Deception-Based Threat Detection Technology

The Attivo Deception and Response Platform provides continuous visibility and efficient threat management for user networks, data centers, cloud, branch, IoT, ICS-SCADA, and POS environments.


Attivo Networks® is the leader in deception technology for real-time detection, analysis, and accelerated response to advanced, credential, insider, and ransomware cyber-attacks. The Attivo ThreatDefend™ Deception and Response Platform accurately detects advanced in-network threats and provides scalable continuous threat management for user networks, data centers, cloud, IoT, ICS-SCADA, and POS environments. Attivo Camouflage dynamic deception techniques and decoys set high-interaction traps to efficiently lure attackers into revealing themselves.


Attivo ThreatDefend Deception Platform is a modular solution comprised of Attivo BOTsink® engagement servers, decoys, and deceptions, the ThreatStrike™ endpoint deception suite, ThreatPath™ for attack path visibility, ThreatOps™ incident response orchestration playbooks, and the Attivo Central Manager (ACM), which together create a comprehensive early detection and active defense against cyber threats.

Attivo deception provides immediate value by giving “eyes inside the network” visibility and accurate detection alerts based on decoy engagement or attempts to use deception credentials, most notably early in the attack cycle.

Camouflage dynamic deception sets high-interaction traps to misdirect and lure attackers into revealing themselves. The solution’s advanced attack analysis and lateral movement tracking automate investigation and deliver evidence-based alerts and in-depth forensic reports. Incident response is simplified with ThreatOps™ playbooks and third-party integrations for automated attack blocking, quarantine, and threat hunting.

The system consists of two pieces: the BOTsink, a deception platform, and the IRES (Information Relay and Entrapment System) deception lure. Simply put, the attacker performs certain actions that the system recognises as dodgy behaviour, and the attacker is directed to deception lures. The lures can be just about any operating system or application. They are heavily instrumented, and when that behaviour is recognised the attacker is driven to the BOTsink for detection and action.

The BOTsink is an appliance – it can be physical, virtual or cloud-based – and the deception lures are specifically configured virtual machines. Setting up the BOTsink is straightforward and we saw no difficulty getting it up and monitoring quickly. The range of deception lures is impressive, including lots of flavors of Linux, just about all recent versions of Windows, and SCADA platforms as well.

The tool watches for certain things, such as scans, lateral movement, attempts at disallowed configurations, etc. When it sees that activity it engages with the attacker. By that, Attivo means that it takes some action, such as closing a port. The tool then determines the command-and-control structure, masquerades as the C&C server, and collects the data the intruder intended for it.
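The detection logic described above and in the earlier paragraph on decoy engagement and deception credentials reduces to a simple rule: nobody legitimate should ever touch a decoy or use a planted credential, so any such event is a high-fidelity alert. The following is an added example of that logic, not Attivo's code; the log format, the decoy addresses, the planted user names and the scan threshold are all constructed here for illustration.

```python
"""Added example: a minimal decoy-engagement and deception-credential detector.

Everything below (log format, decoy inventory, planted credential names,
scan threshold) is constructed for illustration and is not from the
product described on the page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory: hosts that no legitimate workflow should contact.
DECOY_HOSTS = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}

# Constructed deception credentials planted on endpoints; any use is suspicious.
DECEPTION_USERS = {"svc_backup_old", "adm-finance"}

# Constructed sample log in a simple key=value format: one compromised host
# (10.0.1.15) probes several decoys and tries a planted credential, while a
# normal host (10.0.1.40) talks only to a real server with a real account.
SAMPLE_LOGS = """\
ts=1 type=conn src=10.0.1.15 dst=10.0.5.20 dport=445
ts=2 type=conn src=10.0.1.15 dst=10.0.5.20 dport=22
ts=3 type=conn src=10.0.1.15 dst=10.0.5.21 dport=3389
ts=4 type=auth src=10.0.1.15 dst=10.0.2.8 user=svc_backup_old result=fail
ts=5 type=conn src=10.0.1.40 dst=10.0.2.8 dport=443
ts=6 type=auth src=10.0.1.40 dst=10.0.2.8 user=alice result=ok
ts=7 type=conn src=10.0.1.15 dst=10.0.5.22 dport=80
"""


@dataclass(frozen=True)
class Alert:
    kind: str    # decoy_engagement | deception_credential_use | decoy_scan
    src: str     # the host that triggered the alert
    detail: str  # human-readable context for the analyst


LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; unknown keys are simply carried along."""
    return dict(LINE_RE.findall(line))


def detect(log_text: str,
           decoy_hosts=DECOY_HOSTS,
           deception_users=DECEPTION_USERS,
           scan_threshold: int = 3) -> list:
    """Return one Alert per decoy contact or planted-credential use, plus a
    decoy_scan alert for any source that touches >= scan_threshold distinct
    decoy (host, port) pairs."""
    alerts = []
    decoy_targets = defaultdict(set)  # src -> {(dst, dport), ...}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src = ev.get("src", "?")
        if ev.get("type") == "conn" and ev.get("dst") in decoy_hosts:
            target = (ev["dst"], ev.get("dport", "?"))
            alerts.append(Alert("decoy_engagement", src, "%s:%s" % target))
            decoy_targets[src].add(target)
        if ev.get("type") == "auth" and ev.get("user") in deception_users:
            alerts.append(Alert("deception_credential_use", src,
                                "user=%s on %s" % (ev["user"], ev.get("dst", "?"))))
    # Several distinct decoy endpoints from one source looks like a scan.
    for src, targets in decoy_targets.items():
        if len(targets) >= scan_threshold:
            alerts.append(Alert("decoy_scan", src,
                                "%d decoy endpoints touched" % len(targets)))
    return alerts


def summarize(alerts: list) -> dict:
    """Collapse alerts to one entry per source: {src: sorted alert kinds}."""
    per_src = defaultdict(set)
    for a in alerts:
        per_src[a.src].add(a.kind)
    return {src: sorted(kinds) for src, kinds in per_src.items()}


if __name__ == "__main__":
    for src, kinds in summarize(detect(SAMPLE_LOGS)).items():
        print(src, kinds)
```

Because the decoy inventory and the planted credentials are known in advance, there is no behavioural baseline to tune: the only false positives come from misconfigured legitimate systems, which is exactly the "attempts at disallowed configurations" case the text mentions and is worth an alert anyway.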

BOTsink also performs, with the help of VirusTotal, detailed malware analysis. All of this information is available on the dashboard. The process showing on the dashboard is based on Attivo’s special version of the kill chain.


