Every detection technique in a SOC has a false positive rate. Network anomaly detection: legitimate traffic that looks unusual. Behavioural analytics: a user doing something unusual for a legitimate reason. Signature-based detection: a benign file that matches a malware pattern. Managing false positives is a significant part of what a SOC analyst does, and high false positive rates directly reduce the quality of a SOC's output.
Deception technology is the exception. A deception sensor — a honeypot, a decoy credential, a fake file share — generates alerts that have a false positive rate of effectively zero. If something interacts with a decoy, it's doing something it shouldn't be doing. There is no legitimate reason for a user or system to touch a file share that doesn't appear in any documentation, or to authenticate with a credential that was never issued to a real account.
This is the logic behind DecoyPulse. And it's why including it in every SOC in a Box deployment wasn't optional — it was essential.
What DecoyPulse Deploys
DecoyPulse operates across several deception layers, all of which are pre-configured for each SOC in a Box deployment based on the client's network topology and asset types.
Network Decoys
Virtual hosts that appear on the network as legitimate devices — servers, workstations, printers, network devices — but serve no operational function. Any network scan, connection attempt, or lateral movement that encounters these devices is immediately flagged. This is particularly effective against automated attack tools that sweep IP ranges looking for vulnerable hosts: they find the decoys, interact with them, and the interaction is logged and escalated.
Credential Decoys
Inactive accounts with convincing names — service accounts, administrator accounts, legacy user accounts — that exist in the directory but are never used by real systems or people. Any authentication attempt using these credentials is an immediate high-confidence indicator of credential theft or lateral movement. Attackers who have compromised a system and are harvesting credentials from memory will collect the decoy credentials alongside real ones — and when they use them, we know.
File and Share Decoys
Shares and files that appear attractive — named things like "HR_Salary_2025.xlsx" or "VPN_Credentials_Backup.txt" — but trigger an alert the moment they're opened or accessed. These are particularly effective against insider threats and against attackers who have gained initial access and are conducting reconnaissance before their primary objective.
Tuning Decoys for Small Environments
One of the challenges of deploying deception technology in a small environment is that the network is familiar. In a 20-person organisation, most staff know roughly what devices exist on the network and which file shares are legitimate. A decoy that's too obvious doesn't fool an attacker who's done basic reconnaissance. A decoy that's too similar to a legitimate resource might confuse legitimate users — though this is less of a problem than in a large, complex environment.
During the scoping call, we gather enough information about the client's network topology to position DecoyPulse sensors appropriately. Decoy hostnames are chosen to fit the naming conventions already in use. Decoy credentials follow the format of real service account names. File decoy content is chosen to match the sector — a healthcare organisation's decoys look different from a law firm's.
The goal is that the decoys are completely invisible to legitimate users going about their work, and completely plausible to an attacker mapping an unfamiliar network.
The Insider Threat Dimension
We don't often lead with insider threat when talking to prospective clients, because it's an uncomfortable conversation. But it's a real one. DecoyPulse's credential and file decoys are effective against the scenario where a departing employee, a contractor with inappropriate access, or a member of staff acting under financial pressure decides to exfiltrate data.
The tell is reconnaissance. Before someone takes data they shouldn't have, they typically explore what's available. That exploration — accessing unusual shares, trying credentials they've found, poking around parts of the network outside their normal working pattern — is exactly what DecoyPulse is designed to detect.
"The value of a decoy isn't the decoy itself. It's the signal it produces at the moment someone who shouldn't be there decides to investigate it."
Integration With the SOC365 Alert Pipeline
DecoyPulse events bypass the standard EmilyAI triage queue and are elevated directly to the analyst's priority queue. This isn't because EmilyAI can't handle them — it's because the signal quality is high enough that the enrichment step is unnecessary. A DecoyPulse interaction is already a high-confidence event. The analyst's job is to determine scope and initiate the appropriate response, not to spend time establishing whether the event is genuine.
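As an added illustration (not DecoyPulse's or SOC365's own code), here is a minimal detector that ties together the credential decoys, the file decoys and the direct-to-priority routing described above: it matches constructed log lines against a decoy inventory and sends any hit past the triage stage. The decoy names, log format, queue names and the scanner allowlist are assumptions made for the example.

```python
# Added illustration, not DecoyPulse's own code: match auth and file-access
# events against a decoy inventory and send any hit straight to the analyst
# priority queue, skipping enrichment. Names, log format, queue names and
# the scanner allowlist are constructed assumptions.

# Constructed inventory; never listed anywhere legitimate users can see it.
DECOY_ACCOUNTS = {"svc-backup-legacy", "adm_helpdesk2"}
DECOY_SHARES = {p.lower() for p in (r"\\fs01\HR_Salary_2025.xlsx",
                                    r"\\fs01\IT\VPN_Credentials_Backup.txt")}
# Assumed: one authorised vulnerability scanner expected to open decoy shares.
SANCTIONED_SOURCES = {"10.0.9.9"}

# Constructed key=value log lines (a real feed would be AD / SMB audit events).
SAMPLE_LOGS = [
    r"ts=2025-03-01T09:12:04Z type=auth user=jsmith src=10.0.1.15 result=success",
    r"ts=2025-03-01T09:12:31Z type=auth user=SVC-Backup-Legacy src=10.0.1.77 result=failure",
    r"ts=2025-03-01T09:13:02Z type=file user=jsmith src=10.0.1.15 path=\\fs01\Finance\Q1.xlsx",
    r"ts=2025-03-01T09:14:10Z type=file user=tnguyen src=10.0.1.77 path=\\fs01\HR_Salary_2025.xlsx",
    r"ts=2025-03-01T09:15:00Z type=file user=scanner src=10.0.9.9 path=\\fs01\hr_salary_2025.xlsx",
]

def parse(line):
    """Split a key=value line into a dict (fields contain no spaces here)."""
    return dict(field.split("=", 1) for field in line.split())

def decoy_hit(event):
    """Return 'credential', 'file' or None. A *failed* logon with a decoy account
    still counts: the credential was never issued, so any attempt is suspect."""
    if event.get("type") == "auth" and event.get("user", "").lower() in DECOY_ACCOUNTS:
        return "credential"
    if event.get("type") == "file" and event.get("path", "").lower() in DECOY_SHARES:
        return "file"
    return None

def route(event):
    """Decide which queue an event goes to."""
    kind = decoy_hit(event)
    if kind is None:
        return "triage"      # ordinary event: normal enrichment pass
    if event.get("src") in SANCTIONED_SOURCES:
        return "triage"      # known scanner touched a decoy: review, not a page-out
    return "priority"        # decoy interaction: high confidence, no enrichment needed

def process(lines):
    """Return (queue, decoy_kind, user, src) for each event, in order."""
    return [(route(ev), decoy_hit(ev), ev.get("user"), ev.get("src"))
            for ev in map(parse, lines)]
```

Note that the decoy account hit is a failed logon: the credential was never issued to anyone, so the attempt itself is the signal, and the case-insensitive match means a harvested credential retyped in a different case still fires.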
Next week, we'll talk about one of the decisions that makes SOC in a Box most different from competitor products: the named analyst model, and why we believe that a relationship with a security professional who knows your environment is worth more than any amount of automation.
Zero False Positives, Real Detection
DecoyPulse is included in every SOC in a Box deployment. No additional configuration, no extra cost. Book a scoping call to find out how deception technology would be positioned across your specific environment.