RESEARCH FLEET — LIVE
CATCHING REAL ATTACKERS SINCE APRIL 2026
Catch threats your other tools miss.
Adaptive honeypots that look and act like your real systems — so attackers reveal themselves the moment they touch one. Built for small security teams, utilities, and municipalities. No analyst army required.
── capture.logREC · ssh-XX78a4e1f0
{{ heroLog }}
A real attacker, captured and classified by our research fleet. They thought this was your server.
✓ Deploys in an afternoon
✓ No dedicated SOC required
✓ Works fully air-gapped
✓ Zero false alarms by design
✓ Priced for small teams
15+
device profiles emulated
7M+
attacks captured in 14 days
8.8K
unique attackers observed
8×
longer attacker engagement
WHAT IT DOES
Deception that adapts in real time
Old-school honeypots follow a script, and attackers spot them in seconds. Ours use a local AI to improvise like a real server — so attackers stay engaged and keep revealing their playbook.
001
Works anywhere — even air-gapped
Runs fully offline with local AI, on-prem, or cloud-managed. Nothing leaves your network — safe for ITAR, CMMC, and OT environments.
002
Convincing enough to fool real attackers
File systems, credentials, and command outputs are improvised live by AI — never replayed from a static script attackers can fingerprint.
003
Covers IT and plant-floor protocols
SSH, HTTP, Telnet, SMB, and SCADA-Modbus — including the OT protocols most vendors ignore.
004
Mapped to MITRE ATT&CK automatically
Every session ships as STIX 2.1 / TAXII into your SIEM or inbox inside 60 seconds — no analyst translation step.
005
Attackers stay 8× longer
Measured against Cowrie controls on the same network. Longer sessions mean more techniques revealed per intruder.
006
Every alert is a real intruder
A decoy has no legitimate users, so there is no baseline to model and nothing to triage. Zero false alarms, zero alert fatigue.
HOW IT WORKS
Deploy in minutes, not months
Three steps from download to catching your first threat.
STEP 01
Set the traps
Spin up SSH, HTTP, Telnet, SMB, and SCADA-Modbus decoys with a single configuration file. Each one assumes a realistic persona tailored to your environment.
STEP 02
Let them bite
When an adversary connects, a local AI improvises responses in real time. They interact with what looks and feels like production — revealing tools, techniques, and objectives.
STEP 03
Collect the intelligence
Every keystroke and lateral-movement signal is logged, auto-mapped to MITRE ATT&CK, and shipped to your SIEM or SOC platform as STIX 2.1 / TAXII.
FROM THE RESEARCH FLEET
One real session, captured live
An actual adversary session from the April 2026 research window. The attacker thought they had root on a real Linux server. Every command logged, every technique mapped, the full record in the SOC pipeline inside 60 seconds.
SESSION REPLAY
{{ replayStatus }}
{{ sessionReplay }}
What happened: the attacker spent twenty-two minutes walking around our fake server — reconnaissance, credential dumping, payload staging, log tampering, and a C2 callback. They left with a fake SHA-512 hash they'll spend hours trying to crack. This is the session every SOC should be getting from their perimeter. Most aren't.
FROM THE BESTIARY
Know what's knocking
Every attacker our fleet catches is classified into an archetype and rated on how often you'll meet one — a field guide to the things probing your network, drawn from 7M+ real events.
LEGENDARY
1 in 8,887
🕷️
RAT Operator
The Puppeteer. Persistent, stealthy remote control — their zombies don't break in, they move in.
RARE
1 in 185
🧑💻
Human Attacker
Fingers on keyboard, brain engaged. Irregular timing and genuine curiosity about what's on the box.
COMMON
1 in 1
🦟
Nuisance Scanner
The background radiation of the internet. Billions of them; they accomplish nothing individually.
RESEARCH
Built on data, not theory
Validated by a multi-cloud fleet capturing real adversary traffic against active attacker infrastructure since 2026.
FLEET SNAPSHOT — 14-DAY WINDOW
7M+total adversary events captured
8.8Kunique attacker IPs observed
43MITRE ATT&CK techniques seen in the wild
220commands in the longest sustained engagement
WHY THIS MATTERS IN 2026
79%of 2024 detections were malware-free (CrowdStrike)
80%of commodity IOCs stale within 10 days
+87%YoY growth in industrial-ransomware attacks (Dragos)
70%of US water systems fail SDWA cyber compliance (EPA)
INSIGHTS
Field notes, threat breakdowns, and what the fleet is catching — published as we capture it.
THE CAMPAIGN
Three checks. One party.
Deception Check is the first of a family built for the same small teams — detect, govern, and train, without hiring a department for each.
Deception Check
LIVE
Catch attackers in the act with adaptive honeypots. The detection layer.
Arcana Check
COMING
Compliance without the dark arts. Evidence, frameworks, and audits — the governance layer.
Initiative Check
COMING
Roll for initiative. Tabletop incident drills your whole team will actually show up for — the training layer.
© 2026 Deception Check, Inc.