
deception technology

Deception technology, commonly referred to as cyber deception, is a category of security tools and techniques designed to detect and divert an attacker’s lateral movement once they are inside the network. Deception technology enables defenders to identify a wide variety of attack methods without relying on known signatures or pattern matching.

The technology is known for issuing reliable alerts because any engagement with a deception asset is by definition "unauthorized." In addition to obfuscating the attack surface and making it challenging for attackers to look around undetected, deception technology will also redirect the attacker to an engagement server that gathers intelligence about the attacker’s tools, methods and behaviors. Third-party integrations can be used to automate appropriate response actions, including isolation, blocking and threat hunting.

Gartner predicts that by 2022, 25% of all threat detection and response projects will include deception features and functionality.

Growth of the Deception Technology market

Increased adoption of deception technology has stemmed from the need for scalable threat detection across a wide variety of attack surfaces, including:

  • Active Directory (AD)
  • software applications
  • virtual private clouds
  • Internet of Things (IoT)
  • point-of-sale (PoS) systems

Breaches such as the SolarWinds incident have also brought to light the magnitude of the need for detecting lateral movement and privilege escalation.

Standards organizations are also embracing deception, with the National Institute of Standards and Technology (NIST) adding the technology to several recent guidelines. Similarly, the MITRE ATT&CK framework helps organizations understand how deception fits in their security stack to derail attack techniques and tactics – specifically around discovery, lateral movement, privilege escalation and collection.

How Deception Works

Once thought to be only for large organizations with mature security teams, deception platforms have evolved into a practical and effective solution for companies of all sizes.

Companies seek out cyber deception for comprehensive attack surface protection, early detection, and a better understanding of their adversaries. Deception platforms meet these needs through their deployment scalability, ease of use for operators and an ability to work seamlessly with security solutions already in place.

Unlike security information and event management (SIEM) solutions that use event logs to report what happened, deception proactively reports on what could happen. Deception detects attacker techniques rather than relying on signatures or pattern matching, which is also what makes it effective.

Deception technology will alert on early discovery, reconnaissance and privilege escalation activities. Defenders can set lures and decoys, hide production assets and misdirect attackers with disinformation that will derail their attack. The decoys mimic genuine IT assets throughout the network and run either a real or emulated operating system (OS). The decoys provide services designed to trick the attacker into thinking they have found a vulnerable system. The technology can also reduce the attack surface by finding and remediating exposed credentials that create attack paths.

Upon attacker interaction with a deceptive asset, the security team will receive a high-fidelity, engagement-based alert with intelligence gathered about the attack. By gaining insight into the attacker’s tools, methods and intent, the defender will have the necessary knowledge to shut down the attack, strengthen overall defense strategies and level the playing field with their opponent.
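The engagement-based alerting described above, as an added example that is not part of the original article or any vendor's product: a small detector that treats any use of a planted decoy credential or any connection to a decoy host as an alert, regardless of whether the authentication succeeded, because no legitimate user or process should ever touch those assets. The decoy inventory and the log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: these accounts and hosts exist only as lures,
# so any appearance of them in an authentication event is unauthorized by definition.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_legacy"}
DECOY_HOSTS = {"10.0.5.250", "fileshare-decoy"}

# Constructed, simplified authentication log lines (not real product output).
SAMPLE_LOG = """\
2021-01-12T08:01:10Z auth src=10.0.1.15 user=jsmith dst=10.0.2.10 result=success
2021-01-12T08:02:44Z auth src=10.0.1.15 user=svc_backup_old dst=10.0.2.10 result=failure
2021-01-12T08:03:01Z auth src=10.0.1.15 user=jsmith dst=10.0.5.250 result=success
2021-01-12T08:05:30Z auth src=10.0.1.22 user=adm_legacy dst=10.0.2.11 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str      # the internal host that touched the decoy: the lateral-movement origin
    reason: str


def engagement_alerts(log_text: str) -> list[Alert]:
    """Return one alert per event that engages a decoy credential or decoy host.

    The result field is deliberately ignored: a failed login with a decoy
    account is just as telling as a successful one, since real users never hold it.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not auth events in the expected format
        ev = m.groupdict()
        if ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["ts"], ev["src"], f"decoy credential used: {ev['user']}"))
        elif ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["ts"], ev["src"], f"decoy host touched: {ev['dst']}"))
    return alerts


def suspect_sources(alerts: list[Alert]) -> list[str]:
    """Distinct source hosts to isolate or hunt on, derived from the alerts."""
    return sorted({a.src for a in alerts})
```

In the sample, the ordinary login by jsmith to a production host produces nothing, while the three decoy engagements yield alerts pointing at two internal sources worth isolating.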

The attacker will also get an unclear picture of the attack surface, which will slow them down, force them to make mistakes, expend additional resources and negatively impact the economics of their attack.

For companies conducting security assessments, deception technology plays an important role in detecting the attacker early and recording the attack activity. These capabilities make deception technology one of the most effective methods to deal with ransomware. It is particularly adept at detecting intruders attempting to move laterally within the network -- even if intruders use authentic credentials.


Deception technology is available as a full deception fabric or platform, as features within a broader platform and as independent solutions. Advanced deception platforms use machine learning for fast and accurate deployment and operations without disrupting other network functions. Native platform integrations with existing security infrastructure can provide seamless attack information sharing and facilitate automation. Benefits include automated blocking, isolation, threat hunting, repeatable playbooks that accelerate incident response and integration with SOAR solutions.

The most advanced deception platforms will also provide concealment technology, which hides and denies access to data. Instead of interweaving deceptive assets among production assets, the technology can hide real assets from an attacker's view. It can also return fake data to the attacker to disrupt and derail further attacks. Coverage includes AD objects, credentials, files, folders and removable drives, as well as network and cloud shares. This function serves as a powerful ransomware deterrent because attackers can’t find and take over domain control, or encrypt or steal data on drives, that they can’t access.


Cyber deception complements existing security controls by detecting discovery, lateral movement, privilege escalation and collection activities that other tools are not designed to address. The technology is highly scalable, which allows it to protect an ever-evolving attack surface.

Many of the attack activities that deception provides visibility into are traditionally challenging to detect. These include lateral movement, credential theft and reuse, internal threat reconnaissance, man-in-the-middle (MiTM) activities, and attacks on directory services such as Lightweight Directory Access Protocol (LDAP) or AD.

The ability to deceive, direct, and guide the adversary away from critical assets denies them their goals and reveals how they want to move through the network. It also increases the attacker’s cost, because they must now decipher what is real from what is fake and are forced to restart their attacks.

This was last updated in January 2021
