Cyber Deception & Active Defense
Honeypots, honeytokens, canary tokens, deception platforms, moving target defense, MITRE D3FEND, adversary engagement.
What is Cyber Deception & Active Defense?
Cyber deception flips the asymmetry of cybersecurity. Instead of defenders needing to be right every time, deception plants assets that legitimate users never touch, so any interaction with a fake asset is a high-confidence alert. Honeypots, honeytokens, canary tokens, and deception platforms deploy convincing fake credentials, files, services, and systems and watch for anyone using them.
The MITRE D3FEND framework catalogs deception under its Deceive tactic (decoy objects and decoy environments), and platforms like Thinkst Canary have made deployment accessible to organizations of any size. A single canary token in an AWS credential file, a fake admin account in Active Directory, or a decoy database server can detect lateral movement that evades signature-based and behavioral controls, because the attacker has no way to tell the decoy from the real thing during reconnaissance.
Moving target defense is the related active-defense technique of dynamically changing the attack surface: rotating IP addresses, randomizing ports, and diversifying software stacks so that reconnaissance results go stale and exploits tuned to a fixed configuration become fragile.
Why it matters
Traditional detection has a false positive problem. Deception has a near-zero false positive rate: no legitimate user or process has a reason to touch a decoy, so any interaction is unauthorized and worth investigating. The exceptions are predictable and can be allowlisted up front (the organization's own vulnerability scanners, backup or indexing jobs that sweep directories, and internet background noise against externally exposed honeypots). With those excluded, internal decoys are among the highest-signal detection sources in a security stack.
Cyber deception complements detection engineering and threat hunting by creating tripwires that catch attackers who evade signature-based and behavioral detection. It's particularly effective against insider threats and post-compromise lateral movement.
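The honeytoken pattern described above (a planted AWS key, a decoy AD account, a decoy host) and the allowlisting caveat from the previous paragraph, as one added example. This is illustrative code written for this page, not Thinkst's, MITRE's or any vendor's implementation. It assumes the defender receives CloudTrail records for the decoy key and Windows 4768 events from the domain controllers already parsed to JSON; every decoy identifier, address, path and log event in it is constructed sample data.

```python
"""Honeytoken tripwire: register decoy assets, then match log events against them.

Added example for this page; it is not Thinkst's, MITRE's or any vendor's code.
Decoy identifiers, log events, file paths and the allowlisted scanner address are
constructed sample data, not real credentials, hosts or accounts.
"""
from dataclasses import dataclass, field

# Decoy assets that no legitimate user or process has any reason to use.
# The value is the context an analyst needs when the alert fires.
HONEYTOKENS = {
    "aws_access_key_id": {
        "AKIAEXAMPLEDECOY0001": "decoy key in a forgotten-looking profile in ~svc-backup/.aws/credentials",
    },
    "ad_username": {
        "svc_sqladmin_old": "decoy admin account in OU=Legacy; never assigned to anyone",
    },
    "hostname": {
        "db-finance-02": "decoy database host; DNS record and listener only, no data",
    },
}

# Sources permitted to touch decoys (here: the authorised vulnerability scanner).
# Their hits are recorded but not alerted on; without this list the
# "zero false positive" promise does not hold in practice.
ALLOWLISTED_SOURCES = {"10.0.9.5"}


@dataclass
class Alert:
    token_type: str
    token: str
    source_ip: str
    reason: str
    event: dict = field(repr=False)


def decoy_aws_credentials_profile(profile: str = "prod-backup") -> str:
    """Render the decoy key as an ~/.aws/credentials profile to plant on a host."""
    key = next(iter(HONEYTOKENS["aws_access_key_id"]))
    secret = "EXAMPLEdecoySECRETnotARealKey0000000000000"  # constructed, never valid
    return f"[{profile}]\naws_access_key_id = {key}\naws_secret_access_key = {secret}\n"


def _candidates(event: dict) -> list[tuple[str, str, str]]:
    """Return (token_type, value, source_ip) triples found in one parsed event.

    Two constructed formats are handled: a CloudTrail-style record and a
    Windows Security event 4768 (Kerberos TGT request) already parsed to JSON.
    """
    found = []
    if event.get("eventSource", "").endswith("amazonaws.com"):
        key = event.get("userIdentity", {}).get("accessKeyId", "")
        found.append(("aws_access_key_id", key, event.get("sourceIPAddress", "")))
    elif event.get("EventID") == 4768:
        # Windows logs IPv4 clients as IPv4-mapped IPv6 addresses
        src = event.get("IpAddress", "").removeprefix("::ffff:")
        found.append(("ad_username", event.get("TargetUserName", ""), src))
    # Any event may mention the decoy host in free text (ssh, DNS, proxy logs)
    src = event.get("sourceIPAddress") or event.get("IpAddress", "").removeprefix("::ffff:")
    text = str(event.get("message", ""))
    for host in HONEYTOKENS["hostname"]:
        if host in text:
            found.append(("hostname", host, src))
    return found


def scan(events: list[dict]) -> tuple[list[Alert], list[Alert]]:
    """Split decoy hits into (alerts, suppressed) by the source allowlist."""
    alerts: list[Alert] = []
    suppressed: list[Alert] = []
    for event in events:
        for token_type, value, src in _candidates(event):
            reason = HONEYTOKENS[token_type].get(value)
            if reason is None:
                continue  # a real key/account/host, not a decoy
            hit = Alert(token_type, value, src, reason, event)
            (suppressed if src in ALLOWLISTED_SOURCES else alerts).append(hit)
    return alerts, suppressed


# Constructed sample events, in the order a lateral-movement sequence might produce them.
SAMPLE_EVENTS = [
    # 1. Legitimate API call with a real, non-decoy key: no hit
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEREAL000001"}, "sourceIPAddress": "10.0.1.20"},
    # 2. Decoy key used from an address outside the estate: alert
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEDECOY0001"}, "sourceIPAddress": "198.51.100.7"},
    # 3. TGT request for the decoy admin account from a workstation: alert
    {"EventID": 4768, "TargetUserName": "svc_sqladmin_old", "IpAddress": "::ffff:10.0.3.44"},
    # 4. The authorised scanner trying the same account: suppressed, not alerted
    {"EventID": 4768, "TargetUserName": "svc_sqladmin_old", "IpAddress": "::ffff:10.0.9.5"},
    # 5. Ordinary user logon: no hit
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.3.10"},
    # 6. Host log mentioning the decoy server: alert
    {"message": "sshd: connection to db-finance-02 from 10.0.3.44 port 22", "IpAddress": "10.0.3.44"},
]


if __name__ == "__main__":
    print(decoy_aws_credentials_profile(), end="")
    fired, quiet = scan(SAMPLE_EVENTS)
    for a in fired:
        print(f"ALERT {a.token_type}={a.token} from {a.source_ip}: {a.reason}")
    print(f"{len(quiet)} hit(s) suppressed by allowlist")
```

Run on the sample events this yields three alerts (the decoy AWS key, the decoy account from a workstation, the decoy host in a host log) and one suppressed hit from the scanner. The design point is that the registry holds a reason string per decoy: an alert that says where the token was planted tells the responder which host or file the attacker has already read, which is the real value of a honeytoken over a generic IDS signature.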
Curated resources
Authoritative sources we ground Cyber Deception & Active Defense questions in — frameworks, research, guides, and tools.
MITRE Engage
Adversary engagement framework. Maps deception and denial operations to ATT&CK adversary behaviors. The defensive complement to ATT&CK for planning deception operations.
The Honeynet Project
Long-running international research community focused on honeypots and deception research. Source of many open-source honeypot tools (Cowrie, Conpot for ICS).
Canary Tokens (Thinkst)
Free, lightweight tripwire tokens (DNS, AWS keys, Word docs, Kubeconfig). Trivial to deploy, high signal: no legitimate workflow uses the token, so any access is unauthorized by construction. The standard reference for canary-style deception.
NIST SP 800-160 Vol. 2 Rev. 1 — Developing Cyber-Resilient Systems
Cyber-resiliency engineering framework. Covers deception, diversity, dynamic positioning, and other techniques for systems designed to operate through compromise. The systems-engineering view of active defense.
Cowrie — SSH/Telnet Honeypot
Mature, widely deployed medium-interaction SSH and Telnet honeypot. Logs attacker commands, captures malware, proxies sessions. The standard reference implementation for SSH-honeypot questions.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Test what you know about Cyber Deception & Active Defense
109 questions available. Beginner to expert questions, scored against the global leaderboard.