The alert with almost no false positives.
Decoys are a tripwire for attacker activity. Nobody legitimate should ever touch one, so when an attacker does, you get a high-fidelity signal, scoped to your workspace and ready to act on.
Catch what prevention misses.
Deception fires after an attacker is already moving, with signal quality that prevention and broad telemetry cannot match.
Decoy touched
Any interaction with a decoy is a signal worth acting on.
Full interaction detail
Event type, request method and path, hashed source, and risk tags.
No legitimate traffic
Decoys are not real systems, so they generate almost no false positives.
Register, wait, respond.
Register decoys
Enroll decoys for your workspace through the agent API.
Get signals
Any interaction with your decoys shows up as a scoped alert.
Respond
Triage the interaction and route it to your incident workflow.
Low-noise, scoped, automatable.
Workspace-scoped
You only ever see interactions with your own decoys.
High fidelity
A signal means something touched a decoy, which should not happen in normal use.
API + SIEM
Pull signals via GET /api/deception/signals into a SIEM or TicketBridge.
Security and response teams.
Responders
A low-noise tripwire that flags attacker activity worth investigating.
Security engineers
Place decoys near sensitive assets to widen coverage.
Honest answers.
No. The signals feed is strictly scoped to your workspace's decoys.
Add a high-fidelity tripwire.
Turn decoys into low-noise alerts scoped to your workspace.