
deception technology

Deception technology, commonly referred to as cyber deception, is a category of security tools and techniques designed to detect and divert an attacker's lateral movement once the attacker is already inside the network. Deception technology enables defenders to identify a wide variety of attack methods without relying on known signatures or pattern matching: the detection criterion is the act of touching an asset that no legitimate user or process has a reason to touch.

The technology is known for issuing reliable alerts because any engagement with a deceptive asset is by definition unauthorized; nothing legitimate should ever connect to, authenticate against or read it. In practice the main exception is the organization's own vulnerability scanners and asset-discovery tools, whose source addresses should be allow-listed or whose decoy hits should be routed separately so they do not dilute the signal. In addition to obfuscating the attack surface and making it hard for attackers to look around undetected, deception technology can redirect the attacker to an engagement server that gathers intelligence about the attacker's tools, methods and behaviors. Third-party integrations can be used to automate appropriate response actions, including isolation, blocking and threat hunting.

Gartner predicts that by 2022, 25% of all threat detection and response projects will include deception features and functionality.

Growth of the Deception Technology market

Increased adoption of deception technology has stemmed from the need for scalable threat detection across a wide variety of attack surfaces, including:

  • Active Directory (AD)
  • software applications
  • virtual private clouds
  • Internet of Things (IoT) devices
  • point-of-sale (PoS) systems

Breaches such as the SolarWinds incident have also brought to light the magnitude of the need for detecting lateral movement and privilege escalation.

Standards organizations are also embracing deception. The National Institute of Standards and Technology (NIST) lists deception as a cyber resiliency technique in SP 800-160 Vol. 2, and SP 800-53 Rev. 5 carries dedicated controls for it: SC-26 (Decoys) and SC-30 (Concealment and Misdirection). Similarly, the MITRE ATT&CK framework helps organizations understand where deception fits in their security stack to derail attacker tactics and techniques, specifically in the Discovery, Lateral Movement, Privilege Escalation and Collection tactics; MITRE's Shield knowledge base (later superseded by MITRE Engage) maps active-defense and deception techniques to those ATT&CK tactics.

How Deception Works

Once thought to be only for large organizations with mature security teams, deception platforms have evolved into a practical and effective solution for companies of all sizes.

Companies seek out cyber deception for comprehensive attack surface protection, early detection, and a better understanding of their adversaries. Deception platforms meet these needs through their deployment scalability, ease of use for operators and an ability to work seamlessly with security solutions already in place.

Unlike a security information and event management (SIEM) solution, which correlates event logs to reconstruct what has already happened, deception produces its signal at the moment of the attacker's interaction: the decoy itself is the sensor. Because the detection is based on the attacker's technique (touching something that should never be touched) rather than on signatures or pattern matching, it catches novel tooling and hands-on-keyboard activity that signature-based controls miss, which is the source of its efficacy.

Deception technology alerts on early discovery, reconnaissance and privilege escalation activity. Defenders can set lures and decoys, hide production assets and misdirect attackers with disinformation that derails their attack. The decoys mimic genuine IT assets throughout the network and run either a real or an emulated operating system (OS). They expose services designed to convince the attacker that they have found a vulnerable system. The technology can also reduce the attack surface by finding and remediating exposed credentials that create attack paths.
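The decoy services described above are, at their simplest, listeners that present a believable banner, record whatever the client sends and raise an alert on any contact. The following is an added example written for this page, not code from any deception vendor or product; the port, banner string and alert field names are this example's own assumptions. It distinguishes a bare port scan (connect and leave) from a client that actually starts the SSH handshake, which tells the operator how far the adversary got:

```python
"""Minimal low-interaction decoy service (added example, not vendor code).

It listens on a port no production system uses, presents an SSH-like
banner, captures the client's first bytes and emits an engagement alert.
Any connection is unauthorized by definition: nothing legitimate has a
reason to talk to this port.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Assumption: mimic a common OpenSSH build so the decoy looks like a real host.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3\r\n"
DECOY_SERVICE = "ssh-decoy"          # name used in the alert (assumed)


def build_alert(src_ip, src_port, first_bytes, decoy_port, seen_at=None):
    """Turn one decoy session into a structured, engagement-based alert."""
    seen_at = seen_at or datetime.now(timezone.utc)
    # A real SSH client answers with its own identification string; a port
    # scanner usually connects and disconnects without sending anything.
    if first_bytes.startswith(b"SSH-"):
        stage = "interactive-login-attempt"
        client = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    elif first_bytes:
        stage = "unknown-protocol-probe"
        client = first_bytes[:32].hex()
    else:
        stage = "port-scan"
        client = ""
    return {
        "ts": seen_at.isoformat(),
        "severity": "high",               # engagement with a decoy is never benign
        "decoy": DECOY_SERVICE,
        "decoy_port": decoy_port,
        "src_ip": src_ip,
        "src_port": src_port,
        "stage": stage,
        "client": client,
        "recommended_action": "isolate-source-host",
    }


def handle_session(conn, addr, decoy_port, sink):
    """Serve one client: send the banner, capture first bytes, alert, close."""
    try:
        conn.settimeout(5)
        conn.sendall(DECOY_BANNER)
        try:
            data = conn.recv(256)
        except socket.timeout:
            data = b""
    finally:
        conn.close()
    sink(build_alert(addr[0], addr[1], data, decoy_port))


def serve(bind_addr="0.0.0.0", port=2222, sink=lambda a: print(json.dumps(a))):
    """Accept loop; each session is handled in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_session, args=(conn, addr, port, sink),
                         daemon=True).start()


if __name__ == "__main__":
    serve()   # run on a host that has no real SSH on 2222; alerts print as JSON
```

The `sink` callback is where a real deployment would forward the alert to a SIEM or SOAR; here it prints JSON. A low-interaction decoy like this never completes the handshake, so it cannot be used by the attacker as a foothold, at the cost of capturing less about the attacker's tooling than a full-OS decoy would.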

Upon attacker interaction with a deceptive asset, the security team receives a high-fidelity, engagement-based alert together with the intelligence gathered about the attack. Insight into the attacker's tools, methods and intent gives the defender what is needed to shut down the attack, strengthen the overall defense strategy and level the playing field with the opponent.

The attacker will also get an unclear picture of the attack surface, which will slow them down, force them to make mistakes, expend additional resources and negatively impact the economics of their attack.

During security assessments such as penetration tests and red-team exercises, deception technology plays an important role in detecting the tester early and recording the attack activity. The same capability matters against ransomware, whose operators must discover hosts and move laterally before they can encrypt or steal data at scale. Deception is particularly adept at detecting intruders attempting to move laterally within the network, even when they use valid, stolen credentials, because a decoy account, share or host is flagged by its identity, not by how it was reached.
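The point made above about valid credentials is easiest to see in detection logic. The following is an added example written for this page, not a vendor's detector: it keeps a small catalogue of planted artefacts (decoy accounts, a decoy share, a decoy host) and runs over constructed telemetry in a simplified Windows-security-event and SMB-audit style. The account, share and host names, the log format and the scanner address are all this example's own assumptions. Because the rule matches the planted identity, a successful Kerberos ticket request with a harvested decoy credential (a valid logon as far as the domain controller is concerned) is alerted exactly as a failed one would be, while the organization's own vulnerability scanner, the one expected source of benign decoy contact, is allow-listed:

```python
"""Honeytoken detector over constructed telemetry (added example, not vendor code).

A deception deployment plants credentials, accounts and files that no
legitimate workflow uses. Any use of them is unauthorized by definition,
so matching is by identity (the planted name), not by attack signature,
which is why it catches lateral movement performed with valid credentials.
"""
import re
from dataclasses import dataclass, field

# Catalogue of planted artefacts. All names below are made up for this example.
DECOY_ACCOUNTS = {"svc_backup_adm", "sqlsvc-legacy"}   # AD lures with no real rights
DECOY_SHARES = {r"\\fs01\finance_archive"}              # share that holds no real data
DECOY_HOSTS = {"10.10.20.250"}                          # emulated decoy server
AUTHORIZED_SCANNERS = {"10.10.0.9"}                     # the vulnerability scanner

# Constructed sample telemetry: Windows security events (4768 Kerberos TGT
# request, 4624/4625 logon success/failure, 5145 share access) and SMB audit lines.
SAMPLE_LOG = """\
4768 TargetUserName=svc_backup_adm IpAddress=10.10.20.33 Status=0x0
4624 TargetUserName=jsmith IpAddress=10.10.20.33 LogonType=3
4625 TargetUserName=sqlsvc-legacy IpAddress=10.10.20.33 Status=0xC000006D
5145 ShareName=\\\\fs01\\finance_archive IpAddress=10.10.20.33 SubjectUserName=jsmith
SMB  src=10.10.0.9 dst=10.10.20.250 share=IPC$ user=scanner
SMB  src=10.10.20.33 dst=10.10.20.250 share=C$ user=jsmith
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    src_ip: str
    rule: str
    evidence: str
    # Response actions a SOAR integration would carry out (assumed names).
    actions: list = field(default_factory=lambda: [
        "isolate_source", "disable_credential", "hunt_from_source"])


def parse(line):
    """Split a telemetry line into (event_type, {field: value})."""
    kind, rest = line.split(None, 1)
    return kind, dict(KV.findall(rest))


def detect(log_text):
    """Return one Alert per decoy engagement, skipping authorized scanners."""
    decoy_shares = {s.lower() for s in DECOY_SHARES}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, f = parse(line)
        src = f.get("IpAddress") or f.get("src")
        if src in AUTHORIZED_SCANNERS:
            continue  # known benign touch, not an adversary
        if kind in {"4768", "4624", "4625"} and f.get("TargetUserName") in DECOY_ACCOUNTS:
            # Any use of a lure account means a harvested or stolen credential,
            # whether or not the logon succeeded.
            alerts.append(Alert(src, "decoy-account-use", f"{kind} {f['TargetUserName']}"))
        elif kind == "5145" and f.get("ShareName", "").lower() in decoy_shares:
            alerts.append(Alert(src, "decoy-share-access", f["ShareName"]))
        elif kind == "SMB" and f.get("dst") in DECOY_HOSTS:
            alerts.append(Alert(src, "decoy-host-contact", f"{f['dst']} {f.get('share')}"))
    return alerts


def engaged_sources(log_text):
    """Hosts that touched any decoy; the natural unit for isolation."""
    return {a.src_ip for a in detect(log_text)}


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
    print("isolate:", engaged_sources(SAMPLE_LOG))
```

On the sample log, every alert points at the same source, 10.10.20.33, even though that host also produced an ordinary logon as `jsmith`; grouping by source rather than by event is what turns four decoy hits into one isolation decision.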


Deception technology is available as a full deception fabric or platform, as features within a broader platform and as independent solutions. Advanced deception platforms use machine learning for fast and accurate deployment and operations without disrupting other network functions. Native platform integrations with existing security infrastructure can provide seamless attack information sharing and facilitate automation. Benefits include automated blocking, isolation, threat hunting, repeatable playbooks that accelerate incident response and integration with SOAR solutions.

The most advanced deception platforms also provide concealment technology, which hides and denies access to data. Instead of only interweaving deceptive assets among production assets, the technology can hide real assets from an attacker's view. It can also return fake data to the attacker to disrupt and derail further attacks. Coverage includes AD objects, credentials, files, folders and removable drives, as well as network and cloud shares. This function serves as a powerful ransomware deterrent because attackers can't find and take over domain control, or encrypt or steal data on drives, that they can't see or access.


Cyber deception complements existing security controls by detecting discovery, lateral movement, privilege escalation and collection activities that other tools are not designed to address. The technology is highly scalable, which allows it to protect an ever-evolving attack surface.

Many of the attack activities that deception provides visibility into are traditionally challenging to detect. These include lateral movement, credential theft and reuse, internal threat reconnaissance, man-in-the-middle (MitM) activities, and attacks on directory services such as Lightweight Directory Access Protocol (LDAP) or AD.

The ability to deceive, direct and guide the adversary away from critical assets denies them their goals and reveals how they intend to move through the network. It also increases the attacker's cost, because they must now decipher what is real from what is fake, and each mistake forces them to restart their attack.

This was last updated in January 2021
