Logo of Acalvio, a leading company in cyber deception technology

Passive Defense vs Active Defense

Cyber security defenses can be Passive or Active. Passive solutions focus on “Denial”; essentially denying access to an asset when an attack against it is detected. Active Defense proactively detects and diverts attacks and engages the adversary to learn the attack Tactics, Techniques, and Procedures (TTPs). Active Defense is also about dynamically changing the landscape or the attacker’s perception to detect and mitigate attacks early.

Passive Defense (Denial) Active Defense (Deception)
Endpoint Detect and Block suspicious activity on endpoint elements Introduce decoy elements (breadcrumbs and baits) into the endpoint to feed decoy data and redirect attacks
Network Detect and Block suspicious lateral movement to network assets Introduce decoy assets into the network to engage with the attacks and collect TTPs
Identity Detect and Block suspicious accesses to identities / AD Introduce decoy identities (both in endpoints and AD) to slow down and redirect attacks
MITRE Engage for active defense

MITRE Engage

MITRE recently launched MITRE Engage, a knowledge base for Active Defense and adversary engagement. Not surprisingly, MITRE Engage features Deception methodologies as the most effective solution for adopting an Active Defense strategy. Deception technology has taken the center stage for Active Defense, as deceptions do not affect legitimate traffic and transactions, but are deployed to detect and respond to malicious activities.

Cyber Deception detects threats by overlaying a fabric of pervasive deception across the enterprise network. Deception is not part of the enterprise business processes and systems. Hence any interaction with deception generates a high-fidelity alert. This form of threat detection, which can detect even zero-day exploits, is increasingly acknowledged as an important security layer in the fight against cyber attacks.

Cyber Deception has been around for a couple of decades mostly as honeypots – cleverly crafted fake computing resources, placed as to seem part of the enterprise IT network and containing valuable information. Honeypots, though effective, have been difficult to deploy at scale and to manage by keeping them fresh and relevant.

The state of cyber deception has evolved significantly in the recent years. ShadowPlex is a state-of-the-art Distributed Deception Platform (DDP), which can automatically deploy thousands of deceptions corresponding to any network element, across distributed and hybrid enterprise networks.

Deception is NOT just Honeypots

ShadowPlex Cyber Deception provides a comprehensive deception palette that includes Decoys (also called honeypots), Lures, Breadcrumbs and Baits. The deceptive assets are blended into and deployed throughout the distributed (and hybrid) network, on the enterprise endpoints and in credential stores such as Active Directory. Any attacker access to deception generates a high-fidelity alert.

Different types of threat deceptions
Acalvio's architecture for active defense

Start with Decoy Types

Low Interaction Decoys

  • Network services and applications
  • Attacker cannot login
  • Often done via emulation leading to lower quality decoys
  • Can deploy many decoys

High Interaction Decoys

  • Real VM Hosts, Applications, Database Servers, Shares
  • Attacker can login – full interaction higher quality decoys
  • Can only deploy Few Decoys

Add Lures to make Decoys Attractive

Deliberately place Lures

  1. Vulnerabilities in OS, Application, Protocols
  2. Weak configurations and permissions
  3. Fake Service Accounts

Acalvio Innovation

  • Extensible framework for the customer to add lures as necessary
Adding lures makes decoys attractive
Breadcrumbs and baits for cyber deception

Lead Attacks to Decoys

Many uses for Breadcrumbs / baits

  • Act as Micro-sensors
  • Give (mis)information
  • Give booby trapped tools
  • Redirect attacks to decoys

Acalvio Innovation

  • Completely automated configuration, deployment and management of breadcrumbs and baits

Blend Deception

Deception needs to blend into the environment continuously to be effective

  • Networks can change
  • Adversary behavior will change
  • Threats will change

Acalvio Innovation

  • Integrated AI keeps track of each network neighborhood and each endpoint settings across the enterprise and automatically blends deception
Blend Deception

Keep Cyber Deception Dynamic

Static Deception

Static Deceptions

  • Hardly changes
  • Easy to fingerprint & avoid
Dynamic Deception

Acalvio Innovation Dynamic Deceptions

  • Always auto-changing
  • Hard to identify or fingerprint

How does deception-based Active Defense work?

End-user breach example


  • Initial foothold
  • Attacker has remote command & control
  • Initial recon

Establish Additional Beachheads

  • Redundancy
  • Sacrificial lambs

Lateral move towards Mission Objective(s)

  • Data exfiltration
  • Disruption
Deception based active defense How does deception-based active defense work
Decoy workstation


  • Dense Minefield
  • Detect Adversary as Beachheads Established
Breadcrumb for cyber deception


  • Present False Trail
  • Deceive Adversary During Recon
  • Divert Away from Mission Objective to Decoy
Baits for cyber deception


  • Tripwires

Active defense based on deception provides a completely different way to detect attacks and complements existing security solutions which are based on signatures and behavioral models. Cyber deception has proven to be very effective, but the first-generation solutions had limitations. Acalvio solved the limitations with innovative technology, that enables enterprise scale and autonomous deception.

Please follow the “Read More” link to understand why you need Active Defense when you have other security solutions already deployed in your enterprise network.

Next Steps

Explore our patented technologies to enable Active Defense and Identity Protection in your enterprise.