Decoy: Autonomous, Synthetic Asset
A decoy is a fully simulated but isolated system created and managed by our Deceptor. It is never used for legitimate business purposes and exists only to attract, engage, and study adversaries.
Key characteristics
High-Fidelity Simulation: May run a full OS (Windows, Linux) with realistic services (IIS, Apache, MySQL, SMB, RDP, API endpoints).
Isolated from Production: Segregated network zones ensure attackers cannot pivot to a real system.
Autonomous Operation: Generates its own simulated user activity, file changes, and network traffic to appear authentic.
Behavioral Adaptation: Can evolve in real time based on attacker skill level (e.g., exposing more services for a skilled attacker).
Forensic Capture: Every command, connection, and file modification is recorded for incident analysis.
Example
A decoy Linux server mimics a production database server. It has plausible table names, realistic data, and normal query activity. When an attacker connects to it, the system logs every SQL command and can feed that data into ThreatIQ for behavioral analysis.
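The forensic-capture side of that example, as an added illustration that is not part of the original page or the product's own code: every command an intruder sends to the decoy database is recorded as a structured event, and the session is rolled up into a summary of the kind a behavioral-analysis feed could consume. The decoy id, source address, sample statements and the command categories are constructed assumptions.

```python
"""Constructed illustration of a decoy's forensic capture: each SQL command sent to
a decoy database becomes a structured event, and a session summary is produced for
downstream behavioral analysis. Not the product's own implementation."""
import json
import re
from datetime import datetime, timezone

# Command categories used by this toy classifier (an assumption, not a product rule).
PATTERNS = [
    ("recon", re.compile(r"^\s*(show|describe|desc)\b|information_schema", re.I)),
    ("destructive", re.compile(r"^\s*(drop|truncate|alter)\b", re.I)),
    ("write", re.compile(r"^\s*(insert|update|delete)\b", re.I)),
    ("read", re.compile(r"^\s*select\b", re.I)),
]

def classify(sql):
    """Return the category of one SQL statement (first matching pattern wins)."""
    for name, rx in PATTERNS:
        if rx.search(sql):
            return name
    return "other"

class DecoySession:
    """Records every command from one client connection to the decoy.
    Any interaction is suspicious by definition: the decoy has no legitimate users."""
    def __init__(self, decoy_id, src_ip):
        self.decoy_id, self.src_ip, self.events = decoy_id, src_ip, []

    def record(self, sql, when=None):
        """Store one command with timestamp, source and category; return the event."""
        when = when or datetime.now(timezone.utc)
        event = {"decoy": self.decoy_id, "src": self.src_ip,
                 "ts": when.isoformat(), "category": classify(sql), "sql": sql}
        self.events.append(event)
        return event

    def summary(self):
        """Roll the command timeline up into per-category counts plus an alert flag."""
        counts = {}
        for e in self.events:
            counts[e["category"]] = counts.get(e["category"], 0) + 1
        return {"decoy": self.decoy_id, "src": self.src_ip,
                "commands": len(self.events), "by_category": counts,
                "alert": len(self.events) > 0}  # a single command is already an alert

if __name__ == "__main__":
    s = DecoySession("db-decoy-01", "10.0.5.23")  # constructed sample values
    for q in ["SHOW TABLES;", "SELECT * FROM customers LIMIT 5;",
              "SELECT table_name FROM information_schema.tables;", "DROP TABLE audit_log;"]:
        s.record(q)
    print(json.dumps(s.summary(), indent=2))
```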
| Feature | Endpoint | Decoy |
| --- | --- | --- |
| Purpose | Real business operations and deception delivery | Pure deception and attacker engagement |
| Control | Managed by Artifact Manager | Managed by the Deceptor |
| Data | Real business data and planted artifacts | Synthetic but realistic data |
| Connectivity | Integrated into real network | Isolated deception zone |
| Risk | Needs protection from compromise | Safe to compromise (designed for it) |
| User Interaction | Used by employees | No legitimate user interaction |
| Deployment | Existing hardware or VMs | Dedicated deception VMs or containers |