Zscaler Blog
The Deception Redemption
The Cloud Security Alliance (CSA) recently published The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program, which is a briefing for security leaders on how AI-driven vulnerability discovery is reshaping the defender timeline, the operating model of vulnerability management, and the minimum actions required now. This briefing is designed for the CISO who needs to walk into a room Monday morning with a credible plan. It outlines immediate actions, near-term priorities, and long-term shifts required to operate in a world where AI-driven offense is the new baseline. It defines 11 priority actions for a Mythos-ready security program, and my focus immediately gravitated to the 9th priority action:

Deception technology has been a quietly respected but second-tier control for years—useful, but rarely the centerpiece of a security program. The arrival of Mythos-class capability changes that calculus in a specific and important way, and it's worth being precise about why.
What the Mythos evaluations showed—and what they didn't. When the AI Security Institute (AISI) evaluated Mythos Preview, they found it was the first model to complete a 32-step corporate-network attack simulation end-to-end, on a task estimated to take human professionals around 20 hours. It completed the full sequence in three of ten attempts and averaged 22 of 32 steps across all runs. But the crucial caveat is the one most coverage glosses over: the test ranges lacked active defenders and defensive tooling, and there were no penalties for actions that would trigger security alerts. AISI was explicit that this means the results can't confirm whether Mythos could attack a well-defended system—a mature environment with comprehensive logging, strong access controls, and an active SOC is a fundamentally different proposition.
That caveat is the entire thesis for deception. The benchmark measured an attacker operating in an environment with no tripwires. The gap between "can autonomously chain an attack in a sterile range" and "can do so against a defended network" is precisely the gap deception technology is built to widen.
The Deception Redemption is here. The consistent finding across the analysis is that agentic systems don't replace attackers—they compress time. They shorten the interval between finding a weakness and exploiting it, and they adapt attack paths quickly to a target's software mix, patch level, and privilege structure. Accounts of post-compromise behavior have been consistent: once inside a network, a Mythos-class model can automatically map systems, move laterally, and build custom tools to extract data, all within hours.
Most of your detective stack degrades against this. Signature-based detection assumes known patterns; behavioral analytics assume a human-paced cadence and a learnable baseline; alert triage assumes an analyst has time to investigate. An agent that maps and pivots in hours, generating bespoke tooling as it goes, defeats the timing assumptions all three rely on.
This illustrates that cybersecurity is fundamentally a problem of asymmetry. Deception’s purpose is to make an attacker’s effort ubiquitously and economically prohibitive by forcing automated adversarial attacks to show their hand and burn zero days in an ephemeral Potemkin village. That village gives the defender mitigation intelligence (exploit code, C2, attribution, etc.) that can be propagated through cloud delivery and orchestrated response and, more importantly, it comes at a cost to the attacker’s arsenal.
Modern Deception operates at machine pace – automated false attack paths, honeytokens littered in application segments, honey-trapped routes, ghost assets, synthetic credentials, etc. An agentic attack simulation model will encounter a hall of mirrors where it can’t distinguish high-value targets from shadow infrastructure.
Deception’s breadcrumbing is a tripwire: it produces high-fidelity alerts on interaction, regardless of what the attacker has weaponized. Even though we’ll concede the zero-day clock to agentic attack simulation models, Deception shifts the balance of control back to the defender. Deception stands alone in that it provides detective controls that do not require advanced understanding of attack methodologies. It doesn’t care what an attacker’s arsenal is weaponized with, because its lures, decoys, breadcrumbs, and attack canaries are pristine, untouched by legitimate access. The moment this condition changes, the signal is high fidelity. This has been the Zscaler Deception value proposition since its inception.
Think about the economics here. In the Mythos era, AI-generated exploits are expensive – computationally and operationally. Every zero-day an AI agent burns on one of our Deception workflows moves from an unknown to a known threat. That exploit is now burned. We’ve gained intelligence from their TTPs. They’ve gained nothing. Deception doesn’t just detect — it degrades the attacker’s ROI in real time.
I have been involved in conversations where the topic of Deception is broached, and I will hear conjecture such as “we aren’t interested in that, because I’m not going to instruct my team to build an MSFT 2025 Member Server and deploy it in a DMZ for us to sinkhole unknown threats.” Many security leaders feel the attackers are far superior to their own talent and that this would serve as a red carpet for attack depth into their business environment. This is simply a knowledge gap about what the technology is capable of today, particularly the automation modern Deception provides defenders. Deception efficacy was never predicated on manually implemented technology and process. Traditional honeypots were static, manually deployed, and easy for a sophisticated attacker to fingerprint and avoid. Modern Deception operates at machine pace — LLM-generated canaries, honeytokens embedded across cloud environments, synthetic identities in Active Directory. An AI agent probing your network in 2026 encounters thousands of plausible-looking assets it can’t distinguish from real ones. That’s not a honeypot. That’s an entirely deceptive fabric.

A control that spent years respected but sidelined turns out to be one of the few whose value rises as the attacker gets more capable. Every other detective layer rests on assumptions that a Mythos-class adversary quietly invalidates—that attacks follow known patterns, move at human pace, and leave time to investigate. Deception rests on none of them. A decoy has no legitimate reason to be touched, so a hit is a high-fidelity signal no matter how sophisticated or fast the intruder is—and an agent whose strength is exhaustive, systematic enumeration is exactly the kind of adversary most likely to trip a well-placed trap. It won't keep an autonomous agent out, and it's no substitute for prevention. But in a landscape where the most alarming capability demos ran in environments with no defenders present, the control that turns an attacker's own automation against it stops being a quiet luxury and becomes a layer you can't responsibly leave out. Deception didn't get better. The adversary got good enough to make it matter. And there you are, the Deception Redemption.
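The tripwire logic and the enumeration argument described above, as an added example that is not part of the original post and not Zscaler product code. The decoy names, the key=value log format, and the uniform-sampling model in `p_touch_decoy` are assumptions made for illustration.

```python
import re
from math import comb

# Constructed decoy inventory (hypothetical names): nothing legitimate
# ever references these, so any event that does is an alert.
DECOYS = {
    "host": {"fin-db-07", "bkp-nas-02"},
    "user": {"svc_sqlbackup"},
    "token": {"AKIAEXAMPLEDECOY0001"},
}

# Constructed sample events, not real telemetry.
SAMPLE_LOG = """\
t=100 src=10.0.4.21 action=login user=alice host=hr-app-01
t=160 src=10.0.9.77 action=ldap_query user=jdoe host=dc-01
t=171 src=10.0.9.77 action=smb_connect user=jdoe host=fin-db-07 tool=unknown
t=175 src=10.0.9.77 action=kerberos_tgs user=svc_sqlbackup host=dc-01
t=300 src=10.0.4.21 action=login user=alice host=hr-app-01
t=420 src=10.0.9.77 action=api_call token=AKIAEXAMPLEDECOY0001 host=cloud-gw
"""

def decoy_alerts(log_text):
    """One alert per event touching a decoy; no signature or baseline is used."""
    first_seen, alerts = {}, []
    for line in log_text.splitlines():
        ev = dict(re.findall(r"(\w+)=(\S+)", line))  # parse key=value pairs
        t, src = int(ev["t"]), ev["src"]
        first_seen.setdefault(src, t)
        for field, names in DECOYS.items():
            if ev.get(field) in names:
                alerts.append({
                    "t": t, "src": src, "decoy": f"{field}:{ev[field]}",
                    # seconds between the source's first event and this touch
                    "since_first_seen": t - first_seen[src],
                })
    return alerts

def p_touch_decoy(real, decoys, touched):
    """P(at least one decoy) when `touched` assets are picked uniformly at
    random from real + decoys. Assumed model: decoys are indistinguishable."""
    return 1 - comb(real, touched) / comb(real + decoys, touched)

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print(alert)
    for k in (1, 5, 20):
        print(k, round(p_touch_decoy(200, 50, k), 3))
```

The detector never inspects the `action` or `tool` fields, and under the assumed model the chance of a decoy touch climbs with every additional asset the intruder enumerates.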
Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness, or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this post are provided for your convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge that it is your sole responsibility to verify and use the information as appropriate for your needs.