
DeceptIQ: High-Fidelity Detection at Cloud Scale

November 10, 2025 · 5 min read · Product Insights

As former red teamers, we've compromised organizations with million-dollar security budgets running best-of-breed solutions. When we red teamed these organizations, we didn't restrict ourselves to exploiting technology - we exploited people and their processes. Detecting the playbooks we were running, and likewise the playbooks too many adversaries successfully use, requires time and maturity to extract signal from noise. Defenders couldn't distinguish attack from normal behavior without investing significant security engineering hours that become outdated as technology changes.

Once in a blue moon, we encountered environments with deception technology deployed across their infrastructure. The tables flipped. Blue teams caught us immediately. Deception technology uniquely detects adversaries by exploiting their behavior - digital assets with no legitimate use that trigger immediate, high-fidelity alerts when interacted with. Tripwires you can deploy across your environment without introducing additional risk.

Most organizations struggle to extract these benefits. Existing deception solutions don't provide the primitives, token catalog, automation, and tooling needed for deployment at scale. They require dedicated security engineers to own and maintain - made harder by architectural limitations and API rate limits - ultimately preventing widespread adoption. Consequently, high-fidelity detection has remained reserved for the most mature security teams with resources and expertise to deploy the technology correctly. From firsthand experience as a red teamer, this is all too rare.

For organizations already running deception technology - did it actually catch your last red team engagement?

Building DeceptIQ

We looked at enterprises who successfully deployed deception technology - what they did, what worked, what they wanted. Coupled with our experience as adversaries, we took the tried and tested concept and rebuilt it from first principles. We spent eight months researching how to fingerprint our own tokens, then doing it again and again. Each token type went through our "smell test" - tested against red team colleagues we've both worked with and competed against.

Our success metric: would we catch ourselves on a red team engagement? With today's launch, we believe we can.

We built DeceptIQ to be what we wish every organization we compromised had in place.

What We Built

Deception technology eliminates false positives. There's no legitimate use case for these credentials - any alert is definitive proof of unauthorized access.

Token Catalog and Primitives

The Problem: Existing solutions offer limited token types. You can't match the diversity of credentials across modern infrastructure.

Why It Matters: Adversaries target what they find - cloud credentials, SSH keys, database passwords, API tokens. If you can't deploy tokens that match your environment, you can't catch them.

How We Solve It: We offer 15 token types spanning persistent and ephemeral categories. Persistent tokens like AWS access keys work for static deployments in repositories and configuration files. Ephemeral tokens like AWS session tokens auto-expire for dynamic workloads in containers and CI/CD pipelines. All tokens are customizable with parameters like usernames, subdomains, and hostnames. Tokens deploy across hundreds of provider configurations spanning thousands of AWS accounts in separate organizations, making them impossible to fingerprint.

Scale

The Problem: Existing solutions hit API limits and can't scale beyond thousands of tokens. Shared infrastructure creates bottlenecks.

Why It Matters: Modern infrastructure is ephemeral. Kubernetes pods, Lambda functions, CI/CD pipelines spin up and down constantly. You need millions of tokens generated daily to maintain coverage.

How We Solve It: Infrastructure provisioning automation deploys each token provider to an isolated AWS account. The backend identifies the optimal provider for each request. The platform can scale to over 25 million tokens per day, and scaling up is easy - we can deploy custom providers on demand within minutes. For example, we support up to 10 million long-lived AWS access keys per day.

Automation and Tooling

The Problem: Manual token deployment doesn't scale. Tracking thousands of tokens across infrastructure requires dedicated engineering effort.

Why It Matters: Without automation, you can't maintain coverage as infrastructure grows. You need programmatic issuance and lifecycle management.

How We Solve It: The platform is API-first for programmatic token issuance. Channels automate deployment through MDM platforms, Kubernetes operators, and CI/CD pipelines. Rich metadata tracking and namespaces enable organization by team, environment, or purpose. Every alert includes full context - timestamp, source IP, asset details, and metadata. Events correlate automatically into incidents for streamlined investigation.
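The token lifecycle and alert handling sketched in the last two sections (persistent versus ephemeral tokens, metadata and namespaces, alerts carrying full context, events correlated into incidents) can be made concrete in a few dozen lines. The following is an added example written for this article, not DeceptIQ's own code or API: the `TokenRegistry`, `build_alerts` and `correlate` names, the `HT-` identifier prefix, the namespace strings, IP addresses and timestamps are all constructed for illustration. A real provider would mint a credential in the native format of the target service; here the token value is an opaque placeholder.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Token:
    token_id: str
    kind: str                       # label only, e.g. "aws_access_key", "ssh_key"
    namespace: str                  # team/environment/purpose, e.g. "payments/prod/ci"
    metadata: dict                  # asset details attached at issuance
    issued_at: datetime
    expires_at: Optional[datetime]  # None for persistent tokens


@dataclass
class Alert:
    token: Token          # full issuance context travels with the alert
    ts: datetime
    source_ip: str
    expired: bool         # ephemeral token used after its TTL


@dataclass
class Incident:
    namespace: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)


class TokenRegistry:
    """Hypothetical issuer: hands out tokens and keeps the metadata an alert later needs."""

    def __init__(self) -> None:
        self._tokens: dict[str, Token] = {}

    def issue(self, kind: str, namespace: str, metadata: dict,
              ttl: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> Token:
        now = now or datetime.now(UTC)
        # Constructed opaque id; a real provider mints a service-native credential instead.
        token_id = "HT-" + secrets.token_hex(8)
        token = Token(token_id, kind, namespace, dict(metadata), now,
                      now + ttl if ttl else None)
        self._tokens[token_id] = token
        return token

    def lookup(self, token_id: str) -> Optional[Token]:
        return self._tokens.get(token_id)


def build_alerts(registry: TokenRegistry, events: list[dict]) -> list[Alert]:
    """Raw use events -> alerts. Ids we never issued are not ours and are dropped;
    use of an expired ephemeral token is still an alert, flagged for the responder."""
    alerts = []
    for ev in events:
        token = registry.lookup(ev["token_id"])
        if token is None:
            continue
        expired = token.expires_at is not None and ev["ts"] > token.expires_at
        alerts.append(Alert(token, ev["ts"], ev["source_ip"], expired))
    return alerts


def correlate(alerts: list[Alert], window: timedelta = timedelta(minutes=30)) -> list[Incident]:
    """Group alerts per namespace; a gap longer than `window` since the last alert opens a new incident."""
    incidents: list[Incident] = []
    open_by_ns: dict[str, Incident] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        ns = a.token.namespace
        cur = open_by_ns.get(ns)
        if cur is None or a.ts - cur.last_seen > window:
            cur = Incident(ns, a.ts, a.ts)
            incidents.append(cur)
            open_by_ns[ns] = cur
        cur.alerts.append(a)
        cur.last_seen = a.ts
    return incidents


def demo() -> list[Incident]:
    """Constructed scenario: one persistent and one ephemeral token in the same namespace."""
    reg = TokenRegistry()
    t0 = datetime(2025, 11, 10, 9, 0, tzinfo=UTC)
    persistent = reg.issue("aws_access_key", "payments/prod/ci",
                           {"path": "repo/.env", "host": "build-01"}, now=t0)
    ephemeral = reg.issue("aws_session_token", "payments/prod/ci",
                          {"pod": "worker-7f3"}, ttl=timedelta(hours=1), now=t0)
    events = [  # constructed use events, as a provider would report them
        {"token_id": persistent.token_id, "ts": t0 + timedelta(minutes=10), "source_ip": "198.51.100.7"},
        {"token_id": ephemeral.token_id,  "ts": t0 + timedelta(minutes=15), "source_ip": "198.51.100.7"},
        {"token_id": "HT-not-ours",       "ts": t0 + timedelta(minutes=16), "source_ip": "203.0.113.9"},
        {"token_id": ephemeral.token_id,  "ts": t0 + timedelta(hours=3),    "source_ip": "203.0.113.9"},
    ]
    return correlate(build_alerts(reg, events))


if __name__ == "__main__":
    for inc in demo():
        print(inc.namespace, inc.first_seen.isoformat(), len(inc.alerts),
              [a.source_ip for a in inc.alerts], [a.expired for a in inc.alerts])
```

Two design points carry over to any real deployment: the alert object embeds the token's issuance metadata rather than just its id, so the responder sees where the token was planted without a second lookup, and an expired ephemeral token is still treated as a hit, because the leak happened regardless of whether the provider would honor the credential.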

Today

DeceptIQ launches today. Cloud-first, cloud-scale deception technology built by red teamers to catch adversaries. The platform we wish every organization we compromised had in place.

