SC 2020 Awards
Info Security Products Guide 2020 Gold
Astors award platinum 2019


In-network threat detection can occur at the endpoint or within the network. Network-based deception addresses the attack tactics that start at the network level where attackers seek to enumerate the environment to find usernames and info on groups, shares, and services on networked computers or to harvest credentials by attempting a Man-in-the-Middle attack. This detection method is universally recognized for its ability to deliver high fidelity alerts because they are based on actual attacker engagement.

To reduce the risk of a successful attack, network-based deception is used to derail attempts at reconnaissance early in the attack cycle. Human or automated attackers will see devices that appear as production systems, where they are, in fact, decoys designed to mimic them. Deception devices that run full-OS decoys create the highest levels of authenticity. Emulated systems can also be effective for certain use cases and environments. Today’s cyber deception platforms have removed the operational issues associated with early-day honeypots and now use machine-learning to learn the environment automatically. This acquired information is then used to automate deployment and make ongoing operations to maintain authenticity extremely simple, no longer needing highly skilled experts to operate. High-interaction cyber deception platforms also provide the means to gather adversary intelligence safely for faster triage and remediation.

The Network Threat Detection Challenge

Reduce Dwell Time

Zero Day Threats

Unknown threats, mistakes, and misconfigurations can allow attackers to bypass prevention solutions.

Cloud Threats

Shared security, containers, and serverless environments create unique detection challenges.


IoT / ICS Threats

Not all endpoints can run AV or produce logs for analysis ie: ICS, IoT, network infrastructure.

Median time to Detection

Increasing Dwell Times

73 Days to find an in-network attacker. Deception can reduce dwell times by 91%.


Early and Accurate Detection of Network Attack Activity to Minimize Organizational Risk


Detect reconnaissance from human and automated attacker.


Reduce false positives. Receive only high-fidelity alerts.

Derailing Attacks

Create virtual landmines to efficiently derail attacks.

Detection Coverage

Detection coverage for on-premises, cloud, and specialized environments.


Machine-learning for automated operations.

Threat Intelligence

Safely gather adversary intelligence including TTP’s and IOCs.

Learn Attacker Intent

Decoy documents serve as bait and to reveal attacker targets.

Incident Response

Automate incident response via native integrations.

Dwell Time

Reduce time attackers remain undetected and response time.

Network-Based Threat Deception

Quickly detect in-network threat activity across all attack surfaces as an attacker seeks target assets, moves laterally, and maintains presence.

Decoys for Early Detection of Reconnaissance & Lateral Movement Activity

Active Directory
Specialized Devices


Medical IoT

Industrial Control


Router Infrastructure


Medical IoT

Industrial Control


Router Infrastructure


The ThreatDefend platform provides extensive endpoint protection functions that prevent attacker lateral movement. Deceptive credentials and shares protect production assets by redirecting attackers away from operational systems and into a decoy engagement environment.

High-fidelity detection

Gain early and accurate threat detection of human and automated attackers targeting networked systems and devices. Golden image customization delivers optimal authenticity

Cloud Threat Detection

Improve visibility into threat activity within an organization’s cloud environment

Industrial Control Threat Detection

Achieve awareness of attacks targeting ICS/SCADA systems

IoT Threat Detection

Improve security over IoT devices on the network

Network Infrastructure Threat Detection

Learn when attackers target routers, switches, and other networking infrastructure

Scalability and ease of operation

Coverage for a wide-variety of endpoints and machine-learning for automated learning and deployment

Gather company-centric threat-Intelligence

Capabilities to collect adversary intelligence and forensic data empower faster triage

Accelerate Incident Response

Integrations with EPP and EDR solutions facilitate automated incident response


  • Early Threat Detection

    — Decoy engagement-based detection
    — Not reliant on signatures to detect attacks
    — No pattern matching or database look up

  • Lateral Movement Threat Detection

    — In-network threat detection
    — Detect early reconnaissance
    — Detect lateral movement
    — Detect activities used to maintain presence

  • Evolving Attack Surface

    — Decoys to address all attack surfaces
    — User Network
    — Data Center
    — Cloud (AWS, Azure, Google, OpenStack)
    — Specialized: IOT, ICS, POS, SWIFT, Router

  • Man-in-the-Middle Attacks

    — Early detection of MitM attacks
    — Attack replay to better understand movement

  • Data & DecoyDoc Deceptions

    — Data deceptions to misdirect attack
    — DecoyDocs for counterintelligence on attacker intent
    — Geolocation tracking of opened documents

  • Compliance Breach Investigation M&A Visibility

    — Demonstrate in-network detection
    — Forensics to demonstrate resolution
    — Trust but verify M&A visibility
    — Blue Team’s choice control during Pen Testing

  • Skills Shortage & Ability to Respond to Incident

    — High-fidelity alerts are actionable
    — Basic and advanced user interface
    — Easy to deploy and operate
    — Automations for attack analysys and incident response


Ready to find out what the Attivo Networks solution can do for your organization? Our security experts are standing by, ready to answer your questions.

“If you don’t know what threats are inside your network, then deception-based detection is your answer.”

Augusto Barros, Gartner, Inc.