Logo of Acalvio, a leading company in cyber deception technology
Identity threats are involved in 80% of all cyberattacks, according to the CrowdStrike 2023 Global Threat Report. These are serious threats that compromise corporate and personal information and put organizations at grave risk. Sophisticated attackers like APTs and ransomware actors typically start their campaign with an attack on identities. Attackers can exploit identities on endpoints, applications, and identity stores.

An identity threat is difficult to detect with traditional cybersecurity approaches.

Existing security controls are not sufficient to protect enterprises from identity compromise. Attackers target identities of privileged users (such as Helpdesk Admins, and Domain Admin accounts), as well as machine or service accounts. Service accounts represent a significant attack surface as they cannot be easily secured using existing prevention-based security mechanisms. These credentials cannot be protected using MFA techniques, giving the attacker opportunities for Lateral Movement and Privilege Escalation.

Deception technology is a novel way of detecting identity threats with high fidelity. Acalvio ShadowPlex honeytoken accounts and honeytokens are purpose-built deceptions that offer a new layer in the Defense-in-Depth offering for Identity Protection – for all credential and account types.

ShadowPlex containment for active directory security emphasizing that attackers cannot disable this containment
Use of Crowdstrike honeytoken accounts and honeytokens in cybersecurity for identity protection

About Honeytoken Accounts and Honeytokens

Honeytoken accounts are deceptive user accounts, service accounts, and application identities created in Active Directory (AD). They are specifically designed to lure attackers away from critical resources. Honeytokens are deceptive credentials and data that are embedded in legitimate assets such as Falcon-managed endpoints and cloud workloads. Together, they are extremely effective at detecting identity threats.

CrowdStrike Falcon® Identity Protection has in-built support for monitoring honeytoken accounts and a policy-based identity threat containment and response mechanism. Any access or alterations of honeytoken accounts trigger a dedicated high-fidelity detection, giving SOC analysts visibility into the detailed insights and adversary attack path.

Benefits of Honeytoken accounts and Honeytokens for Identity Protection

In a recently published blog by CrowdStrike on Identity Security Innovations, the new Honeytokens capability is highlighted as a key capability for Identity Protection (https://www.crowdstrike.com/blog/crowdstrike-extends-identity-security-innovations).

As covered in the blog, Identity-driven attacks are extremely hard to detect with traditional approaches. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it’s often very difficult to differentiate between the user’s typical behavior and that of the hacker using traditional security measures and tools.

Advanced Identity attack techniques are stealthy and do not leave any evidence on the AD logs or on existing security controls. They use well-established authentication protocols that are difficult to distinguish through AD login interception or authentication protocol interception approaches.

Deception has been widely recognized by leading AD researchers and AD experts as a powerful mechanism for the detection of identity threats (ref: Active Directory Security https://adsecurity.org/?tag=service-account-honeypot).

Acalvio Honeytoken Accounts and Honeytokens are designed to detect even zero-day threats and are the perfect solutions to deploy in Zero Trust environments for Identity Protection.

Operationalizing Honeytoken Accounts and Honeytokens

For effective utilization of Honeytoken Accounts and Honeytokens, there are several factors to consider during the creation and deployment phase. Manually defining these would be cumbersome and challenging to make them attractive and effective.

Acalvio’s proven expertise in Advanced Deception Technology helps CrowdStrike Identity customers to operationalize this capability by automating the design, definition, and deployment of effective Honeytoken Accounts and Honeytokens.

Acalvio's advanced AI solution to quickly operationalize Honeytoken accounts
Effective honeytokens and honeytoken accounts


  • Domain selection for deploying Honeytoken Accounts & Honeytokens
  • Automated Al-driven recommendation of Honeytoken Accounts
  • Appropriate count of Honeytoken Accounts per Domain
  • Honeytoken Account Types & Variety
  • Honeytoken Account Attributes
  • Automated creation & Deployment of Honeytokens
  • Wide variety of Honeytokens
  • Designed to be hidden from legitimate users
  • Visible to attackers via tools & scripts
  • Blended based on endpoint characteristics

Seamless Integration: Acalvio ShadowPlex and CrowdStrike Falcon® Identity Protection

Acalvio ShadowPlex is pre-integrated with CrowdStrike Falcon® that provides immediate value:

  • Acalvio’s integration with CrowdStrike Identity Protection is powered by the Acalvio SaaS Service
  • No software installation on the enterprise network
  • Scalable architecture protects multiple Active Directory Domains & thousands of endpoints
  • Single console solution – managed using the CrowdStrike Falcon® console
  • Administrators can control the variety and count of Honeytoken Accounts & Honeytokens.
Integration of Acalvio ShadowPlex and CrowdStrike Falcon® for enhanced monitoring of honeytoken accounts and honeytokens

Next Steps

Explore our patented technologies to enable Active Defense and Identity Security in your enterprise.