Last week I was at the Fortinet XPerts Academy 2019 in Madrid. One of the sessions I visited was about FortiDeceptor which is quite a new product in the Fortinet ecosystem. The first version of FortiDeceptor was released end of 2018. With the upcoming release of version 2.1 the product has taken an incredible journey in just half a year. During the session we first got an overview over the product followed by a hands-on demo session.

What is it?

FortiDeceptor spins up multiple virtual machines in different segments of your network. These machine are basically honeypots which detect an attacker as soon as he interacts with the exposed services of the machine. Additionally so called Tokens are deployed to your real endpoints in the network. This Tokens are breadcrumbs which direct to the deception machines. A normal user will never find and invoke them, but an attacker who compromised the endpoint will certainly find them. As part of his lateral movement the attacker will sooner or later connect to a deception VM. At that point an incident is generated by FortiDeceptor and everything the attacker does is being reported in detail.

An incident could look like in this picture. As you can see, not only the connection itself is logged, but also anything which the attacker does on the VM.

FortiDeceptor Reporting

Deployment options

FortiDeceptor is available as virtual machine and also as hardware appliance. You need to license the box itself and also the number of virtual machines you want to run. The box can be deployed in multiple network segments via physical ports or VLANs. The network segments, where you deploy deception VMs, can be detected automatically with a sniffer port or manually.

Currently you can run Windows, Linux and Scada VM’s. The Scada VM is emulating an Industrial Control System (ICS) which can expose different services, normally seen in factory networks, like Modbus, S7COMM and more. With the new release it will also be possible to deploy your own custom VMs. This is a good thing because with the current VMs an experienced attacker will pretty fast know that he was detected. That is not necessary an issue when you block him from the network anyway, but in some cases you would prefer to gather more insight into the attack before doing that.

Currently you can deploy a maximum of 16 virtual machines, every VM has a limit of 16 interfaces. Therefore you can deploy a maximum of 256 decoys per appliance. The Tokens (or breadcrumbs) can be deployed on all major operation systems (Windows / Linux / macOS).

Eliminate the attacker

As soon as you detected the incident you will probably want to eliminate the attacker. With all the information given by FortiDeceptor this should be an easy task. But since false-positives are very rare and should never happen for normal users this should be automated. The good thing is, that FortiDeceptor got a Security-Fabric integration in the latest release. So you can configure it, to automatically isolate the compromised endpoint from your network. Depending on your network architecture you would also integrate other security devices like your NAC solution.


I think FortiDeceptor is a really nice product which helps to make a network more secure. If you consider that most cyber-attacks are detected way too late, a solution like that should be considered in many environments. For sure at some points the product still needs some work. But when I look at the road map (which I cannot disclose) and the way the product has taken, in only six months, I am really excited about this.