Defused IB - Internal Breach Detection (generally available soon)
Defused IB helps organizations detect internal breaches and limit their blast radius using fast, low-friction deception components. It provides early visibility into attacker movement inside the network, protecting critical systems and closing visibility gaps with minimal setup.
Overview
Defused IB lets defenders deploy internal deception assets - decoys and interconnected lures - that detect malicious activity and shape the attacker's actions once the perimeter has been breached. It is built to protect high-value systems, improve detection maturity, and produce actionable internal threat intelligence that security automation pipelines can ingest directly.
Key Benefits
- Protect Crown Jewels - Detect, defuse, and generate intelligence on attacks targeting critical internal assets such as ERP systems, virtualization environments, manufacturing networks, and custom business applications.
- Close Visibility Gaps - Replicate bespoke internal assets or applications to bring detection-and-response-grade visibility to hard-to-monitor areas of your environment.
- Increased Detection Maturity - High-quality, plug-and-play alerting that your security automation workflows can consume directly.
Core Capabilities
- Internal Deception Components - Deploy decoy files, decoy assets, and fake credentials within your network and endpoints.
- Crown Jewel Protection - Improve the security of business-critical infrastructure (ERP, virtualization, OT, databases).
- Incident Acceleration - Gather rich, high-fidelity internal telemetry to close investigations faster and improve detection engineering.
- Low-Friction Deployment - Lightweight, agentless options for rapid rollout across corporate and industrial networks.
Example Use Cases
1. Crown Jewel Protection
- Deploy deceptive assets adjacent to core systems (SAP, vSphere, MES, SQL servers).
- Detect credential theft, lateral movement, exploitation or enumeration attempts.
- Generate threat intelligence on TTPs targeting high-value systems.
2. Internal Reconnaissance Detection
- Plant believable decoys across internal subnets.
- Capture unauthorized discovery, scanning, and privilege escalation attempts.
- Gain early warning before attackers reach production systems.
3. Attacker Sandbox and Intel Collection
- Divert attackers into an isolated sandbox.
- Observe live post-compromise behavior (scripts, tooling, commands).
- Automatically generate internal threat intel and feed it to SIEM/SOAR workflows.
4. Detection Engineering Enablement
- Use collected attacker telemetry to tune EDR, XDR, and SOC detections.
- Build rules to detect insider threats, credential abuse, and malicious scripting activity.
Integration Options
- Web Console: Visualize detections & sandbox sessions
- API: Pull events, correlate IOCs, and enrich SOC workflows
- SIEM Connectors: Forward detections to Splunk, Elastic, Sentinel, and Chronicle
- Webhooks: Stream deception events in real time to SOAR playbooks
- Export Formats: CSV, PCAP for analysis and reporting
Getting Started
- Sign up for Defused IB
- Connect Defused VM instances and deploy deception components with one click
- Optionally add agent-based deception support to VM environments
- Monitor events and sandbox sessions via the console, the API, or third-party platforms
- Integrate detections into existing SOC tooling and playbooks
Example Detection Event
Best Practices
- Deploy near high-value targets - ERPs, virtualization, databases, and domain controllers
- Use realistic decoys - mirror configurations of real assets to enhance believability
- Add attractive bait - include decoy assets of the kind attackers actively seek, such as fake credentials and decoy files, to draw them toward the deception layer
- Enable sandboxing - capture and analyze attacker actions without risk
- Automate response - trigger containment workflows when high-severity deception events fire
- Continuously refine - use collected data to evolve detections and close visibility gaps
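The webhook integration listed under Integration Options and the "Automate response" practice above meet in the SOAR playbook that receives the events. The following Python is an added example, not Defused IB's own code or API: it sketches the receiving side of that flow, verifying the webhook before acting on it and mapping one deception event to a containment decision. The event fields, the `sha256=<hex>` signature value format and the HMAC-SHA256 signing scheme are assumptions made for illustration; the real schema and authentication method come from the product's API documentation.

```python
"""Decide what a SOAR playbook should do with a Defused IB deception event.

Added example, not Defused IB's own code. The webhook event schema, the
'sha256=<hex>' signature value and the HMAC-SHA256 signing scheme are
assumptions made for illustration; check the product's API documentation
for the real format before using this.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumed shared secret configured on both the sender and this receiver.
WEBHOOK_SECRET = b"replace-with-a-long-random-secret"

# Severity at or above which the playbook is asked to contain the source host.
CONTAIN_AT = "high"
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Decision:
    action: str                  # "ignore", "enrich" or "contain"
    reason: str
    source_ip: Optional[str] = None


def verify_signature(body: bytes, header_sig: str, secret: bytes) -> bool:
    """Constant-time check of an assumed 'sha256=<hex>' HMAC header value."""
    prefix = "sha256="
    if not header_sig.startswith(prefix):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_sig[len(prefix):])


def decide(event: dict) -> Decision:
    """Map one deception event to a playbook action.

    Deception alerts are high fidelity by construction: no legitimate process
    should ever touch a decoy, so the only question is how hard to respond.
    """
    sev = str(event.get("severity", "low")).lower()
    if sev not in SEVERITY_ORDER:
        return Decision("ignore", f"unknown severity {sev!r}")
    src = event.get("source", {}).get("ip")
    decoy = event.get("decoy", {})
    # A planted fake credential being *used* is the strongest signal available:
    # the attacker has already harvested it and is moving laterally.
    if decoy.get("type") == "credential" and event.get("action") == "use":
        return Decision("contain", "decoy credential used", src)
    if SEVERITY_ORDER[sev] >= SEVERITY_ORDER[CONTAIN_AT]:
        return Decision("contain", f"severity {sev}", src)
    # Lower-severity touches (e.g. a single scan hit) still enrich the case
    # but do not justify automatic isolation.
    return Decision("enrich", f"severity {sev} below containment threshold", src)


def handle_webhook(body: bytes, header_sig: str, secret: bytes = WEBHOOK_SECRET) -> Decision:
    """Entry point the HTTP framework would call with the raw request body."""
    if not verify_signature(body, header_sig, secret):
        # Never act on an unauthenticated event: a forged webhook would let
        # an attacker trigger containment of arbitrary hosts.
        return Decision("ignore", "bad signature")
    try:
        event = json.loads(body)
    except ValueError:
        return Decision("ignore", "malformed JSON")
    if not isinstance(event, dict):
        return Decision("ignore", "unexpected JSON shape")
    return decide(event)


# Constructed sample event in the assumed schema, as a sender would post it.
SAMPLE_EVENT = {
    "id": "evt-0001",
    "severity": "high",
    "action": "use",
    "decoy": {"type": "credential", "name": "svc_sap_backup"},
    "source": {"ip": "10.20.30.40", "hostname": "WS-FIN-017"},
    "target": {"hostname": "sap-prd-decoy-01", "port": 3200},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode()
SAMPLE_SIG = "sha256=" + hmac.new(WEBHOOK_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, SAMPLE_SIG))
    print(handle_webhook(SAMPLE_BODY, "sha256=" + "0" * 64))
```

Two design points carry over whatever the real schema looks like: verify the webhook before parsing it, since a containment playbook that trusts unauthenticated input is itself a denial-of-service vector, and treat any use of a planted credential as containment-worthy regardless of the reported severity, because there is no legitimate reason for that credential to be used at all.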
Summary
Defused IB gives organizations the ability to detect and analyze internal threats before they escalate, and to build visibility in areas that existing monitoring does not cover.