Falcon® Identity Protection maps access. Acalvio adds what’s missing—early detection of credential misuse, privilege abuse, and identity-based movement.
Identity-Centric Honeytokens
  • Deploy decoy accounts and credentials across AD and cloud
  • Detect misuse, lateral movement, and privilege escalation
Built for Falcon® Identity Protection
  • Pre-integrated for deployment, monitoring, and alerting
  • Aligns with Falcon risk insights to deliver early detection
Expose Identity Threats Falcon Misses
  • Detect misuse through decoy interaction, not just policies
  • Reveal attacker intent early in the identity kill chain
Expand Falcon Coverage Easily
  • Deploy at scale with no agents or tuning
  • Add high-fidelity signals from identity-focused deception

What the Research Shows

CrowdStrike’s own analysis highlights honeytokens as a key innovation for detecting identity-based threats. These types of attacks often evade traditional monitoring, especially when adversaries reuse legitimate credentials.
When attackers masquerade as real users, their behavior blends in with normal activity. Techniques like AD login interception and protocol manipulation don’t leave logs or obvious evidence.

Acalvio’s honeytoken accounts and tokens add a high-fidelity layer that reveals stealthy movement—giving SOC teams early warning even for zero-day threats. That’s why CrowdStrike Falcon® Identity Protection includes native support for honeytoken monitoring and response.

Advanced Honeytokens for CrowdStrike Falcon® Customers

See how Acalvio ShadowPlex strengthens Falcon Identity Protection with early detection of identity misuse—privileged access abuse, service account threats, and lateral movement. Fast to deploy, easy to integrate.

Why are Honeytoken Accounts and Honeytokens Important?

ShadowPlex surfaces threats that bypass traditional access and behavior monitoring.

  • Detect credential theft using planted honeytokens in memory, endpoints, and cloud stores
  • Identify misuse of service, machine, and privileged accounts before escalation
  • Correlate identity misuse across hybrid AD and cloud identity systems
  • Reveal attacker behavior that evades behavioral or policy-based detection
Built for Falcon® Identity Protection

Extend CrowdStrike’s access controls with layered, intent-based detection.

  • Augment Falcon Identity with real-time alerts on honeytoken engagement
  • Deploy deception accounts that appear legitimate to adversaries
  • Detect privilege abuse, credential harvesting, and identity traversal
  • Deliver enriched signals to Falcon for faster, more accurate response
Expose Identity Threats Falcon Misses

Catch stealthy identity misuse early—before traditional tools alert.

  • Monitor for credential use that should never happen
  • Expose lateral movement masked as legitimate access
  • Detect Kerberoasting and other stealthy AD enumeration
  • Flag threats without relying on baselines or user behavior models
Expand Falcon Coverage Easily

Scale intent-based detection across identity systems—without added complexity.

  • Deploy deception without agents or impact to users
  • Cover on-prem AD and cloud identities, including Azure AD
  • Integrate natively via Falcon Identity Protection APIs
  • Automatically refresh decoys to stay ahead of attacker discovery
Why Honeytoken Accounts and Honeytokens Matter

Falcon® Identity Protection excels at monitoring access, but attackers don’t always play by the rules.

Modern threats don’t just authenticate—they steal, reuse, and abuse credentials that slip past policy-based defenses. Privileged accounts, service identities, and machine credentials remain exposed, even in well-configured environments. These are the gaps adversaries exploit for lateral movement and privilege escalation—often without triggering Falcon’s policy alerts.

Acalvio ShadowPlex closes that gap. By deploying deceptive honeytoken accounts and credentials across your hybrid identity fabric, it exposes credential misuse with high-fidelity, intent-based detection. These decoys seamlessly integrate with CrowdStrike Falcon Identity Protection, providing an early warning system for identity threats that bypass conventional controls.

Seamless Integration: Acalvio ShadowPlex and CrowdStrike Falcon® Identity Protection

Acalvio ShadowPlex is pre-integrated with CrowdStrike Falcon®, which provides immediate value:

  • Acalvio’s integration with CrowdStrike Identity Protection is powered by the Acalvio SaaS Service
  • No software installation on the enterprise network
  • Scalable architecture protects multiple Active Directory Domains & thousands of endpoints
  • Single console solution – managed using the CrowdStrike Falcon® console
  • Administrators can control the variety and count of Honeytoken Accounts & Honeytokens.

How Honeytokens Work

CrowdStrike has identified honeytokens as a critical capability for Identity Protection in their recent research on security innovations. Acalvio honeytokens are designed to surface this activity with high-fidelity deception, providing visibility even into zero-day threats and adding an essential layer for Zero Trust-aligned Identity Protection strategies.

Operationalizing Honeytoken Accounts and Honeytokens

Acalvio makes deploying Honeytoken Accounts and Honeytokens with Falcon fast, scalable, and effective:

  • AI-Driven Design: Automatically recommends token types, volume, and placement based on Active Directory structure and endpoint characteristics.
  • Flexible Deployment: Supports broad coverage across domains, cloud workloads, and hybrid environments without agent sprawl.
  • Hidden from Users, Visible to Attackers: Tokens blend into live environments but trigger immediate alerts on adversary engagement.
  • Aligned to Falcon Policies: Integrates cleanly with CrowdStrike Falcon® Identity Protection to extend detection and response workflows.

Real Use Cases with CrowdStrike Falcon®

Catch Privilege Escalation Before It Spreads

Use Case: An attacker compromises a low-privilege endpoint and begins enumerating service accounts to escalate privileges.

How It Works:
Acalvio deploys deceptive service accounts and credentials that are indistinguishable from real ones. When an attacker interacts with them, Falcon Identity Protection triggers a policy-driven response to isolate the endpoint.

Detect Credential Theft Without Waiting for Abuse

Use Case: Credentials are dumped or harvested but not yet used—leaving no signal for traditional tools.

How It Works:
Honeytokens are embedded in memory and system artifacts that should never be accessed in normal workflows. When touched, they trigger high-fidelity alerts within Falcon before credentials are exploited.

Expose Identity-Based Lateral Movement

Use Case: Adversaries move laterally using valid credentials and legitimate tools like RDP or PsExec.

How It Works:
Deceptive accounts placed across hybrid identity systems are monitored for use. Any interaction—logon, query, or enumeration—exposes traversal that would otherwise blend into normal activity. Falcon takes action based on these verified signals.

Trigger Actionable, High-Fidelity Identity Alerts

Use Case: Analysts are buried in alert fatigue with little context for prioritization.

How It Works:
Deception-generated alerts are based on active engagement—no speculation, no guesswork. When Falcon ingests these alerts, it enriches them with contextual telemetry, enabling focused investigation and faster remediation.

Seamless Integration: Acalvio ShadowPlex + CrowdStrike Falcon® Identity Protection

Acalvio ShadowPlex is fully integrated with CrowdStrike Falcon® Identity Protection, delivering immediate operational value without complexity:

  • Built-in Honeytoken Support: Falcon natively monitors Acalvio-deployed honeytoken accounts and triggers high-fidelity detections on access or modification, exposing adversary behavior with precision.
  • Unified Console Management: Honeytokens are deployed and managed directly from the CrowdStrike Falcon® console, giving SOC teams centralized visibility and control.
  • Enterprise Scalability: No software to install. Supports large, distributed environments across multiple Active Directory domains and thousands of endpoints.
  • Granular Control: Admins can define the type, volume, and placement of honeytoken accounts and tokens to align deception with their identity protection strategy.

Benefits for CrowdStrike Falcon® Identity Protection Customers

Close Gaps Falcon Alone Can’t See

Detect threats that evade policy-based detection, like credential misuse and lateral movement using valid accounts.

Enhance Falcon with High-Fidelity Identity Signals

Add intent-based alerts to Falcon’s visibility, reducing noise and giving analysts precise indicators of compromise.

Extend Falcon’s Reach with Stealth Defenses

Deploy deceptive identities directly into Falcon-managed environments to expose attackers without disrupting authentication flows.

Frequently Asked Questions

Honeytoken accounts are deceptive accounts (representing human and service accounts, and application identities) created in Active Directory (AD) that are specifically designed to blend into the domain.
Honeytokens are deceptive credentials and data that are embedded in legitimate assets such as OS caches, application configuration files, Windows registry entries, Falcon-managed endpoints, and cloud workloads. Any usage or manipulation of these deception artifacts is a very reliable indicator of an identity threat.

A canary token is a simple deceptive artifact that acts as a tripwire, providing an alert when an attacker accesses one.

Acalvio Honey Accounts and Honeytokens is a much more comprehensive and effective solution based on deception technology. Acalvio automates the recommendation of Honey Accounts and deployment of Honeytokens so that they blend in with the environment and appear attractive to attackers. Unlike canary tokens, where deployment is usually manual, Acalvio Honey Accounts and Honeytokens can be easily deployed at enterprise scale with minimal effort. In addition, unlike canary tokens, which usually only provide alerts for suspicious activity, the Acalvio solution integrates with CrowdStrike Identity Protection to provide response actions.

Acalvio ShadowPlex Honeytoken accounts and Honeytokens for CrowdStrike Falcon® Identity Protection are based on Deception Technology and provide a new layer in the Defense-in-Depth offering for identity protection. They are a class of Deception Technology techniques that are proven to be extremely powerful and efficient in detecting a variety of identity threats.

Acalvio ShadowPlex leverages the Falcon® Identity Protection Honey Account monitoring and containment policy to provide a scalable and effective deception-based identity threat detection solution.

Honeytoken accounts and Honeytokens are unique, attractive, and carefully designed. They are invisible to normal users, but visible through the lens of attacker tools.

ShadowPlex gives honeytoken accounts properties that are like the properties of existing accounts in Active Directory. In other words, when a honeytoken account is created in Active Directory, its properties would enable it to blend with the existing accounts in Active Directory. At the same time, ShadowPlex also gives a honeytoken account properties that make it look attractive to an adversary.

Manually creating honeytoken accounts and honeytokens is a laborious process, and it is extremely challenging to make them attractive to attackers.

The Honeytoken fulfillment capability from Acalvio is completely automated, pre-integrated into the Falcon® platform, and does not require any additional Acalvio software to be installed. Acalvio provides a single console solution to CrowdStrike Falcon® customers.
