cloud-active-defense deploys decoys within cloud applications to detect, divert, and deter cyber attackers in real time.
Add a layer of active defense to your cloud applications.
This tool is designed for cloud application security teams who want to add an active defense layer by embedding decoys that detect unauthorized interactions and alert defenders immediately. It helps identify malicious activity early, including compromised user accounts, by raising alerts when attackers engage with the decoys. Security engineers and threat hunters can use it to automate intrusion detection and threat hunting in cloud environments.
Requires Docker and Docker Compose for easy deployment; rebuilding the plugin requires Go 1.19+ and TinyGo. Best practice is to customize decoy configurations to fit your application environment and threat model. The tool is designed to minimize false positives by using decoys that only trigger alerts upon interaction, making it suitable for production cloud environments.
Clone the repository: git clone https://github.com/SAP/cloud-active-defense.git
Navigate into the directory: cd cloud-active-defense
Start the tool in demo mode using Docker Compose: docker-compose up --build
Visit http://localhost:8000 in a web browser to verify the tool is active
Optional: Install Go 1.19+ and TinyGo if you want to rebuild the plugin
git clone https://github.com/SAP/cloud-active-defense.git - Clone the repository locally.
cd cloud-active-defense - Change directory to the cloned repository.
docker-compose up --build - Start the tool in demo mode with Docker Compose.
Visit http://localhost:8000 - Access the demo web interface to confirm the tool is running and injecting the x-cloud-active-defense header.
Modify cloud-active-defense/configmanager/cad-default.json - Configure decoy filters to define detection and alerting rules.
Visit http://localhost:8000/forbidden - Trigger a decoy alert by accessing a forbidden URL to test detection.
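The verification steps above (header check on the landing page, then a visit to the /forbidden decoy) as a small smoke-test script. This is an added example, not code from the cloud-active-defense project; it assumes the demo from docker-compose is reachable at http://localhost:8000, and the header value in the sample block is a constructed placeholder.

```shell
#!/bin/sh
# Added deployment smoke test; not part of the cloud-active-defense project.
# Assumes the demo started with docker-compose listens on http://localhost:8000
# and injects the x-cloud-active-defense response header as described above.
CAD_URL="${CAD_URL:-http://localhost:8000}"

# Print the value of x-cloud-active-defense from a raw header block on stdin;
# prints nothing and returns 1 when the header is absent (case-insensitive).
cad_header_value() {
    tr -d '\r' | awk 'tolower($1) == "x-cloud-active-defense:" {
            sub(/^[^:]*:[ \t]*/, ""); print; found = 1
        } END { exit !found }'
}

# Fetch only the response headers for a path under CAD_URL.
fetch_headers() {
    curl -sS -D - -o /dev/null --max-time 5 "$CAD_URL$1"
}

# 1. Confirm the decoy header is injected on the landing page.
# 2. Contact the /forbidden decoy and record the time so the resulting alert
#    can be matched against the container logs.
check_deployment() {
    value=$(fetch_headers / | cad_header_value) || {
        echo "FAIL: x-cloud-active-defense header missing on $CAD_URL/" >&2
        return 1
    }
    echo "OK: header present on / (value: $value)"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    fetch_headers /forbidden >/dev/null
    echo "Decoy /forbidden contacted at $stamp; expect an alert at or after this time."
}

# Constructed sample header block so cad_header_value can be exercised offline.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
X-Cloud-Active-Defense: demo-placeholder-value
'

# Run the live check only when invoked as: sh smoke-test.sh run
if [ "${1:-}" = "run" ]; then
    check_deployment
fi
```

Set CAD_URL to point the check at a non-default port or host before running it.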