Interesting musings from Kat
Confound and Delay: My Journey into Running a Fake Company for Cyber Deception
Kat Fitzgerald
May, 2025
(Part 1 – Planting the Trap)
Some ideas are born from necessity. Others are born from curiosity, tequila, and a little too much time poking around in places attackers like to play. This story starts with the latter.
As someone who’s been buried in the quirky trenches of cybersecurity for longer than Sasha the Flamingo has been dancing, I found myself increasingly fascinated not just by what attackers did, but by why they did it, and what they assumed along the way. I wanted a way to observe attacker behavior without the restrictions of simulated lab environments or sanitized data. I wanted messy, chaotic, live traffic. And I wanted to make it fun. And if you know me, you know I looooove honeypots!!
So I created a company. A fake one. And naturally, I brought my flamboyant sidekick, Sasha the Dancing Flamingo, along for the ride.
The Premise: What if a Company Was Just a Honeypot in a Business Casual Hoodie?
The idea was deceptively simple: create a small company that looked real enough to be interesting but obscure enough not to raise alarms. A classic “just another startup” profile. No products to ship. No real employees. No funding. Just a web presence, a small digital footprint, and enough exposed infrastructure to make an attacker lean in.
The goal was never to entrap or provoke—but to observe. I wasn’t interested in attacking back or running countermeasures. I just wanted to give the bad actors a stage and see what they did with it.
Building the Infrastructure (Without Breaking the Bank)
I host several large servers in colocation environments (multiple – for obvious business redundancy), which became the perfect playground for this setup. Using virtualization, I sliced out a pretend small business network:
- A firewall (OPNsense, naturally) configured with VLANs to simulate real network segmentation.
- Subnets for Corporate, Dev/Test, IoT, DMZ, and a few other surprises.
- Simulated user activity: fake logins, file shares, email chatter.
- A basic but plausible website hosted on a common registrar with a generic “Coming Soon” page. That was just the starter.
- A month later, the real website—complete with all its WordPress glory and just enough imperfections to look genuine—was stood up and left quietly humming on the edge of the internet.
No bells. No whistles. No awkward all-hands meetings. Just enough realism to pass a casual scan and maybe pique some curiosity – kind of like a croissant that turns out to be a cleverly disguised USB keylogger.
Making It Believable
I avoided the temptation to overdo it. Many honeypots scream “fake” because they try too hard. I opted for subtlety:
- OSINT breadcrumbs in the form of fake GitHub projects.
- A low-volume mail server that receives, but rarely sends—and even then, only to a small circle of friends and a few amused contacts at real companies who happen to know the joke.
- A LinkedIn profile with just enough detail to be boring.
- And LinkedIn profiles for employees that come and go.
- Internal subnets where fake employees occasionally “work” on things.
And, because no deception campaign is complete without a signature flourish, I enlisted Sasha the Flamingo as our unofficial chaos mascot. Her name surfaces just often enough in logs, usernames, and hostname aliases to confuse attackers and spark a flurry of very confused StackOverflow threads. (Note: All Sasha-themed elements you’ll see in future logs, usernames, and service names have been substituted from their real-world counterparts to preserve operational integrity. The flamingo is mischievous, not stupid.)
What Happened Next
The moment the infrastructure went live, I began seeing scans. Some generic, some oddly specific. Probes hit my webmail login page. Login attempts flowed in against my fake VPN. And the longer the site stayed up, the more creative the traffic became.
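As an added illustration (not code from the original post or the campaign itself), here is a small Python triage script for the kind of webmail and VPN login attempts described above. The log format, the decoy usernames and the source addresses are all constructed for the example; the point is that any attempt using a planted decoy identity tells the operator which OSINT breadcrumb the attacker followed, since those names exist nowhere except the bait.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simple "service login user= src= result=" shape;
# real webmail/VPN services have their own formats (assumption for illustration).
SAMPLE_LOG = """\
2025-05-03T02:14:07Z webmail login user=admin src=203.0.113.10 result=fail
2025-05-03T02:14:09Z webmail login user=sasha.flamingo src=203.0.113.10 result=fail
2025-05-03T02:14:11Z webmail login user=jdoe src=203.0.113.10 result=fail
2025-05-03T02:15:40Z vpn login user=sasha.flamingo src=198.51.100.7 result=fail
2025-05-03T02:15:42Z vpn login user=root src=198.51.100.7 result=fail
2025-05-03T03:01:00Z webmail login user=hr.inbox src=192.0.2.55 result=fail
"""

# Decoy identities planted in the public breadcrumbs (fake GitHub / LinkedIn).
# These are constructed placeholders, not the real campaign's substituted names.
DECOY_USERS = {"sasha.flamingo", "jdoe", "hr.inbox"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Parse the simple log format into dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, decoys=DECOY_USERS):
    """Count failed logins per source and record which decoy names each source tried.
    A decoy name in an attempt means that source consumed a breadcrumb."""
    fails = Counter()
    breadcrumbs = defaultdict(set)
    for ev in events:
        if ev["result"] != "fail":
            continue
        fails[ev["src"]] += 1
        if ev["user"] in decoys:
            breadcrumbs[ev["src"]].add(ev["user"])
    return {
        "fails_by_src": dict(fails),
        "decoys_by_src": {src: sorted(users) for src, users in breadcrumbs.items()},
    }

if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    for src, n in report["fails_by_src"].items():
        print(f"{src}: {n} failed logins, decoys tried: {report['decoys_by_src'].get(src, [])}")
```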
There’s a unique thrill in watching an attacker try to reverse-engineer a fictional company’s IT posture like it’s the final round of a game show called Who Wants to Hack a Mirage?
What’s Next
In Part 2, I’ll dive into how I keep the company looking “alive,” the automation I use to simulate misconfigurations, and some of the bizarre things attackers have done inside my carefully curated trap. Spoiler: one of them tried to socially engineer my fake HR department.
And in Part 3, we’ll explore how Wazuh became my secret weapon for visibility, detection, and storytelling. Because it’s not just about catching bad actors—it’s about understanding them.
Stay tuned.
Disclaimer: No flamingos were harmed in the making of this company. Sasha was treated with the utmost respect, an occasional disco ball, and a steady supply of digital shrimp.