{"id":112607,"url":"https://github.com/tracebit-com/awesome-deception","name":"awesome-deception","description":"An awesome collection of articles, papers, conferences, guides, and tools relating to deception in cybersecurity.","projects_count":63,"last_synced_at":"2026-06-12T10:00:19.621Z","repository":{"id":332741940,"uuid":"1131605007","full_name":"tracebit-com/awesome-deception","owner":"tracebit-com","description":"An awesome collection of articles, papers, conferences, guides, and tools relating to deception in cybersecurity.","archived":false,"fork":false,"pushed_at":"2026-05-08T22:33:56.000Z","size":269,"stargazers_count":123,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-05-26T18:27:35.201Z","etag":null,"topics":["awesome","awesome-list","awesome-lists","cybersecurity","deception","deception-technology","honeypot","honeypots"],"latest_commit_sha":null,"homepage":"https://github.com/tracebit-com/awesome-deception","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tracebit-com.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-10T10:48:42.000Z","updated_at":"2026-05-25T01:08:35.000Z","dependencies_parsed_at":"2026-04-08T05:00:31.561Z","dependency_job_id":null,"html_url":"https://github.com/tracebit-com/awesome-deception","commit_stats":null,"previous_names":["tracebit-com/awesome-deception"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tracebit-com/awesome-deception","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Fawesome-deception","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Fawesome-deception/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Fawesome-deception/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Fawesome-deception/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tracebit-com","download_url":"https://codeload.github.com/tracebit-com/awesome-deception/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tracebit-com%2Fawesome-deception/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34238714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2026-01-23T14:17:14.704Z","updated_at":"2026-06-12T10:00:19.622Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Uncategorized","Frameworks","Communities","Articles","Conferences","Research","Guides","Talks","Podcasts","Footnotes"],"sub_categories":["Uncategorized","Code Repositories","Papers"],"readme":"# 🥷 Awesome Deception [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n\u003e Misleading attackers with honeypots, honeytokens, and decoys to detect, study, and disrupt intrusions. For a list of open source honeypots, see [awesome-honeypots](https://github.com/paralax/awesome-honeypots).\n\n## Contents\n\n- [Articles](#articles)\n- [Research](#research)\n- [Guides](#guides)\n- [Talks](#talks)\n- [Podcasts](#podcasts)\n- [Conferences](#conferences)\n- [Communities](#communities)\n- [Frameworks](#frameworks)\n\n## Articles\n\n- Explain Like I'm Five: [Poison Records](https://hackernoon.com/poison-records-acra-eli5-d78250ef94f) (2018) (Honeypots for Database Tables). (code) [Acra Poison Records](https://github.com/cossacklabs/acra-poison-records-demo).\n- Deception Engineering: exploring the use of [Windows Service Canaries](https://www.nccgroup.com/us/research-blog/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/) (2021) against ransomware. (code) [KilledProcessCanary](https://github.com/nccgroup/KilledProcessCanary).\n- Valve used [secret memory access “honeypot”](https://arstechnica.com/gaming/2023/02/valve-used-secret-memory-access-honeypot-to-detect-40k-dota-2-cheaters/) (2023) to detect 40K Dota 2 cheaters; see the [Hacker News discussion](https://news.ycombinator.com/item?id=34909218) on potential implementation techniques.\n- Introducing HASH: The HTTP Agnostic Software [Honeypot framework](https://securitylabs.datadoghq.com/articles/hash-honeypot-framework/) (2023) for creating HTTP low-interaction honeypots. (code) [HASH](https://github.com/DataDog/hash).\n- Cloud [Active Defense](https://www.helpnetsecurity.com/2024/04/02/cloud-active-defense-open-source-cloud-protection/) (2024): Open-source cloud protection. (code) [Cloud Active Defense](https://github.com/SAP/cloud-active-defense).\n- Thinkst’s It’s Baaack… [Credit Card Canarytokens](https://blog.thinkst.com/2024/12/its-baaack-credit-card-canarytokens-are-now-on-your-consoles.html) (2024) are now on your Consoles.\n- UK’s NCSC on [building a nation-scale evidence base](https://www.ncsc.gov.uk/blog-post/building-a-nation-scale-evidence-base-for-cyber-deception) (2024) outlines the UK’s goals for large-scale deception deployment.\n- [LLM Agent Honeypot](https://ai-honeypot.palisaderesearch.org/) (2024-2025) - A live experiment tracking AI-assisted attack activity in the wild.\n- Wiz’s [HoneyBee threat research](https://www.wiz.io/blog/honeybee-threat-research) (2025) covers their open-source honeypot deployment tooling for misconfiguration and exploitation detection.\n- GreyNoise on [deploying MCP honeypots](https://www.greynoise.io/blog/deploying-mcp-honeypots) (2025) shares results from observing MCP exploitation attempts.\n- [Building a Military Honeypot](https://www.psu.edu/news/engineering/story/building-honeypot-fake-cameras-networks-deceive-military-adversaries) (2025) - Penn State’s effort to build deceptive camera and network environments for military use.\n- [Deel/Rippling lawsuit](https://www.rippling.com/blog/lawsuit-alleges-12-billion-unicorn-deel-cultivated-spy-orchestrated-long-running-trade-secret-theft-corporate-espionage-against-competitor) (2025) - A public case where an insider was detected via a honeypot Slack channel.\n- Grafana’s [security update on a GitHub workflow issue](https://grafana.com/blog/2025/04/27/grafana-security-update-no-customer-impact-from-github-workflow-vulnerability/) (2025) includes notes on deploying thousands of canaries.\n- AWS on [improving active defense to empower customers](https://aws.amazon.com/blogs/security/how-aws-improves-active-defense-to-empower-customers/) (2025) covers its large-scale honeypot system.\n- Grafana’s [canary tokens “unsung heroes” write-up](https://grafana.com/blog/2025/08/25/canary-tokens-learn-all-about-the-unsung-heroes-of-security-at-grafana-labs/) (2025) shares ROI and lessons learned.\n- watchTowr Labs on [Canary Credentials in the wild](https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/) (2025) highlights credential leakage via online tooling.\n- UK’s NCSC on [cyber deception trials](https://www.ncsc.gov.uk/blog-post/cyber-deception-trials-what-weve-learned-so-far) (2025) shares early findings from UK-wide product trials.\n- SpecterOps on [mapping deception with BloodHound OpenGraph](https://specterops.io/blog/2025/12/23/mapping-deception-with-bloodhound-opengraph/) (2025) details how to model deception coverage in BloodHound.\n- Resecurity on [synthetic data for cyber deception and honeypots](https://www.resecurity.com/es/blog/article/synthetic-data-a-new-frontier-for-cyber-deception-and-honeypots) (2025) explores synthetic data to improve honeypot realism.\n- Forescout on [a hacktivist attack targeting OT/ICS](https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/) (2025) analyzes the incident, including honeypot use and defensive takeaways.\n- UpGuard on [preventing supply chain attacks with honeytokens](https://www.upguard.com/blog/prevent-supply-chain-attacks-with-honeytokens) (2025).\n- Ars Technica on [a Canadian election-list canary trap](https://arstechnica.com/tech-policy/2026/05/in-canada-a-canary-trap-springs-shut-and-ids-election-database-leak/) (2026) covers how salted entries identified the source of a voter database leak.\n- Wiz’s [Practical Package Security: The Unofficial Guide](https://www.wiz.io/blog/practical-package-security-the-unofficial-guide) (2026) highlights CI/CD honeytokens for high-signal detection, citing Grafana’s canary AWS key alert during a compromised GitHub Action incident.\n\n## Research\n\n### Papers\n\n- [Demystifying Deception Technology: A Survey](https://arxiv.org/abs/1804.06196) (2018) - Survey of deception taxonomies, deployment models, and evaluation gaps.\n- [Deception Techniques in Computer Security: A Research Perspective](https://dl.acm.org/doi/abs/10.1145/3214305) (2019) - Broad survey of deception methods and research directions.\n- [The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception](https://scholarspace.manoa.hawaii.edu/items/f05182cc-6460-410e-a750-e7c17f674be1) (2019) - HICSS study with 130+ red teamers, manipulating deception presence and awareness while tracking cognitive and physiological effects.\n- [When Announcing Deception Technology Can Change Attacker Decisions](https://scholarspace.manoa.hawaii.edu/server/api/core/bitstreams/6c188375-03f6-4d66-afee-296308c9f2c0/content) (2024) - Study on how disclosure of deception influences attacker behavior.\n- [Prospect Theoretic Hypothesis Testing-based Cyber Deception](https://ieeexplore.ieee.org/abstract/document/11206237) (2025) - Study on using prospect theory to shape deception during reconnaissance.\n- [Towards bio-inspired cyber-deception: a case study of SSH and Telnet honeypots](https://backend.orbit.dtu.dk/ws/portalfiles/portal/398564454/ADND_Workshop_2025_Towards_bio_inspired_cyber_deception.pdf) (2025) - Evaluates bio-inspired deception strategies in Cowrie SSH/Telnet honeypots.\n- [Koney: A Cyber Deception Orchestration Framework for Kubernetes](https://arxiv.org/pdf/2504.02431) (2025) - Orchestrates deception assets across Kubernetes clusters.\n- [Applying game theory to deception](https://arxiv.org/pdf/2505.21244) (2025) - Models attacker-defender dynamics using game-theoretic approaches.\n- [Database Deception using Large Language Models](https://faculty.nps.edu/ncrowe/WAITI_Data_based_deception_paper.pdf) (2025) - Applies LLMs to create deceptive database artifacts.\n- [A Descriptive Model for Modelling Attacker Decision-Making in Cyber-Deception](https://arxiv.org/abs/2512.03641) (2025) - Proposes a model of attacker engagement decisions under deception cues.\n- [Agentic AI for Cyber Resilience: A New Security Paradigm and Its System-Theoretic Foundations](https://arxiv.org/abs/2512.22883) (2025) - Argues for agentic resilience with cyber deception case studies.\n- [SoK: Honeypots \u0026 LLMs, More Than the Sum of Their Parts?](https://arxiv.org/abs/2510.25939) (2025) - Systematizes LLM-powered honeypot research and evaluation trends.\n- [HoneyTrap: Deceiving Large Language Model Attackers to Honeypot Traps with Resilient Multi-Agent Defense](https://arxiv.org/abs/2601.04034) (2026) - Proposes a deceptive LLM defense framework with multi-agent coordination, plus a progressive jailbreak dataset and new metrics for measuring misdirection and attacker cost.\n- [Measuring the Efficacy of Cyber Deception](https://www.techrxiv.org/doi/full/10.36227/techrxiv.176834017.70221537) (2026) - Examines how to measure cyber deception effectiveness by reviewing existing evaluation approaches and proposing new metrics and frameworks to assess deceptive tactics in modern, AI-augmented threat environments.\n- [Q-Cowrie: Reinforcement Learning for Adaptive Honeypot Deception](https://link.springer.com/article/10.1007/s10207-026-01221-5) (2026) - Presents “Q-Cowrie,” a reinforcement learning-enhanced Cowrie honeypot that models attacker decisions with an MDP and adapts responses during attacker interaction.\n- [Deception and Detection: Why Artificial Intelligence Empowers Cyber Defense over Offense](https://direct.mit.edu/isec/article/50/3/86/135683/Deception-and-Detection-Why-Artificial) (2026) - Argues that AI automation benefits cyber defense more than offense, widening an offense-defense automation gap as stakes increase.\n- [Detecting Offensive Cyber Agents: A Detection-in-Depth Approach](https://www.iaps.ai/research/detecting-offensive-cyber-agents) (2026) - Proposes detection-in-depth for offensive cyber agents, recommending agent honeypots to reveal autonomous attackers’ methods and urging existing honeypot operators to add agent-activity collection.\n\n### Code Repositories\n\n- [Evaluating Deception and Moving Target Defense with Network Attack Simulation](https://github.com/dfki-in-sec/NASIM-MTD)\n- [Honeyquest](https://github.com/dynatrace-oss/honeyquest)\n- [Knocking on Admin’s Door: Protecting Critical Web Applications with Deception](https://github.com/BillyPragSec/pageknocking)\n- [SCANTRAP: Protecting Content Management Systems from Vulnerability Scanners with Cyber Deception and Obfuscation](https://github.com/dfki-in-sec/SCANTRAP)\n\n## Guides\n\n- [Birding Guide - Detect attackers without breaking the bank](http://canary-content.s3-website-us-east-1.amazonaws.com/documents/birding-guide.pdf)\n- [Taxonomy and terminology](https://bluepillsecurity.com/blog/001_terms/) - Terminology and definitions for cyber deception.\n- [The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program](https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/mythosreadyv95.pdf) (2026) - CSA strategy briefing that flags deception as a priority in AI-driven vulnerability discovery and response programs.\n\n## Talks\n\n- [Deception \u0026 Operations Planning Frameworks](https://www.youtube.com/watch?v=yIutY_X2FcU) (2025) - ShmooCon talk on a physical deception operation.\n- [Applying Deception to the Attack Lifecycle](https://www.youtube.com/watch?v=vEHg9hRyJ9c) (2025) - Tim Pappa and Skylar Simmons (Walmart) on using deception across the attacker journey.\n- [Sweet Deception: Mastering AWS Honey Tokens to Detect and Outsmart Attackers](https://www.youtube.com/watch?v=R75ZTBnUwXk) (2025) - Nick Frichette.\n- [Continuous Integration / Continuous Deception: Trying my luck as a malicious maintainer](https://www.youtube.com/watch?v=ehmAy320R4A) (2025) - Benedikt Haußner.\n- [Turning The Tables: Using Cyber Deception To Hunt Phishers At Scale](https://www.youtube.com/watch?v=78qnM_ZzpNc) (2024) - BSides Exeter.\n- [Counter Deception: Defending Yourself in a World Full of Lies](https://www.youtube.com/watch?v=gHqDEMrqTjE) (2024) - DEF CON 32, Tom Cross and Greg Conti.\n- [Mirage: Cyber Deception Against Autonomous Cyber Attacks](https://www.youtube.com/watch?v=S0ioMe-g0vk) (2024) - Black Hat USA 2024, Ron Alford and Michael Kouremetis.\n\n## Podcasts\n\n- [EP281: Deceiving Adversaries at Scale with Kevin Conley](https://open.spotify.com/episode/2Ac5LRaC2fduw9B9S2A2WK) (2026) - Cloud Security Podcast by Google episode on lessons from scaling deception technology at Riot Games.\n\n## Conferences\n\n- [Active Defense \u0026 Deception (AD\u0026D)](https://adnd.work/) - Active conference, most recent event in 2026.\n- [Honeynet Workshops](https://www.honeynet.org/workshops/) - Active conference, most recent event in 2025.\n\n## Communities\n\n- [/r/cyber_deception](https://www.reddit.com/r/cyber_deception/) - Subreddit dedicated to cyber deception.\n- [The Honeynet Project](https://www.honeynet.org/) - Non-profit organization researching deception and honeynet technologies.\n\n## Frameworks\n\n- [MITRE Engage™](https://engage.mitre.org/) - Adversary engagement framework, with a [data repository](https://github.com/mitre/engage/tree/main).\n- [MITRE D3FEND™](https://d3fend.mitre.org/) - Defensive cybersecurity countermeasures knowledge graph, with [software repositories](https://github.com/d3fend).\n- [Deception-as-Detection](https://github.com/0x4D31/deception-as-detection) - Deception planning mapped against the MITRE ATT\u0026CK matrix.\n\n## Footnotes\n\nThis repository started as a fork of [emilyanncr/awesome-deception](https://github.com/emilyanncr/awesome-deception), which itself was forked from [tolgadevsec/Awesome-Deception](https://github.com/tolgadevsec/Awesome-Deception); it aims to be a more regularly updated awesome deception list.\n","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/tracebit-com%2Fawesome-deception/projects"}