Catching Attackers in the Cloud: Zscaler Deception Now Supports Google Cloud
The cloud continues to be a pivotal battleground in cybersecurity. Google Cloud's Threat Horizons H1 2026 report found that identity compromise made up 83% of cloud and SaaS intrusions, and that threat actors targeted data in 73% of cloud-related incidents. These aren't signs of unsophisticated attacks; they're signs of a threat landscape that has reoriented itself around access to the cloud control plane.
At Zscaler, we’ve spent years building deception technology that catches attackers others miss. Today, we’ve extended our cloud detection capabilities to Google Cloud, and the timing couldn’t be more important.
The cloud control plane: where breaches live
When an attacker gains a foothold in a cloud environment, they don’t start breaking things. They start exploring. They enumerate IAM roles, query service account permissions, and probe storage buckets through legitimate cloud APIs that leave little to distinguish malicious calls from routine operations.
Cloud environments create a unique challenge for defenders: every administrative action, such as provisioning resources, assigning permissions, or accessing secrets, happens through API calls that are largely indistinguishable from normal operations. When attackers gain access to cloud credentials, they don't need to exploit vulnerabilities or deploy malware. They can simply use the same APIs that legitimate admins use, quietly enumerate permissions, map access paths and identify high-value targets before taking any action that might trigger an alert. The provider's audit logs do record those calls, but a bucket listing made with a stolen service account key looks exactly like the same listing made by the CI pipeline that key belongs to. Traditional security tools weren't built to catch this. EDR agents monitor endpoint processes, not API calls. Network detection tools watch traffic, but cloud control plane activity happens over encrypted HTTPS requests to management APIs, outside the reach of traditional sensors.
The detection gap is real, and it exists precisely because the cloud control plane, the layer of identities, permissions, and APIs that governs everything beneath it, is where attackers operate and where most legacy detection tools remain blind.
AI is collapsing the time defenders have to respond
The urgency of cloud detection has increased sharply as AI has entered the attacker's toolkit, where it is now used to orchestrate attacks at a speed and scale that outpaces traditional detection. We wrote about the first reported AI-orchestrated cyber espionage campaign, and AI-driven attacks have increased since. The Zscaler ThreatLabz 2026 VPN Risk Report found that 70% of organizations have limited or no visibility into AI-enabled threats, and only 24% have deployed AI-powered monitoring capable of detecting them.
Additionally, Mandiant's M-Trends 2026 report found that increased threat actor coordination has driven down the attacker "hand-off time", the interval between initial compromise and the hand-off to a secondary threat actor, from over eight hours in 2022 to just 22 seconds in 2025.
When attacks move that fast, detection tools that depend on baseline modeling and alert triage are fundamentally overmatched. You need a signal that provides certainty the moment it fires.
Why deception works differently in the cloud
Deception operates on a key principle: any interaction with a decoy resource is, by definition, unauthorized. No legitimate user or workload has a reason to access a fake service account, enumerate a decoy Cloud Storage bucket, or read a decoy Secret Manager entry. The only thing you have to keep away from the decoys is your own tooling, such as inventory or posture scanners, which otherwise become the sole source of false positives. In cloud environments, where dynamic scaling, CI/CD pipelines, and ephemeral workloads make behavioral baselines incredibly difficult to maintain, that distinction matters.
Cloud environments are also inherently reconnaissance-heavy. Every attacker action, whether discovering resources, mapping permissions, or identifying targets, requires API calls. Placing decoy resources in that API response space means attackers encounter them during the early reconnaissance phase, before they can cause more significant damage. The decoy interaction doesn't just alert your team; it tells you exactly what the attacker touched, which identity and source they came from, and what they were looking for.
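The two points above, that a decoy touch in a legitimate-looking API call is indistinguishable by method name alone but unambiguous by resource name, can be shown as detection logic over audit log entries. The following is an added example and not Zscaler's or Google's code: it applies the deception principle to a few constructed Cloud Audit Log records. The field paths (protoPayload.methodName, protoPayload.resourceName, protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp) follow the real Cloud Audit Logs schema; the project number, bucket, secret, service account names, principals and IP addresses are invented for the example.

```python
"""Decoy-touch detector over Google Cloud Audit Log entries (added example).

Any call whose resourceName is a decoy, or lies under one, is an alert,
unless the caller is an allowlisted scanner of your own. Everything below
that names a project, bucket, secret, account or IP is constructed.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Decoy inventory: resources that exist only to be touched (hypothetical names).
DECOYS = {
    "projects/_/buckets/prod-billing-exports-bkp": "Cloud Storage bucket",
    "projects/123456789012/secrets/payments-db-root": "Secret Manager secret",
    "projects/-/serviceAccounts/terraform-admin@acme-prod.iam.gserviceaccount.com": "service account",
}

# Your own inventory / posture scanner. Without this exclusion it would be
# the one legitimate source of decoy touches, i.e. your only false positives.
ALLOWLIST = {"cspm-scanner@acme-sec.iam.gserviceaccount.com"}


@dataclass(frozen=True)
class DecoyHit:
    timestamp: str
    principal: str      # who: the identity that made the call
    caller_ip: str      # from where
    method: str         # what they did
    resource: str       # what they touched
    decoy_kind: str


def matches_decoy(resource_name: str) -> Optional[str]:
    """Return the decoy kind if resource_name is a decoy or a child of one
    (objects in a decoy bucket, versions of a decoy secret, keys of a decoy SA)."""
    for decoy, kind in DECOYS.items():
        if resource_name == decoy or resource_name.startswith(decoy + "/"):
            return kind
    return None


def load_entries(jsonl: str) -> List[dict]:
    """Parse newline-delimited JSON audit log entries (as exported by a log sink)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(entries: List[dict]) -> List[DecoyHit]:
    hits: List[DecoyHit] = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        resource = payload.get("resourceName", "")
        kind = matches_decoy(resource)
        if kind is None:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal in ALLOWLIST:
            continue
        hits.append(DecoyHit(
            timestamp=entry.get("timestamp", ""),
            principal=principal,
            caller_ip=payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
            method=payload.get("methodName", ""),
            resource=resource,
            decoy_kind=kind,
        ))
    return hits


# Constructed sample: the first two lines use the SAME principal and a nearly
# identical method; only the resource name separates routine work from recon.
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": "2026-03-02T09:14:02Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
        "resourceName": "projects/_/buckets/prod-billing-exports/objects/2026-02.csv",
        "authenticationInfo": {"principalEmail": "ci-deploy@acme-prod.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.20.4.15"}}}),
    json.dumps({"timestamp": "2026-03-02T09:14:40Z", "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": "storage.objects.list",
        "resourceName": "projects/_/buckets/prod-billing-exports-bkp",
        "authenticationInfo": {"principalEmail": "ci-deploy@acme-prod.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"}}}),
    json.dumps({"timestamp": "2026-03-02T09:15:03Z", "protoPayload": {
        "serviceName": "secretmanager.googleapis.com",
        "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
        "resourceName": "projects/123456789012/secrets/payments-db-root/versions/latest",
        "authenticationInfo": {"principalEmail": "ci-deploy@acme-prod.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"}}}),
    json.dumps({"timestamp": "2026-03-02T09:20:00Z", "protoPayload": {
        "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.GetServiceAccount",
        "resourceName": "projects/-/serviceAccounts/terraform-admin@acme-prod.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "cspm-scanner@acme-sec.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.30.0.9"}}}),
])


if __name__ == "__main__":
    for hit in detect(load_entries(SAMPLE_LOG)):
        print(f"DECOY {hit.decoy_kind}: {hit.principal} from {hit.caller_ip} "
              f"called {hit.method} on {hit.resource} at {hit.timestamp}")
```

Two operational caveats follow from the example. First, the decoy only fires if the call is logged: Cloud Storage object reads and listings and Secret Manager version access are Data Access audit logs, which Google Cloud leaves disabled by default for those services, so they must be enabled for the decoy projects, whereas Admin Activity logs (for example creating a service account key) are always on. Second, match on the resource name, not the method: the same principal legitimately calls storage.objects.get all day, and it is the bucket name that turns the second line into an alert.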
Zscaler Deception, now on Google Cloud
Zscaler Deception now supports Google Cloud, enabling security teams to deploy cloud decoys that mimic legitimate Google Cloud resources: service accounts, Cloud Storage buckets, Cloud SQL instances, Secret Manager entries, and Artifact Registry repositories. When an attacker interacts with any of these decoys, whether an external threat actor or a compromised insider, Zscaler collects the telemetry and surfaces the activity as a single high-fidelity alert. That alert is ready for immediate response: notifying your security team, or orchestrating a response through Zscaler Internet Access, Zscaler Private Access, or integrations with EDR, SIEM and SOAR tools.
This isn’t about adding another alerting layer. It’s about getting one alert that truly matters and then acting on it immediately.
See it in action
If you're running workloads on Google Cloud and want to know whether an attacker is already inside your environment exploring resources you can't afford to lose, Zscaler Deception can tell you, with certainty and without the noise. Request a demo to see how Google Cloud decoys work in practice.