• Home
    • Documentation
    Welcome! We are in the process of updating the documentation - please contact us with any unanswered questions.

    Defused - Expand your Detection Capabilities with Better Data.

    Defused is a SaaS deception platform that helps you easily build advanced detection and response capabilities.

    Base features in a nutshell:

    • High-Fidelity Detection: Real-time alerts on suspicious activities through sophisticated detection and decoy engagement, enabling early breach detection and immediate response to prevent real damage.
    • Broad Coverage: Deploy customizable decoys across your network to mimic critical systems and lure attackers away from valuable assets, effectively enhancing your threat detection capabilities.
    • Low Overhead: Controlled via a single cloud interface, Defused is designed for busy professionals, offering efficient decoy deployment and maintenance with minimal overhead.
    • Multiple Deploy Modes: Defused VM & Defused Cloud Decoy provide coverage for network-level capabilities, Defused Windows Agent for host-level capabilities.

    Why Defused?

    Defused provides a straightforward and fast way to build high-fidelity detection capabilities into almost any type of environment, whether you run IT, OT, cloud, or any other type of infrastructure. Defused offers a plug-and-play experience for augmenting your infrastructure with an active deception layer.

    In contrast to the traditional detection approach, which typically involves crunching massive amounts of logs and applying rules to detect what is bad and what is not, using an active deception layer approach moves you beyond just passively detecting and provides numerous other benefits.

    First, it amplifies your threat signal quality by alerting only from activity that tries to exploit the deceptive layer. Second, using an active approach can slow down or completely deter an attacker trying to advance through your infrastructure, directly eliminating or greatly reducing downstream breach costs. Third, the deception layer can act as a digital security twin of your environment, producing actionable risk insights about your overall security posture.

    Defused offers various capabilities that can be deployed to detect and deter attacks across the lifecycle of an attack. A capability means a specific type of active deception element used for a specific attack or tactic. Currently, Defused offers over 150 capabilities.

    Most capabilities are click-and-deploy, meaning they require little to no fine-tuning, considerations for false positives, parsing, or similar efforts. Examples of active components include decoys—false but attractive-looking targets for attackers to go after. See our capabilities section for more information on what Defused offers.

    Whether you are a one-person IT team or part of a larger SOC team, Defused provides you the means to expand your detection capabilities with Better Data.

    Account Types

    Defused offers three distinct account types, each with its own set of features and capabilities.

    You can view the capabilities offered by each account level on our pricing page.

    Get Started

    Decoys can usually be deployed into any location - like a specific network (financial, HR, manufacturing), DMZ, a lab environment, or similar.

    The Defused Windows Agent runs on Windows 10 and 11.

    Defused VM is deployed via your virtualization software, e.g. VMWare Vsphere, ESXi or similar. The Virtual Machine Images section lists available Defused VM flavours.

    The other main deployment line is using the Defused Cloud Decoy to deploy on top of popular cloud services, e.g. Amazon EC2.

    Tactical and Enterprise accounts can opt to run their Defused VM's in standalone mode.

    I want to deploy capabilities into a virtual machine environment, such as an on-premise-type environment.

    Follow the Defused VM track to deploy your first decoy server.

    I want to deploy capabilities onto a cloud resource, such as AWS EC2 or similar.

    Follow the Defused Cloud Decoy track to deploy the Cloud Decoy.

    I want to add capabilities to a Windows machine.

    Follow the Defused Windows Agent track to deploy the Cloud Decoy.

    Defused Cloud Decoy Installation

    Time Icon Installation will take you 5-10 minutes

    No-infrastucture Install NEW!

    You can now deploy into the Defused Managed Decoy Network, allowing you to test Defused by deploying decoys into a network we manage. This provides the convenience of testing our tool without the necessity of provisioning any infrastructure. After a duration of 1 hour, both the decoys and the network they reside on will automatically vanish.

    Each VM/Cloud deployable capability has an option called "Deploy To Cloud", which deploys the selected capability into our managed network.


    Start with a fresh install of Ubuntu (22.04 & 20.04) or Amazon Linux 2 or 2023.

    More distros coming soon.

    Install required Ansible packages:

    • Elevate yourself to root.

      sudo su

      Update & install Ansible.

      apt update && apt install -y ansible

    • Elevate yourself to root.

      sudo su

      Update & install Ansible.

      amazon-linux-extras install ansible2 -y

    • Elevate yourself to root.

      sudo su

      Update & install Ansible.

      dnf install -y ansible

    Download and Run the Playbook

    Resource Image

    This Content Requires An Account

    You have to login to view this resource. Create a free community account to access this other platform features.

    AWS Autodeploy

    If you're deploying Defused into AWS, you can pass the below bash script directly into the user data field to perform the configuration automatically.

    Resource Image

    This Content Requires An Account

    You have to login to view this resource. Create a free community account to access this other platform features.


    The installer connects the decoy directly to the Defused Cloud. No further actions are needed - you're all set!

    The newly deployed decoy will be visible in the decoy servers list. The installer also automatically installs the selected decoy type and sets up alerting.

    Alert Testing

    This section introduces the "Live Exploit Simulation" tool, allowing you to test our alerting system by launching a safe, controlled exploit against a deployed decoy. This hands-on approach helps you understand the alert generation process and the effectiveness of the detection mechanisms in a real-life scenario.

    Resource Image

    This Content Requires An Account

    You have to login to view this resource. Create a free community account to access this other platform features.

    Firewall Rules

    Many cloud providers automatically open some standard ports and block others. To see which ports your selected decoy type uses, check the capabilities page. Then, ensure these ports are open on your cloud computing instance.

    When using the Managed Decoy Network as the deployment method, the relevant ports are whitelisted automatically.

    Defused Windows Agent Installation Guide

    Time Icon Installation will take you 5-10 minutes


    Before starting the installation process, ensure that your Windows system runs either Windows 10 or 11. An active internet connection is required for downloading additional dependencies.

    Downloading the Agent

    The Defused Windows Agent can be downloaded from the downloads page. Navigate to the page and locate the agent's installer, then click on it to start the download.

    Agent Capabilities

    The Defused Windows Agent attempts to automatically apply all available Windows Host capabilities listed under "Host Agent" on the capabilities page.

    Installation Steps

    The platform only stores information about the deployment paths and properties of honeyfiles to help you inventory & monitor them on target systems. Additionally, the system hostname is used to identify agent locations. No other data is collected.

    1. Start a command prompt window as an Administrator.
    2. Navigate to the folder you downloaded the Defused MSI installer into.
    3. Install the Defused Windows Agent by running:

    msiexec /i Defused.msi APIKEY= CONNECT="None"

    For Defused Subscribers, if you have an existing Defused VM running you can autoconnect your Windows Capabilities to existing Decoys by adding the "CONNECT" parameter:

    msiexec /i Defused.msi APIKEY= CONNECT="decoy-server-name-here"

    4. The installer will run and silently boot the Defused Windows Agent in the background.

    Post Installation

    Upon successful installation, a notification will appear in your Defused Cloud Management Dashboard. This notification confirms the registration of the newly installed agent.

    Defused Windows Agent Components

    agent.exe This executable is responsible for alert monitoring. Once deployed, it continually scans for alert events and forwards them to Defused Cloud Managament for processing and potential incident creation.

    generator.exe This executable generates decoy configurations locally on your system. It is only run on setup and on any update events.

    clean.exe This is an uninstaller executable. Running this file will remove all deployed decoys and agents from your system, reverting it to a pre-deployment state. See the next section on how to use the uninstaller.

    Uninstalling the Agent

    The Defused installation package contains an uninstaller (clean.exe) which is triggered via the command line using the --apikey="your-api-key-here" syntax. It will remove all honey files from your system and uninstall the program.


    If you encounter any issues during the installation or usage of the "Defused Windows Agent", refer to our troubleshooting guide or contact our support team for assistance.

    Defused VM

    Time Icon Installation will take you 20-30 minutes

    Defused VM is currently offered in the following formats:

    Most Linux distros already have KVM kernel modules and userspace tools available through their packaging systems. This is the easiest and recommended way of using KVM. More information: https://www.linux-kvm.org/page/Downloads
    Images for platforms like ESXi, Workstation and VMWare player is available.
    An image for Hyper-V Manager is available.

    Virtual Machine Images

    Resource Image

    This Content Requires An Account

    You have to login to view this resource. Create a free community account to access this other platform features.

    When you've downloaded your image, find your install instructions on the navigation column on the right.

    Using the Defused VM - KVM


    This link contains an additional installer script to get up and running as fast as possible.

    The local install script (aves-freemium.sh) will automate a lot of your decoy installment procedure. Download and place it into the same folder as your decoy server image:

    Resource Image

    This Content Requires An Account

    You have to login to view this resource. Create a free community account to access this other platform features.

    First, ensure you have the necessary KVM packages on the host machine.

    • In Fedora/CentOs:

      yum -y install virt-viewer virt-manager qemu-kvm bridge-utils net-tools virt-install libvirt

    • In Debian/Ubuntu:

      apt install -y virt-viewer virt-manager qemu-kvm bridge-utils net-tools virtinst libvirt-daemon-system

    • Installing the Server

      Once all necessary KVM packages are installed onto the host, copy/move the decoy server image (.qcow2) and your install script (.sh) into the following directory:

      cp aves-freemium.* /var/lib/libvirt/images/

      Now, jump into /var/lib/libvirt/images and edit the decoy server's ethernet interface according to your host machine interface:

      cd /var/lib/libvirt/images

      ip addr #your ethernet interface should start with "eth*", "eno*", "ens*", "enp*" or similar

      sudo nano aves-freemium.sh # edit ethernet interfaces here

      When editing aves-freemium.sh, change MANAGEMENT_INTERFACE and DECOY_INTERFACE according to your ethernet interface(s) (e.g. enp2s0).

      Starting the Decoy Server

      In /var/lib/libvirt/images on the host machine:

      chmod a+x aves-freemium.sh

      sudo ./aves-freemium.sh

      Your decoy server should now install and start.

      Inside the Decoy Server

      If you're using a graphical desktop, the decoy server (KVM) window should pop up automatically after executing aves-freemium.sh. If not:

      • 1) Use virt-manager to connect to KVM graphical desktop
      • 2) Use virtual machine console for text based connection:
      • virsh console aves-freemium

      There should be a login prompt when the server has successfully started. Use the user/password combination

      XXXXXXXXXX Sign up to view the password
      when logging in. Remember to change this password after your first login.

      user: [decoy-server-user], password: [decoy-server-password]

      sudo su [password]

      Networking Setup

      Now, we'll set up networking inside the decoy server image.

      Run our networking script inside the decoy server image to auto-setup networking:

      sudo /opt/aves/avestool -d #this generates /opt/aves/aves.conf

      Check what IP address was set up for your decoy server. It will look something like the following:

      ip a #check the IP address of the GUI for access to it


      This is the address where you can access your decoy server's management interface. We need to visit soon it to connect your decoy server with your cloud management. Finally, reboot the decoy server to ensure it has configured correctly:

      sudo reboot #Restart KVM

      Your decoy server networking is now set up. It may take a couple minutes to reboot. You can now jump into the Logging into the Local Server section.

      Defused VM - ESXi


      This guide assumes you have the VMware ESXi installed.

      • Login & Create

        Login to the ESXi host and right click Virtual Machines - then click Create/Register VM.

      • Select Files & Storage

        Give the virtual machine a name then click Click to select files or drag/drop.

        Locate the *.ovf and *.vmdk files that make up your VM, select them.

        Select a datastore to store the virtual machine on, then click Next.

      • Port Group & Network Settings

        Note! These settings are required for the decoys to have proper networking.

        Right-click Networking in the VMware Host Client inventory and click Add port group from the pop-up menu.

        Enter a name for the new port group.

        Set the VLAN ID to configure VLAN handling in the port group.

        Select a virtual switch from the drop-down menu.

        Expand Security and enable the following options:

        • Security -> Promiscuous mode
        • Accept Security -> MAC address changes
        • Accept Security->Forged transmits

        Click Add.

        Your port group is created.

      • Power on your VM

        You can now power on your VM.

      • Starting the Decoy Server

        Now that the server is running, we'll set up networking inside the decoy server image. The default freemium credentials are

        XXXXXXXXXX Sign up to view the password

        user: [decoy-server-user], password: [decoy-server-password]

        sudo su [password]

        Run our networking script inside the decoy server image to auto-setup networking:

        /opt/aves/avestool -d

        Check what IP address was set up for your decoy server. It will look something like the following:

        ip a


        This is the address where you can access your decoy server's management interface. Before logging into the GUI, reboot the decoy server to ensure it has configured correctly:


        Your decoy server networking is now set up. It may a minute to reboot.

        You can now jump over to the section Logging into the Local Server.

        Defused VM - Hyper-V


        This guide assumes you have the Hyper-V Manager installed.

        Create the Decoy Server Virtual Machine

        Open Hyper-V Manager and create a new virtual machine with the following settings:

        • Specify Name and Location

          Give your virtual machine a name of choosing. (e.g. DefusedVM1)

        • Specify Generation

          Select Generation 1.

        • Assign Memory

          We suggest a minimum of 2048MB for the VM. You can keep dynamic memory checked.

        • Connect Virtual Hard Disk

          Select “Use an existing virtual hard disk” and set it to the Defused virtual hard disk file provided to you.

        • Finish

          You can now click “Finish” and complete the install.

        Before Powering on Your Defused Server

        There’s a few extra configurations needed before powering on the Defused Server.

        Networking – Test Setup

        For testing purposes, a simple NAT network setup will be sufficient. In the Hyper-V Manager, go to “Virtual Switch Manager” and create a new External virtual switch. Then, connect this to your network adapter of choice.

        This setup will make both the management UI and the decoys available in the same network as your host machine (i.e. the machine running your Hyper-V Manager.)

        Networking – Production Setup

        For production deployments, we highly recommend setting up the decoy interface and the management interface into separate network. For Defused customers, we offer complementary networking help over Zoom - please consult with us for suggestions how to set your decoys up in the most safe manner.

        Boot Order

        Set “IDE” to be on the top of the boot order list.

        Connecting your Defused Server to the network

        If you did not already have a ready virtual network switch when creating the virtual machine, right click on your Defused VM on the main screen of Hyper-V Manager and click “Settings.”

        Under the list of hardware, find “Network Adapter” and change the virtual switch from “not connected” to the new virtual switch created in the above step.

        Before clicking “Apply”, make sure to also enable MAC address spoofing under the “Advanced Features” tab (see image below):

        Click apply and your networking setup will be done.

        You can now power on the VM.

        Starting the Decoy Server

        Now that the server is running, we'll set up networking inside the decoy server image. Log in with your supplied credentials:

        user: [decoy-server-user], password: [decoy-server-password]

        sudo su [password]

        Run our networking script inside the decoy server image to auto-setup networking:

        /opt/aves/avestool -d

        Check what IP address was set up for your decoy server. It will look something like the following:

        ip a


        This is the address where you can access your decoy server's management interface. Before logging into the GUI, reboot the decoy server to ensure it has configured correctly:


        Your decoy server networking is now set up. It may a minute to reboot.

        You can now jump over to the section Logging into the Local Server.

    Post-install Actions (Defused VM)

    Logging into the Defused VM

    From your host computer or server, log into your decoy server's management interface - using the setup example IP address here as an example, your local decoy server would be accessed at Remember your GUI IP address may be different! You should be presented with a login screen.


    Log in with the default credentials:

    XXXXXXXXXX Sign up to view the password

    Linking into the Cloud

    You don't have an API key yet. Generate it in Settings under "API Access".

    Connecting the decoy server to the cloud is a quick and easy process.

    On the left hand navigation, under Server Configuration, click Cloud.

    Here, give your local decoy server a location name (like "DMZ") and set the Poll Frequency (how often the local server should check for configuration updates from the cloud).


    Now, click "Save" and then click "Poll".

    Your decoy server is now registered with the cloud management interface and transmits alert activity into the cloud. Well done! You should be able to see your newly registered decoy server in the cloud management interface under Decoy Management --> Decoy Servers:


    Defused VM - Deploying your First Decoy

    This section is undergoing an update. Please check back later, we appreciate your patience.

    Let's spin up your first decoy!

    For a trial decoy, we will use the local server deploy function. On the side navigation menu, click "Decoy" (the plus sign) and simply use one of the Quick Templates to set up a test decoy. Select one of the quick templates and give it a name - then click "Quick Deploy."


    Your decoy is now configured but not live yet. To deploy it onto the network, go to Settings, then Decoy Configuration and click Apply Config:


    Once the apply finishes, your local decoy server is now armed with it's first decoy - and ready to capture attacks!

    Testing and Updating

    Testing Instructions

    You can now test your local decoys by, for example, scanning them and doing test attacks against them.

    Example: scanning my decoys

    To view how a decoy looks on your network, you can use Nmap tool to scan the decoy. See Nmap web pages (https://nmap.org/) on installing NMAP.

    After installing Nmap, use the command

    $ nmap -Sv IP_ADDR

    where IP_ADDR is the IP address of the decoy, to determine service/version information. On console, you should see something like the following ouput after Nmap has been executed. Exact values depend on what services/emulations you have running on the decoy's IP address.

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 12:04 EET Nmap scan report for IP_ADDR Host is up (0.00012s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 25/tcp open smtp Exim smtpd 4.69 Service Info: Host: smtp.WINNT.com
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds

    Example: doing a test attack

    To test an exploit decoy, you can use Metasploit Framework. See the Metasploit web pages about installing instructions for Metasploit.

    After installing Metasploit Framework, use following command sequence. This example is for vulnerability CVE-1999-0512 "A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers." Substitute IP_ADDR with your decoy's IP address.

    $ msfconsole msf5 > use auxiliary/scanner/smtp/smtp_enum
    msf5 auxiliary(scanner/smtp/smtp_enum) > set rhosts IP_ADDR
    rhosts => IP_ADDR
    msf5 auxiliary(scanner/smtp/smtp_enum) > run

    On console, you should see something like this when Metasploit runs the exploit sequence:

    [*] - Banner: 220-smtp.WINNT.com ESMTP Exim 4.69 #1 Thu, 26 Mar 2020 09:59:56 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
    [+] - Users found: , 4Dgifts, Debian-exim, Debian-snmp, EZsetup, OutOfBox, _apt, abrt, adm, admin, administrator, anon, arpwatch...
    [*] - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    An alert for exploit attempt should now pop up on your local and cloud server (if the cloud server is connected.)

    Example: Testing a Windows Honey File

    Open a honey file, such as C:\unattend.txt, to activate the event logger.

    Defused continuously scans the event logger, forwarding pertinent events to the Defused cloud dashboard as alerts.

    Note: Event detection latency for honey files may extend up to 1 minute. This is because the monitoring agent prioritizes lightweight operation and checks for new events at specific time intervals.

    Updating a Connected Server

    Updating a cloud-connected decoy server is incredibly easy.

    If updating from the local server, simply go to settings and under 'Decoy Configuration', click the 'Update Decoys' or 'Update GUI' button.

    Note: the update may take a couple of minutes to complete.

    Once the package install completes, the new decoy definitions in the update are ready for use.

    If updating from the cloud, go to Decoy Servers and flag the "Update Decoy Engine" action on the server(s) you wish to be updated. The update will commence on the next poll cycle.

    Updating a Standalone Server

    Updating a standalone server (for example, a server placed into a network without internet connectivity) is also relatively straightforward.

    Per the delivery mechanism chosen, you will receive a new decoy package file from us.

    First, use a method of choice to transfer the new decoy package file onto the decoy server host. For example, using scp as the transfer method:

    scp /path/to/image/file.tgz user@address:/opt/aves/images

    Now that the new decoy package file is on the local decoy server, go to Decoy Packages and select the active "default" package.

    Under the package information screen, click 'Refresh' and you should see the new decoy package file under the header 'List of installable image packages'.

    Click on the link to the new decoy package file and you should be presented with a overview of the new decoy package contents.

    Then, simply click on "Install Package to Server" which will install the new decoy package onto the server.

    Note! This may take a minute to complete.

    Once the package install completes, the new decoy definitions in the package file are ready for use.


    Deploy How-To

    If you followed the documentation on your first deployment, you'll already be aware that you can deploy decoys both from the local Decoy Server as well as from the Capabilities page (if the local Decoy Server is connected to Defused Cloud.)

    Detection Logic

    The detection logic of decoys matches incoming attack traffic with the appropriate label best suited to gauge its severity.

    Detection events are mapped on the decoy side to match the best hit within the decoy detection parameters. Alerts like 'Vulnerability Exploited' and 'Service Scan' can be generally considered to be highly accurate.

    If a decoy has a vulnerability emulator enabled, traffic that does not exploit the vulnerability fully but is still recognized by the decoy is generally labelled as 'Possible exploit attempt.' Note that this is not a direct guarantee that the traffic was aiming to exploit, as sometimes e.g. a network scanner may trigger this in a vulnerability emulation.

    Dynamic Sandbox

    The Dynamic Sandbox creates a post-exploit sandbox environment where an attacker can be dropped into for further analysis of their actions.

    The sandbox environments monitor and record attacker actions in real time, and also collect any files dropped by the attacker into the shell environment.

    Not all decoy types currently contain sandbox environments - the Sandbox label denotes decoys with embedded sandbox environments when deploying via Capabilities.


    Cloud Integration

    The cloud enables management of the local decoy servers without having to actively log into the local servers.

    Currently, you can remotely manage the following actions from the cloud:

    • Alert Aggregration (collect all alerts from all servers into the cloud)
    • New decoy deployment
    • Decoy deletion from local environments
    • Updating decoy definitions
    • Updating the GUI (coming on the next update)

    The local server uses your API key to communicate into the cloud. If you haven't already, generate yourself a key in Settings. Note that the key is only visible to you when generating it, so remember to store it somewhere, e.g. a password manager or a similar solution.

    When the Cloud Integration is enabled, depending on the Poll Interval variable set on the local server, the local server checks the cloud for new actions to be done based on this interval. It is recommended to set the poll interval at a fairly low number, e.g. 120 seconds.


    The Capabilities page in Defused Cloud contains ready-made templates for quickly deploying new decoy types into your local environments. A prerequisite for using Capabilities is enabling the Cloud Integration.

    Capabilities contains both individual decoy templates that can be selected for deployment one-by-one and, as a developing functionality, Decoy Bundles which deploy multiple decoy types to cover a specific capability set on the network.


    Adding team members to the Defused platform enhances collaboration by enabling users to share incidents, manage them, and communicate via the incident view.

    To begin the process, go to the Settings tab on your dashboard.

    Inside Settings, click on the Team submenu.

    Creating a Team

    If you are not in a team yet and wish to create one, you can create a team by clicking the "Create Team" button. This will create a team for you and make you the administrator of the team.

    Adding Members

    Here you can add new team members by entering their email addresses. If the email is not found on the platform, an invitation is sent to them to sign up, and on signup the user is automatically added to your team.

    Only team admins can add and delete new teammembers.

    Sharing Incidents

    Team members can share incidents with one another. This is useful for coordinating responses to issues.

    Once team members are added, they can manage incidents and communicate with each other directly in the incident view.


    Automation helps you discover and automate how to structure your decoy operations, for example by highlighting and automatically deploying relevant new decoy types to your decoy servers.

    Automation is a beta feature and available only for Defused Enterprise Accounts.


    Upcoming feature - full documentation coming soon.

    Incidents & Alerts


    Alerts are generated when a decoy is attacked. Each alert is contextually labelled with useful details like CVE numbers denoting which attack vector was used, MITRE ATT&CK tactics, attacker source IP and further information where applicable, like a raw representation of the network data. This ultimate is designed to make it easier for the defender to make decisions on the alerts.

    Defused has two ways to show you these alerts: 'Verbose' and 'Condensed.' In 'Verbose,' you see a detailed list of every single alert. In 'Condensed,' alerts from the same attacker and close in time are grouped together for quick review.

    Incident View

    You can group many alerts into one Incident. This lets you see related alerts together. You can also easily share this Incident with teammates using a special link.

    If sandbox events occur, 'Incident Mode' activates automatically. This groups related alerts for you, no extra steps needed.

    Alert Integrations

    Defused subscription users have full access alert integrations capability. You can set up alert forwarding into external tooling, e.g. email, SIEM, ticketing, etc. via the integrations tab on the side navigation.

    Email integrations can also be set up to be forwarded to multiple parties in your organization, so that your team can each receive an alert summary on any attack activity into your inbox.

    Forensics files

    Decoys with the shell emulator enabled can collect files transferred into them by the attacker. The files become available for download for the user in the incident view tab. Files also persist on the decoy server in case the attacker attempts to delete the artifacts on the machine.


    A Capabilities template is disabled and says "Available after decoy engine update."

    The Decoy Server VM you're trying to deploy into doesn't have a new enough decoy engine. You can update the engine in the local server by setting the "Update Decoy Engine" action to trigger on the next update cycle.

    The top navigation bar says I have "unapplied decoys."

    In Defused Cloud, if you use Capabilities to deploy a decoy type into a location (or a Decoy Bundle), you need to set the "Send new decoys" action onto the server you have deployed the decoys into.

    In Defused Standalone, if you use the "New Decoy" menu to deploy decoys, you need to run "Apply Config" under Settings whenever you have created new decoy configurations.


    Processing. Please wait...