
arxiv: 2606.27966 · v1 · pith:IEMA4UCOnew · submitted 2026-06-26 · 💻 cs.CR

Decoys Cannot Go Everywhere: Mapping the Deception Surface in MITRE ATT&CK

Pith reviewed 2026-06-29 04:01 UTC · model grok-4.3

classification 💻 cs.CR
keywords: cyber deception, MITRE ATT&CK, decoy placement, deception surface, attack techniques, infrastructure deception, sweep and seek patterns

The pith

Only 32% of MITRE ATT&CK techniques allow a reachable defender decoy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests the assumption that cyber deception via decoys can be applied wherever attacker behavior occurs. It develops a four-criterion rubric assessing whether a defender can place a decoy, whether an attacker would interact with it, what intelligence the interaction yields, and whether the interaction reliably signals malice. Applying the rubric to all 250 techniques in ATT&CK version 18.1 shows that only 80 techniques admit such a decoy. The remaining 170 lack any defender-controlled asset in the attacker's path that could be turned into a plausible decoy. Feasible decoys fall into two placement patterns called Sweep and Seek.

Core claim

The deception surface is sparse: only 80 techniques (32%) admit a decoy the attacker could plausibly reach. For the remaining 170 techniques, there is no defender-controlled asset in the attacker's path that can be fabricated as a decoy. Decoy placement across those 80 techniques falls into two patterns called Sweep, where the attacker moves broadly through assets, and Seek, where the attacker looks for a specific kind of asset.

What carries the argument

The four-criterion rubric for infrastructure deception that checks placement feasibility, attacker interaction likelihood, intelligence value, and malice indication.
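The gated rubric and the Sweep/Seek placement rule described above, as an added worked example (this is not code from the paper or its released artifact). The technique labels and rater judgments are constructed, and the rule that a technique failing one criterion is not scored on the later ones is an assumption drawn from the Figure 2 caption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rubric criteria in the page's order; a technique that fails one is not scored on
# the later ones (assumption drawn from the Figure 2 caption).
CRITERIA = ("placement", "interaction", "intelligence", "malice")

@dataclass(frozen=True)
class Assessment:
    technique: str                 # constructed label, not a real ATT&CK technique ID
    scores: Dict[str, bool]        # criterion name -> rater judgment
    pattern: Optional[str] = None  # "sweep" or "seek"; only meaningful if placement holds
@dataclass
class Verdict:
    admits_decoy: bool = False
    reached: List[str] = field(default_factory=list)  # criteria actually assessed
    passed: List[str] = field(default_factory=list)
    pattern: Optional[str] = None

def apply_rubric(a: Assessment) -> Verdict:
    """Walk the gated rubric, stopping at the first criterion the technique fails."""
    v = Verdict()
    for crit in CRITERIA:
        v.reached.append(crit)
        if not a.scores.get(crit, False):
            break
        v.passed.append(crit)
    # The deception surface is the set of techniques with a reachable decoy (criterion 1).
    v.admits_decoy = "placement" in v.passed
    if v.admits_decoy:
        # Placement rule: the decoy must sit on a sweep path or imitate a sought asset.
        if a.pattern not in ("sweep", "seek"):
            raise ValueError(f"{a.technique}: a feasible decoy needs a sweep or seek placement")
        v.pattern = a.pattern
    return v
def deception_surface(assessments: List[Assessment]) -> dict:
    """Size of the deception surface plus downstream (passed, assessed) counts per criterion."""
    verdicts = [apply_rubric(a) for a in assessments]
    feasible = [v for v in verdicts if v.admits_decoy]
    by_pattern = {p: sum(v.pattern == p for v in feasible) for p in ("sweep", "seek")}
    downstream = {}
    for crit in CRITERIA[1:]:
        assessed = [v for v in verdicts if crit in v.reached]
        downstream[crit] = (sum(crit in v.passed for v in assessed), len(assessed))
    return {"total": len(verdicts), "feasible": len(feasible), "by_pattern": by_pattern,
            "fraction": len(feasible) / len(verdicts) if verdicts else 0.0, "downstream": downstream}

# Constructed sample judgments; the paper's real per-technique assessments are not on the page.
SAMPLE = [
    Assessment("EX-01", {"placement": True, "interaction": True, "intelligence": True, "malice": True}, "sweep"),
    Assessment("EX-02", {"placement": True, "interaction": True, "intelligence": True, "malice": False}, "seek"),
    Assessment("EX-03", {"placement": True, "interaction": False}, "sweep"),  # reachable but rarely touched
    Assessment("EX-04", {"placement": False}),  # no defender-controlled asset in the attacker's path
]
```

Running `deception_surface(SAMPLE)` reports how many techniques admit a decoy, the Sweep/Seek split, and, for each downstream criterion, how many of the techniques that reached it passed.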

If this is right

  • Decoy placement must follow either a sweep path or imitation of a sought asset.
  • Infrastructure decoys cannot cover most attacker techniques in ATT&CK.
  • Intelligence potential from decoys is usually present but interaction likelihood and malice indication vary across techniques.
  • The released rubric, decision rules, and per-technique assessments provide a baseline for future deception work.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenders should concentrate limited resources on the 80 feasible techniques instead of pursuing broad coverage.
  • The identified sparsity may account for why deception tools see limited real-world use against diverse attacks.
  • Applying the same rubric to other attack frameworks could show whether the 32% limit is specific to ATT&CK or more general.

Load-bearing premise

The four criteria correctly identify when a defender-controlled decoy is feasible and the authors' judgments about attacker behavior and defender capabilities are accurate.

What would settle it

An observed attacker interaction with a fabricated decoy in one of the 170 techniques the rubric classifies as having no reachable defender asset.

Figures

Figures reproduced from arXiv: 2606.27966 by Carlos Catania, Harm Griffioen, Veronica Valeros, Viliam Lisý.

Figure 1: How the paper fits together. Starting with the problem, the figure traces
Figure 2: The four-criterion rubric. Each criterion is assessed only if the previous
Figure 3: Deception surface across the ATT&CK matrix. Techniques that admit a
Figure 4: Downstream score breakdown by tactic (percent of techniques), for the
Original abstract

Cyber deception research often assumes that a decoy can be placed wherever there is attacker behavior. This work tests that assumption across MITRE ATT&CK v18.1. We introduce a four-criterion rubric for infrastructure deception and apply it to all 250 ATT&CK techniques. The rubric evaluates whether a defender-controlled decoy can be placed, whether an attacker is likely to interact with it, what intelligence that interaction can yield, and whether the interaction reliably indicates malice. The resulting deception surface is sparse: only 80 techniques (32%) admit a decoy the attacker could plausibly reach. For the remaining 170 techniques, there is no defender-controlled asset in the attacker's path that can be fabricated as a decoy. Decoy placement across those 80 techniques falls into two patterns we call Sweep and Seek. In Sweep, the attacker moves broadly through assets in range and encounters the decoy as part of that activity. In Seek, the attacker looks for a specific kind of asset and interacts with a fabricated version of it. These patterns give a simple placement rule: a decoy must either sit on a sweep path or imitate a sought asset. We also show that decoys usually have useful intelligence potential, but whether an attacker interacts with them at all, and whether that interaction reliably indicates malice, both vary. We release the rubric, decision rules, and per-technique assessment as an auditable baseline for future deception research and deployment planning, and show that infrastructure decoys cannot be assumed to apply to all attacker behavior.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The manuscript applies a four-criterion rubric (defender-controlled asset, plausible attacker interaction, intelligence yield, reliable malice indication) to all 250 MITRE ATT&CK v18.1 techniques. It concludes that only 80 techniques (32%) admit a reachable decoy, with the remaining 170 having no defender-controlled asset in the attacker's path. The feasible cases fall into two placement patterns (Sweep: decoy encountered during broad asset traversal; Seek: decoy imitates a specifically sought asset), and the full rubric, decision rules, and per-technique assessments are released as an auditable artifact.

Significance. If the rubric judgments hold, the work supplies an empirical baseline showing that infrastructure deception is not universally applicable across ATT&CK, directly challenging a common assumption in cyber-deception research. The public release of the complete decision rules and assessments is a clear strength, enabling external verification and reuse as a reference for deployment planning and future studies.

major comments (1)
  1. [Rubric definition and results section] The 80/170 split and the two placement patterns rest entirely on the authors' application of the four rubric criteria to each technique. The manuscript should explicitly describe the assessment process (single author, multiple raters, resolution of edge cases) in the section presenting the rubric and results, as subjective elements in criteria such as 'likely to interact' and 'reliably indicates malice' directly affect the central claim.
minor comments (2)
  1. [Placement patterns discussion] Provide counts or a breakdown of how many of the 80 techniques fall into Sweep versus Seek to make the pattern claim more quantitative.
  2. [Abstract] Ensure the abstract states that the per-technique assessments are released, to match the body text and improve standalone readability.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive comment and the recommendation of minor revision. We address the point below.

Point-by-point responses
  1. Referee: [Rubric definition and results section] The 80/170 split and the two placement patterns rest entirely on the authors' application of the four rubric criteria to each technique. The manuscript should explicitly describe the assessment process (single author, multiple raters, resolution of edge cases) in the section presenting the rubric and results, as subjective elements in criteria such as 'likely to interact' and 'reliably indicates malice' directly affect the central claim.

    Authors: We agree that the assessment process must be described explicitly because the central claims depend on the application of criteria that contain subjective elements. The rubric was applied by the lead author through systematic review of each of the 250 techniques against the four criteria and the ATT&CK documentation; edge cases and borderline judgments (particularly on 'likely to interact' and 'reliably indicates malice') were then discussed by the full author team until consensus was reached, with final decisions recorded in the released artifact. We will insert a new paragraph in the Rubric Definition and Results section that states this process, notes the absence of formal inter-rater reliability statistics, and explains how the released per-technique assessments allow external verification.

    Revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper defines an explicit four-criterion rubric for infrastructure deception and applies it exhaustively to all 250 ATT&CK techniques, releasing the full decision rules and per-technique assessments as an auditable artifact. The resulting 80/170 split follows directly from this classification process using an external framework (MITRE ATT&CK v18.1) and newly stated criteria; no step reduces by construction to a fitted parameter, self-referential definition, or self-citation chain. The two placement patterns (Sweep/Seek) are derived as an observational summary of the rubric outcomes rather than an input. The derivation is self-contained against external benchmarks with no load-bearing internal reductions.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The claim depends on the external ATT&CK framework as a complete representation of attacker techniques and on the authors' newly introduced rubric as the evaluation instrument; no free parameters or invented entities are introduced.

axioms (2)
  • Domain assumption: MITRE ATT&CK v18.1 provides a complete enumeration of relevant attacker techniques.
    The paper applies the rubric to every technique in this version.
  • Ad hoc to paper: The four criteria of the rubric are sufficient and appropriate for determining decoy feasibility.
    The rubric is defined by the authors for this study.

