Cyber deception has been gaining momentum for years, but the conversation has changed quickly. What was once viewed by some security teams as an advanced or specialized capability is now being discussed as a practical response to AI-assisted attacks, shrinking exploit timelines, and overloaded security operations.
The expert community is pointing in the same direction. Gartner has been talking about preemptive cybersecurity, where the goal is to deny, deceive, and disrupt attackers before they can complete their objectives. MITRE Engage is built around the same active defense ideas, helping organizations think through adversary engagement, denial, and deception as part of a deliberate security strategy.
Meanwhile, two important documents arrived in quick succession this month, and security leaders should read them as a pair.
First, the Cloud Security Alliance (CSA), SANS, [un]prompted, the OWASP Gen AI Security Project, and a long list of cybersecurity leaders released The AI Vulnerability Storm: Building a Mythos-Ready Security Program, an expedited strategy briefing created in response to Anthropic’s Claude Mythos capabilities disclosure. The briefing gives CISOs an actionable framework for responding to AI-driven vulnerability discovery and includes a clear near-term recommendation: build a deception capability within the next 90 days. That recommendation is part of a broader 11-action security program, which also calls for actions like AI agent adoption, updated risk models, continuous patching readiness, attack surface reduction, environment hardening, automated response, and a permanent VulnOps function. Deception stands out because it is one of the more concrete steps security teams can begin taking now. It is measurable, operational, and directly tied to how AI-assisted attackers are beginning to behave.
Second, Anthropic’s LLM ATT&CK Navigator report adds important context. Anthropic analyzed 832 banned accounts associated with malicious cyber activity over one year and mapped observed behavior to MITRE ATT&CK. The report shows AI use moving beyond preparation and into operational activity inside live environments. Attackers are using AI to help with account discovery, service enumeration, lateral movement, exfiltration, and multi-step orchestration.
Read together, the two documents make a complete argument: as threats move faster and deeper into the kill chain, security teams need more than the traditional sequence of detection, research, patching, and response. The fundamentals still matter, but defenders also need controls that can detect suspicious behavior when the exploit, malware, or vulnerability is unknown.
Why the Clock is Ticking
AI-assisted vulnerability discovery changes the defender timeline. If attackers can find weaknesses faster, develop exploits faster, and move from discovery to action faster, then security teams have less time to rely on the usual sequence of detection, research, patching, prioritization, and response.
Patching, asset inventory, segmentation, MFA, dependency management, and incident response remain critical. In many cases, they matter more than ever. The challenge, however, is that those controls still depend on time, awareness, and coordination. Security teams need to know what exists, understand what is vulnerable, identify what matters most, apply the right fix, and respond before the attacker moves too far.
AI compresses that timeline.
It also changes what attackers can do once they are inside. Anthropic’s ATT&CK findings suggest AI use is moving from preparation into live operations, where attackers enumerate accounts, test access, pivot across systems, and chain actions together. Those behaviors matter because they create a detection opportunity. When an attacker explores an environment, follows credentials, tests access, or investigates something that appears valuable, deception can turn that activity into a high-confidence signal.
That is why the CSA/SANS recommendation matters. Deception is attack-tool and vulnerability independent. It doesn’t need to know which model the attacker used, which CVE got them in, or which exploit path they followed. It detects what the attacker does next.
How Cyber Deception Works

The basic concept behind deception is straightforward. A deception platform creates believable-but-fake assets that appear attractive inside an environment. These can include decoys, baits, breadcrumbs, lures, honey accounts, honey tokens, fake credentials, cloud artifacts, IT assets, OT assets, and other elements placed where an attacker is likely to look.
Those elements are designed to look useful to an attacker, but they have no legitimate business purpose. Since normal users and normal business processes shouldn’t need to interact with them, the signal is cleaner. If an attacker, insider, automated process, or AI-assisted attack path engages with a deception element, the security team gets an early indication that something deserves attention.
That is what makes deception especially relevant in an AI-assisted attack environment. AI can help attackers enumerate more thoroughly, move faster, and test more paths than a human operator might explore manually. The same exhaustive behavior that makes an AI-assisted intrusion dangerous can also make it more likely to touch a decoy, follow a breadcrumb, test a honey account, or interact with an asset that should never be touched.
Deception doesn’t replace the rest of the security program. It adds an early-warning layer in the places where attackers are likely to move after preventive controls fail.
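The detection idea described above, as an added example (not code from this article, Velaspan ACE, or Acalvio ShadowPlex): any event that references a decoy identifier raises an alert, regardless of outcome or volume. The decoy names, event field names, and log lines are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed decoy registry: identifiers with no legitimate business use.
# Values are stored lower-case; event values are case-folded before matching.
DECOYS = {
    "user": {"svc-backup-adm"},                 # honey account in the directory
    "access_key_id": {"honeykey-example-01"},   # honey token left in a file share
    "dest_host": {"fin-db-02.decoy.example"},   # decoy asset in a key segment
}

# Constructed sample events (JSON lines), shaped like normalised SIEM records.
SAMPLE_EVENTS = """\
{"ts":"2025-01-10T09:00:01Z","src":"10.0.4.17","user":"alice","dest_host":"mail01.corp.example","action":"logon","result":"success"}
{"ts":"2025-01-10T09:02:10Z","src":"10.0.9.33","user":"SVC-Backup-Adm","dest_host":"dc01.corp.example","action":"logon","result":"failure"}
{"ts":"2025-01-10T09:02:45Z","src":"10.0.9.33","user":"bob","dest_host":"fin-db-02.decoy.example","action":"smb_connect","result":"success"}
this line is truncated and is not valid JSON
{"ts":"2025-01-10T09:05:00Z","src":"203.0.113.50","access_key_id":"HONEYKEY-EXAMPLE-01","action":"ListBuckets","result":"denied"}
"""

def decoy_touches(lines):
    """Yield an alert for every event that references a registered decoy.

    No threshold and no success check: a single failed attempt still alerts,
    because nothing legitimate should reference these identifiers at all.
    """
    for raw in lines.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(event, dict):
            continue
        hits = sorted(
            f"{field}={str(event[field]).casefold()}"
            for field, decoys in DECOYS.items()
            if field in event and str(event[field]).casefold() in decoys
        )
        if hits:
            yield {"ts": event.get("ts"), "src": event.get("src", "unknown"),
                   "hits": hits, "result": event.get("result")}

def alerts_by_source(lines):
    """Group alerts per source so one actor's chain of touches reads together."""
    grouped = defaultdict(list)
    for alert in decoy_touches(lines):
        grouped[alert["src"]].append(alert)
    return dict(grouped)

if __name__ == "__main__":
    for src, alerts in alerts_by_source(SAMPLE_EVENTS).items():
        print(src, [a["hits"] for a in alerts])
```

The failed logon to the honey account and the denied call with the honey token both alert; the ordinary logon by `alice` does not.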
What a 90-Day Deception Effort Can Look Like
Days 1-14: Begin with the assets and pathways attackers are most likely to care about. In the first month, the priority is identifying crown-jewel systems, sensitive data stores, privileged identities, key network segments, and the paths an attacker might use to reach them. This work supports deception, but it also strengthens broader cyber readiness by clarifying what matters most and where lateral movement risk is likely to concentrate.
Days 15-45: Place an initial deception layer in areas most likely to attract attacker attention. That may include breadcrumbs where an enumerating attacker would look first, baits and honey tokens in file shares or cloud storage, decoy service accounts in the directory, and decoy assets projected into key network segments. Early coverage should focus on the paths an attacker is most likely to test first, with high-confidence detection points placed around priority assets, credentials, and lateral movement routes.
Days 46-75: Connect the signal to response. A deception alert is only useful if the right people see it quickly and know what to do next. Alert routing, escalation contacts, runbook actions, containment expectations, and approval thresholds should be defined and documented before a real incident occurs. In an AI-assisted attack environment, the time between discovery and action may be shorter than teams are used to, so the response model needs to be ready before the alert fires.
Days 76-90: Test and tune. Organizations should validate that deception elements are visible where intended, alerts route correctly, runbooks make sense, and teams understand how to investigate and respond when a deception asset is touched. They can also measure time from interaction to investigation, identify gaps in coverage, tune deception placement, and refine response procedures.
By the end of the 90 days, deception should no longer be a concept or a pilot with unclear ownership. It should be an operational capability that produces actionable intelligence, supports faster investigations, and delivers a measurable improvement in cyber readiness to leadership.
Built for This Moment
Cyber deception has existed for years, but deploying it well takes planning. The technology needs to fit the environment. The deception elements need to be believable. The alerts need to route to the right people and tools. The incident process needs to be clear before a real alert occurs. Without that operational layer, even a strong platform can become another tool that a busy security team has to learn, tune, and maintain.
Velaspan’s Active Cyber Engagement (ACE) solution was built for this exact moment. ACE is a managed cyber deception and adversary engagement service powered by Acalvio ShadowPlex and operated by Velaspan. For qualified environments, ACE can help organizations stand up a deception capability in as little as 30 days, giving security teams a practical path to act on the 90-day guidance without spending that entire window evaluating, learning, staffing, and managing a new platform on their own.
That managed approach is the difference between deploying deception technology and making deception operational. Velaspan works with customers to understand the environment, identify the right use cases, define the deployment approach, coordinate implementation, integrate alerts into existing workflows, and manage the service over time. That includes the playbooks, runbooks, escalation paths, communication procedures, reporting expectations, and ongoing tuning needed to support deception in a real environment.
The goal is to give security teams a capability that fits into the way they already operate. ACE is designed to complement the customer’s existing SOC, SIEM, SOAR, EDR, MDR, and incident response processes by adding an active defense layer that produces high-fidelity alerts, supports faster investigation, and strengthens the tools and teams already in place.
The managed model also helps customers avoid the common trap of deploying a powerful tool without the time or staff to maintain it. Deception needs to stay believable. Environments change. Attack paths change. Priorities change. ACE gives customers a partner responsible for helping tune and operate the capability as part of an ongoing service, not just a one-time deployment.
ACE can also support use cases beyond initial detection. During an attack, deception can help test hypotheses, continue engagement with an attacker in a controlled way, and enrich investigation. During an acquisition, it can support threat hunting on new networks or new segments. During a purple team exercise or penetration test, it can provide additional visibility into how simulated attackers move and which controls need improvement.
A Practical Response to a Faster Threat Environment
The recent guidance reinforces the need for security leaders to move quickly while continuing to invest in the fundamentals. Deception belongs in that plan because it is independent of the specific exploit, tool, or vulnerability an attacker uses. It creates a way to detect suspicious behavior based on interaction with assets that should never be touched.
ACE gives organizations a practical way to build that capability without starting from scratch. Acalvio provides the deception platform. Velaspan provides the implementation, integration, and managed operations layer that helps customers put it to work.
For organizations building a 90-day cyber readiness plan, the next step is making deception operational in their own environment.
Velaspan can help.
Don’t spend 90 days evaluating options. Be operational in 30 with Velaspan ACE.