Active Cyber Defence Platform & Persistent Threat Detection

The ACD platform warns entities – individuals, companies, governments – about inbound external cyberattacks and responds automatically.


ACD establishes deliberately vulnerable servers on the client’s network to draw attacks away from the locations where critical information is held. Human cyber defenders and the ACD platform are alerted when an active attack is taking place on the client network. The system then responds automatically, and analysts can review the event to understand what happened, the nature of the attack and its source.


Honeypot servers can be deployed across different countries and tailored to different attack vectors and specific vulnerabilities. Correlating attacks across this broad range of honeypots greatly increases the accuracy of attribution.


The honeypot/vulnerable servers are configured so that an attacker must breach the honeypot actively before anything is triggered: for example, attempting to log in to the server with a default password, scanning the server for specific vulnerabilities, or attempting to upload malicious code. A range of tripwire levels can be set within the vulnerable/honeypot server. When a level predetermined by the client or the cyber team is reached, the ACD platform is notified and actively defends the specific vectors under attack.


Because the breach is active on the attacker’s part, a counter-attack can then take place, either through an automatic response or through human intervention, including law enforcement.

Methods used to defend against the attack can include the following:


Passive methods:


Collection of IP and attribution information for analysis

Collection of the attacker’s modus operandi

Report the attacker’s IP to the relevant bodies, such as RIPE, ICANN, Nominet or the ISP’s abuse contacts

Feed collected evidence to the national cyber entity, for example the NCSC

Publish a white paper on the attack, exposing the attacker and their methods


Active methods:


Launch virtual machines to stress test the attackers’ internet connection

VPN piercing methods

Pass collected evidence to a cyber response team

Increase defence measures on the attacked system: improve firewall rules, reduce IP connections, etc.

Place enticing files on the honeypot server with malware, call-home software to enable a counter attack

Add the IP or IP range to the firewall rules for a set period of time, denying all connections

All active measures in the above platform would need to be approved by the nation-state or law enforcement body.
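As an added example (not part of the ACD platform or this page’s own code), a small Python tripwire scorer showing the mechanism described above: honeypot interactions (default-password login, vulnerability scan, upload attempt) accumulate points per source IP, and once the client-set level is reached a deny-all block for a fixed period is emitted, as in the timed firewall measure listed under active methods. The log line format, event names, weights and sample addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tripwire weights per honeypot interaction type (constructed values;
# a real deployment would tune these per honeypot and per client).
TRIPWIRE_WEIGHTS = {
    "vuln_scan": 2,                # probing the server for specific vulnerabilities
    "default_password_login": 3,   # login attempt with a default credential
    "upload_attempt": 5,           # attempt to upload code to the honeypot
}

@dataclass
class BlockRule:
    """A time-limited deny-all entry for one source IP."""
    ip: str
    level: int
    trigger: str
    expires_at: datetime

def parse_event(line):
    """Parse a constructed honeypot log line: '<iso-timestamp> <src-ip> <event>'."""
    ts, ip, kind = line.split()
    return datetime.fromisoformat(ts), ip, kind

def evaluate(lines, threshold, block_minutes):
    """Accumulate tripwire points per source IP; once the threshold is reached,
    emit a block rule that expires block_minutes after the triggering event."""
    scores, rules = {}, {}
    for line in lines:
        ts, ip, kind = parse_event(line)
        scores[ip] = scores.get(ip, 0) + TRIPWIRE_WEIGHTS.get(kind, 0)
        if scores[ip] >= threshold and ip not in rules:
            rules[ip] = BlockRule(ip, scores[ip], kind, ts + timedelta(minutes=block_minutes))
    return scores, rules

def is_blocked(rules, ip, now_iso):
    """True while a rule for ip exists and has not yet expired (the set period)."""
    rule = rules.get(ip)
    return rule is not None and datetime.fromisoformat(now_iso) < rule.expires_at

# Constructed sample log: one host escalates from scan to upload, another only scans.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 198.51.100.7 vuln_scan",
    "2024-05-01T10:00:05 198.51.100.7 default_password_login",
    "2024-05-01T10:00:09 203.0.113.9 vuln_scan",
    "2024-05-01T10:00:12 198.51.100.7 upload_attempt",
]
```

With a threshold of 6 and a 60-minute block, only the escalating host is denied, and the rule lapses on its own once the period has passed.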