Deception is the most underrated defensive technique in cybersecurity. While everyone invests in firewalls, EDR, and SIEM, few consider a simple question: what if we could make the attacker believe they found something valuable, while we are actually watching their every move?
Mirage was born from this insight. It is a deception platform with 11 Docker containers emulating vulnerable services - SSH, HTTP, databases - and uses AI (GPT-4o-mini) to generate realistic responses to attackers. When someone SSHs into our honeypot, they don't find a simple "access denied" banner. They find a system that looks real, with file systems, users, and coherent responses.
Why deception works
The fundamental advantage of deception is that any interaction is a true positive. No legitimate user should ever touch a honeypot. If someone interacts with it, it is because they are doing something they should not be doing. Zero false positives. In a world where SOC analysts are drowning in alerts, this property is gold.
Mirage's pipeline processes every event through NATS JetStream, enriches each one with VirusTotal and AbuseIPDB reputation data, builds attacker profiles, and - the crucial part - sends everything to Presidio via a dedicated bridge. So a single access attempt on the honeypot can automatically trigger a SOAR playbook, create a case in DFIR-IRIS, and block the IP across the entire infrastructure.
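To make the pipeline concrete, here is an added example (my own illustration, not Mirage's code) that walks a batch of honeypot events through the same three stages: enrichment, attacker profiling, and a response decision handed to a SOAR. The event schema, the reputation lookup standing in for VirusTotal/AbuseIPDB answers, and the severity thresholds are all assumptions so the example runs offline; in a real deployment the lookup would be an API call and the event source a NATS JetStream consumer.

```python
"""Added example, not Mirage's code: honeypot events -> enrichment -> profile -> SOAR actions.

Everything below is self-contained and constructed so it runs offline.
"""
from dataclasses import dataclass, field

# Constructed honeypot events, shaped like what a JetStream consumer might hand us.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "src_ip": "203.0.113.7", "service": "ssh", "action": "login", "username": "root", "success": False},
    {"ts": "2024-01-01T10:00:03Z", "src_ip": "203.0.113.7", "service": "ssh", "action": "login", "username": "admin", "success": False},
    {"ts": "2024-01-01T10:00:05Z", "src_ip": "203.0.113.7", "service": "ssh", "action": "login", "username": "root", "success": True},
    {"ts": "2024-01-01T10:00:09Z", "src_ip": "203.0.113.7", "service": "ssh", "action": "command", "command": "uname -a"},
    {"ts": "2024-01-01T10:00:12Z", "src_ip": "203.0.113.7", "service": "ssh", "action": "command", "command": "id"},
    {"ts": "2024-01-01T10:05:00Z", "src_ip": "198.51.100.23", "service": "http", "action": "request", "path": "/phpmyadmin/"},
]

# Constructed reputation data standing in for VirusTotal / AbuseIPDB responses.
# 198.51.100.23 deliberately has no record: unknown is not the same as benign.
FAKE_REPUTATION = {
    "203.0.113.7": {"abuse_confidence": 95, "vt_malicious": 12},
}


@dataclass
class AttackerProfile:
    ip: str
    first_seen: str = ""
    last_seen: str = ""
    services: set = field(default_factory=set)
    login_attempts: int = 0
    successful_logins: int = 0
    usernames: set = field(default_factory=set)
    commands: list = field(default_factory=list)
    http_paths: list = field(default_factory=list)
    abuse_confidence: int = 0  # AbuseIPDB-style 0-100 score (assumed field)
    vt_malicious: int = 0      # VirusTotal-style "engines flagging" count (assumed field)


def enrich(ip, reputation=FAKE_REPUTATION):
    """Return (abuse_confidence, vt_malicious) for an IP; unknown IPs get zeros."""
    rec = reputation.get(ip, {})
    return rec.get("abuse_confidence", 0), rec.get("vt_malicious", 0)


def build_profiles(events, reputation=FAKE_REPUTATION):
    """Fold a stream of events into one AttackerProfile per source IP."""
    profiles = {}
    for ev in events:
        ip = ev["src_ip"]
        p = profiles.get(ip)
        if p is None:
            p = AttackerProfile(ip=ip, first_seen=ev["ts"])
            p.abuse_confidence, p.vt_malicious = enrich(ip, reputation)
            profiles[ip] = p
        p.last_seen = ev["ts"]
        p.services.add(ev["service"])
        if ev["action"] == "login":
            p.login_attempts += 1
            p.usernames.add(ev["username"])
            if ev["success"]:
                p.successful_logins += 1
        elif ev["action"] == "command":
            p.commands.append(ev["command"])
        elif ev["action"] == "request":
            p.http_paths.append(ev["path"])
    return profiles


def plan_response(p):
    """Decide what to hand to the SOAR for one profile.

    Every honeypot interaction is a true positive, so 'alert' is always emitted.
    The escalation thresholds below are assumptions for the example.
    """
    actions = ["alert"]
    severity = "medium"
    interactive = p.successful_logins > 0 or bool(p.commands)
    if interactive:
        severity = "high"
        actions.append("open_case")  # e.g. a DFIR-IRIS case via a playbook
    if interactive or p.abuse_confidence >= 80 or p.vt_malicious >= 5:
        actions.append("block_ip")   # e.g. push the IP to the perimeter via SOAR
    return {"ip": p.ip, "severity": severity, "actions": actions}


def run_pipeline(events, reputation=FAKE_REPUTATION):
    """Full pass: events -> profiles -> one response plan per attacker IP."""
    return {ip: plan_response(p) for ip, p in build_profiles(events, reputation).items()}


if __name__ == "__main__":
    for ip, plan in run_pipeline(SAMPLE_EVENTS).items():
        print(ip, plan["severity"], plan["actions"])
```

The point to notice is that the HTTP probe from the unlisted IP still produces an alert even though no reputation source knows it: on a honeypot, the interaction itself is the evidence, and enrichment only decides how hard to escalate.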
With over 60,000 events captured and 92 attackers profiled, the data confirms what I knew in theory: deception is not a luxury, it is a force multiplier. And the deployment cost, using your own infrastructure and open source components, is a fraction of commercial solutions.
If you want to dive deeper into this topic or need specialized consulting, let us talk.