Most security advice focuses on keeping people out — firewalls, passwords, locked doors. But what happens when someone gets in anyway? That's the question deception technology is built to answer.
The idea is simple: instead of only trying to keep attackers out, you also plant fake things inside your system to trick them once they're in. Think of it like leaving a fake wallet on a table with a tracker inside it. If someone who shouldn't be there picks it up, you instantly know.
What It Actually Means
Deception technology means placing things in your system that look real but aren't — and have no real purpose except to catch someone who shouldn't be touching them. A normal user or program never interacts with these fake things, so if something does, you know right away that something is wrong.
A few common types, explained simply:
Honeypots are like a fake unlocked car left in a bad neighborhood with a hidden camera inside. It looks tempting and real, but it holds nothing of value — its only job is to attract someone who shouldn't be there and catch them the moment they try something. In a computer system, this is a fake server or fake service that looks valuable but does nothing real except log everything that touches it.
Honeytokens (or canary tokens) are like marking one specific $20 bill in your wallet and leaving your wallet somewhere. You never spend that bill yourself. So if it ever shows up being used somewhere, you know exactly what happened — someone took it, because there's no other explanation. In a computer system, this is a fake password, login, or file planted somewhere a legitimate user would never touch. The moment anyone uses it, an alarm goes off.
Decoys are like having a fake safe sitting next to your real one. Both look identical from the outside. A burglar who finds the fake safe wastes time cracking it open, only to find nothing — while the real one stays hidden and untouched, and you've been alerted the moment the fake one was tampered with. In a computer system, this might be a fake admin login page or a fake database sitting alongside the real ones, built purely to confuse anyone poking around.
Why It Works
Here's the clever part: once someone breaks in, they don't know what's real and what's fake. Every file, password, or system they come across could be genuine — or it could be a trap. That uncertainty alone makes them move slower and more carelessly, which makes them easier to catch.
And it gets even smarter. A good deception system doesn't stay the same — it quietly shifts and changes over time, without ever telling the attacker. The fake systems move, the fake passwords rotate, the traps rearrange themselves. So even if someone studied your system yesterday, what they think they know today might already be wrong.
This shifting part is like a museum that rearranges its rooms every night. A thief who scouted the building yesterday walks in today and nothing is quite where they remember. They can't case the place once and trust that knowledge later; they're always working with outdated information, which makes every move riskier for them.
Put it all together, and it's like trying to rob a house where the furniture secretly rearranges itself overnight, and some of it is wired with alarms. You can't ever be fully sure of your surroundings, and you can't trust what you learned last time. That constant uncertainty is exactly the point — it keeps attackers off balance and makes it very hard for them to ever feel safe moving around.
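As an added example (not code from the original post), here is a small Python sketch that ties together the honeytoken type from the list above and the rotation described in this section: a registry of planted canary credentials, a log scanner that raises an alert whenever one of them is presented (successful login or not), and a rotate step that retires a token without dropping it from the watch list. The log format, the log lines and the AKIA-shaped token format are constructed for this example; no real system or key is involved.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample log lines (not from any real system). Each auth event
# records the credential id that was presented and the source address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth ok user=alice key=AKIAREALUSERKEY00001 src=10.0.5.23
2024-05-01T10:02:17Z auth fail user=svc-backup key=AKIACANARY0000000001 src=203.0.113.44
2024-05-01T10:02:18Z auth ok user=bob key=AKIAREALUSERKEY00002 src=10.0.5.40
2024-05-01T10:09:03Z auth fail user=svc-backup key=AKIAOLDCANARY000001X src=203.0.113.44
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>\S+) user=(?P<user>\S+) key=(?P<key>\S+) src=(?P<src>\S+)$"
)


@dataclass
class HoneytokenRegistry:
    """Planted canary credentials. Nothing legitimate ever presents one, so any
    appearance in a log is an alert, successful login or not. Rotated-out
    tokens stay monitored: a retired token showing up means it was harvested
    before the rotation, which is itself worth knowing."""
    active: dict = field(default_factory=dict)   # token -> label (where it was planted)
    retired: dict = field(default_factory=dict)  # token -> label

    def plant(self, label, token=None):
        # Shaped like an AWS access key id (an assumption made only so the bait
        # looks plausible next to real credentials in the log).
        token = token or "AKIA" + secrets.token_hex(8).upper()
        self.active[token] = label
        return token

    def rotate(self, label, token=None):
        """Retire every active token carrying `label` and plant a fresh one:
        the 'fake passwords rotate' step, done without losing the old bait."""
        for old, lbl in list(self.active.items()):
            if lbl == label:
                self.retired[old] = lbl
                del self.active[old]
        return self.plant(label, token)

    def status(self, token):
        """Return ('active'|'retired', label) for a known token, else None."""
        if token in self.active:
            return "active", self.active[token]
        if token in self.retired:
            return "retired", self.retired[token]
        return None


def scan_log(registry, text):
    """Walk auth log lines and emit one alert per line that presents a
    planted token. Real users' keys never match, so there is no allow-list
    to maintain and normal traffic produces no false positives."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not our log format: skip the line
        hit = registry.status(m["key"])
        if hit is None:
            continue
        state, label = hit
        alerts.append({
            "time": m["ts"], "label": label, "state": state,
            "user": m["user"], "src": m["src"], "result": m["result"],
        })
    return alerts


def demo():
    """Plant one canary, rotate it, then scan the constructed log: both the
    current and the retired token fire, from the same source address."""
    reg = HoneytokenRegistry()
    reg.plant("backup-config canary", token="AKIAOLDCANARY000001X")
    reg.rotate("backup-config canary", token="AKIACANARY0000000001")
    return scan_log(reg, SAMPLE_LOG)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a['time']} {a['label']} ({a['state']} token) "
              f"presented by user={a['user']} from {a['src']} result={a['result']}")
```

Two design points worth noting: the scanner alerts on failed attempts as well as successes, because the canary key was never valid and a failed login with it still proves someone found and tried the bait; and rotating a token moves it to a monitored retired set rather than forgetting it, so bait that was collected before the rotation still trips the alarm when it is eventually used.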
Why This Is Different From Normal Security
Normal security tries to stop someone from getting in. Deception technology assumes someone might get in anyway — and focuses on catching them fast, before they can do real damage. It's less about building a stronger wall and more about setting a trap inside the house, just in case the wall doesn't hold.
Top comments (2)
The honeytoken point is the strongest one here — near-zero false positives, since nothing legitimate ever touches the bait. What opens up right after the alert fires is severity: "your fake AWS key was just used" tells you something happened, not how far along it is. The cheapest way to rank a fired token is the source that tripped it. Same canary, same decoy login page — tripped from your own office range or some forgotten internal scanner, it's hygiene noise; tripped from a datacenter/hosting range, a Tor exit, or a known proxy pool, someone's already working out of rented infra and you're in an active incident, not a drill. You can make that call in the first second from the source IP alone, before pulling a single other log. I keep ipasis.com/scan open to eyeball how an IP classifies (residential vs datacenter vs proxy/VPN) when a token lights up. Good writeup — the museum-that-rearranges-itself-overnight framing lands well for moving-target defense.
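To make the comment's triage rule concrete, here is an added example (not code from the post or the commenter) that ranks fired honeytoken alerts by the class of the source address and groups them per source. The address ranges are constructed from documentation prefixes: in practice the internal and office ranges come from your own network inventory, and the datacenter, proxy and Tor-exit ranges from an IP-classification feed such as the service the commenter mentions; this code calls no such service.

```python
import ipaddress

# Constructed range table (documentation prefixes, not real infrastructure).
# Internal/office ranges would come from your network inventory; hosting,
# proxy and Tor-exit ranges from an IP-intelligence feed. Ordered so the
# first matching class wins and further classes can simply be appended.
SOURCE_CLASSES = [
    ("internal", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("office-egress", ["198.51.100.0/24"]),  # constructed: the office's public range
    ("hosting", ["203.0.113.0/24"]),         # constructed placeholder for a datacenter range
]
SOURCE_CLASSES = [(name, [ipaddress.ip_network(n) for n in nets])
                  for name, nets in SOURCE_CLASSES]

# Severity per class, following the comment: inside your own ranges it is most
# likely a forgotten scanner (still worth a ticket); rented infrastructure
# means an active incident; anything else gets a middle rank for a human look.
SEVERITY = {"internal": "low", "office-egress": "low", "hosting": "high",
            "unknown": "medium", "invalid": "medium"}


def classify_source(src):
    """Map a source address to one of the classes above."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"  # malformed src field: keep it visible rather than dropping it
    for name, nets in SOURCE_CLASSES:
        if any(ip in n for n in nets):
            return name
    return "unknown"


def triage(alerts):
    """Group honeytoken alerts by source, attach class and severity, and order
    the sources so the first line of the report is the one to act on first."""
    by_src = {}
    for a in alerts:
        entry = by_src.setdefault(a["src"], {"src": a["src"], "count": 0, "labels": set()})
        entry["count"] += 1
        entry["labels"].add(a["label"])
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = []
    for entry in by_src.values():
        cls = classify_source(entry["src"])
        entry["class"] = cls
        entry["severity"] = SEVERITY[cls]
        entry["labels"] = sorted(entry["labels"])  # which bait this source touched
        ranked.append(entry)
    # Most severe first; within a severity, the source that tripped more bait first.
    ranked.sort(key=lambda e: (order[e["severity"]], -e["count"]))
    return ranked


def demo():
    # Constructed alerts, shaped like the output of a honeytoken log scanner.
    alerts = [
        {"src": "203.0.113.44", "label": "backup-config canary"},
        {"src": "203.0.113.44", "label": "admin-console decoy"},
        {"src": "10.0.5.23", "label": "backup-config canary"},
        {"src": "192.0.2.7", "label": "admin-console decoy"},
    ]
    return triage(alerts)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['severity']:6} {e['src']:15} class={e['class']:13} "
              f"hits={e['count']} bait={', '.join(e['labels'])}")
```

The low-severity bucket is deliberately not silence: a canary tripped from an internal range still names a scanner or job that should not know the bait exists, so it gets a ticket rather than a dropped alert.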
Another thing I like about it is that there is a way you can switch the environment from real to fake without the attacker knowing, maybe when the attacker attacks your system, though I don't know if it actually exists, but I'm trying something of that sort in my home lab.