Automations

Automations

Autonomous Deception Engine—intel-driven deployments, auto-blocking, notifications, and scheduled lure operations.

Last updated May 2026

Autonomous Deception Engine

The Automation module implements H1VE's Autonomous Deception Engine—rules that deploy or adjust lures based on external signals rather than manual clicks. Use it when threat intel or attack surface data consistently outpaces operator capacity.

H1VE Autonomous Deception Engine dashboard
Threat Intelligence Automation status, lure creation metrics, feed tracking, and auto-lure deployment statistics.

Threat intelligence driven deployments

Ingest feeds (including KE-LA) to spawn lures matching emerging CVEs, actor TTPs, or sector-specific tooling. Pair with suppression so intel-driven floods do not exhaust Docker hosts.

Attack surface based deployment

Hidden Hand integration maps customer attack surface assets to lure deployment plans in the Simulator. Gaps in external visibility become targeted deception coverage—align naming and DNS with real asset patterns.

Automated response actions

  • Auto-blocking — Push malicious IPs to configured WAF providers after threshold rules
  • Notifications — Slack/Teams/webhook on Critical threats or campaign detection
  • Scheduled deployment — Rotate lure personas on calendar or cron
  • Campaign-driven — Spin up lure types matching active campaign TTPs