TrapX Security's DeceptionGrid™
TrapX Security's DeceptionGrid™

Name: DeceptionGrid™
Company: TrapX Security
Description: CAWS is a unique application that mimics a human operator.
Price: Price is per VLAN on a tiered basis (the more you buy the less you pay per VLAN). Average price is $1000 per VLAN
URL: https://www.


This product is the most representative of what we see as an advanced deception network. It is actively morphing constantly to cut off the intruder at every turn and lure him into the deception grid and away from the real network using advanced AI and an escalating deployment of lures and deceptions.

DeceptionGrid is an exceptionally well-thought-out system that has a specific process feeding a workflow and integrating with third party tools. In the early stages of an attack, the intruder is led through a series of intensifying functions that either derail the attack or lead it to a conclusion that is, itself, a dead-end.

The first stage is the deployment of endpoint lures.  These are low interaction and are intended to move a genuine attacker along or to defeat the attack as in the case of a script kiddy who finds himself seeing assets but getting nowhere near them and giving up. The next stage is a medium interaction trap that masquerades as whatever is typical within the victim network. This is not a full operating system but has the characteristics of one. A persistent attacker is led to a high interaction honeypot which is a real (virtual) machine with a complete operating system and the types of applications and activity that would be expected on the real network.

This behavior is routed to the workflow, which collects intelligence dynamically and feeds an incident response process supported by third-party products such as SIEMs.  The process is bait attackers with endpoint lures, then trap them with emulated traps and engage them with full operating system traps. The medium interaction traps can be deployed in very large numbers to help detect lateral movement when taken with the targets makes it easier to identify attackers.

The system can deploy any quantities of up to 500 unique decoys. When it is time to deploy full O/S decoys it uses lightweight virtual deployments, such as .ova files. These decoys can be deployed manually, can be imported or the system can decide what it needs on the fly. The medium interaction decoys are not full O/S deployments though they appear to be and have all the characteristics, behave correctly and the attacker cannot use them to escape into the real system.

High interaction honeypots are full O/S contained in a wrapper that allows the attacker to interact at all levels without being able to escape into the real operating environment. The deception tokens are lures or breadcrumbs that draw the attacker towards the safe part of the deception grid. To aid in identifying malware, a sandbox subscription is included in the licensing fee.

The highpoint of the system is the event analysis.  This consists of the event analyzer, attack visualization, forensics, event correlation, the monitor and the event workflow.  Attack visualization is one of the system's crown jewels.  The visualization shows exactly what the attacker has done, how it has moved and with what it is interacting. Drilling down gets significant detail.

TrapX contends that because assets in a deception network are not real they have no business reason to exist.  Therefore, any attempted interaction must be malicious.

The web site is adequate and there is premium support included in the licensing fee..

– Peter Stephenson, technology editor