Operations

Operational Best Practices

Lure placement, realism, monitoring, investigation workflows, and threat escalation.

Last updated May 2026

Lure placement strategies

Mirror real assets: if you run Fortinet VPN in production, deploy Fortinet VPN lures on adjacent naming patterns. Place high-value personas (GitHub Enterprise mimic, Grafana) where APT campaigns target your sector—not random unused subnets.

Realism and avoiding detection

Use DNS hostnames, valid TLS, and crawled clone content. Avoid obvious strings (honeypot, test-decoy) in titles and certificates. Rotate stale personas before scanners fingerprint them as unchanged bait.

High-value deployment

One believable VPN lure in the right DNS zone outperforms ten generic SSH ports on RFC1918 addresses that nobody scans.
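As an added example, not the platform's own tooling, the following Python audit applies the realism and placement rules above to a constructed lure inventory: it flags telltale strings in hostnames, certificate CNs and page titles, CN/hostname mismatches, RFC1918 placement, and personas left unchanged past an assumed 90-day rotation threshold. The field names, the sample records and the threshold are assumptions.

```python
import ipaddress
import re
from datetime import date

# Constructed sample inventory of deployed lures. The field names are
# hypothetical; the platform's real export format is not shown on this page.
LURES = [
    {"host": "vpn2.corp.example.com", "ip": "203.0.113.10",
     "cert_cn": "vpn2.corp.example.com", "title": "FortiGate SSL-VPN",
     "rotated": date(2026, 4, 20)},
    {"host": "honeypot-ssh.example.com", "ip": "10.0.5.9",
     "cert_cn": "test-decoy", "title": "SSH honeypot",
     "rotated": date(2025, 9, 1)},
    {"host": "grafana-stage.example.com", "ip": "198.51.100.7",
     "cert_cn": "grafana-stage.example.com", "title": "Grafana",
     "rotated": date(2026, 1, 3)},
]
TODAY = date(2026, 5, 15)  # audit date for the constructed sample

# Strings that give a lure away in a hostname, certificate or page title.
TELLTALE = re.compile(r"honey-?pot|decoy|canary", re.IGNORECASE)

# Only the RFC1918 ranges, not ipaddress.is_private, which would also flag
# the documentation ranges used for the public sample addresses above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_lure(lure, today, max_age_days=90):
    """Return realism findings for one lure; an empty list means it passes.
    max_age_days is an assumed rotation threshold, not a platform default."""
    findings = []
    for field in ("host", "cert_cn", "title"):
        if TELLTALE.search(lure[field]):
            findings.append(f"obvious string in {field}: {lure[field]!r}")
    if lure["host"] != lure["cert_cn"]:
        findings.append("certificate CN does not match hostname")
    addr = ipaddress.ip_address(lure["ip"])
    if any(addr in net for net in RFC1918):
        findings.append("RFC1918 address: external scanners never reach it")
    age = (today - lure["rotated"]).days
    if age > max_age_days:
        findings.append(f"persona unchanged for {age} days")
    return findings


def audit_inventory(lures, today, max_age_days=90):
    """Map each lure hostname to its findings so stale or obvious lures surface."""
    return {l["host"]: audit_lure(l, today, max_age_days) for l in lures}
```

Run audit_inventory(LURES, TODAY) on a real export before each weekly review; a lure with an empty findings list passes all four checks.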

Monitoring recommendations

Review the dashboard's daily/weekly/monthly (D/W/M) trends every day and assign an owner for each workspace. Alert on Critical severity via Slack; review suppression rules and the top scanner groups weekly.

Investigation workflows and escalation

Standard escalation path

1. Triage: Dashboard → threat details → copy IP

2. Enrich: Investigation profile → analysis actions → C2 check

3. Contain: WAF block or campaign export to SIEM

4. Improve: Deploy/adjust lures via Automation from exploit trends