Attackers don’t knock. They lurk. They probe. They brute-force their way through your defenses, quietly testing accounts until something cracks. That’s why Cayosoft Guardian now arms you with two powerful new threat detections purpose-built to expose these early-stage intrusions before they become full-blown compromises. Honey account detection is a powerful strategy to expose intruders before they break in.
CTD-000185: Failed Logon Attempts Targeting Honey Accounts

What it Detects:
Multiple failed logon attempts against decoy (honey) accounts, which signal brute-force attempts, account enumeration, or unauthorized access probes.
Why it Matters:
These accounts should never be accessed. If someone is targeting them, you’re likely looking at a real intrusion attempt, often the first step of an attack chain.
CTD-000183: Kerberos Pre-Authentication Attempts on Honey Accounts

What it Detects:
Kerberos pre-auth failures specifically targeting honey accounts, typically associated with password spraying or reconnaissance tactics.
Why it Matters:
Attackers often use Kerberos to quietly test accounts in bulk. This detection lets you intercept that activity before credentials are cracked.
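The logic both detections describe, as an added example that is not Cayosoft Guardian's own code: it filters Windows Security events 4625 (failed logon) and 4771 (Kerberos pre-authentication failed) for operator-defined honey accounts and alerts per source. The account names, threshold, time window and event records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: operator-defined decoy account names (constructed for this example).
HONEY_ACCOUNTS = {"adm_jsmith", "svc_backup_old"}
# Windows Security log: 4625 = failed logon, 4771 = Kerberos pre-authentication failed.
WATCHED = {4625: "failed-logon", 4771: "kerberos-preauth-failure"}

def normalize(user):
    """Strip a DOMAIN prefix or @realm suffix and lowercase the account name."""
    return user.split("\\")[-1].split("@")[0].lower()

def detect(events, threshold=3, window=timedelta(minutes=10)):
    """Alert once per (kind, account, source) when `threshold` failures fall within `window`."""
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = WATCHED.get(ev["event_id"])
        account = normalize(ev["user"])
        if kind and account in HONEY_ACCOUNTS:
            buckets[(kind, account, ev["source"])].append(ev["time"])
    alerts = []
    for (kind, account, source), times in buckets.items():
        start = 0
        for end, now in enumerate(times):
            while now - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"kind": kind, "account": account,
                               "source": source, "triggered_at": now})
                break
    return alerts

def _ev(ts, event_id, user, source):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "user": user, "source": source}

# Constructed sample events (192.0.2.0/24 is a documentation address range).
SAMPLE_EVENTS = [
    _ev("2025-01-01T10:00:00", 4625, "CORP\\adm_jsmith", "192.0.2.10"),
    _ev("2025-01-01T10:00:20", 4625, "ADM_JSMITH", "192.0.2.10"),
    _ev("2025-01-01T10:00:40", 4625, "adm_jsmith@corp.example", "192.0.2.10"),
    _ev("2025-01-01T10:01:00", 4771, "svc_backup_old", "192.0.2.44"),
    _ev("2025-01-01T10:01:05", 4771, "svc_backup_old", "192.0.2.44"),
    _ev("2025-01-01T10:30:00", 4771, "svc_backup_old", "192.0.2.44"),  # outside window
    _ev("2025-01-01T10:02:00", 4625, "alice", "192.0.2.10"),           # real user, ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because honey accounts have no legitimate use, the threshold can be set very low; the sliding window only keeps widely spaced, isolated failures from being counted together.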
Note: These Threats Are Disabled by Default. Here’s Why
To prevent false positives in sensitive environments, both detections are off by default, because each of these threats requires you to define your target honey accounts. After configuring your target honey account, Cayosoft suggests turning these on to give you early warning against stealthy attackers using real-world tactics like:
- Brute-force attacks
- Credential stuffing
- Active Directory reconnaissance
To enable these new threats, review our guide: Threats disabled by default in Cayosoft Guardian
Identity Deception Meets Real-Time Detection
Honey accounts are one of the best traps in identity security. With Cayosoft Guardian, you now get live alerts across your favorite channels, including email and Teams, when the attacker takes the bait (honey).
Want help enabling honey account detection or setting up honey accounts the right way?
Our specialists can help you configure decoy accounts and activate real-time alerts.
FAQs
Honey account detection focuses on accounts that should never be accessed, unlike traditional monitoring that tracks activity across all users. This targeted approach minimizes noise and highlights true threats faster.
Yes. Since honey accounts are decoys with no legitimate use, any interaction with them is inherently suspicious. Honey account detection provides high-confidence alerts with very low false positives.
Absolutely. Insider threats often bypass perimeter defenses. Honey account detection can expose rogue behavior from internal users attempting unauthorized access or running reconnaissance.
While there’s no one-size-fits-all number, most organizations benefit from 3 to 5 well-placed honey accounts. This helps broaden the coverage of honey account detection without overwhelming your monitoring system.
Yes. Modern honey account detection, like that in Cayosoft Guardian, can be configured for hybrid AD and cloud-only setups, making it versatile for today’s distributed IT environments.