
Attivo BOTsink Deception Solutions

Deception for Real-Time Inside The Network Threat Detection

Whether an attacker is scanning the network through open ports on endpoints to find hosts to engage and services or applications to compromise, or is looking to exfiltrate employee credentials or data, Attivo provides a high-efficacy attack detection solution that lures and engages these attackers.

How Inside the Network Threat Detection Works




Attivo’s patented detection technology uses deception to lure attackers into revealing themselves as soon as they begin to attack your network. With the Attivo Deception Platform, you are alerted in real time if your user network, data center, cloud, ICS-SCADA, or IoT network is infected. The Attivo BOTsink Solution is based on high-interaction deception technology that creates a distributed decoy system to lure in attackers’ bots and APT tooling. It works with the Attivo End-Point Deception Suite to make the entire network a trap for detecting attackers.





Once an attacker is engaged, the threat is analyzed to identify the attack type, the attacker’s activities, and which device is infected. A substantiated alert is then raised and the attack information is provided so the attacker can be automatically blocked and quarantined.

To better understand the attacker’s intent and to analyze polymorphic and time-triggered attacks, a port can also be opened so the decoy connects to the attacker’s command and control (C&C) and collects additional information. Because this gives an attacker-controlled host a live outbound channel, that egress should be confined to the isolated decoy network and never shared with production segments.


BOTsink Deception and Decoy

The Attivo BOTsink Solution stands guard inside your network, using high-interaction deception and decoy technology to lure attackers into engaging and revealing themselves. By misdirecting the attacker, organizations gain the time needed to detect, analyze, and stop the intrusion.

  • Real Windows and Linux operating systems and services appear as authentic production assets and create attractive targets for attackers
  • Detection occurs across all attack phases including reconnaissance and lateral movement
  • Solution is frictionless to install and highly scalable
  • Available for user networks, data centers, AWS and OpenStack Clouds, ICS-SCADA, and IoT environments

Attack Analysis and Forensics

The BOTsink multi-dimensional correlation engine (MDCE) analyzes attacker activities and provides the actionable intelligence needed to quickly and effectively shut down inside-the-network threats. The MDCE records system and kernel changes, process creation, process injection, registry activity, and network activity on the decoy to accelerate identification and forensic analysis. Attack analysis includes:

  • Addresses of infected machines
  • Username and password combinations
  • Attempts to export data, any dropped payloads (including their location), and the type of attack
  • Full reporting available in the threat intelligence dashboard and in IOC, STIX, CSV, and PCAP formats
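As an added illustration of the engagement-to-alert flow described above and the analysis outputs listed in this section (example code, not Attivo’s own): a decoy serves no legitimate users, so triage reduces to whitelisting authorised scanners and classifying every other interaction by what the source did. The whitelist range, bait credentials, host names, and sample events are constructed assumptions, and the CSV and STIX 2.1 indicator functions only sketch the export formats named above.

```python
"""Triage of decoy interactions into substantiated alerts.
Added example, not Attivo code. A decoy has no legitimate users, so any
interaction from a non-whitelisted host is an alert; the category depends on
what the attacker did. Whitelist and bait credentials are assumed values."""
import csv
import io
import ipaddress
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumed whitelist: hosts allowed to touch decoys, e.g. a vulnerability scanner subnet.
WHITELIST = [ipaddress.ip_network("10.0.9.0/24")]

# Assumed bait credentials planted on endpoints, keyed to the host they were
# planted on. Replay against a decoy means that host's credentials were harvested.
BAIT_CREDENTIALS = {
    ("svc_backup", "Backup2016!"): "WS-FINANCE-07",
    ("admin", "Welcome123"): "WS-HR-12",
}

@dataclass
class DecoyEvent:
    """One captured interaction with a decoy service (constructed sample data)."""
    src_ip: str
    decoy_ip: str
    service: str
    timestamp: str
    username: Optional[str] = None
    password: Optional[str] = None

@dataclass
class Alert:
    event: DecoyEvent
    category: str
    severity: str
    detail: str

def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)

def triage(ev: DecoyEvent) -> Optional[Alert]:
    """Turn one decoy interaction into an alert; None only for whitelisted sources."""
    if is_whitelisted(ev.src_ip):
        return None
    if ev.username is None:
        # Connection or banner grab without authentication: reconnaissance.
        return Alert(ev, "reconnaissance", "medium",
                     "unauthenticated connection to decoy service")
    planted_on = BAIT_CREDENTIALS.get((ev.username, ev.password))
    if planted_on is not None:
        # Bait credential replayed: names the endpoint it was stolen from.
        return Alert(ev, "stolen-credential", "critical",
                     f"bait credential {ev.username!r} planted on {planted_on} "
                     "was used against a decoy")
    return Alert(ev, "credential-attack", "high",
                 f"login attempt as {ev.username!r} against decoy")

def to_csv(alerts: List[Alert]) -> str:
    """CSV export, header row first, one row per alert."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "src_ip", "decoy_ip", "service",
                     "category", "severity", "detail"])
    for a in alerts:
        e = a.event
        writer.writerow([e.timestamp, e.src_ip, e.decoy_ip, e.service,
                         a.category, a.severity, a.detail])
    return buf.getvalue()

def to_stix_indicator(alert: Alert) -> dict:
    """Minimal STIX 2.1 Indicator whose pattern matches the attacking address."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    ip = ipaddress.ip_address(alert.event.src_ip)
    obj_type = "ipv4-addr" if ip.version == 4 else "ipv6-addr"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": f"Decoy interaction: {alert.category}",
            "description": alert.detail, "indicator_types": ["malicious-activity"],
            "pattern": f"[{obj_type}:value = '{ip}']", "pattern_type": "stix",
            "valid_from": now}

# Constructed sample events: a scanner probe, an unauthenticated RDP touch,
# and a bait-credential replay over SSH from the same internal host.
SAMPLE_EVENTS = [
    DecoyEvent("10.0.9.20", "10.0.5.40", "smb", "2016-05-19T13:56:06Z"),
    DecoyEvent("10.0.3.17", "10.0.5.40", "rdp", "2016-05-19T13:57:10Z"),
    DecoyEvent("10.0.3.17", "10.0.5.41", "ssh", "2016-05-19T13:58:02Z",
               "svc_backup", "Backup2016!"),
]

def run(events: List[DecoyEvent]) -> List[Alert]:
    """Triage a batch of events, dropping whitelisted ones."""
    return [a for a in map(triage, events) if a is not None]
```

Running `run(SAMPLE_EVENTS)` drops the scanner probe and yields two alerts from 10.0.3.17: a medium reconnaissance alert for the RDP touch and a critical stolen-credential alert that names WS-FINANCE-07 as the host whose planted credential was harvested. That second alert is what makes the result actionable: the decoy reveals not only the attacker's current position but the endpoint they already compromised.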

Identify and Understand the Methods and Intent of Hackers

The BOTsink Analyze, Monitor and Record (AMR) Engine provides detailed attack information on the different varieties of intrusions, including their tactics, techniques, and procedures (TTPs). The administrator can monitor these intrusions and use the information gathered to harden the production network.

  • Lateral movement, file drop, registry changes, and activity analysis 
  • Communications with Command and Control to understand tools, methods, and techniques
  • VirusTotal integration and reporting
  • Signatures gathered can be applied manually or automatically to block attackers

Centralized Management and Threat Intelligence Dashboard

Attivo provides a centralized threat intelligence dashboard with every BOTsink Solution. The Attivo Central Manager (ACM) is available for organizations seeking to centrally manage multiple locations or environments and to aggregate threat reporting. The ACM includes:

  • Central management console for network, data center, cloud, ICS-SCADA, and IoT BOTsink environments
  • Connects all versions of BOTsink devices: Appliance, VMware, AWS, OpenStack
  • Central point for configuration, management and upgrades
  • Consolidation of all logs and alerts

Common Use Cases

  • Detection of zero-day, signatureless targeted attacks and web service exploits
  • Detection of stolen employee credentials
  • Ransomware detection
  • Insider threat detection
  • Phishing risk analysis
  • VLAN visibility and monitoring


Product Offerings and Deployment Models

Product Offerings

The Attivo BOTsink solutions include: 

  • BOTsink Decoys: Appliances, virtual appliances, and cloud form factors
  • BOTsink Central Manager (ACM): Manages and centralizes threat intelligence and configurations of geographically distributed physical, virtual, and cloud deployments

Simple and Scalable Deployment

The Attivo BOTsink Solution comes pre-configured, with the ability to host multiple VMs and servers. In five steps you can be up and running, with the peace of mind that you have the coverage you need to protect your network from attacks targeting your high-value assets.

  • Setup Management and Configuration
  • Setup User Configuration
  • Whitelist Configuration
  • Subnet Configuration
  • Decoy Server Configuration


Operating systems, services, and applications can be fully customized by organizations seeking to increase decoy authenticity by matching their own IT environment.

[Screenshot of the BOTsink configuration, May 19, 2016]

BOTsink Benefits

Attivo deception and decoy solutions are an effective, efficient, and scalable way to catch inside-the-network threats that have bypassed prevention systems.

  • Real-time luring, detection, and identification of cyber attacks provides an additional layer of security protection for networks and data centers
  • Reduces the risk of delayed breach detection, including for signature-less attacks, BYOD devices, and medical devices
  • Identifies targeted attacks on BYOD devices that aim to steal credentials and reach company data
  • Slows down attackers and provides valuable time for security staff to block and quarantine threats
  • Provides authentic, believable deception built on real operating systems and services that can be customized to a customer’s environment
  • Isolates phishing emails and reveals the attacker’s intent, thwarting attempts to exfiltrate business data and sensitive information through phishing campaigns
  • Seamless and non-disruptive installation alongside current security infrastructure
  • Scalable, non-inline architecture does not require compute-intensive packet inspection or data analysis
  • Low false-positive design: decoys serve no legitimate users, so any interaction with them is suspicious, and security staff can focus on real threats instead of chasing false positives
  • Import infected VMs to learn the adversary’s attack methods and better prepare to defend against future attacks

Attivo is the leader in deception for inside-the-network threat detection and analysis, with comprehensive solutions for user networks, data centers, cloud infrastructure, SCADA, and IoT environments.