Traditional honeypots are identifiable in under 60 seconds. Decoya uses NVIDIA NeMo to generate fake users, credentials, documents, and services that are statistically identical to real ones — and continuously updates them to stay ahead of attacker fingerprinting techniques. Every touch produces a zero-false-positive alert in Triago.
Security vendors have published the fingerprints for every major honeypot platform. Experienced attackers check for them routinely. The lures that rely on templates and rules were dead on arrival. What's needed is generated content that matches the statistical signature of the real environment so closely that automated fingerprinting cannot tell the difference.
Decoya generates that content. And keeps regenerating it as attackers improve their tools.
01
Decoya maps your real AD, network, and file structure to set the statistical baseline for lure generation.
02
NeMo produces fake users with plausible email histories, credential sets embedded in realistic documents, and fake service endpoints with convincing API behavior.
03
An adversarial loop runs continuously: a red-team model tries to fingerprint the lures; the generator updates them to evade detection.
04
Any attacker interaction triggers an immediate Triago alert. Full behavioral profile: what they accessed, what tools they used, where in the kill chain they are.
Fake admin credentials embedded in realistic-looking documents — runbooks, infrastructure notes, deployment scripts. When credentials are tested against real services, Triago knows immediately. The attacker has no way to distinguish them from legitimate credentials without trying them.
Zero false positives · immediate alert
Plausible AD users with realistic MFA enrollment dates, login history patterns, and group memberships matching real user profiles.
Fake SMB shares, LDAP directories, and internal APIs that respond to queries convincingly but log every interaction.
A GPU-accelerated red-team model continuously attempts to fingerprint deployed lures. The generative model updates them to pass. Lure quality improves over time and compounds with attacker interaction data from across the fleet.
Decoya captures what the attacker accessed, in what sequence, with what tools — before they trigger a real alert. Triago gets the full profile, not just an IOC.
Fine-tuned on real enterprise user, credential, and document patterns. Generates fake content that is statistically indistinguishable from real content. Runs continuously on H100 GPU to update and expand the lure fleet as the environment changes.
A GPU-accelerated red-team model attacks deployed lures; the generative model retrains on failures. This loop requires sustained GPU compute because it runs continuously, not on a quarterly schedule.
Real-time attacker behavior scoring at sub-50ms per interaction. Classifies kill-chain stage, identifies tool signatures (Mimikatz, Cobalt Strike, etc.), and feeds the full profile to Triago before escalation.
GPU-accelerated analysis of which lure types attract which attacker profiles. Continuously rebalances lure placement to maximize early-warning coverage across the environment.
Credential canaries and fake AD accounts go live same day. The NeMo generative layer follows. If anything is actively hunting your environment, you'll know within the first week.