Deception Taxonomy: A Common Language
It recently came to our attention that in discussions, even with well-informed individuals, we struggled to communicate effectively for lack of basic vocabulary: a common language that ensures we are on the same page when asking questions or discussing a topic. This is by no means the fault of the reader; it is more the fault of the larger industry as a whole, and our own, for assuming a common language for deception taxonomy already exists.
This is an observation we've held for a while and our motivation for previous articles. The NCSC recently noted the same in their cyber deception trials:
- "Language is a barrier"
- "Vocabulary across the industry is often inconsistent"
We try to leave out the jargon introduced by marketing-led campaigns and keep things simple and effective. For each term we opt for language that drives the right mental model, because we understand how much terminology shapes the way we think.
Formula
The formula from Deception Fundamentals:
Deception Assets + Communication Channels = Desired Effect
Deception Asset - What you deploy
Communication Channel - How adversaries find it
Desired Effect - Why you bothered in the first place
Desired effects:
- Detection - Not just "attacker present" but where they are and what they want
- Deterrence - Make attackers question every discovery
- Distraction - Draw attention from crown jewels
- Delay - Force methodical validation that extends dwell time
- Perception Management - Fundamentally alter how attackers view your environment
Meta Language
These terms exist to create precision when discussing deception operations, and more importantly to enable effective filtering, correlation, and pattern detection across deployments.
Asset - A unique identifier representing what is being protected, existing purely to answer "what was compromised" (not to be confused with a deception asset)
Asset Type - The system category of the asset, existing to enable filtering across similar systems and pattern detection across interactions (examples: endpoint/cicd/container/secret/repository)
Channel - The distribution method, how deception assets are advertised and deployed into an environment (examples: Microsoft Intune/GitHub Action/CrowdStrike RTR)
Metadata - Tracking information attached to a deception asset that provides context when triggered or accessed
The following two terms describe qualities rather than objects, and they determine whether deception succeeds or fails against skilled adversaries:
Environmental Authenticity - Deception that matches your organization's real naming conventions, configurations, and behaviors
Congruence - The principle that communication channels and asset characteristics must align with attacker expectations for deception to succeed
Deception Assets
Deception Asset - A generic term for any deception resource
Honey Token - A deception asset in credential form, real credentials that authenticate to monitored infrastructure serving no legitimate business purpose
Tripwire - A deception asset in resource form, decoy resources deployed in environments with no legitimate business purpose where any access is inherently suspicious
Breadcrumb - A deception asset designed to lead adversaries toward other deception assets
Persistent Token - A deception asset that lives until explicitly revoked, typically deployed to long-lived channels where credentials remain static
Ephemeral Token - A deception asset that auto-expires after a defined period, typically deployed to dynamic infrastructure where short-lived access is expected
Alert Lifecycle
Interaction - Any engagement with a deception asset, whether validation, access, or enumeration
Event - A single interaction representing one validation attempt, one access, or one enumeration result
Session - A single source of identity access, the unique identifier for that principal
Incident - Events correlated from a single point of actionable intelligence, where for tokens correlation is by source IP and for tripwires correlation is by session
Precision and Attribution
Precision determines where the token is deployed. One token per location is ideal because one token across many locations dilutes the signal and makes it harder to identify the source.
Attribution determines who could have had access to the asset, and therefore who could have discovered the deception asset advertised through the channel. When a token triggers, you work backwards: this token was deployed to this asset, these people had access to that asset, therefore these people could have discovered and used the credential.
- Broad - One token across many assets means many people could have discovered it, resulting in weak attribution (e.g., company-wide documentation)
- Narrow - One token per system or team means a smaller group could have discovered it, resulting in stronger attribution (e.g., team repository)
- Exact - One token per asset means a single user or small group could have discovered it, resulting in full attribution (e.g., individual workstation)
Worked Examples
Example 1: CI/CD Pipeline Protection
Setup:
- Asset: GitHub Actions workflow
- Asset Type: cicd
- Honey Token: AWS Access Key
- Channel: github-actions
- Breadcrumb: Environment variable export
- Precision: Narrow (one token per workflow)
- Attribution: Whoever had access to that workflow, its logs, or its environment variables
Attack Path:
An adversary compromises the GitHub Actions workflow, enumerates environment variables, and discovers the AWS access key.
Detection:
When the adversary validates the AWS key, the alert fires. The incident correlates events by source IP, identifying credential theft from cicd infrastructure.
Example 2: Endpoint Lateral Movement Detection
Setup:
- Asset: Workstation (acme/john.doe)
- Asset Type: endpoint
- Honey Token: SSH Private Key
- Channel: Microsoft Intune (deploys the key and SSH configuration to managed endpoints)
- Breadcrumb: Entries in ~/.ssh/config and ~/.ssh/known_hosts
- Precision: Exact (one token per endpoint)
- Attribution: That user or anyone with access to their workstation
Attack Path:
An adversary lands on the endpoint through initial access, enumerates SSH configuration files, and discovers the private key.
Detection:
When the adversary attempts to authenticate with the discovered key, the alert fires. The incident correlates events by source IP, identifying lateral movement from endpoint infrastructure.
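To make the Alert Lifecycle and Precision and Attribution rules concrete for both worked examples, here is an added Python example (not code from the original post) that groups constructed sample events into incidents by the post's correlation rule, honey tokens by source IP and tripwires by session, and then works attribution backwards from token to asset to the principals who could have reached it. The deployment records, token ids, addresses and helper names are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One interaction with a deception asset: a validation, an access or an enumeration."""
    token_id: str   # which deception asset fired
    kind: str       # "token" (honey token, credential form) or "tripwire" (resource form)
    source_ip: str  # where the interaction came from
    session: str    # the identity principal behind the interaction ("-" when none is known)
    action: str     # "validation", "access" or "enumeration"

# Constructed deployment metadata (hypothetical ids): token -> what it protects and who could reach it.
DEPLOYMENTS = {
    "aws-key-ci-01": {"asset": "repo/build.yml", "asset_type": "cicd", "channel": "github-actions",
                      "precision": "narrow", "access": {"ci-maintainers"}},
    "ssh-key-jdoe": {"asset": "acme/john.doe", "asset_type": "endpoint", "channel": "Microsoft Intune",
                     "precision": "exact", "access": {"john.doe"}},
    "decoy-share": {"asset": "fs01/finance-archive", "asset_type": "fileshare", "channel": "GPO",
                    "precision": "broad", "access": {"all-staff"}},
}

def correlation_key(ev):
    """The post's rule: honey token events correlate by source IP, tripwire events by session."""
    return ("ip", ev.source_ip) if ev.kind == "token" else ("session", ev.session)

def build_incidents(events):
    """Group events into incidents, one per correlation key, preserving arrival order."""
    incidents = defaultdict(list)
    for ev in events:
        incidents[correlation_key(ev)].append(ev)
    return dict(incidents)

def attribute(incident):
    """Work backwards: token -> asset it was deployed to -> principals who had access to that asset."""
    deps = [DEPLOYMENTS[ev.token_id] for ev in incident]
    return {
        "assets": sorted({d["asset"] for d in deps}),
        "candidates": sorted(set().union(*(d["access"] for d in deps))),
        "precision": sorted({d["precision"] for d in deps}),
    }

# Constructed sample events mirroring the two worked examples above (documentation / private ranges).
SAMPLE_EVENTS = [
    Event("aws-key-ci-01", "token", "203.0.113.7", "-", "enumeration"),
    Event("aws-key-ci-01", "token", "203.0.113.7", "-", "validation"),
    Event("ssh-key-jdoe", "token", "10.0.5.23", "-", "validation"),
    Event("decoy-share", "tripwire", "10.0.5.23", "acme\\svc-backup", "access"),
    Event("decoy-share", "tripwire", "10.0.5.23", "acme\\svc-backup", "enumeration"),
]
```

Note that the SSH key validation and the tripwire access from the same host land in separate incidents, because the post correlates the two asset kinds on different keys; joining them across kinds is a second-stage step the taxonomy leaves to the analyst.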
Afterthoughts
Taxonomy exists to remove ambiguity. When we say honey token, we mean credentials. When we say tripwire, we mean resources. When we say incident, we mean correlated events ready for investigation. This shared vocabulary enables precise communication about deception operations, whether discussing deployment strategy, analyzing alerts, or coordinating response. The terms are deliberate and the distinctions matter, putting us on the same page and bypassing the jargon this industry is known for.