At Horizon3.ai, our mission is clear: to equip the world’s most sensitive organisations with the defensive clarity and offensive knowledge they need to stay ahead of the adversary. Protecting critical infrastructure, national security assets, and highly confidential data demands more than just patching vulnerabilities; it requires a proactive, attacker-centric approach that stops threats before they cause damage.
This is why we champion moving beyond traditional defence, embracing methods like cyber deception to shift the advantage back to the defender. Our commitment to validating the real-world efficacy of this approach recently culminated in our participation in the UK National Cyber Security Centre’s (NCSC) Active Cyber Defence (ACD) 2.0 Deception trials.
Validating Deception: Insights from the NCSC Trials
The NCSC’s ACD 2.0 program sought to build a nation-scale evidence base for cyber deception, testing its ability to increase network observability, enhance threat hunting, and even influence attacker behaviour. As one of the commercial providers selected to participate, we contributed our expertise and platform to this vital research.
The findings from the trials, which included 121 UK organisations, confirm what we have long advocated: cyber deception is a powerful, essential component of a modern, layered defence strategy.
Here are the key takeaways that reinforce why deception is non-negotiable for highly sensitive organisations:
1. High-Fidelity Detection in Complex Environments
The NCSC found that cyber deception can successfully uncover hidden compromises and detect new attacks as they happen. For the world’s most sensitive networks—which often contain niche or legacy systems—deception provides a unique, targeted form of visibility. When an attacker touches a decoy asset or fake credential, the alert is high-fidelity, immediate, and virtually guarantees malicious intent. This cuts through the noise of false positives that can overwhelm security teams in large, complex organisations.
2. Imposing Cost on the Adversary
One of the most valuable aspects identified by the NCSC is deception’s potential to impose cost on adversaries.
By deploying decoys, fake credentials, and attractive honeypots, organisations can:
- Waste the Attacker’s Time: Force attackers to spend resources navigating false environments.
- Break the Kill Chain: Disrupt their methodology and undermine their confidence.
- Slow the Attack: Increase the time between initial access and mission success, giving defenders the crucial window to respond.
For nation-state actors and highly motivated criminal organisations, this friction is a powerful deterrent, helping shift the economics of cyberattacks in favour of the defender and contributing directly to national cyber-resilience goals.
3. Strategic Deployment is Key
While the NCSC confirmed that “Cyber deception can work,” they rightly noted that it is “not plug-and-play.” Effective deception requires a clear strategy that aligns with an organisation’s specific threat model.
This is where Horizon3.ai’s expertise shines. Our solutions are designed to help sensitive organisations move beyond basic decoys to deploy deception that is:
- Authentic: Tailored to real operational environments.
- Integrated: Seamlessly layered into existing security architectures and tool stacks.
- Proactive: Used not just for detection, but for gathering intelligence to continuously refine defences.
Correctly and effectively deploying deception is half the battle. Discovering attack chains with deterministic proof of exploitability allows organisations to build an early warning system along the very attack chains and exploitable weaknesses that were uncovered.
ACD 2.0 Deception Trial – Tripwires and AD Tripwires: Evidence-Based Attack Chain Protection
NodeZero Tripwires™ and AD Tripwires are security decoys designed to provide early, high-fidelity alerts by sitting on proven attack paths.
During the trial, Horizon3.ai used its autonomous pentesting engine to discover real-world attack paths in production and to provide high-fidelity intelligence for deception placement, thereby protecting organisations from exploitable threats and weaknesses with immediate effect.
What Are Tripwires?
- NodeZero Tripwires: Decoy files, credentials, or process monitors that NodeZero drops on high-risk, compromised assets (hosts, writable shares) during a penetration test.
  - They remain silent until accessed, then “phone home” to generate alerts.
  - Examples include AWS credentials files, fake MySQL dump files, and process monitors on Windows that watch for the execution of tools such as tasklist.exe.
- AD Tripwires: Decoy Active Directory accounts designed to detect identity-focused attacks.
  - They target three common identity attacks: domain user scraping, Kerberoasting, and AS-REP roasting.
  - They reside within AD and are monitored continuously by a lightweight AD Agent.
- Goal: Both types are placed on the exact attack paths NodeZero identifies, so that any real attacker re-using those paths triggers an early signal.
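To make the tripwire idea concrete from the defender's side, here is an added example (written for this page, not Horizon3.ai's or NodeZero's code) of the detection logic that turns a touch on a decoy into an alert. It evaluates Windows Security event records: object-access events (4663) on a decoy credentials file, Kerberos service-ticket requests (4769) naming a decoy SPN account (the Kerberoasting case), and TGT requests (4768) for a decoy account made without pre-authentication (the AS-REP roasting case). The decoy file path, the decoy account names, the event samples and the `Alert`/`scan` helpers are all constructed assumptions for illustration; the event IDs and field names are the documented Windows ones. Domain user scraping, the third identity attack named above, is not covered here because plain LDAP enumeration does not surface in these event IDs.

```python
"""Minimal tripwire detector over Windows Security events (added example).

Assumptions (hypothetical, for illustration only):
  - Decoy file path and decoy account names below are placeholders.
  - Events arrive as dicts with the standard 4663/4768/4769 field names;
    a real deployment would read them from the Security log or a SIEM.
  - The decoy file carries an audit SACL, otherwise 4663 never fires.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Documented Windows Security event IDs used here.
EVT_FILE_ACCESS = 4663    # An attempt was made to access an object
EVT_TGT_REQUESTED = 4768  # A Kerberos authentication ticket (TGT) was requested
EVT_TGS_REQUESTED = 4769  # A Kerberos service ticket was requested

# Constructed decoy inventory (placeholders, not values from the trial).
DECOY_FILES = {r"C:\Users\svc_backup\.aws\credentials"}
DECOY_SPN_ACCOUNTS = {"svc-sqlreport"}   # decoy account that has an SPN
DECOY_NOPREAUTH_ACCOUNTS = {"legacy-app01"}  # decoy account, pre-auth disabled


@dataclass(frozen=True)
class Alert:
    kind: str        # decoy_file_access | kerberoast_decoy | asrep_roast_decoy
    account: str     # principal that touched the decoy
    source_ip: str   # requesting client, when the event carries one
    detail: str


def _principal(name: str) -> str:
    """Normalise 'user@REALM' / 'USER' to a lowercase sAMAccountName."""
    return name.split("@", 1)[0].lower()


def _ip(evt: dict) -> str:
    """Strip the IPv4-mapped prefix that Kerberos events usually carry."""
    return evt.get("IpAddress", "-").removeprefix("::ffff:")


def evaluate_event(evt: dict) -> Optional[Alert]:
    """Return an Alert if this event is a touch on a decoy asset, else None."""
    eid = evt.get("EventID")

    if eid == EVT_FILE_ACCESS and evt.get("ObjectName") in DECOY_FILES:
        return Alert("decoy_file_access", _principal(evt["SubjectUserName"]), "-",
                     f"{evt['ObjectName']} opened by {evt.get('ProcessName', '?')}")

    if eid == EVT_TGS_REQUESTED:
        # A service ticket for a decoy SPN account is only ever requested by
        # someone enumerating and roasting SPNs; nothing legitimate uses it.
        if _principal(evt.get("ServiceName", "")) in DECOY_SPN_ACCOUNTS:
            return Alert("kerberoast_decoy", _principal(evt["TargetUserName"]), _ip(evt),
                         f"TGS for decoy SPN account, enc type {evt.get('TicketEncryptionType')}")

    if eid == EVT_TGT_REQUESTED:
        # PreAuthType 0 = logon without pre-authentication: the AS-REP roasting pattern.
        target = _principal(evt.get("TargetUserName", ""))
        if target in DECOY_NOPREAUTH_ACCOUNTS and evt.get("PreAuthType") == "0":
            return Alert("asrep_roast_decoy", target, _ip(evt),
                         "AS-REQ without pre-authentication for decoy account")

    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every event through evaluate_event and keep the hits."""
    return [a for a in (evaluate_event(e) for e in events) if a is not None]


# Constructed sample events: three decoy touches and two benign records.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Users\svc_backup\.aws\credentials",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-sqlreport",
     "IpAddress": "::ffff:10.0.5.23", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "legacy-app01", "PreAuthType": "0",
     "IpAddress": "::ffff:10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.5.23", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "IpAddress": "::ffff:10.0.5.23"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.kind}] {alert.account} from {alert.source_ip}: {alert.detail}")
```

Run on the constructed sample it raises exactly three alerts, one per decoy type, and stays silent on the ordinary krbtgt ticket request and the normal pre-authenticated logon. The fidelity comes from the inventory: because no legitimate process ever opens the decoy file or requests a ticket for the decoy accounts, any hit is worth an immediate response rather than triage.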
Building a Stronger Foundation for the Future
The NCSC’s trials provided impartial, real-world validation of a security methodology that has been historically underutilised. We are proud to have partnered with them on the Active Cyber Defence 2.0 programme, and we are committed to applying these learnings to enhance our offerings and provide even greater protection to the organisations that need it most.
Protecting the world’s most sensitive organisations requires constant innovation and a willingness to adopt strategies that mirror, then outmanoeuvre, the attacker. Cyber deception is a powerful tool in that arsenal, offering the precision and proactive capability needed to keep critical assets secure.
You can read the NCSC’s full analysis of the trials and their key findings here: Cyber deception trials: what we’ve learned so far.
