Ecosystem · AI deception intelligence

Lures that attackers
cannot fingerprint.

Traditional honeypots are identifiable in under 60 seconds. Decoya uses NVIDIA NeMo to generate fake users, credentials, documents, and services that are statistically identical to real ones — and continuously updates them to stay ahead of attacker fingerprinting techniques. Every touch produces a zero-false-positive alert in Triago.

NeMo generative models·Adversarial evolution loop·Zero false positives
Why deception breaks

Static honeypots are fingerprinted in less than a minute.

Security vendors have published the fingerprints for every major honeypot platform. Experienced attackers check for them routinely. The lures that rely on templates and rules were dead on arrival. What's needed is generated content that matches the statistical signature of the real environment so closely that automated fingerprinting cannot tell the difference.

Decoya generates that content. And keeps regenerating it as attackers improve their tools.

60s
Time to fingerprint a static honeypot
207d
Average dwell time before detection
100%
Signal quality on deception hits
How it works

Generate, deploy, evolve, catch.

01

Discover

Decoya maps your real AD, network, and file structure to set the statistical baseline for lure generation.

02

Generate

NeMo produces fake users with plausible email histories, credential sets embedded in realistic documents, and fake service endpoints with convincing API behavior.

03

Evolve

An adversarial loop runs continuously: a red-team model tries to fingerprint the lures; the generator updates them to evade detection.

04

Alert

Any attacker interaction triggers an immediate Triago alert. Full behavioral profile: what they accessed, what tools they used, where in the kill chain they are.

What Decoya deploys

The lure types that actually catch attackers.

Credential canaries

Fake admin credentials embedded in realistic-looking documents — runbooks, infrastructure notes, deployment scripts. When credentials are tested against real services, Triago knows immediately. The attacker has no way to distinguish them from legitimate credentials without trying them.

Zero false positives · immediate alert

Fake AD accounts

Plausible AD users with realistic MFA enrollment dates, login history patterns, and group memberships matching real user profiles.

Shadow services

Fake SMB shares, LDAP directories, and internal APIs that respond to queries convincingly but log every interaction.

NeMo adversarial evolution

A GPU-accelerated red-team model continuously attempts to fingerprint deployed lures. The generative model updates them to pass. Lure quality improves over time and compounds with attacker interaction data from across the fleet.

Behavioral profiling

Decoya captures what the attacker accessed, in what sequence, with what tools — before they trigger a real alert. Triago gets the full profile, not just an IOC.

NVIDIA GPU infrastructure

Why generative deception requires GPU.

NeMo generative lure model

Fine-tuned on real enterprise user, credential, and document patterns. Generates fake content that is statistically indistinguishable from real content. Runs continuously on H100 GPU to update and expand the lure fleet as the environment changes.

Adversarial training loop

A GPU-accelerated red-team model attacks deployed lures; the generative model retrains on failures. This loop requires sustained GPU compute because it runs continuously, not on a quarterly schedule.

TensorRT behavior classification

Real-time attacker behavior scoring at sub-50ms per interaction. Classifies kill-chain stage, identifies tool signatures (Mimikatz, Cobalt Strike, etc.), and feeds the full profile to Triago before escalation.

RAPIDS lure optimization

GPU-accelerated analysis of which lure types attract which attacker profiles. Continuously rebalances lure placement to maximize early-warning coverage across the environment.

Deploy a deception layer in 48 hours.

Credential canaries and fake AD accounts go live same day. The NeMo generative layer follows. If anything is actively hunting your environment, you'll know within the first week.

Request access