RESEARCH FLEET — LIVE CATCHING REAL ATTACKERS SINCE APRIL 2026

Catch threats your other tools miss.

Adaptive honeypots that look and act like your real systems — so attackers reveal themselves the moment they touch one. Built for small security teams, utilities, and municipalities. No analyst army required.

── capture.logREC · ssh-XX78a4e1f0
{{ heroLog }}
A real attacker, captured and classified by our research fleet. They thought this was your server.
  Deploys in an afternoon   No dedicated SOC required   Works fully air-gapped   Zero false alarms by design   Priced for small teams
15+
device profiles emulated
7M+
attacks captured in 14 days
8.8K
unique attackers observed
longer attacker engagement
WHAT IT DOES

Deception that adapts in real time

Old-school honeypots follow a script, and attackers spot them in seconds. Ours use a local AI to improvise like a real server — so attackers stay engaged and keep revealing their playbook.

001 Works anywhere — even air-gapped Runs fully offline with local AI, on-prem, or cloud-managed. Nothing leaves your network — safe for ITAR, CMMC, and OT environments.
002 Convincing enough to fool real attackers File systems, credentials, and command outputs are improvised live by AI — never replayed from a static script attackers can fingerprint.
003 Covers IT and plant-floor protocols SSH, HTTP, Telnet, SMB, and SCADA-Modbus — including the OT protocols most vendors ignore.
004 Mapped to MITRE ATT&CK automatically Every session ships as STIX 2.1 / TAXII into your SIEM or inbox inside 60 seconds — no analyst translation step.
005 Attackers stay 8× longer Measured against Cowrie controls on the same network. Longer sessions mean more techniques revealed per intruder.
006 Every alert is a real intruder A decoy has no legitimate users, so there is no baseline to model and nothing to triage. Zero false alarms, zero alert fatigue.
HOW IT WORKS

Deploy in minutes, not months

Three steps from download to catching your first threat.

STEP 01

Set the traps

Spin up SSH, HTTP, Telnet, SMB, and SCADA-Modbus decoys with a single configuration file. Each one assumes a realistic persona tailored to your environment.

STEP 02

Let them bite

When an adversary connects, a local AI improvises responses in real time. They interact with what looks and feels like production — revealing tools, techniques, and objectives.

STEP 03

Collect the intelligence

Every keystroke and lateral-movement signal is logged, auto-mapped to MITRE ATT&CK, and shipped to your SIEM or SOC platform as STIX 2.1 / TAXII.

FROM THE RESEARCH FLEET

One real session, captured live

An actual adversary session from the April 2026 research window. The attacker thought they had root on a real Linux server. Every command logged, every technique mapped, the full record in the SOC pipeline inside 60 seconds.

SESSION
ssh-XX78a4e1f0 — redacted
SOURCE IP
XXX.XX.XXX.XXX — redacted
NODE
prod-fleet-llm
LLM BACKEND
Claude Haiku 4.5
BESTIARY MATCH
Human Attacker · rare
SESSION REPLAY {{ replayStatus }}
{{ sessionReplay }}
220
COMMANDS
220
SECONDS
VS COWRIE CONTROL
0
REAL ASSETS AT RISK

What happened: the attacker spent twenty-two minutes walking around our fake server — reconnaissance, credential dumping, payload staging, log tampering, and a C2 callback. They left with a fake SHA-512 hash they'll spend hours trying to crack. This is the session every SOC should be getting from their perimeter. Most aren't.

FROM THE BESTIARY

Know what's knocking

Every attacker our fleet catches is classified into an archetype and rated on how often you'll meet one — a field guide to the things probing your network, drawn from 7M+ real events.

LEGENDARY 1 in 8,887
🕷️
RAT Operator
The Puppeteer. Persistent, stealthy remote control — their zombies don't break in, they move in.
RARE 1 in 185
🧑‍💻
Human Attacker
Fingers on keyboard, brain engaged. Irregular timing and genuine curiosity about what's on the box.
COMMON 1 in 1
🦟
Nuisance Scanner
The background radiation of the internet. Billions of them; they accomplish nothing individually.
11 archetypes catalogued so far — custom illustrations arriving soon. Browse the full Bestiary →
RESEARCH

Built on data, not theory

Validated by a multi-cloud fleet capturing real adversary traffic against active attacker infrastructure since 2026.

FLEET SNAPSHOT — 14-DAY WINDOW
7M+total adversary events captured
8.8Kunique attacker IPs observed
43MITRE ATT&CK techniques seen in the wild
220commands in the longest sustained engagement
WHY THIS MATTERS IN 2026
79%of 2024 detections were malware-free (CrowdStrike)
80%of commodity IOCs stale within 10 days
+87%YoY growth in industrial-ransomware attacks (Dragos)
70%of US water systems fail SDWA cyber compliance (EPA)
INSIGHTS

From the research blog

View all research →

Field notes, threat breakdowns, and what the fleet is catching — published as we capture it.

VULNERABILITY 2026-07-09 CVE-2026-11405: a hidden password that lets anyone into the routerTenda firmware ships with an undocumented second password. No patch, vendor unreachable, public PoC circulating. Read → VULNERABILITY 2026-07-08 CVE-2026-8451: CitrixBleed comes back to the NetScaler front doorA pre-auth memory overread in NetScaler SAML IdPs — already under active exploitation days after disclosure. Read → VULNERABILITY 2026-07-05 CVE-2026-13768: one hard-coded cloud key, an entire fleet of gardensAn owner-level Azure IoT Hub key shipped on every Gardyn unit. CISA rated it a perfect 10.0. Read →
THE CAMPAIGN

Three checks. One party.

Deception Check is the first of a family built for the same small teams — detect, govern, and train, without hiring a department for each.

Deception Check Deception Check LIVE
Catch attackers in the act with adaptive honeypots. The detection layer.
Arcana Check COMING
Compliance without the dark arts. Evidence, frameworks, and audits — the governance layer.
Initiative Check COMING
Roll for initiative. Tabletop incident drills your whole team will actually show up for — the training layer.

Be first to deploy adaptive deception

Join the early-access waitlist.

Join waitlist
Deception Check mark © 2026 Deception Check, Inc.
Research Bestiary Waitlist Contact