Endpoint decoys are realistic but fake artifacts placed inside systems. These can include fake credentials, mapped drives, service accounts, files, or registry entries. From an attacker’s perspective, they look legitimate.
Now think about how an attacker behaves post-compromise. They search for credentials. They look for lateral movement paths. They enumerate systems. When they touch a decoy credential or attempt to use a fake mapped drive, they reveal themselves.
Legitimate users have no reason to touch these assets because they serve no real operational purpose, so any interaction with one becomes a high-confidence signal. There's no need to rely on suspicious behavioral patterns alone, which must be weighed against normal noise.
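The detection side of this, as an added example that is not from the original article: a small matcher that checks Windows Security events against a decoy inventory. The event IDs and field names are the real Windows ones; the decoy names, the sample events and the `DECOYS`/`SAMPLE_EVENTS` structures are constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed decoy inventory; names are hypothetical, chosen to look like real assets.
DECOYS = {
    "account": {"svc_backup_legacy"},          # honeytoken service account
    "share": {r"\\*\Finance_Archive"},         # fake mapped drive (5140 logs shares as \\*\Name)
    "file": {r"C:\Users\Public\passwords_old.xlsx"},  # bait file with a SACL for auditing
}
# Windows Security event IDs and the field that names the touched artifact.
EVENT_FIELDS = {
    4624: ("TargetUserName", "account"),  # successful logon
    4625: ("TargetUserName", "account"),  # failed logon
    4768: ("TargetUserName", "account"),  # Kerberos TGT requested
    5140: ("ShareName", "share"),         # network share accessed
    4663: ("ObjectName", "file"),         # object accessed (needs object-access auditing)
}

@dataclass(frozen=True)
class Alert:
    event_id: int
    decoy_kind: str
    decoy: str
    source: str  # IP or subject that touched the decoy

def detect_decoy_interactions(events, decoys=DECOYS):
    """Return one Alert per event that references a decoy artifact.
    Any hit is high-confidence: no legitimate workflow uses these names."""
    alerts = []
    for ev in events:
        spec = EVENT_FIELDS.get(ev.get("EventID"))
        if spec is None:
            continue  # event type carries no decoy-relevant field
        field, kind = spec
        value = ev.get(field, "")
        for decoy in decoys[kind]:
            if value.lower() == decoy.lower():  # Windows logs names in mixed case
                source = ev.get("IpAddress") or ev.get("SubjectUserName", "?")
                alerts.append(Alert(ev["EventID"], kind, decoy, source))
    return alerts

# Constructed sample events: two benign, three that touch decoys.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.5.21"},
    {"EventID": 4625, "TargetUserName": "SVC_BACKUP_LEGACY", "IpAddress": "10.0.5.21"},
    {"EventID": 5140, "ShareName": r"\\*\Finance_Archive", "IpAddress": "10.0.5.21"},
    {"EventID": 5140, "ShareName": r"\\*\Public", "IpAddress": "10.0.7.3"},
    {"EventID": 4663, "ObjectName": r"C:\Users\Public\passwords_old.xlsx",
     "SubjectUserName": "jsmith"},
]
```

Because the match is an exact name lookup rather than a heuristic, every alert it emits points at a specific decoy and a specific source, which is what makes the signal high-confidence.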
This interaction often happens early, during reconnaissance, so detection occurs before privilege escalation or lateral movement fully unfolds.
That’s how deception endpoint coverage shifts detection earlier in the attack lifecycle.
