April 7, 2025

Turning the Tables on Threat Actors: Webinar Insights

In a recent webinar, Stav Sitnikov, Chief Product Officer at Stream Security, and Tushar Kothari, Former CEO and Board Member of Attivo Networks, explored how organizations can turn the tables on cyber attackers using Stream Traps—deceptive cloud decoys designed to detect and delay malicious actors.


Here's our webinar summary, which dives into how Stream Traps can be part of a dynamic, real-time Cloud Detection & Response strategy.

What Are Cloud Traps?

At the start of the webinar, Stav and Tushar introduced the concept of cloud traps, which have been a critical tool in cybersecurity for over a decade in on-prem environments.

These deceptive assets are planted within an organization’s infrastructure to mislead attackers, tricking them into engaging with false targets instead of real, high-value assets. In on-prem settings, however, deceptive assets came with high overhead and unsustainable maintenance. Unlike on-prem environments, where decoys can be costly and complex to manage, cloud traps are easier to deploy, scale, and maintain.

Stav highlighted that cloud environments are dynamic and automated by design, making it possible to deploy traps without significant operational overhead.  

“In on-prem, setting up traps often requires manual intervention and dedicated hardware, but in the cloud, we can automate and place traps strategically without adding extra burden,” he explained.

Tushar added, “Cloud decoys can be projected at scale without consuming real infrastructure resources. Attackers don’t know what’s real and what’s not, and in a vast cloud environment, that uncertainty works in our favor.”

Stav described the purpose of Stream Traps in two key aspects:

  1. Delaying the Attacker – When attackers engage with a Stream Trap, they focus on false assets, buying security teams valuable time to track and stop the attack.
  2. Strengthening Alert Fidelity – Traps will never be triggered by legitimate users, meaning that any interaction with them provides an undeniable signal of an attempted breach.  

Why Are Cloud Decoys Essential for Modern Security?

Traditional cybersecurity strategies aim to minimize mean time to response (MTTR), but Stav and Tushar argued in the webinar that slowing attackers down is just as important.  

Cybercriminals are increasingly well-funded and trained in traditional security tools. However, deception disrupts their tactics and forces them to second-guess every move.

Tushar used an analogy to highlight the advantage of deception: “If you’re trying to catch a mouse in your house, the best method isn’t chasing it with a rifle—it’s placing a trap with some bait. This shifts the effort onto the attacker.”

How Stream Traps Slow Down and Contain Attackers

Stream Traps are uniquely positioned to slow down and contain cyber threats. Once an attacker interacts with a trap, organizations have multiple options to neutralize the threat:

  • Quarantine the Attacker – Once an attacker touches a trap, security teams can isolate the associated endpoint, so the attacker never reaches real assets.  
  • Redirect to a Sandbox – Instead of expelling attackers outright, traps can redirect them into a sandbox environment, giving them false assets to interact with while security teams investigate and prepare a response.  

One of the most powerful deception techniques discussed was sandboxing. Stav and Tushar explained how attackers can be led into a controlled, isolated cloud environment where they unknowingly interact with fake data.

“The trap exists in the customer’s real environment,” Stav explained, “but once the attacker engages with it, we can move them to a cloud account that we control. From their perspective, they’re still moving laterally—but in reality, they’re just wasting time.”

Strategic Placement of Stream Traps

Most deception-based security solutions fail because they lack environmental awareness. Many existing canary solutions randomly deploy traps without understanding where attackers are most likely to strike.

“It's important to place decoys where attackers will naturally go, not just anywhere,” Stav noted. “The key is placing them as close as possible to the perimeter, where threats originate, so they act as early-warning beacons.”

Recommended cloud trap placement includes:

  • Perimeter Entry Points – Entry points can catch attackers as soon as they breach the environment.
  • Vulnerable Cloud Resources – Misconfigured S3 buckets or overly permissive IAM roles.
  • Reconnaissance Hotspots – Locations that attackers might scan for exploitable data.
  • Crown Jewels – High-value assets that attackers might target.

Optimizing Decoy Deployment with AI

Stream.Security leverages AI to automate deception deployment, reducing the friction between security and DevOps teams.

“We use AI to scan your environment and identify where the riskiest places are,” Stav explained. “Then we generate decoys that match your environment, ensuring they look real enough to fool attackers.”

Stream’s AI deployment benefits include:

  • AI Naming Conventions – Stream Security uses LLMs to understand how organizations name their assets, generating realistic decoys accordingly.  
  • Ready-to-Deploy Templates – Infrastructure-as-Code (IaC) templates allow DevOps teams to deploy traps seamlessly.

Traditional approaches rely on manual deployment, which often leads to delays and inconsistencies. Stream’s automation eliminates these inefficiencies.

How SecOps Teams Can Utilize Stream Traps

Tushar explained how Stream Traps alleviate the burden of overwhelming security alerts, making life easier for security operations teams.

  • High-Fidelity Alerts – Legitimate users don’t interact with decoys, so any engagement is a confirmed threat.
  • Reduced False Positives – Unlike traditional behavior analytics, which generate noisy alerts, deception-based security provides certainty.
  • Attack Delays – Deception creates strategic delays that give security teams the upper hand to investigate and respond. With more time to strategize, the impact of an attack can be minimized.
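
The high-fidelity alert idea above can be shown in a short added example; it is a generic sketch, not Stream Security's code. It assumes CloudTrail-style records (trimmed to the fields used), a constructed decoy inventory, and one expected caller: the hypothetical IaC pipeline role that deploys the decoys.

```python
DECOY_ARNS = {  # constructed decoy inventory (hypothetical names)
    "arn:aws:s3:::acme-prod-billing-exports-bak",
    "arn:aws:iam::111122223333:role/acme-legacy-admin",
}
# Assumption: only the IaC pipeline role that deploys the decoys may touch them.
DEPLOYER_ARNS = {"arn:aws:iam::111122223333:role/iac-deployer"}

def _ev(name, source, who, ip, resources=(), params=None, issuer=None):
    """Build a constructed, trimmed CloudTrail-style record for the sample data."""
    ident = {"arn": who}
    if issuer:
        ident["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    return {"eventName": name, "eventSource": source, "userIdentity": ident,
            "sourceIPAddress": ip, "requestParameters": params,
            "resources": [{"ARN": arn} for arn in resources]}

USER = "arn:aws:iam::111122223333:user/ci-build"
SAMPLE_EVENTS = [  # constructed sample input
    _ev("GetObject", "s3.amazonaws.com", USER, "198.51.100.7", ["arn:aws:s3:::acme-prod-app-assets"]),
    _ev("ListObjects", "s3.amazonaws.com", USER, "203.0.113.45", ["arn:aws:s3:::acme-prod-billing-exports-bak"]),
    _ev("AssumeRole", "sts.amazonaws.com", USER, "203.0.113.45",
        params={"roleArn": "arn:aws:iam::111122223333:role/acme-legacy-admin"}),
    _ev("PutBucketTagging", "s3.amazonaws.com", "arn:aws:sts::111122223333:assumed-role/iac-deployer/run-42",
        "192.0.2.10", ["arn:aws:s3:::acme-prod-billing-exports-bak"],
        issuer="arn:aws:iam::111122223333:role/iac-deployer"),
]

def touched_decoys(event):
    """Return the decoy ARNs named in the event's resources or request parameters."""
    refs = {r.get("ARN") for r in event.get("resources", [])}
    refs.update(v for v in (event.get("requestParameters") or {}).values() if isinstance(v, str))
    return sorted(DECOY_ARNS & refs)

def principal(event):
    """Prefer the role behind an assumed-role session over the session ARN itself."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def decoy_alerts(events):
    """Every decoy touch by anyone other than the deployer becomes an alert."""
    alerts = []
    for ev in events:
        hits, who = touched_decoys(ev), principal(ev)
        if hits and who not in DEPLOYER_ARNS:
            alerts.append({"principal": who, "source_ip": ev.get("sourceIPAddress"),
                           "action": f'{ev["eventSource"]}:{ev["eventName"]}', "decoys": hits})
    return alerts
```

Each alert carries the principal and source IP, which are the values a quarantine or redirect step would act on.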

Key Takeaways

Stream Traps shift the balance of power from attackers to defenders by using deception to delay and expose threats. With Stream Traps, organizations can strategically and seamlessly deploy cloud decoys, reducing manual effort while increasing detection accuracy. By embedding Stream Traps into cloud environments, security teams gain a proactive, high-impact defense strategy that ensures attackers work against themselves while defenders stay ahead.

Want to watch the full webinar on Stream Traps with Stav and Tushar? Click here.  

For more information on how your security team can integrate Stream Traps into your cloud security strategy, book a demo with our team.  

About Stream Security

Stream.Security delivers the only cloud detection and response solution that SecOps teams can trust. Born in the cloud, Stream’s Cloud Twin solution enables real-time cloud threat and exposure modeling to accelerate response in today’s highly dynamic cloud enterprise environments. By using the Stream Security platform, SecOps teams gain unparalleled visibility and can pinpoint exposures and threats by understanding the past, present, and future of their cloud infrastructure. The AI-assisted platform helps to determine attack paths and blast radius across all elements of the cloud infrastructure to eliminate gaps and accelerate MTTR by streamlining investigations and reducing knowledge gaps while maximizing team productivity and limiting burnout.
