Decoy
A decoy is a fake asset deliberately deployed on a network to imitate a legitimate production resource: a server, a workstation, an exposed service, a file share, a web application, a database, or even an IoT device or OT controller. Its entire purpose is to be discovered, probed and exploited by an attacker who is already inside the environment. Because no legitimate user or business process has any reason to touch it, any interaction with a decoy is a signal with an extremely low false-positive rate. The decoy is one of the foundational building blocks of deceptive security: it turns the internal network into booby-trapped terrain, where every reconnaissance attempt or lateral move risks hitting a monitored asset.
How it works
A decoy is engineered to be believable. It presents a realistic surface: consistent open ports, plausible service banners, hostnames aligned with the internal naming convention, certificates, apparent accounts and fake but credible content. The goal is that an attacker in the reconnaissance phase cannot tell the decoy apart from a real asset through simple scanning or enumeration. Every connection, authentication, query or attempted exfiltration against the decoy is logged and raised as a high-fidelity alert.
Decoys are deployed at scale. Rather than a single isolated asset, defenders scatter dozens or hundreds of decoys across VLANs, DMZ segments, user networks and server zones. This density increases the probability that an attacker in motion touches a decoy before reaching a real target, and lets the defender map the intruder's trajectory through successive interactions.
- Reconnaissance: a network sweep or service enumeration eventually queries a decoy, triggering an alert as early as the discovery phase.
- Lateral movement: an attacker pivoting from host to host connects to a fake share, RDP endpoint or service and gives themselves away.
- Credential theft: fake accounts or secrets planted on the decoy, when reused elsewhere, reveal that the attacker tried to leverage them.
- Early detection: because no legitimate traffic targets a decoy, the signal is virtually free of false positives.
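The listener below is an added illustration of the mechanics described above; it is not Trapster's code and does not show how Trapster builds its decoys. It runs a single fake SSH service on a loopback port, serves a plausible banner, turns every connection into a structured high-fidelity alert without any threshold (no legitimate process has a reason to connect), and groups alerts by source so that a sequence of decoy hits becomes the intruder's trajectory. The banner string, the hostnames and the sample hits are constructed for the example.

```python
"""Minimal TCP decoy with high-fidelity alerting and trajectory mapping.

Added illustration, not Trapster code. Banner, hostnames and sample hits
are constructed for the example.
"""
import json
import socket
import threading
import time
from collections import defaultdict

# Constructed decoy profile: the listener presents itself as an SSH service
# on a host whose name follows the (hypothetical) internal convention.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"
DECOY_NAME = "fs-backup-02"


def make_alert(src_ip, src_port, dst_port, first_bytes, decoy=DECOY_NAME):
    """Build a structured alert. Every connection is reported: nothing
    legitimate should ever reach the decoy, so no scoring is needed."""
    return {
        "severity": "high",
        "decoy": decoy,
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        "ts": time.time(),
        # short printable preview of what the client sent, for triage
        "client_preview": first_bytes[:64].decode("ascii", "replace"),
    }


def handle_connection(conn, addr, dst_port, sink):
    """Serve the fake banner, capture what the client sends, emit one alert."""
    try:
        conn.settimeout(2.0)
        conn.sendall(DECOY_BANNER)
        try:
            data = conn.recv(256)
        except socket.timeout:
            data = b""  # a bare connect with no payload is still an alert
        sink(make_alert(addr[0], addr[1], dst_port, data))
    finally:
        conn.close()


def serve(bind_addr, port, sink, max_conns=None):
    """Accept connections on the decoy port (forever, or max_conns times).
    Returns (bound_port, thread); pass port 0 to get an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]

    def loop():
        served = 0
        while max_conns is None or served < max_conns:
            conn, addr = srv.accept()
            handle_connection(conn, addr, bound_port, sink)
            served += 1
        srv.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return bound_port, thread


def trajectory(alerts):
    """Group alerts by source and order them in time: the list of decoys a
    single source touched is that source's path through the network."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_src[a["src_ip"]].append(a["decoy"])
    return dict(by_src)


def simulate_probe(payload=b"SSH-2.0-scanner\r\n"):
    """Local self-check: start the decoy on loopback, connect once the way a
    scanner would, and return the banner seen and the alert raised."""
    alerts = []
    port, thread = serve("127.0.0.1", 0, alerts.append, max_conns=1)
    with socket.create_connection(("127.0.0.1", port)) as client:
        banner = client.recv(256)
        client.sendall(payload)
    thread.join(timeout=5)
    return banner, alerts


if __name__ == "__main__":
    _, raised = simulate_probe()
    print(json.dumps(raised, indent=2))
```

In a real deployment the sink would forward the alert to the SIEM and the same source would be correlated across many decoys of different types; the trajectory function shows the shape of that correlation on the alert records alone.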
Decoy and honeypot: a subtle distinction
The terms decoy and honeypot overlap heavily and are often used interchangeably. The nuance is one of emphasis. The word decoy refers first and foremost to the fake asset itself: the thing that mimics a real resource to attract an adversary. The term honeypot tends to emphasize the instrumented, monitored-trap aspect, that is, the system built to observe, record and analyze in detail the behavior of an attacker who has taken the bait.
In practice, a decoy becomes a honeypot once it is instrumented to capture activity. Conversely, every honeypot is a decoy from the attacker's point of view. Modern usage tends to speak of decoys when describing the large-scale deployment of fake assets spread across the network, and of honeypots when stressing the deep analysis of a single interaction. Both notions belong to the same discipline and complement each other: the decoy attracts, the honeypot observes.
Realism, scale and defensive role
A decoy's value depends entirely on its credibility. A fake asset that is too obvious, poorly integrated or detectable by anti-deception tooling will be ignored or bypassed. The quality of the realism, the consistency with the real environment and the strategic placement of decoys govern their effectiveness far more than their raw number.
Decoys work in concert with other deceptive security mechanisms. Breadcrumbs placed on real endpoints, such as saved credentials, history entries or configuration files, quietly steer the attacker toward the decoys. Together they sharply reduce the time it takes to detect an intrusion and give SOC teams direct visibility into the adversary's tactics, without relying on signatures or complex behavioral thresholds.
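The detector below is an added illustration of how breadcrumbs and decoys are tied together on the detection side; it is not Trapster's code. It assumes an inventory of planted usernames that exist nowhere as real accounts and were only ever written into breadcrumb material on real endpoints, each pointing at the decoy it was meant to lead to. Any authentication attempt with such a username is then an alert, and the detector distinguishes the expected case (the attacker followed the breadcrumb to the decoy) from the more alarming one (the harvested credential was tried against a non-decoy host). The usernames, hostnames and log lines are constructed; the log layout follows the common OpenSSH auth.log format.

```python
"""Detect use of planted breadcrumb credentials in authentication logs.

Added illustration, not Trapster code. Usernames, hostnames and log lines
are constructed; the line layout mirrors the usual OpenSSH auth.log form.
"""
import re

# Constructed breadcrumb inventory: planted username -> decoy it points at.
# None of these accounts exists for real, so any use of them is hostile.
PLANTED_ACCOUNTS = {
    "svc_backup_ro": "fs-backup-02",
    "oracle_admin": "db-reporting-01",
}

# Matches the three common sshd outcomes:
#   Accepted password for <user> from <ip> ...
#   Failed password for [invalid user ]<user> from <ip> ...
#   Invalid user <user> from <ip> ...
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed|Invalid user) (?:password for )?"
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log: one normal login, one attacker following a
# breadcrumb to its decoy, one reuse of a planted name against a real host,
# and one ordinary failed login by a real user.
SAMPLE_LOG = [
    "Mar 14 02:11:08 ws-fin-17 sshd[2210]: Accepted password for alice from 10.0.1.20 port 50123 ssh2",
    "Mar 14 02:13:41 fs-backup-02 sshd[818]: Failed password for invalid user svc_backup_ro from 10.0.5.7 port 51234 ssh2",
    "Mar 14 02:14:02 app-prod-03 sshd[4471]: Invalid user oracle_admin from 10.0.5.7 port 51240",
    "Mar 14 02:15:30 app-prod-03 sshd[4480]: Failed password for bob from 10.0.1.33 port 50311 ssh2",
]


def detect_breadcrumb_use(lines, planted=PLANTED_ACCOUNTS):
    """Return one alert per auth event that names a planted account.
    Real users (even failed logins) produce nothing: only the planted
    names carry signal, which keeps the false-positive rate near zero."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if user not in planted:
            continue
        host = m.group("host")
        on_decoy = host == planted[user]
        alerts.append({
            "ts": m.group("ts"),
            "src_ip": m.group("src"),
            "target_host": host,
            "user": user,
            "outcome": m.group("result"),
            "on_decoy": on_decoy,
            "verdict": ("breadcrumb followed to decoy" if on_decoy
                        else "planted credential reused against non-decoy host"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_breadcrumb_use(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth escalating first: a planted name showing up on a production host means the breadcrumb was harvested from a compromised endpoint and the attacker is testing it beyond the decoy it pointed to.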
With Trapster
Trapster deploys realistic decoys at scale across your VLANs and network segments, with no agent on production assets, and surfaces every interaction as a high-fidelity alert your SOC can act on immediately.