Deception controls are defensive assets designed to look valuable to an attacker while staying isolated from real systems. They include honeypots (fake hosts or services), honey tokens (fake credentials, API keys, documents, or records), and decoy paths that legitimate users should never touch.
Their value is detection and telemetry. When an attacker scans a honeypot, uses a honey token, or opens a planted file, that interaction is high-signal because normal business activity should not reach it. This helps defenders spot reconnaissance, credential abuse, lateral movement, and automated exploitation faster than with many traditional alerts. In practice, deception controls are often paired with segmentation, identity monitoring, and automated containment so a trigger can revoke a session, isolate an endpoint, or block a network segment. Used well, deception does not just catch intruders; it reveals how they move.



