Customer story

How a transport company detected a Red Team thanks to Trapster

The challenge: simulate a modern adversary

In a world where cyber threats are becoming increasingly elusive, a global leader in transport and logistics turned to Trapster to test and strengthen its internal detection capabilities. Thanks to a carefully orchestrated Red Team exercise, the company validated the effectiveness of Trapster's deception technologies, detecting adversarial activities that had eluded traditional EDR solutions. Here is their story.

Setting up a deceptive architecture with Trapster

To balance the scales, the SOC team partnered with Trapster to deploy a detection architecture based on deception before the Red Team test. The implementation strategy focused on realism, diversity, and strategic placement.

Deployed assets:

  • 8 honeypot servers (Trapster VM)

    Each VM simulated critical services and contained realistic but fictitious data.

  • Breadcrumbs:

    Fake credentials and SSH key pairs were placed on real servers and production workstations, where an attacker attempting credential dumping or local enumeration would find them. Example: a .rdp file named Operations-Remote-Access.rdp was placed on a manager's desktop, pointing to a honeypot.

  • Honeytokens:

    Honeytokens were disseminated on user shares and folders. For example, a .docx file named onboarding.docx triggered an alert when opened.

All events were centralized on the Trapster dashboard, integrated with the company's SIEM via a webhook API. Each alert generated rich contextual metadata: host name, timestamp, file path, user session, and associated data.

The Red Team operation: evasion and detection

During the second week of the exercise, the Red Team compromised a Windows workstation via a phishing email. It then used an implant that went undetected to begin lateral movement.

The EDR agents remained silent.

The attackers used Living-Off-the-Land (LOTL) tools to bypass security controls and began exploring shares and folders.

Each of these actions triggered alerts in Trapster, allowing the SOC to reconstruct the timeline of the intrusion.

What distinguishes Trapster is the contextual correlation of multiple deception artifacts. When the attackers used a planted breadcrumb credential to connect to the honeypot VM, the SOC received a critical alert and was able to trace the attack chain back through the earlier breadcrumb and honeytoken alerts.
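The correlation described above, and the webhook alert fields listed earlier (host name, timestamp, file path, user session), as an added example that is not Trapster's own code: a small SIEM-side rule that groups deception alerts per origin workstation and escalates the incident to critical when a honeypot login reuses a breadcrumb that was read earlier on the same host. The alert field names and the sample alerts are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed alerts as they would arrive from the webhook, already JSON-decoded. The
# field names (type, ts, host, user, path, artifact, source_host) are an assumption
# for this example, not Trapster's real schema.
ALERTS = [
    {"type": "honeytoken_open", "ts": "2024-05-14T09:01:10Z", "host": "WS-OPS-17",
     "user": "j.martin", "path": r"\\fs01\HR\onboarding.docx"},
    {"type": "breadcrumb_read", "ts": "2024-05-14T09:04:32Z", "host": "WS-OPS-17",
     "user": "j.martin", "artifact": "bc-rdp-ops-01",
     "path": r"C:\Users\j.martin\Desktop\Operations-Remote-Access.rdp"},
    {"type": "honeypot_auth", "ts": "2024-05-14T09:07:45Z", "host": "TRAP-RDP-03",
     "user": "svc_ops_remote", "source_host": "WS-OPS-17", "artifact": "bc-rdp-ops-01"},
    {"type": "honeytoken_open", "ts": "2024-05-14T11:30:00Z", "host": "WS-FIN-02",
     "user": "a.dupont", "path": r"\\fs01\Finance\budget-draft.xlsx"},
]
BASE_SEVERITY = {"honeytoken_open": "medium", "breadcrumb_read": "medium", "honeypot_auth": "high"}
RANK = {"medium": 1, "high": 2, "critical": 3}

def _ts(alert):
    return datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ")

def origin_host(alert):
    """Workstation the activity came from; honeypot alerts carry it in source_host."""
    return alert.get("source_host", alert["host"])

def build_incidents(alerts, window=timedelta(hours=2)):
    """One incident per origin workstation. A honeypot login that reuses a breadcrumb
    artifact read earlier on that host (within `window`) is escalated to critical."""
    incidents = {}
    for alert in sorted(alerts, key=_ts):
        inc = incidents.setdefault(origin_host(alert),
                                   {"severity": "medium", "events": [], "chain": None})
        inc["events"].append(alert)
        inc["severity"] = max(inc["severity"], BASE_SEVERITY[alert["type"]], key=RANK.get)
        if alert["type"] != "honeypot_auth":
            continue
        for prior in inc["events"][:-1]:  # earlier alerts from the same workstation
            if (prior["type"] == "breadcrumb_read"
                    and prior.get("artifact") == alert.get("artifact")
                    and _ts(alert) - _ts(prior) <= window):
                inc["severity"] = "critical"
                inc["chain"] = {"breadcrumb": prior["path"], "honeypot": alert["host"],
                                "minutes_to_honeypot": int((_ts(alert) - _ts(prior)).total_seconds() // 60)}
                break
    return incidents

def timeline(incident):
    """Ordered, human-readable steps for the SOC ticket."""
    return [f'{a["ts"]} {a["type"]} on {a["host"]} by {a["user"]}' for a in incident["events"]]
```

With the sample alerts, `build_incidents(ALERTS)` yields a critical incident for WS-OPS-17 whose chain links the .rdp breadcrumb to the honeypot login three minutes later, while the isolated honeytoken open on WS-FIN-02 stays at medium.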

In a few minutes, the SOC was able to identify and isolate the compromised workstation, ending the simulation early thanks to detection.

Implementation strategy: realism and resilience

  • The honeypots imitated internal naming conventions, OS versions, and service banners to ensure authenticity.
  • The breadcrumbs were placed in locations that attackers frequently explore: AppData, Trash, .ssh folders, etc.
  • The honeytokens were contextual, with realistic file names originating from internal projects.
  • The integration with existing security tools ensured actionable alerts, enriched with AD context and correlated with system logs.

Results: proving value beyond EDR

The Red Team evaded network and endpoint detection. No EDR agent raised an alert during lateral movement, and the initial phishing attempt went unnoticed.

In contrast, Trapster's honeypots and breadcrumbs generated six unique alerts in 48 hours, all related to adversarial interactions. The SOC not only detected the intrusion but also traced the attack path, inferred the attackers' intent, and validated its incident response processes.

Key figures:

  • Detection time: 6 minutes after first connection to honeypot
  • Number of unique deceptive interactions: 11
  • EDR/AV detections: 0
  • SOC engagement: complete incident playbook executed and reviewed

Conclusion: Trapster, an active defense

This success illustrates a simple truth: traditional defenses are no longer sufficient. Advanced attackers know how to fly under the radar. With Trapster, defenders can reverse the trend and turn the attacker's curiosity into a point of detection.

For this transport leader, Trapster was not just a passive tool. It was a real trap that transformed a simulated compromise into a strategic victory: validation of investments, reduced dwell time, and actionable intelligence at the right time.

Trapster does not just wait for a compromise to be discovered. It forces attackers to reveal themselves.