Deception for the AI-Attack Era
AI-powered attacks are accelerating – enabling even less-skilled adversaries to perform rapid reconnaissance, exploit vulnerabilities, and move laterally deep inside networks. At the same time, organizations simply cannot patch every bug in time. Traditional defenses that wait for indicators of compromise will miss advanced attacks (often remaining undetected for months). Proactive cyber deception provides a complementary strategy: by planting realistic decoys (fake servers, databases, credentials, OT devices, documents, etc.) throughout the network, every attacker interaction becomes a verified alert of intent. Sarab, a Qatari sovereign deception appliance, leverages these principles to give Gulf organizations early warning and forensics on intruders before real assets are harmed. This article explains how AI-enabled attacks are changing the game, why defenders need independent detection methods, and how Sarab’s decoys, telemetry capture, and integrations turn attacker behavior into actionable intelligence (mapping to MITRE ATT&CK, scoring alerts, and guiding SOC response).
AI-Empowered Threats: Attackers use AI to automate phishing, reconnaissance, malware development, credential harvesting and post-compromise actions. Notably, recent analyses found that AI use has shifted deeper into attacks (e.g. AI-assisted account discovery and lateral movement are rising). AI allows even unsophisticated actors to execute advanced techniques and pivot quickly through networks, making attack speed and complexity outpace traditional detection.
Limitations of Patching: The vulnerability backlog is growing rapidly (CVEs exploded by 38% in 2024), and most organizations cannot deploy fixes fast enough. “51% of security teams say patching is a bigger challenge than finding vulnerabilities,” notes Adaptiva. In practice, weeks or months can elapse before critical patches are applied, while adversaries armed with AI strike faster than ever. The result is a persistent window of exposure where zero-day and slow-patch attacks thrive.
Deception as Active Defense: Deception technology addresses this gap by assuming intruders will enter and focusing on detecting their actions, not specific exploits. Modern NIST guidance explicitly recommends deception for critical infrastructure (NIST SP 800-172, 800-160 Vol.2, 800-82 Rev.3) as a proactive measure. Deception “wastes” the adversary’s time and resources and reveals their TTPs (tactics, techniques, and procedures) as soon as they interact with a decoy. Unlike signature or anomaly alerts, any engagement with a fake asset is verified proof of malicious intent, yielding high-confidence alarms with minimal false positives.
In the AI-attack era, defenders must therefore shape the battlefield by planting decoys and breadcrumbs throughout IT and OT. Sarab is built on this strategy. In the sections that follow, we detail Sarab’s architecture and operation, including decoy varieties, placement tactics, captured telemetry, MITRE ATT&CK mapping, and SOC workflows. We then illustrate detection flows in sample scenarios (ransomware reconnaissance, data-theft hunting, and OT probing). Finally, we discuss how Sarab’s alerts integrate into SIEM/SOAR systems, feed detection engineering, and contribute to shared threat intelligence.
AI-Empowered Attacks: Speed, Scale, Autonomy
Recent research confirms that attackers are harnessing AI to become dramatically more dangerous. For example, a 2026 analysis of 832 AI-enabled threat accounts showed: 67% used AI to write malware, and attackers are increasingly deploying AI for post-compromise activities like account discovery and lateral movement. In one year’s time, the share of actors using AI in reconnaissance (e.g. valid account discovery) grew by ~9 percentage points, while AI-assisted phishing (initial access) actually declined. In short, AI tools let adversaries automate the tedious, technical tasks once reserved for experts.
This shift has two key impacts on defenders:
Faster Reconnaissance: AI can rapidly scan networks, enumerate assets, and identify vulnerabilities. Every host, network share, or IoT/OT interface can be probed by automated scripts or LLM agents within seconds. Attackers can use AI chatbots to craft bespoke spear-phishing, generating convincing lures at scale. Experiments have shown AI recommending high-value pivot paths once inside, effectively replacing hours of manual research.
Escalated Sophistication: The barrier to advanced techniques is lowered. AI-driven agents can chain together multiple TTPs (e.g. compromise → privilege escalation → lateral moves → data exfiltration) with little human input. As a result, even “low-skill” threat actors now carry out complex campaigns involving dozens of techniques (comparable to high-tier attackers). Traditional risk heuristics (e.g. counting unique tools or techniques) no longer reliably gauge threat level.
Implication: With AI accelerating the entire kill chain, security teams face far less reaction time. Detection tools that rely on matching known signatures or slow behavioral analytics fall behind. The time from breach to damage can shrink from months to days or hours. The only way to regain defensive advantage is to actively engage adversaries early – for example, with deception traps that turn attacker speed against them.
The Patching Bottleneck: More Exploits, Less Time to Fix
Recent vulnerability trends exacerbate this problem. In 2024, over 30,000 new CVEs were reported – a 38% jump from 2023. Although most vulnerabilities can be discovered (via scanning and research) relatively quickly, patch deployment lags far behind. A survey found that 51% of practitioners see patching as a bigger challenge than detection. Many organizations require a week or more to roll out critical fixes, with complex environments sometimes taking months. In practice, this leaves most networks containing known vulnerabilities at any given time.
Meanwhile, adversaries with AI can weaponize zero-days or unpatched flaws faster than ever. Adaptiva notes that “threat actors leverage AI to execute attacks quicker than ever, [and] manual patching is a hindrance”. Attackers can generate exploit code in minutes or create tailored malware with LLM assistance. No matter how vigilant, defenders simply cannot harden every component instantaneously. There will always be a gap.
Conclusion: Because prevention (patching and blocking) cannot fully eliminate risk, organizations need detection- and deception-based layers that do not depend on a specific vulnerability. Rather than chasing every exploit, a proactive approach is to assume breaches will occur and focus on spotting malicious movement and intent. Deception technology provides exactly that “independent of TTP” detection: an adversary, whether using AI-generated malware or a stock pen-test tool, ultimately must do something in the environment, and if that “something” hits a decoy, it can be caught immediately.
Deception as Active Defense
In this context, deception is not merely passive “honeypots” in the corner. It is a full-spectrum strategy to mislead attackers, delay their progress, and expose them to monitoring. NIST now endorses deception explicitly: recent publications (SP 800-172, 800-160v2, 800-82) highlight that active deception can “waste adversary resources and reveal TTPs, intent, and targeting,” and that it “impedes the adversary’s ability to conduct meaningful reconnaissance”. CounterCraft observes that deception is especially crucial in critical infrastructure (utilities, energy, OT), where live systems can’t be patched easily and downtime is unacceptable.
The core idea is that every fake asset is a sensor. Common decoys include:
Servers & Services: Dummy file servers, backup servers, email servers, web apps, or cloud resources that look legitimate.
Databases: Stand-ins for finance, HR, or customer databases.
File Shares/Documents: Decoy shares containing bogus documents (like false financial spreadsheets or credentials).
Active Directory/Accounts: Honey user accounts and fake admin accounts placed in AD or LDAP, with no legitimate activity.
Credentials & Tokens: Fake passwords, API keys, or access tokens planted in systems or code (canary tokens that only attackers use).
OT/ICS Devices: Emulated ICS/SCADA controllers, PLCs, HMIs in an OT network (e.g. fake SCADA workstations for energy/grid).
Breadcrumbs/Honeytokens: Fake registry entries, configuration files, or small bait files scattered on hosts.
When an attacker browses the network or tries stolen credentials, any access to these traps generates an alert of high fidelity. For example, if a decoy finance database named HR_Salary_Archive receives a query, the system knows instantly that a human should never have tried that (a normal user never sees this database). In the Acalvio analysis, “every deceptive asset acts as a silent sensor, turning attacker actions into verified alerts with minimal false positives”. Unlike signature alerts, decoy alerts do not depend on knowing the attacker’s malware – they are triggered by any interaction. This means even zero-day exploits or AI-modified tools will trip the sensor if the attacker reaches a fake asset.
Because Sarab is virtual and software-defined, it can emulate many decoy types across networks and VLANs. In typical deployment, Sarab (or similar platforms) will:
Place decoy servers/VMs on user and server subnets, with realistic hostnames, services, and dummy data.
Mirror Active Directory objects, creating fake user accounts or administrative portals that attackers might target.
Scatter fake credentials in “honey” config files or token caches; for example, placing a dummy service account password in a web.config.
Inject artifacts on endpoints, such as a “password.txt” honeytoken that yields an alert on open.
Emulate OT gear on industrial VLANs (e.g. a virtual PLC or HMI on a reserved IP) to catch ICS attackers.
Placement strategy is key: decoys should appear in paths attackers would use. Best practices (endorsed by vendors like Acalvio) suggest seeding decoys throughout high-risk zones – e.g. department shares, backup networks, identity domains – rather than only at the perimeter.
Periodically refreshing decoys and credentials also maintains authenticity. Importantly, Sarab decoys are “non-intrusive”: they do not serve real production traffic, so even if heavily scanned or attacked, they pose no risk to live systems.
Captured Telemetry: When an adversary hits a Sarab decoy, the appliance logs rich data in real time. Typical telemetry includes:
Source Host/IP: which compromised endpoint or IP attempted the connection.
Timestamp & Timeline: exact time of each interaction, and sequence of steps (did the attacker try one decoy then another?).
Service/Port Accessed: e.g. SSH to decoy-server, SQL query to fake DB, or API call to dummy cloud service.
Credentials/Accounts Used: which username/password or token was presented (if any) – e.g. attacker tried fake Admin credentials.
Commands Executed: the exact commands or queries issued, scripts dropped, or payloads delivered in the decoy environment.
Tools/Processes: any malware or tools run on the decoy (often the decoy will allow a sandboxed execution of attacker code to see what it does).
Files Accessed: decoy files or directories the attacker browsed or exfiltrated.
All this is captured without endangering real assets. It effectively turns each decoy into a “black box recorder” of the attack. For instance, if a ransomware group attempts to catalog all network drives, their scans on the fake drives would be fully logged. If an attacker phishing account uses AI to try LDAP queries, Sarab captures the exact query sequence.
Once captured, Sarab maps the behavior to MITRE ATT&CK tactics and techniques. Deception platforms are known for exposing lateral movement and credential abuse under the ATT&CK framework. For example, a failed login using a decoy credential can be mapped to “Valid Accounts” (TA0006), and a decoy file shares access to “Discovery” (TA0007). By reporting the associated ATT&CK IDs, Sarab helps SOC analysts understand what phase of the kill chain was hit and what likely objectives the attacker had.
High-Confidence Alerts and Scoring: Unlike noisy anomalies, Sarab alerts have very high fidelity. Most vendors report near-zero false positives, because only malicious actors should ever touch the decoys. Sarab can assign confidence scores or severity levels based on the type of interaction (for example, successful credential use might score higher than just a probe). In practice, a Sarab alert triggers immediate SOC attention. Acalvio notes that “deception provides immediate, actionable alert” (with “extremely high” fidelity) compared to traditional behavioral alerts. The SAC (Security Advisory Center) can prioritize these intent-driven alerts to investigate.
SOC Actions: Upon a Sarab alert, recommended steps typically include:
Isolate the Source: Quickly contain or isolate the compromised host or user account that touched the decoy.
Gather Evidence: Use Sarab’s logs to see exactly what was attempted (commands, tools, and credentials) and correlate with other telemetry.
Hunt Related Activity: Search for similar behavior on other hosts (e.g. same credentials or scanning patterns).
Lock or Reset Credentials: If fake credentials were attempted, determine where the real equivalent exists and secure it (e.g. rotate that admin password).
Protect Real Assets: Focus protection on the real asset that the decoy was imitating (e.g. if a decoy backup server was targeted, ensure the production backup servers are isolated and monitored).
Update Detection Rules: Feed Sarab’s attacker-specific data back into the organization’s detection engineering. For example, if attackers ran a custom PowerShell script in the decoy, SOC can create a SIEM rule to flag that script if it appears elsewhere.
Threat Intel Sharing: Export Sarab’s indicators (IPs, TTPs, malicious payload hashes) via STIX/IoC feeds to SIEM or regional intel-sharing platforms. The Gartner description notes Sarab supports “IoC/STIX sharing” for threat-intelligence-driven response.
<table> <thead> <tr><th>Decoy Type</th><th>Example Use</th><th>Captured Telemetry</th></tr> </thead> <tbody> <tr><td>Fake Database Server</td><td>Ransomware trying to find database backups</td><td>Source host; SQL queries run; credentials tried; timestamp; any data pattern requested</td></tr> <tr><td>Honey File Share</td><td>Insider/exfiltration on network share</td><td>Access path; files opened/downloaded; user/account name used; file hashes</td></tr> <tr><td>Fake Admin Account</td><td>Credential dumping / privilege escalation</td><td>Account names tried; commands attempted under that account (e.g. net user, Get-ADUser); source IP</td></tr> <tr><td>Honey API Token</td><td>Cloud account reconnaissance</td><td>API call logs; permissions enumerated; attempted cloud actions; token value (fake)</td></tr> <tr><td>Document Honeytoken</td><td>Lateral movement/insider threat (e.g. “Confidential_Plan.docx”)</td><td>Document open event; reading application used; user and host interacting</td></tr> <tr><td>Emulated OT/ICS Device</td><td>Industrial sabotage attempts</td><td>Protocol commands (e.g. Modbus requests); device-specific queries; source network segment</td></tr> </tbody> </table>
Detection Flow Scenarios
Ransomware Preparation: An employee machine is phished and compromised. Attacker tries to map drives and finds a fake backup server (backup-vault-node.sarab.local). When the attacker mounts this decoy and lists files, Sarab logs every action. It captures the folder names, copies of dummy backup files the attacker attempts to exfiltrate, and any encryption command they run. Immediately, Sarab issues an alert “Lateral Movement – decoy backup server accessed.” The SOC notices this before any real backup is encrypted. They isolate the source endpoint and confirm the real backup systems were untouched, thanks to the decoy acting as an early tripwire.
Data-Theft Reconnaissance: A corporate network scan (perhaps AI-driven) discovers a decoy finance database HR_Salary_Archive. The scanner attempts a SQL login using an apparently valid credential. Sarab logs the username and failed password attempt. It then sees the attacker try a different dummy account. It records the exact SQL commands and responses. Because no legitimate process ever uses that database, the Sarab alert “Reconnaissance – fake finance DB access” is sent to the SOC. Investigators use the captured SQL queries to fingerprint the attacker’s toolkit and create SIEM rules. The real finance DB is prioritized for extra monitoring.
OT Network Probing: In a power plant network, an attacker (perhaps via a phishing that hit an HMI workstation) starts querying devices. Sarab has emulated a PLC (PLC-01-ICS) on the network. The attacker polls this device using industrial protocols. Sarab captures the Modbus/OPC commands and sees the attacker attempt to write to a “Coil” on the fake device. It immediately alerts “OT intrusion: device write attempt.” Since Sarab logs the exact protocol commands and source IP, the OT SOC team traces back to the HMI workstation and quarantines it. In this air-gapped environment, the decoy gave precious seconds to act before a real PLC was tampered with.
mermaid
Copy
flowchart LR
subgraph Attacker Flow
A(Initial Compromise e.g. Phishing) --> B(Internal Reconnaissance/Scanning)
B --> C(Interaction with Decoy Asset)
end
subgraph Sarab Capture
C --> D[Capture Commands, Creds, Tools, Source IP, Timestamp]
D --> E[Generate High-Confidence Alert (e.g. "Fake DB access")]
end
subgraph SOC Response
E --> F{SOC Investigation}
F --> G(Isolate Source Host)
F --> H(Containment & Hunt: Check Other Signs)
F --> I(Update Rules & Playbooks)
end
Integration with SIEM/SOAR and Threat Intelligence
Sarab is designed to augment existing security operations rather than replace them. Verified deception alerts and telemetry can be forwarded to SIEM/XDR platforms for correlation and automated response. As Acalvio notes, deception telemetry “feeds actionable data into analytics, hunting, and SIEM/SOAR workflows, accelerating response across the network, endpoint, and cloud”. For example, a Sarab alert can be sent via syslog or API to a SIEM (e.g. Microsoft Sentinel) where it triggers a playbook: auto-isolating the compromised endpoint and flagging the event in incident tracking. Sarab’s support for standards like STIX/TAXII means indicator artifacts (malicious IPs, hashes, attacker profiles) can also be shared with broader threat-intel platforms.
Crucially, Sarab closes the loop for detection engineering. All captured attacker behavior is raw material for improving defenses. A decoy login attempt yields new IAM rules; a novel script run in the honeypot yields new detection signatures; repeated lateral scans highlight network segments needing microsegmentation. Over time, Sarab enables a feedback loop: each deception “event” feeds visibility into previously blind spots. The platform effectively empowers a Lean SOC: instead of sifting through thousands of generic alerts, analysts receive a handful of intent-centric incidents complete with context, ready for direct response and rule creation.
Conclusion
AI is transforming cyber threats making them faster, more automated, and harder to spot. In this environment, Gulf organizations need more than firewalls and EDR agents; they need active defense layers that catch intruders after they bypass perimeter controls. Deception provides a proven method to do just that. By using Sarab’s advanced decoys and honeytokens across IT and OT networks, Qatar’s SOC teams gain early warning of malicious movement, low-noise high-confidence alerts, and detailed attacker intelligence before any real assets are harmed. In effect, Sarab turns every fake target into a real sensor, giving defenders the time and insight to stay ahead of AI-driven adversaries.
