
The artificial intelligence (AI)-driven cyber espionage campaign recently reported by Anthropic is further evidence that AI is being used to power sophisticated cyberattacks. Experts say that without preemptive cybersecurity solutions, agencies risk severe mission impacts from rapidly evolving cyber threats.
They say traditional defense strategies that rely on alert analysis and reactive measures are no longer enough, especially as adversaries use AI to launch faster and more sophisticated attacks. That is where preemptive, AI-powered cyber deception comes in.
MeriTalk recently sat down with two cybersecurity experts at Acalvio, Suril Desai, vice president of engineering, and Ralph Kahn, general manager for federal, to discuss how AI-powered cyber deception works, why it offers a preemptive defense advantage, and how it supports federal cybersecurity priorities, including zero trust and layered defense strategies.
MeriTalk: Let’s start by defining cyber deception. What is it, and how does it work?
Desai: Cyber deception is based on the concept of setting traps for the attacker – decoys, deceptive credentials, or honey tokens – that are placed throughout the IT environment. They can be placed on endpoints, in identity stores, and across on-premises and cloud workloads. The key is to place traps where attackers expect to find high-value assets. These traps don’t serve any legitimate business purpose, so any interaction with them is a clear sign of malicious activity.
To move through the environment, attackers need to do reconnaissance. When they probe the environment, these decoys appear realistic, attractive, and believable. The moment they engage with one, an alert is generated. This gives defenders early visibility into an intrusion well before the attacker can cause harm. It’s a preemptive security strategy: assume compromise, deploy deception, and detect early.
MeriTalk: How does cyber deception use AI?
Desai: While the concept of cyber deception isn’t new, it’s always been difficult to deploy effectively. You have to place the right type of deception in the right place and make it look completely authentic to the attacker. That’s where AI comes in.
First, AI helps recommend relevant deceptions. For example, when creating a honey account in Active Directory, there are over 100 attributes to configure. AI can generate realistic values for these attributes, making the account look legitimate to even the most skilled attacker.
Second, AI-powered cyber deception improves triage. Instead of SOC analysts combing through fragmented alerts, AI can correlate signals from decoys across the environment, generate high-fidelity alerts, and map them to the MITRE ATT&CK framework. This gives analysts a clear picture of attacker tactics and helps them respond quickly.
Finally, AI-powered cyber deception helps create realistic content in high-interaction decoy environments. Attackers exploring these decoys believe they’ve found real assets and continue their activities, giving defenders time to observe and gather intelligence.
MeriTalk: Federal agencies are focused on cyber defense and already use a variety of technologies to counter increasingly sophisticated attackers. Why would they want to add cyber deception to the mix?
Kahn: One of the biggest problems in security operations today is the signal-to-noise ratio. SOC analysts are buried under alerts – many of them false positives. Deception changes that. The alerts you get from a deception system are high-confidence. If someone interacts with a decoy, it’s 99.99% likely that something’s wrong.
Cyber deception also identifies malicious insiders who are doing things they shouldn’t be doing. It doesn’t matter who interacts with the trap – external attacker or insider – the response is the same: The SOC team is immediately alerted. That’s a powerful capability at a time when insider threats are growing.
Deception fundamentally flips the cyber defense equation. Today, attackers only need to be right once, while defenders must be right 100% of the time. With deception, the defender only needs to be right once, and the attacker always has to be right.
MeriTalk: What role do AI-based cyberattacks have in shaping new cyber defensive tools and techniques like cyber deception?
Desai: AI is accelerating the offensive side of the cyber arms race. Attackers are using large language models to generate new ransomware variants and perform static code analysis to find zero-day vulnerabilities. A recent Anthropic report showed how generative AI is democratizing access to sophisticated cyberattack capabilities.
These aren’t fundamentally new exploits, but AI makes them easier and faster to execute. And that shifts the threat landscape dramatically. Traditional, reactive defense strategies can’t keep up.
Defenders need a paradigm shift. Instead of waiting for an exploit to unfold and matching it against known signatures, we need preemptive defenses – like cyber deception – that anticipate attacker behavior and catch them in the act before any damage is done.
MeriTalk: Agency chief information security officers (CISOs) and chief information officers (CIOs) are striving to meet zero trust and other cybersecurity mandates. How would cyber deception help them?
Kahn: CISOs and CIOs have one of the hardest jobs in the world. They’re dealing with staffing challenges, and they have to make sure their workforce is continually trained. They’re dealing with increasing volumes of attacks that are increasing in complexity and speed.
Cyber deception is a technology they can rely on to help with their greatest challenge: detection. It boosts the productivity of SOC analysts and threat hunters, reduces risk, and helps agencies meet zero trust by improving visibility and reducing dwell time.
There’s another underappreciated benefit: Deception can shape attacker behavior. When attackers can’t trust what they’re seeing, because even real assets might be disguised as fake, they hesitate, make mistakes, and question their data.
That uncertainty is powerful. If an attacker lands on a real database but thinks it’s a decoy, they may fail to complete their objectives. It’s a subtle but strategic way to degrade the adversary’s confidence and control the engagement.
MeriTalk: Are cyber deception solutions comprehensive? Or would an organization that adopts one need to combine it with a variety of other cyber defense technologies?
Desai: Cybersecurity requires a defense-in-depth approach, with layers of prevention and layers of detection. Cyber deception is a critical detection layer, working alongside prevention tools like firewalls and multifactor authentication, and detection technologies like endpoint detection and response and log analytics.
Increasingly, cyber deception is viewed as a foundational component of the defense-in-depth approach because it’s exceptionally good at detecting identity-based exploits, insider threats, and sophisticated attacks that traditional tools often miss.
To be effective, cyber deception and other layers must work together – not operate in silos. That’s why it’s important to have platforms that are pre-integrated and share intelligence across layers. Only then can agencies build a truly comprehensive, coordinated defense.
MeriTalk: Acalvio’s cyber deception technology was recently tested at the Navy’s Advanced Naval Technology Exercise (ANTX). Tell us a little bit about that challenge and how Acalvio fared.
Kahn: The Navy held an ANTX exercise to test deception technologies. After an initial screening, five companies were selected to face off against a real red team in a lab environment. Acalvio won that challenge. We’re very proud of it.
It’s a strong validation of our approach. And more importantly, it shows that cyber deception isn’t theoretical. It’s real, it’s proven, and it’s ready for federal missions.
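The detection idea Desai and Kahn describe (a decoy serves no business purpose, so any interaction with it is an alert, which is then correlated and mapped to MITRE ATT&CK) can be shown in a few lines of code. The block below is an added example written for this page; it is not Acalvio's code and is not part of the interview. The decoy account names, the decoy service principal name (SPN), the log records and the simplified JSON-per-line log shape are all constructed for illustration; the ATT&CK identifiers T1078 (Valid Accounts), T1110 (Brute Force), T1558.003 (Kerberoasting) and tactic TA0007 (Discovery) are real, and the event IDs 4624, 4625 and 4769 are the standard Windows security logon, failed logon and Kerberos service ticket request events.

```python
import json
from collections import defaultdict


# Constructed decoy inventory (hypothetical names). In a deployment this is the
# list of honey accounts and SPNs the deception platform planted; nothing
# legitimate should ever authenticate as, or request a ticket for, these.
DECOY_ACCOUNTS = {"svc_backup_admin", "sqlsvc_legacy"}
DECOY_SPNS = {"MSSQLSvc/legacy-db.corp.example:1433"}

# Windows security event IDs mapped to the ATT&CK technique a decoy hit implies.
TECHNIQUE_FOR_EVENT = {
    4624: ("T1078", "Valid Accounts: successful logon with a planted credential"),
    4625: ("T1110", "Brute Force: failed logon against a planted account"),
    4769: ("T1558.003", "Kerberoasting: TGS request for a planted SPN"),
}
UNCLASSIFIED = ("TA0007", "Discovery: unclassified interaction with a decoy")

# Constructed sample events, one JSON object per line (a simplified shape
# standing in for exported Windows security log records).
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:01Z", "event_id": 4624, "user": "jdoe", "src": "WS-101"}
{"ts": "2025-01-10T09:01:15Z", "event_id": 4625, "user": "svc_backup_admin", "src": "WS-237"}
{"ts": "2025-01-10T09:01:16Z", "event_id": 4625, "user": "svc_backup_admin", "src": "WS-237"}
{"ts": "2025-01-10T09:02:40Z", "event_id": 4769, "user": "jdoe", "spn": "MSSQLSvc/legacy-db.corp.example:1433", "src": "WS-237"}
{"ts": "2025-01-10T09:03:05Z", "event_id": 4624, "user": "sqlsvc_legacy", "src": "WS-237"}
{"ts": "2025-01-10T09:05:00Z", "event_id": 4624, "user": "asmith", "src": "WS-102"}
"""


def parse_events(text):
    """Parse JSON-per-line records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_decoy_interactions(events):
    """Return one alert per event that touches a decoy account or SPN.

    Because decoys serve no business purpose, every hit is an alert: there is
    no threshold or baseline to tune, which is what makes the signal high-fidelity.
    """
    alerts = []
    for e in events:
        if e.get("user") in DECOY_ACCOUNTS:
            decoy = "account:" + e["user"]
        elif e.get("spn") in DECOY_SPNS:
            decoy = "spn:" + e["spn"]
        else:
            continue  # touches only real assets; not a deception signal
        tid, desc = TECHNIQUE_FOR_EVENT.get(e.get("event_id"), UNCLASSIFIED)
        alerts.append({
            "ts": e["ts"],
            "src": e["src"],
            "decoy": decoy,
            "technique": tid,
            "summary": desc,
        })
    return alerts


def correlate_by_source(alerts):
    """Fold per-decoy alerts into one incident per source host.

    The analyst gets a single case (host, time window, decoys touched, ATT&CK
    techniques observed) instead of a separate alert for every hit.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    incidents = []
    for src, hits in sorted(by_src.items()):
        hits.sort(key=lambda a: a["ts"])
        incidents.append({
            "src": src,
            "first_seen": hits[0]["ts"],
            "last_seen": hits[-1]["ts"],
            "alert_count": len(hits),
            "decoys": sorted({a["decoy"] for a in hits}),
            "techniques": sorted({a["technique"] for a in hits}),
        })
    return incidents


if __name__ == "__main__":
    found = detect_decoy_interactions(parse_events(SAMPLE_LOG))
    for incident in correlate_by_source(found):
        print(json.dumps(incident, indent=2))
```

Run on the constructed log, the two legitimate logons from WS-101 and WS-102 produce nothing, while WS-237 is rolled up into one incident covering four decoy hits and three techniques. The point a practitioner should take from it is the absence of any tuning: the only inputs are the decoy inventory and the raw events, and the fidelity comes from the decoys having no legitimate users rather than from statistics over the alert stream.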