Deception & Decoy Environments (Knossos)

What It Does

Knossos procedurally generates realistic decoy cloud environments designed to waste attackers' time against fake infrastructure instead of letting them invest it in your real environment. It produces complete, deployable Terraform plans — VPCs, subnets, EC2 instances, RDS databases, Lambda functions, S3 buckets, IAM roles, secrets, and security groups — all wired together with realistic dependencies, breadcrumb trails, and live alert instrumentation.

Every generated environment is seeded from a style profile that mirrors your organization's actual cloud fingerprint: naming conventions, tag patterns, region preferences, resource distributions, and security posture. The result is a decoy that looks, feels, and behaves like your real infrastructure — indistinguishable to an attacker who has gained lateral access.

Why It Matters

Attackers who breach a perimeter spend hours — sometimes days — mapping internal infrastructure, escalating privileges, and moving laterally toward high-value targets. Every minute of that effort is an investment they expect to pay off.

Knossos flips the economics. By seeding your cloud environment with decoy infrastructure that is structurally identical to the real thing, you force attackers into a labyrinth where:

  • Every hour spent in the decoy is an hour not spent in production — attackers burn their operational budget navigating fake resources while your real environment stays untouched

  • Every action generates intelligence — decoy resources are instrumented with alerts that fire the moment anything is touched, giving you real-time visibility into adversary TTPs

  • Discovery is indistinguishable from real infrastructure — breadcrumb trails planted in realistic locations (S3 objects, secret values, EC2 user data, Lambda environment variables) lead attackers from one decoy resource to the next, making the fake environment feel like a legitimate discovery

  • There is no legitimate reason to touch a decoy — any interaction with decoy infrastructure is, by definition, malicious. Zero false positives.

"The attacker doesn't know it's fake. Every secret they read, every role they assume, every bucket they enumerate — it's all wasted effort generating alerts for you."

How Knossos Works

Knossos operates as a three-stage pipeline: infer your cloud patterns, generate a decoy environment from those patterns, and emit deployable Terraform.

1. Style Profile Inference

Point Knossos at your real infrastructure data and it reverse-engineers a style profile — a statistical summary of how your organization does cloud:

| Profile Section | What It Captures |
| --- | --- |
| Organization | Account/project structure, region usage patterns |
| Networking | VPC/VNet CIDR patterns, subnet strategies, DNS zones |
| Naming Conventions | Per-resource-type naming grammars (e.g. prod-web-us-east-1a-001) |
| Tagging | Tag schema, required keys, per-key vocabularies |
| Compute | Instance families, sizes, container orchestration, spot usage |
| Storage | Bucket lifecycle rules, database engines, table patterns |
| Security | IAM style, key rotation cadence, security group naming |
| Behavioral | Deploy cadence, API call distributions, scaling patterns |
| Toolchain | IaC tool, CI/CD, monitoring, secret management |

The style profile stores patterns and vocabularies, never actual resource identifiers or ARNs. It is safe to store, version, and share across teams.

2. Environment Generation

Once you have a style profile, Knossos generates a decoy environment manifest. You control the generation via:

  • Attack paths — Define the deception scenarios you want: credential theft chains, lateral movement paths, privilege escalation ladders, or data exfiltration routes

  • Camouflage scale — Control how many extra resources pad the topology. 0.0 = bare minimum for the attack paths, 0.25 = default, 1.0 = match real infrastructure density

  • Resource caps — Set upper bounds on resource counts and sizes (e.g. max RDS instance class, max EC2 count) to control cost

  • Reproducibility — Pass a PRNG seed for deterministic generation. Same seed + same profile = same environment every time

3. Terraform Emission

The manifest is translated into provider-specific Terraform HCL through the emitter pipeline:

  1. Resource translation — Canonical types map to Terraform resources via a provider registry

  2. Reference resolution — Cross-resource dependencies are resolved into proper Terraform references

  3. Breadcrumb injection — Attack-path cross-references are planted into resource attributes

  4. Alert wiring — CloudWatch alarms, EventBridge rules, and API destination callbacks are generated for every decoy resource

  5. Permission boundary generation — IAM roles are constrained by a generated boundary policy that prevents lateral escape into real infrastructure

  6. HCL rendering — The final Terraform plan is rendered and ready for the operator to review, cost-estimate, and deploy to their own cloud account

Breadcrumb Trails

Breadcrumb trails are Knossos's core deception mechanism. Each trail is a chain of cross-references planted across decoy resources, forming a discoverable attack path that leads the attacker deeper into the labyrinth.

| Source Resource | Breadcrumb Type | What the Attacker Finds |
| --- | --- | --- |
| Secrets Manager | Secret value rewrite | Database credentials, role ARNs, API keys pointing to the next resource |
| S3 Bucket | Planted objects | .env files, Terraform state snippets, SSH configs, deployment scripts |
| EC2 Instance | User data scripts | Bootstrap scripts that reference downstream secrets, databases, or buckets |
| Lambda Function | Environment variables | SECRET_NAME, DATABASE_HOST, DATA_BUCKET, ASSUME_ROLE_ARN |
| IAM Role | Inline policies | Scoped permissions revealing what the role can access next |
| DynamoDB Table | Config items | Service configuration entries with secret names, role ARNs, endpoints |
| Security Group | Ingress rules | Open ports that lead the attacker to the next compute resource |
| API Gateway | Stage variables | Backend hosts, credential secrets, handler functions |

Every breadcrumb is designed to look like a real operational artifact — the kind of thing attackers routinely find in misconfigured environments. No suspicious filenames, no obvious traps.
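The reference-resolution and breadcrumb-injection steps of the emitter pipeline, applied to one trail from the table above, as an added example that is not Knossos's own code: a small manifest with `ref:` cross-references is resolved into Terraform JSON-syntax references, and a breadcrumb that points at anything outside the manifest is rejected rather than emitted. The manifest shape, the `ref:` syntax, the registry contents and the resource names are assumptions (required Lambda arguments such as `role` and `handler` are omitted).

```python
"""Added example, not Knossos's own code: resolve "ref:<id>" cross-references in a
small decoy manifest into Terraform expressions and emit a .tf.json document,
failing closed on any breadcrumb that points outside the manifest.
The manifest shape, the ref: syntax and the registry contents are assumptions."""
import re

# Constructed provider registry: canonical type -> (Terraform type, exported attribute).
REGISTRY = {
    "secret": ("aws_secretsmanager_secret", "name"),
    "bucket": ("aws_s3_bucket", "bucket"),
    "lambda": ("aws_lambda_function", "arn"),
}
REF = re.compile(r"^ref:([a-z0-9-]+)$")

# Constructed manifest for one trail: the Lambda's environment variables name the
# decoy secret and bucket the attacker should "discover" next.
MANIFEST = [
    {"id": "orders-db-creds", "type": "secret", "attrs": {"name": "prod/orders/db-creds"}},
    {"id": "orders-data", "type": "bucket", "attrs": {"bucket": "prod-orders-data-001"}},
    {"id": "orders-worker", "type": "lambda", "attrs": {
        "function_name": "prod-orders-worker", "runtime": "python3.12",
        "environment": {"variables": {"SECRET_NAME": "ref:orders-db-creds",
                                      "DATA_BUCKET": "ref:orders-data"}}}},
]

def tf_name(rid):
    """Terraform resource names cannot contain '-'."""
    return rid.replace("-", "_")

def resolve(value, known):
    """Recursively replace ref: strings with Terraform interpolations."""
    if isinstance(value, dict):
        return {k: resolve(v, known) for k, v in value.items()}
    m = REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    target = m.group(1)
    if target not in known:  # a dangling breadcrumb would break apply or leak a real name
        raise ValueError(f"dangling breadcrumb to unknown resource {target!r}")
    tf_type, attr = REGISTRY[known[target]]
    return f"${{{tf_type}.{tf_name(target)}.{attr}}}"

def emit(manifest):
    """Translate the manifest into Terraform JSON syntax (one resource block per entry)."""
    known = {r["id"]: r["type"] for r in manifest}
    doc = {"resource": {}}
    for r in manifest:
        tf_type, _ = REGISTRY[r["type"]]
        doc["resource"].setdefault(tf_type, {})[tf_name(r["id"])] = resolve(r["attrs"], known)
    return doc
```

Writing `emit(MANIFEST)` out with `json.dump` to a `.tf.json` file gives a document Terraform reads directly, so the same validation can run before every plan.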

Alert Wiring & Ingest

Every decoy resource is instrumented to generate alerts on interaction. When an attacker touches a decoy resource, the alert pipeline fires:

  1. CloudWatch Alarm / EventBridge Rule triggers on the resource interaction

  2. API Destination sends the event to Guard's ingest endpoint with a scoped JWT

  3. Guard ingests the event and surfaces it as a decoy interaction alert for triage and response

  4. Token rotation — On first apply, a bootstrap JWT is exchanged for a permanent credential stored in the client's secret manager, ensuring long-lived secure connectivity

Alert data includes the resource touched, the action performed, and the actor identity — giving defenders immediate, high-confidence signal with zero false positives.
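The first step of that pipeline, an EventBridge rule that fires only on decoy interactions, as an added example rather than Knossos's own code: the event pattern lists decoy secrets by name and ARN prefix, and a small matcher implements the subset of EventBridge pattern semantics the rule uses so it can be tested offline against constructed CloudTrail events. The decoy secret names, the account id and the sample events are assumptions.

```python
"""Added example, not Knossos's own code: an EventBridge pattern matching CloudTrail
reads of decoy secrets, plus a matcher for the subset of pattern semantics it uses
(nested keys, exact-match lists, {"prefix": ...}). Names and events are constructed."""
ACCOUNT = "111122223333"  # placeholder account id
# Only decoy secrets are listed (by name and by ARN prefix), so reads of real secrets
# never match: any hit is by definition an interaction with a decoy.
DECOY_SECRET_IDS = ["prod/orders/db-creds", "prod/billing/api-key",
                    {"prefix": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/orders/"}]

# The pattern an emitter would place in aws_cloudwatch_event_rule.event_pattern.
PATTERN = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["GetSecretValue", "DescribeSecret"],
        "requestParameters": {"secretId": DECOY_SECRET_IDS},
    },
}

def _alt(alt, value):
    if isinstance(alt, dict) and "prefix" in alt:
        return isinstance(value, str) and value.startswith(alt["prefix"])
    return alt == value

def matches(pattern, event):
    """True when every pattern key exists in the event and one alternative matches."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not (isinstance(event[key], dict) and matches(rule, event[key])):
                return False
        elif not any(_alt(alt, event[key]) for alt in rule):
            return False
    return True

def decoy_alert(event):
    """Reduce a matching event to the fields a defender triages on; None otherwise."""
    if not matches(PATTERN, event):
        return None
    d = event["detail"]
    return {"resource": d["requestParameters"]["secretId"], "action": d["eventName"],
            "actor": d["userIdentity"]["arn"], "source_ip": d["sourceIPAddress"]}

def cloudtrail_event(secret_id, actor, ip, name="GetSecretValue"):
    """Constructed CloudTrail-via-EventBridge envelope (fields trimmed to those used)."""
    return {"source": "aws.secretsmanager", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "secretsmanager.amazonaws.com", "eventName": name,
                       "requestParameters": {"secretId": secret_id},
                       "userIdentity": {"arn": actor}, "sourceIPAddress": ip}}
```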

Permission Boundary Isolation

All IAM roles in a Knossos decoy environment are constrained by a generated permission boundary policy. This is a critical safety mechanism:

  • From the attacker's perspective — Roles appear fully permissive. Policies list broad access to decoy resources, trust policies allow assumption, and inline policies reference realistic ARNs.

  • From the infrastructure's perspective — The boundary policy restricts every role to only the resources within the decoy environment. An attacker who assumes a decoy role cannot pivot into real infrastructure.

This means decoy environments are safe to deploy alongside production — the blast radius is contained by design.
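The two perspectives above placed side by side, as an added example that is not Knossos's own code: a wide-open identity policy, a generated boundary that allows only constructed decoy ARNs and denies the IAM actions that could loosen the boundary, and a simplified check under which an action is effective only when both policies allow it. The ARNs and account id are placeholders, and real IAM evaluation also weighs SCPs, resource policies, session policies and conditions.

```python
"""Added example, not Knossos's own code: a generated permission boundary that confines
a decoy role to decoy resources, with a simplified effective-permission check (allowed
only if the identity policy AND the boundary allow, and no explicit Deny matches).
ARNs and the account id are constructed placeholders."""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
DECOY_ARNS = [  # constructed: everything the emitter placed inside the decoy environment
    "arn:aws:s3:::prod-orders-data-001", "arn:aws:s3:::prod-orders-data-001/*",
    f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/orders/*",
    f"arn:aws:iam::{ACCOUNT}:role/orders-*",  # the other decoy roles in the trail
]

# What the attacker sees when inspecting the decoy role: a wide-open identity policy.
IDENTITY_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def boundary_policy(decoy_arns):
    """Boundary attached via aws_iam_role.permissions_boundary: allow only decoy ARNs and
    deny the IAM actions that could loosen or remove the boundary itself."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:*", "sts:AssumeRole"],
         "Resource": decoy_arns},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _stmt_matches(stmt, action, resource):
    # IAM wildcards are '*' and '?'; actions compare case-insensitively, resources exactly.
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def policy_allows(policy, action, resource):
    """Explicit Deny wins; otherwise an Allow is needed; no match is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _stmt_matches(s, action, resource)}
    return "Allow" in effects and "Deny" not in effects

def is_allowed(action, resource, identity=IDENTITY_POLICY, boundary=None):
    """Effective permission of the decoy role: identity policy AND boundary must allow."""
    boundary = boundary or boundary_policy(DECOY_ARNS)
    return policy_allows(identity, action, resource) and policy_allows(boundary, action, resource)
```

`policy_allows(IDENTITY_POLICY, ...)` alone answers everything with True, which is the view an attacker gets from `GetRolePolicy`; `is_allowed` is what the API actually enforces.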

Cost Estimation

Before deploying, Knossos estimates the monthly cost of the generated environment using live AWS pricing data. Operators can:

  • Preview costs before committing to a deploy

  • Force-refresh pricing from the AWS Pricing API

  • Tune resource caps (max instance class, max resource counts) to stay within budget

  • Use cached estimates for fast iteration during environment design

Activity Simulation

Knossos can generate optional simulator roles that produce background API activity against decoy resources. This makes the environment appear actively used — a critical detail for convincing sophisticated attackers that the infrastructure is real.

Simulated activity includes API calls consistent with the resource types deployed (S3 reads, DynamoDB queries, Lambda invocations), making the environment's CloudTrail footprint indistinguishable from a live workload.

Knossos Workflow

A typical deception deployment follows these steps:

  1. Infer a style profile — Feed your real infrastructure data to Knossos and receive a style profile that captures your cloud fingerprint

  2. Design attack paths — Define the deception scenarios: what resources, what chains, what the attacker should discover

  3. Generate the environment — Knossos produces a full environment manifest with resources, breadcrumbs, and alert wiring

  4. Emit Terraform — The manifest is translated into deployable HCL for your target cloud provider

  5. Estimate cost — Review the projected monthly cost and adjust resource caps if needed

  6. Review and deploy — Download the Terraform plan, review it, and deploy it to your cloud account using your existing IaC pipeline

  7. Monitor — Decoy interaction alerts flow into Guard in real time, providing high-confidence indicators of compromise

  8. Iterate — Update the style profile as your real infrastructure evolves, regenerate environments, and redeploy

Provider Support

| Provider | Status | Resources Supported |
| --- | --- | --- |
| AWS | Generally Available | VPC, Subnet, EC2, RDS, Lambda, S3, IAM, Secrets Manager, DynamoDB, Security Groups, API Gateway, EKS, SQS, SNS |
| GCP | In Development | Follows the same registry pattern — emitter architecture is provider-pluggable |
| Azure | In Development | Follows the same registry pattern — emitter architecture is provider-pluggable |

Why Knossos?

In Greek mythology, Daedalus built the Labyrinth beneath the palace of Knossos on Crete — an inescapable maze designed to contain the Minotaur. Those who entered could not find their way out. The labyrinth was not a prison for the monster alone; it was a trap for anyone who dared enter uninvited. King Minos used it as the ultimate defensive architecture: a structure so complex that the threat eliminated itself.

Knossos brings the same principle to cloud security — decoy environments so realistic that attackers walk in willingly, and every step they take becomes intelligence for the defender.

What's Next

  • Style Profile Deep-Dive — Advanced profile customization, manual overrides, and multi-account inference strategies

  • Attack Path Recipes — Pre-built deception scenarios for common attack chains (credential theft, lateral movement, privilege escalation, data exfiltration)

  • Integration with Guard Alerts — How Knossos decoy alerts appear in Guard's risk and event dashboards

See the complete Knossos User Guide.