Cyber deception works better on AI attackers than on humans
A June 2026 study ran a 21-model attacker cohort against classic deception traps and found every model took the bait more often than humans — and kept taking it even after naming the trap.
What is this?
On June 19, 2026, researchers published Honeyquest for LLMs: Rethinking Cyber Deception for AI Attackers, an empirical study asking a simple but overdue question: does cyber deception — the honeytokens, decoys, and traps that defenders plant to catch intruders — work the same way against AI-driven attackers as it does against humans?
The whole practice of cyber deception rests on human-centered assumptions about what looks tempting, what looks suspicious, and how an intruder’s attention can be steered. As autonomous, LLM-powered attack agents move from research demos toward real operations, none of those assumptions are guaranteed to transfer. The study adapts the original Honeyquest instrument (introduced at RAID 2024) into an automated framework and measures, at scale, how LLM “attackers” judge reconnaissance material that has been seeded with traps. The headline result: AI attackers behave as a distinct class, and they are markedly easier to deceive than people.
How it works
Honeyquest presents an attacker with realistic reconnaissance artifacts — configuration snippets, credential-like strings, network details — where some elements are benign and some are deliberately enticing traps, such as a honeytoken that only an intruder would have a reason to act on. The instrument records which lines the attacker “marks” as worth pursuing, turning attacker judgment into a measurable signal. This is a defensive measurement, not an exploit: the traps are decoy artifacts and what is being scored is judgment, not capability.
The LLM adaptation ran a 21-model cohort spanning 10 providers, both open- and closed-weight, from roughly 8B to over 1T parameters. It produced 10,962 responses across 174 reconnaissance queries, and compared them against a 47-participant human baseline on the identical task set.
Three findings stand out. First, every model in the cohort fell for deceptive traps at a significantly higher rate than the human baseline. Second, a defensive effect well documented in humans — attention diversion, where a well-placed decoy pulls an attacker away from real assets — was statistically absent in the LLM cohort. Third, and most striking, the authors document a recognition-action gap: models frequently wrote, in their own reasoning traces, that a line looked like a trap, then acted on it anyway 73.4% of the time. Whether a model named the trap in its reasoning did not predict whether it avoided the trap (Spearman r = +0.08, p = 0.73) — articulating “this is bait” and taking the bait were essentially uncorrelated.
Why it matters
For defenders, the counterintuitive implication is encouraging: the deception techniques you already know are disproportionately effective against machine attackers. A honeytoken that a seasoned human pentester would sidestep is one an autonomous agent is likely to grab, and it will grab it even when its own chain of thought flags the risk. As offensive agents scale up the volume of reconnaissance they perform, cheap tripwires become a high-signal detection layer precisely against the attackers that are hardest to rate-limit.
The same results carry a warning, though. If attention diversion does not work on machines, and stated recognition does not translate into avoidance, then deception tuned to fool humans may leave gaps — or spend effort on tricks that only ever worked because of human cognitive biases the model does not share. Deception calibrated for human red teams should not be assumed to carry over unchanged, and susceptibility varied widely across the 21 models, so the attacker model in front of you matters.
Defenses
Plant honeytokens and decoy assets along the paths an autonomous agent would actually traverse — repositories, configuration files, environment variables, credential stores — and alert on any interaction. The study’s central practical message is that these tripwires fire more reliably against AI attackers than against humans, so this is one of the cheaper high-yield controls available against agentic threats. Related work on honeytoken-based agent detection shows how to wire the same idea into tool-using agents you operate yourself.
Do not rely on “the model will notice.” Because recognition did not predict avoidance, a model that reasons “this looks like a honeypot” is neither a safe attacker nor evidence that your deception failed. Instrument for the action — the touch, the read, the exfiltration attempt — not for the attacker’s stated intent.
Treat AI-native active defense as its own design problem rather than a reskin of human-focused deception. Re-measure fell-for-trap rates against the specific agent models you expect to face, retire tricks that depend on human bias, and keep the decoys that machines reliably take. Finally, pair deception with least privilege and provenance controls (see the DeepMind agent-traps taxonomy) so that a tripped trap contains the blast radius instead of merely logging it.
Status
| Item | Detail |
|---|---|
| Source | Honeyquest for LLMs: Rethinking Cyber Deception for AI Attackers, arXiv:2606.21037, submitted June 19, 2026 |
| Method | 21-LLM cohort, 10 providers, 8B–1T+ params; 10,962 responses over 174 queries vs. 47 human participants |
| Key figure | Recognition-action gap: traps acted on 73.4% of the time despite being named; recognition uncorrelated with avoidance (r = +0.08, p = 0.73) |
| Nature | Research finding, defensive; no exploit reproduced |
| Instrument | Honeyquest, originally arXiv:2408.10796 (RAID 2024) |