Turning attackers into informants.
Mansfeld-Südharz, Germany - October 26, 2025
The first time we watched a live ransomware affiliate stumble through a fake Siemens STEP-7 project, the feeling was less triumph than anthropology: here was a stranger burning eight hours of human life inside a fabrication we had spun up the night before. He typed, scrolled, cursed in Cyrillic, then uploaded a locker binary that immediately found itself running inside a Wasm sandbox whose only exit was a telemetry pipe straight to our SIEM. That moment distilled the entire philosophy of the Cyber Resilience Alliance: defence is no longer a wall but a stage, and every performance must cost the adversary more than it costs us. We call the stage “deception grid”; the actors are containers; the script is policy-as-code; and the ticket revenue is threat intelligence we never had to steal from someone else’s breach.
The grid starts with authenticity, not technology. We begin by cloning real OT networks that already exist inside member factories—same PLC models, same firmware hashes, same ladder-logic comments—then mutate only the secrets: passwords, certificates, SSH keys. Because the deception stack runs on a separate dark-fibre segment, the real plant continues humming while its doppelgänger answers every scan, every brute-force, every stolen cookie that would otherwise hit production. The cloning is done with open-source tools we extended (CloneMaster-OT, released under MIT), but the critical ingredient is voluntary data donation: SMEs share packet captures under a GDPR-safe protocol that strips MAC addresses and employee names yet keeps protocol semantics intact. The result is a library of 340 industrial network topologies that would have taken a red-team years to enumerate, now available as reusable stage sets.
Once the set is live, we do not wait; we invite. The Alliance operates a modest but well-placed presence on paste sites, code repositories and certificate-transparency logs where we seed synthetic credentials that point back to the grid. Each credential is unique, salted with an invisible beacon (a 128-bit UUID baked into the NT-hash), so the moment it is used we receive a DNS callback that contains both origin AS and timestamp. This is legal, passive and transparent: we never solicit intrusion, we simply place bait where intrusion is already shopping. The uptake rate is sobering—on average a seeded credential is reused within 42 hours, proving that the criminal supply chain is faster than most patch cycles. More importantly, the callback gives us a first-mover advantage: we begin recording TTPs before the same actor pivots to a genuine target somewhere else.
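What the seeding described above amounts to on the defender's side is a honeytoken registry: every credential carries a unique identifier, and the callback it triggers is resolved back to the seeding event so that origin and time-to-reuse can be recorded. The following Python is an added illustration, not Alliance code; it assumes the identifier is carried as a DNS sub-label under a registry-controlled zone (`beacon.example.invalid`, a placeholder) rather than the NT-hash scheme the article mentions, and the AS number and timestamps are constructed.

```python
"""Honeytoken registry (added example, not the Alliance's own code).

Mints one-off seeded credentials carrying a 128-bit identifier and maps the
DNS callback each one triggers back to its placement, origin AS and the time
elapsed since seeding. The beacon layout below is an assumption."""
import secrets
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

BEACON_ZONE = "beacon.example.invalid"  # constructed placeholder zone


@dataclass
class Token:
    token_id: str
    username: str
    password: str
    placement: str          # where the bait was seeded (paste site, repo, CT log)
    seeded_at: datetime
    reused_at: Optional[datetime] = None
    origin_asn: Optional[int] = None


class HoneytokenRegistry:
    def __init__(self) -> None:
        self._tokens: dict[str, Token] = {}

    def mint(self, placement: str, seeded_at: datetime) -> Token:
        """Create a unique credential; the UUID ties any callback to this placement."""
        token_id = uuid.uuid4().hex  # 128-bit identifier, one per seeded credential
        tok = Token(token_id=token_id,
                    username=f"svc-{token_id[:8]}",
                    password=secrets.token_urlsafe(18),
                    placement=placement,
                    seeded_at=seeded_at)
        self._tokens[token_id] = tok
        return tok

    @staticmethod
    def beacon_name(token_id: str) -> str:
        """DNS name the grid resolves when the seeded credential is used (assumed layout)."""
        return f"{token_id}.{BEACON_ZONE}"

    def record_callback(self, qname: str, origin_asn: int, seen_at: datetime) -> Optional[Token]:
        """Resolve a callback query name to its token on first use; ignore strays and repeats."""
        qname = qname.rstrip(".").lower()
        suffix = "." + BEACON_ZONE
        if not qname.endswith(suffix):
            return None
        tok = self._tokens.get(qname[: -len(suffix)])
        if tok is None or tok.reused_at is not None:
            return None  # unknown identifier, or the first reuse is already recorded
        tok.reused_at = seen_at
        tok.origin_asn = origin_asn
        return tok

    def hours_to_reuse(self, token_id: str) -> Optional[float]:
        """Elapsed time between seeding and first observed reuse, in hours."""
        tok = self._tokens.get(token_id)
        if tok is None or tok.reused_at is None:
            return None
        return (tok.reused_at - tok.seeded_at) / timedelta(hours=1)


def run_demo(hours_until_reuse: float = 42.0) -> dict:
    """Constructed end-to-end scenario: seed, receive one callback, summarise."""
    reg = HoneytokenRegistry()
    seeded = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)
    tok = reg.mint("paste-site", seeded)
    qname = HoneytokenRegistry.beacon_name(tok.token_id) + "."
    hit = reg.record_callback(qname, 64496, seeded + timedelta(hours=hours_until_reuse))  # AS64496: documentation range
    dup = reg.record_callback(qname, 64496, seeded + timedelta(hours=hours_until_reuse + 1))
    stray = reg.record_callback("www.example.invalid", 64496, seeded)
    return {
        "matched": hit is not None,
        "duplicate_ignored": dup is None,
        "stray_ignored": stray is None,
        "origin_asn": hit.origin_asn if hit else None,
        "hours_to_reuse": reg.hours_to_reuse(tok.token_id),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because every credential is unique, the registry never needs to know who the caller is, only which bait was taken and when; the per-token time-to-reuse is the raw material for the 42-hour figure the article cites.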
Inside the grid, every action is transformed into structured intelligence. Commands are fork-exec’ed inside an eBPF sandbox that captures syscall arguments, file hashes and network egress destinations; the telemetry is converted to STIX 2.1 objects and forwarded to the Alliance’s federated MISP instance within 300 milliseconds. Because the deception hosts are instrumented at the kernel level, we see not only what the attacker typed but what the locker attempted to encrypt, which registry keys were queried, and which C2 domains were contacted before DNS-over-HTTPS kicked in. That depth of context is impossible to obtain from a production endpoint without violating worker privacy, yet it emerges naturally inside a fabricated environment where no human employee ever logs in. Last quarter the grid produced 1 400 unique IoCs that were absent from commercial feeds, including a new ransomware family we nicknamed “Schwarzer Kater” now tracked under CVE-2025-48017.
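The conversion step in that pipeline, sandbox telemetry into STIX 2.1 indicator objects, is small enough to show in full. The Python below is an added example rather than the grid's own code; the event records are constructed, only hashes, domains and egress destinations become indicators (syscall context is kept out of the shared feed), and duplicate observations collapse into a single indicator.

```python
"""Sandbox telemetry to STIX 2.1 indicators (added example, not Alliance code).

Each telemetry record becomes at most one STIX pattern; records that carry
no shareable indicator (e.g. syscalls) are skipped, duplicates collapse."""
import json
import uuid
from datetime import datetime, timezone

# Constructed telemetry as an eBPF sandbox might emit it (one dict per event)
SAMPLE_EVENTS = [
    {"ts": "2025-10-20T22:14:07Z", "kind": "file_hash", "sha256": "A" * 64, "path": "/tmp/locker.bin"},
    {"ts": "2025-10-20T22:14:09Z", "kind": "dns_query", "domain": "C2.example.invalid"},
    {"ts": "2025-10-20T22:14:09Z", "kind": "dns_query", "domain": "c2.example.invalid"},  # duplicate
    {"ts": "2025-10-20T22:14:11Z", "kind": "egress", "ip": "203.0.113.45", "port": 443},
    {"ts": "2025-10-20T22:14:12Z", "kind": "syscall", "name": "openat", "path": "/etc/shadow"},
]


def _stix_escape(value: str) -> str:
    """STIX pattern string literals are single-quoted; escape backslash and quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def event_to_pattern(event: dict):
    """Map one telemetry record to a STIX 2.1 pattern, or None if it is context only."""
    kind = event["kind"]
    if kind == "file_hash":
        return f"[file:hashes.'SHA-256' = '{event['sha256'].lower()}']"
    if kind == "dns_query":
        return f"[domain-name:value = '{_stix_escape(event['domain'].lower())}']"
    if kind == "egress":
        return ("[network-traffic:dst_ref.type = 'ipv4-addr' AND "
                f"network-traffic:dst_ref.value = '{event['ip']}' AND "
                f"network-traffic:dst_port = {int(event['port'])}]")
    return None  # syscall detail stays in the local record, not in the shared feed


def build_bundle(events: list, sandbox_id: str) -> dict:
    """Build a STIX 2.1 bundle of deduplicated indicators from telemetry events."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    indicators: dict = {}
    for ev in events:
        pattern = event_to_pattern(ev)
        if pattern is None or pattern in indicators:
            continue
        indicators[pattern] = {
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "name": f"{ev['kind']} observed in {sandbox_id}",
            "indicator_types": ["malicious-activity"],
            "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": ev["ts"],
        }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators.values())}


def bundle_json(events: list, sandbox_id: str) -> str:
    """Serialised form ready to push to a MISP or TAXII endpoint."""
    return json.dumps(build_bundle(events, sandbox_id), indent=2)


if __name__ == "__main__":
    print(bundle_json(SAMPLE_EVENTS, "grid-node-07"))
```

Normalising case before building the pattern is what makes the two DNS observations collapse; without it a consumer would see two indicators for one domain and inflate its counts.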
"We do not lure attackers; we simply give their greed a stage, then charge admission in the currency of intelligence."
Economics is the final layer. Traditional SOCs measure success by mean-time-to-detect; we measure by mean-cost-to-deter. Every hour an attacker spends inside the grid is an hour they cannot spend inside a hospital, a municipal archive or a regional bank. By pricing our deception nodes at €0.03 per hour per container—cheaper than a single cloud CPU—we make it rational for defenders to stretch the engagement. We can afford that because the same container image serves training, certification and audit scenarios during daylight hours; at night it flips to deception mode, amortising infrastructure across three separate budget lines. The result is a moving-target surface that costs us pennies and the attacker irreplaceable human time, tilting the classic offence-defence cost ratio in our favour for the first time since the dial-up era.
Sovereignty remains non-negotiable. All deception traffic is processed in a sovereign cloud built on OpenShift hosted inside the county’s former civil-defence bunker, 18 metres underground and EMP-shielded by 1.2 metres of reinforced concrete. The bunker is connected to the national research network via two diverse fibre paths that never traverse commercial backbones, ensuring that even if geopolitical tension forces a sovereign internet split, the deception grid can still share threat objects with German federal authorities without leaving national soil. Export-controlled IoCs are filtered through an automated dual-use classifier that we open-sourced last month; anything above ECCN 4A994 is hashed with a one-way secret so partners outside the EU can benefit from the indicator without receiving the underlying exploit sample. The classifier itself was trained on data sets donated by Alliance members, proving again that local knowledge scales when properly anonymised.
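The one-way keyed hashing mentioned for export-controlled indicators can be shown concretely. The Python below is an added example, not the Alliance's released classifier or pipeline: the classifier's verdict is taken as a boolean input, the key is assumed to be shared with each partner out of band, and the indicator list is constructed. A partner holding the key can test values it observes against the released digests with HMAC-SHA256, but cannot recover the raw value or any sample from the digest alone.

```python
"""Keyed one-way release of controlled indicators (added example, not Alliance code).

Uncontrolled indicators are released as-is. Indicators the dual-use classifier
flags as controlled are replaced by an HMAC-SHA256 digest under a per-partner
key, so the partner can match what it observes without receiving the raw value."""
import hashlib
import hmac

# Constructed indicator list; the "controlled" verdict stands in for the classifier output
SAMPLE_IOCS = [
    {"type": "domain", "value": "C2.example.invalid", "controlled": False},
    {"type": "sha256", "value": "B" * 64, "controlled": True, "sample_path": "/vault/exploit.bin"},
    {"type": "ipv4", "value": "203.0.113.45", "controlled": False},
]


def _normalise(ioc_type: str, value: str) -> str:
    """Canonical form so producer and partner hash identical bytes."""
    v = value.strip()
    if ioc_type in ("domain", "sha256", "md5", "sha1"):
        v = v.lower()
    return f"{ioc_type}:{v}"


def _digest(ioc_type: str, value: str, partner_key: bytes) -> str:
    return hmac.new(partner_key, _normalise(ioc_type, value).encode(), hashlib.sha256).hexdigest()


def release_indicator(ioc: dict, partner_key: bytes) -> dict:
    """Produce the partner-facing record; controlled items carry only a keyed digest."""
    if not ioc["controlled"]:
        return {"type": ioc["type"], "value": ioc["value"], "form": "plain"}
    # Raw value, sample path and any payload never leave this function
    return {"type": ioc["type"], "digest": _digest(ioc["type"], ioc["value"], partner_key), "form": "hmac-sha256"}


def build_release(iocs: list, partner_key: bytes) -> list:
    return [release_indicator(i, partner_key) for i in iocs]


def partner_match(observed_type: str, observed_value: str, released: dict, partner_key: bytes) -> bool:
    """Partner side: does a locally observed value match a released record?"""
    if released["type"] != observed_type:
        return False
    if released["form"] == "plain":
        return _normalise(observed_type, observed_value) == _normalise(observed_type, released["value"])
    candidate = _digest(observed_type, observed_value, partner_key)
    return hmac.compare_digest(candidate, released["digest"])


if __name__ == "__main__":
    key = b"per-partner-key-shared-out-of-band"  # constructed
    for rec in build_release(SAMPLE_IOCS, key):
        print(rec)
```

A per-partner key also gives attribution for free: a digest list that surfaces where it should not can be traced to the key it was produced under, and rotating that key invalidates the list without touching the indicators themselves.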
We are often asked whether honey-trapping crosses an ethical line. The answer is baked into architecture: we never alter attacker binaries, we never entrap casual visitors, and we never interact beyond the scope of the deception environment. The grid is a theatre with clearly marked exits; anyone who walks on stage does so voluntarily by using stolen credentials or launching exploits. Our code of conduct, signed by every Alliance member, forbids “enticement of minors, political organisations, or security researchers conducting good-faith disclosure.” Those boundaries are logged and audited by the independent ethics seat on our steering committee, ensuring that the power to deceive is itself transparent. In twelve months of operation we have received zero abuse complaints and one thank-you letter—from a penetration-testing firm that used our grid to train junior staff without endangering client assets.
The long-term bet is that deception becomes a communal utility, like water or DNS. Once enough regions run compatible grids, we can federate them into a pan-European moving-target surface where an attacker who learns the layout of one node immediately faces a different topography somewhere else. Think of it as a Schengen for cyber terrain: open internal borders, hardened external perimeter. The protocol specification is already under review at ETSI CYBER, and three commercial providers have pledged to support the federation API once it is ratified. If that happens, the county that began by defending itself will have quietly built the continent’s largest civilian sensor grid—without ever asking for permission to peer into someone else’s traffic.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.