Cyber Deception Playground

Open-source lab for adversary and defender perspectives on cyber deception. Deploy a fictitious financial environment (Andesfinance) with configurable deception levels, monitoring (Elastic Stack), and built-in attacker simulation, all via Docker Compose.

This project presents both adversary and defender perspectives on cyber deception. It deploys a fictitious production environment with monitoring, multiple deception levels, and an attacker container. The environment simulates a financial organization with intentionally vulnerable web services, SSH honeypots, decoy APIs, fake activity generators, and optional high-fidelity deception (banners, tampered executables).

Objective

Show what an environment looks like when it has:

  • Multiple deployed deception activities

  • Activity monitoring

  • An adversary facing increasing decision-making difficulty

Features

  • Configurable deception levels: None, Basic, Complete, Impossible (progressive honeypots, decoys, and anti-forensics).

  • Full stack: Node.js frontend/backend, MySQL, custom SSH honeypot, fake activity generator, Elastic Stack (Filebeat, Elasticsearch, Kibana).

  • Attacker container: Preloaded with recon and attack scripts (reconnaissance, port scanning, SQL injection, command injection, SSH brute force, data exfiltration).

  • Observability: Centralized logs and Kibana dashboards for events, source IPs, and executed commands.

  • Cross-platform: Docker Compose; startup scripts for Linux (startup.sh) and Windows (startup.bat).

Schematic

The lab is organized in networks: External (attacker container), DMZ (frontend), Server (backend, SSH honeypot, fake activity), Database (MySQL), and Monitor (Filebeat, Elasticsearch, Kibana). See Architecture for the full diagram and security layout.
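The segmentation described above, written out as a Docker Compose fragment. This is an added illustration, not the project's own compose file: service names, build paths and images are assumptions, and only the five-network layout follows the description.

```yaml
# Added illustration of the network layout described above; not the
# project's own compose file. Service names, build paths and images
# are assumptions; only the five-network layout follows the description.
services:
  attacker:
    build: ./attacker              # assumed path
    networks: [external]           # never attached to internal tiers
  frontend:
    build: ./frontend              # assumed path
    networks: [external, dmz]      # the only bridge from outside into the DMZ
  backend:
    build: ./backend               # assumed path
    networks: [dmz, server, database]
  ssh-honeypot:
    build: ./ssh-honeypot          # assumed path
    networks: [dmz, server]        # decoy exposed one hop in (assumption)
  fake-activity:
    build: ./fake-activity         # assumed path
    networks: [server]             # generates believable traffic, no exposure
  mysql:
    image: mysql:8
    networks: [database]           # reachable from backend only
    environment:
      MYSQL_ROOT_PASSWORD: CHANGE_ME   # placeholder; load from .env in practice
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.13.0
    environment:
      discovery.type: single-node  # lab-sized cluster
    networks: [monitor]
  kibana:
    image: docker.elastic.co/kibana/kibana:8.13.0
    ports: ["127.0.0.1:5601:5601"] # dashboards on the host loopback only
    networks: [monitor]
  filebeat:
    image: docker.elastic.co/beats/filebeat:8.13.0
    user: root                     # needed to read other containers' logs
    volumes:
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [monitor]
networks:
  external: {}                     # attacker's segment; has outside connectivity
  dmz: {internal: true}            # no route to the internet from here on
  server: {internal: true}
  database: {internal: true}
  monitor: {}                      # host needs to reach Kibana's published port
```

`internal: true` removes the default outbound route, so a compromised frontend or backend cannot exfiltrate directly to the internet and the only way out is back through the External segment. Filebeat reads every container's log files from the host, so log collection is independent of which network a service sits on.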

License

This project is licensed under the MIT License. See the repository LICENSE file for the full text.

Changelog

See CHANGELOG.md in the repository for version history and notable changes.
