Product modules
| Module | Purpose | Primary users |
|---|---|---|
| Dashboard | Real-time KPIs, Deception Surface Map, recent threats | SOC, managers |
| Lure Center | Create, start, stop, and configure decoys | Deception engineers |
| Automation | Autonomous Deception Engine—intel-driven deployments | Detection engineering |
| Research | Analytics, trends, IP investigation profiles | Threat hunters |
| Integrations | DNS, WAF, Slack, KE-LA, Hidden Hand | Platform / SecOps |
| Admin | Teams, users, scanner groups, detection rules | Platform owners |
Workspaces and teams
H1VE scopes lures, statistics, and integrations to workspaces. Enterprise deployments typically map a workspace per business unit or customer (MSSP model). Users switch workspaces from the profile menu; API tokens inherit workspace context.
Data flow at a glance
Attacker → DNS/edge → Traefik → lure container → batch telemetry export → H1VE backend queue → classification & storage → Dashboard / Research / exports. Internal telemetry (process, file, outbound) follows a parallel ingest path documented under Logs & Telemetry.