Everyone knows the defense in depth principle: firewall, IDS, EDR, SIEM, each layer adds protection. But almost nobody applies the same principle to deception. Deception in depth means having deceptive elements at every level of infrastructure - from network to operating system, from application to data.
The idea is simple: if an attacker bypasses a defense layer, they should immediately interact with a deception element that reveals their presence. Not a single honeypot sitting in a corner of the network - a fabric of traps integrated at every level. Honeytokens in databases, honeycredentials in Active Directory, honeyfiles on file servers, honeypots on the network.
Practical layering
With Mirage I implemented this approach. Network layer: honeypot services (SSH, HTTP, database) emulating real systems. System layer: decoy files and credentials that, if touched, trigger immediate alerts. Application layer: fake API endpoints that log every interaction. Data layer: decoy records in databases that are never legitimately accessed.
The critical point is integration with detection systems. An isolated honeypot is useful. A honeypot that, at first contact, activates a SOAR playbook, creates an incident response case, automatically enriches the IOC with threat intelligence, and can block the attacker across the entire infrastructure in 30 seconds - that is a game changer. The integration between Mirage and Presidio makes exactly this possible.
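The layering described above, as an added example that is not Mirage or Presidio code: normalized audit events from each layer are matched against a constructed inventory of deception elements, maintenance sources that legitimately verify decoys are excluded, and hits are correlated per source so that a touch on a single layer opens a case while hits on two or more layers escalate to containment. All addresses, paths and record ids are constructed.

```python
from collections import defaultdict

# Constructed inventory of deception elements per layer. Nothing here is used legitimately,
# so any access to one of these objects is a high-confidence signal by construction.
DECEPTION_INVENTORY = {
    "network": {"10.0.9.50:22"},                                            # honeypot SSH service
    "system": {r"\\fs01\finance\salaries_2024.xlsx", "svc_backup_legacy"},  # honeyfile, honeycredential
    "application": {"/api/v1/internal/export"},                             # fake API endpoint
    "data": {"customer:00000-decoy"},                                       # decoy database record
}
# Constructed: the only source allowed to touch decoys (the job that checks they still exist).
MAINTENANCE_SOURCES = {"10.0.1.5"}

def is_deception_hit(event):
    """True when the event's target object is a deception element of its layer."""
    return event["object"] in DECEPTION_INVENTORY.get(event["layer"], set())

def evaluate(events):
    """Correlate SIEM-style events per source and return {src: {"layers": [...], "action": ...}}.

    One touch anywhere in the fabric is enough to open a case ("alert"); the same source
    hitting decoys on two or more layers has moved through the fabric and is escalated
    to "contain", the point at which a SOAR playbook would block it estate-wide.
    """
    hits = defaultdict(set)
    for ev in events:
        if ev["src"] in MAINTENANCE_SOURCES or not is_deception_hit(ev):
            continue
        hits[ev["src"]].add(ev["layer"])
    return {src: {"layers": sorted(layers), "action": "contain" if len(layers) >= 2 else "alert"}
            for src, layers in hits.items()}

# Constructed events: 10.0.4.21 never hits the network honeypot but touches the honeyfile and
# the decoy record; 10.0.4.99 probes the honeypot once; 10.0.1.5 is the maintenance checker.
SAMPLE_EVENTS = [
    {"src": "10.0.4.21", "layer": "system", "object": r"\\fs01\finance\salaries_2024.xlsx"},
    {"src": "10.0.4.21", "layer": "system", "object": r"\\fs01\finance\budget.xlsx"},
    {"src": "10.0.4.21", "layer": "data", "object": "customer:00000-decoy"},
    {"src": "10.0.4.99", "layer": "network", "object": "10.0.9.50:22"},
    {"src": "10.0.1.5", "layer": "application", "object": "/api/v1/internal/export"},
]

if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLE_EVENTS).items():
        print(src, verdict)
```

The budget.xlsx access is a legitimate file and produces nothing, which is what keeps the false-positive rate of decoy-based detection near zero.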
The cost is surprisingly low. Deception elements don't require dedicated hardware - they are lightweight services running on existing infrastructure. The real investment is in design: positioning deception elements where an attacker will naturally find them during reconnaissance or lateral movement. This is where offensive security experience makes the difference.
If you want to dive deeper into this topic or need specialized consulting, let us talk.