Canaries In The Wild

Kevin Conley - Thinking Like an Attacker and the Psychological Power of Deception

Tracebit — Tue, 10 Feb 2026 11:30:00 +0000

Our latest episode features Kevin Conley, Team Lead and Principal Security Engineer of the Deception Technology team at Riot Games, who has built their canary program from the ground up over the past few years.

Kevin has spent years deploying and running deception at massive scale - protecting one of the world's largest gaming platforms with hundreds of millions of players. He brings practical experience from building the program and operating it day-to-day.

In this episode, Kevin breaks down why thinking like an attacker is fundamental to effective canary placement, how to measure deception program success, and the psychological impact of deception on attackers.

Timestamps:

00:00 Intro
01:32 Defining terms: canaries, decoys, honeypots, and deception
03:40 Kevin's journey to leading deception at Riot Games
05:40 Adopting an attacker's perspective: the fundamental mindset shift
07:46 Why benign positives validate your canary placement
08:50 Catching malicious activity and discovering unexpected environment usage
15:06 Measuring success: coverage and validation
17:59 Blind red team exercises and attacker awareness
20:02 The psychological power of deception on attackers
24:29 Catching attackers early in the attack chain
25:51 The ROI case: deploying where traditional tools can't reach
29:57 What to communicate internally about your deception program
38:35 Why the honeypots misconception hurts deception teams
39:46 Making the case: why every security team should use canaries
41:48 When to adopt deception in your security journey
43:58 The future of deception: redefining it as active defense
46:47 Closing

Mandy Andress: Assume Breach, High Fidelity Alerts and Guardrails for AI Agents

Tracebit — Tue, 18 Nov 2025 12:00:00 +0000

Andy sits down with Mandy Andress (CISO, Elastic) who has been working with deception technology since the early days of honeypots and honeynets.
Mandy brings a CISO's perspective on why canaries deserve a much larger role in modern security programs, and shares her views on how the fundamentals of detection are shifting as environments become more complex and threats evolve.

Timestamps:
00:00 Intro
02:05 Honeypots vs canaries—different objectives, different priorities
05:22 Why assume breach is foundational in modern security
10:45 High fidelity alerts: reducing time to investigation
15:50 Practical canary deployments—S3 buckets, file shares, and cloud accounts
18:30 No-code vulnerabilities and the coming security challenges
19:55 AI agents going rogue—using canaries as guardrails
22:11 What to communicate internally about your canary program
26:16 Best advice: just get started—it's simpler than you think (edited)

Josh Yavor: High Signal, Low Noise - The Case for Early Canary Deception

Tracebit — Mon, 13 Oct 2025 12:00:00 +0100

Andy sits down with Josh Yavor (CEO, Credible Security) to discuss his experience of a decade of deploying deception technology. From building complex malware analysis environments to protecting sensitive IP during third-party data sharing, Josh explains why canaries deliver high-value signals early in your security journey and shares creative use cases including using canaries during active incident response.

=================
🔍 IN THIS EPISODE
=================

🪶 Why deception isn’t just for “mature” security programs
📡 Real signals vs. industry reports — what matters more
🔇 Why absence of alerts doesn’t mean absence of value
💡 Creative deployments — from protecting IP to incident response
🧭 Lessons from a decade of making deception work in the real world

============================================================

00:00 Intro
02:05 Why deception isn’t just for mature programs
06:40 Real signals vs. industry reports
10:20 “If it doesn’t fire, is it working?” — why absence of signal doesn’t mean absence of value
15:50 Creative deployments — canaries for IP protection & incident response
22:10 Lessons from a decade of deception

Didier Vandenbroeck: Catching Red Teams, Insider Threat and the ROI of Canaries

Tracebit — Sun, 07 Sep 2025 17:02:33 +0100

Andy sits down with Didier Vanderbroeck (VP Security & IT, Oleria) to discuss the value he's seen from canaries as a detection mechanism over a 25 year career in security.

Ranging from getting caught by Salesforce's honeypots while running red-teaming post-Slack acquisition, to what AI means for the future of deception technology; Didier shares his insights on what it means to Assume Breach with canaries.