Deception Signals
Overview
Deception Signals turns decoys (honeypots) into high-fidelity alerts. When an attacker interacts with one of your workspace's decoys, the interaction is recorded and surfaced as a signal. Because nobody legitimate should ever touch a decoy, these alerts carry almost no false positives.
What it is for
- Catch attacker activity that slips past prevention, with very low noise.
- See exactly what was attempted against a decoy (path, method, tags) so you can respond quickly.
- Keep signals scoped to your workspace: you only ever see interactions with your own decoys.
How to use it
- Register a decoy (honeypot) for your workspace. Decoys enroll through the agent API using your workspace API key, which scopes the decoy to your workspace.
- Open Deception Signals (
#/deception) in the platform. - Review recent decoy interactions: the decoy that was hit, the event type, the request path and method, a hashed source identifier, and any risk tags.
By API:
GET /api/deception/signalsreturns{ "signals": [...], "nodes": [...], "node_count": N }scoped to your workspace. Authenticated, licensed workspace access is required.
Evidence and privacy
Signals are workspace-scoped: a workspace only ever sees interactions with its own decoys. Source identifiers are hashed, and payloads are sanitized at capture time. The editable global deception graph is managed by Dralvia and is not exposed to workspaces.
Where it appears
- Deception Signals console (
#/deception): decoy summary and recent interactions.
Limits
This is a read-only signals view scoped to your workspace's decoys. Designing and placing decoys across the shared fabric is managed by Dralvia. The value depends on having decoys registered for your workspace.