NEWS: The hacker thought he had stolen a password, but had actually called the police. GitHub teaches how to bait a hacker into emotions (and logs)

rottingcastle

Attackers have long been accustomed to classic defenses, so more and more security teams are trying to play on the field of deception. Instead of just closing holes, they plant baits that look like real secrets, credentials and services. Anyone who falls for them almost certainly came not to do their job but for other people’s data.

The Awesome Deception catalog has appeared on GitHub and is regularly updated. It is a large collection of articles, studies, reports, charts and tools about cyber deception, honeypots and «signal» lures such as honeytokens and canary tokens. The authors explicitly note that at some point the original list effectively had to be rescued: the old versions had grown and their links broke over time, so the new branch is maintained with an emphasis on keeping the materials current.

Put in simple terms, cyber deception means pre-positioning things in the infrastructure that should never be used legitimately. It can be a fake key, a bait account, a file designed to attract an attacker, a test service or a whole fake network segment. As soon as the attacker interacts with the bait, the defenders receive a precise signal that someone else is in the system. The approach is backed by major frameworks such as MITRE Engage, where deception is treated as part of planned adversary engagement operations, and MITRE D3FEND, which has a separate Deceive tactic and a set of techniques for «decoys» and traps.

Judging by the recent additions to the collection, deception is rapidly shifting into clouds and DevOps. Wiz, for example, opened up the source of HoneyBee, a tool that uses an LLM to generate intentionally misconfigured environments and configurations in order to deploy realistic baits and learn more quickly about attacks on popular technologies. It is no longer «one bait in the corner of the network», but automated deployment of vulnerable stacks similar to what is actually found in companies.

There is growing interest in the topic of «AI vs AI». In the LLM Agent Honeypot research paper, researchers describe a honeypot that tries to distinguish between ordinary attackers and autonomous LLM agents and to assess how often such agents are already found «in the wild». This direction is more an exploration of future risks, but the very fact that such experiments have appeared shows where the industry is looking.

Interestingly, not all the new «fashionable» targets already attract real attackers. GreyNoise wrote at the end of 2025 that in their experiment with MCP honeypots they saw almost no targeted exploitation attempts, although, by their observations, any service exposed to the Internet is found quickly, after which the usual background scanning begins. In other words, the trend toward AI middleware is noticeable, but there was no mass hunt for it at that time.

Practitioners also share their experience, and sometimes it looks much more mundane than «full-fledged honeypots». Grafana Labs, for example, detailed how canary tokens help catch an early signal of intrusion and why what matters is not the form of the bait but smart placement and scaling. Thinkst develops the idea of «visible deception» and produces unusual options, such as «credit card» Canarytokens, which are meant to scare fraudsters with the fact that any stolen number can be a trap.

At the same time, large regulators and government bodies are also testing the approach in practice. In December 2025 the UK’s National Cyber Security Centre published interim findings on its testing of cyber deception solutions and stressed that such tools can provide valuable visibility and reveal hidden compromises, but require careful implementation and correct «trimming» processes.
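
The signal described above (any use of a planted secret means someone else is in the system), as an added example that is not part of the original post or of any project it mentions. It assumes decoy cloud keys are registered together with the place they were planted and that API logs arrive as CloudTrail-shaped JSON lines; the key IDs, host names, IP addresses and log records are constructed.

```python
import json
from collections import defaultdict

# Planted decoys: key id -> where the bait was placed (all values constructed).
DECOYS = {
    "AKIADECOYEXAMPLE0001": "ci-runner-07:/home/build/.aws/credentials",
    "AKIADECOYEXAMPLE0002": "wiki page 'Legacy backup procedure'",
}

# Constructed sample: CloudTrail-shaped records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2026-01-10T08:01:12Z","eventName":"ListBuckets","sourceIPAddress":"198.51.100.20","userIdentity":{"accessKeyId":"AKIAREALEXAMPLE0009"}}
{"eventTime":"2026-01-10T09:30:00Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.45","userIdentity":{"accessKeyId":"AKIADECOYEXAMPLE0001"}}
{"eventTime":"2026-01-10T08:14:55Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.44","userIdentity":{"accessKeyId":"AKIADECOYEXAMPLE0001"}}
not-json garbage line
{"eventTime":"2026-01-10T08:15:03Z","eventName":"ListUsers","sourceIPAddress":"203.0.113.44","errorCode":"AccessDenied","userIdentity":{"accessKeyId":"AKIADECOYEXAMPLE0001"}}
{"eventTime":"2026-01-10T09:31:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.20","userIdentity":{}}
"""


def find_decoy_use(log_text, decoys=DECOYS):
    """Return one alert per triggered decoy, aggregating every touch of it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # damaged line: skip it, keep scanning
        if not isinstance(event, dict):
            continue
        key_id = (event.get("userIdentity") or {}).get("accessKeyId")
        if key_id in decoys:
            hits[key_id].append(event)  # denied calls count too: nobody legitimate holds this key
    alerts = []
    for key_id, events in hits.items():
        events.sort(key=lambda e: e.get("eventTime", ""))  # ISO-8601 UTC sorts as text
        alerts.append({
            "decoy": key_id,
            "planted_at": decoys[key_id],  # tells responders which asset was read
            "first_seen": events[0].get("eventTime"),
            "source_ips": sorted({e.get("sourceIPAddress", "?") for e in events}),
            "calls": [e.get("eventName") for e in events],
            "denied": sum(1 for e in events if e.get("errorCode")),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_decoy_use(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

Because each decoy is registered with its placement, a single alert names both the caller and the asset where the key was read, which is why placement matters more than the form of the bait.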