This is why I'm unsure of the value. And to be clear, by "unsure of the value" I don't mean "unsure whether it has any value." It certainly has value. I'm just not sure how much, as, say, a dollar figure.
"No false positives" is fine marketing, but in practice you aren't replacing anyone's firewalls, endpoint agents, sandboxes, SIEMs, etc. All those false positives will still be there, along with many legitimate detections your system never sees.
If money were no object, then absolutely I'd buy. But given that money is usually a factor, that you're limited to detection, that you're only effective in scenarios where attackers touch your decoy systems, and that you're competing for dollars against products that detect more, detect it sooner, and often prevent it automatically, I don't know.
When you get one alert that you realize isn't false and has the forensic data tied to it, you can use it as a harness against the loads of information from all the other sensors (firewall, endpoints, sandboxes etc) to give you a definitive picture you're certain in.
> will not catch everything in any way
This is why I'm unsure of the value. And to be clear, by "unsure of the value" I don't mean "unsure whether it has any value." It certainly has value. I'm just not sure how much, as, say, a dollar figure.
"No false positives" is fine marketing, but in practice you aren't replacing anyone's firewalls, endpoint agents, sandboxes, SIEMs, etc. All those false positives will still be there, along with many legitimate detections your system never sees.
If money were no object, then absolutely I'd buy. But given that money is usually a factor, that you're limited to detection, that you're only effective in scenarios where attackers touch your decoy systems, and that you're competing for dollars against products that detect more, detect it sooner, and often prevent it automatically, I don't know.