HADES: High-Fidelity Adaptive Deception & Emulation System

Technology Summary

The rise in sophisticated cyberattacks has prompted businesses and organizations to seek out robust security measures with the ability to detect and respond to an adversary’s attacks in real-time. Many are using deceptive tools and tactics; however, current deception tools only provide partial solutions to full-spectrum deception. Sandia’s High-Fidelity Adaptive Deception & Emulation System (HADES) is a comprehensive cybersecurity platform that utilizes revolutionary advances in deception technologies that allow network defenders to defend and collect information on the adversary in real-time.


The HADES platform is a deception environment that utilizes Software Defined Networks (SDN), cloud computing, dynamic deception, and agentless Virtual Machine Introspection (VMI). These elements fuse to not only create complex, high-fidelity deception networks, but also provide mechanisms to directly interact with the adversary—something current deception products do not facilitate. At the onset of an attack, adversaries are migrated into an emulated deception environment, where they are able to carry out their attacks without any indication that they have been detected or are being observed. HADES then allows the defender to react to adversarial attacks in a methodical and proactive manner by modifying the environment, host attributes, files, and the network itself in real-time. Through a rich set of data and analytics, cybersecurity practitioners gain valuable information about the tools and techniques used by their adversaries, which can then be fed back to the network defender as threat intelligence. The HADES platform is the only comprehensive solution to deceive, interact with, and analyze adversaries in real-time. The unique insight gathered while using HADES can be used to implement stronger network defenses and prevent future attacks.


  • Creates high-fidelity deception environments based on real system attributes
  • Provides granular insight into attacker’s tools and tactics (malware, behavior, workflow)
  • Allows interaction with adversaries through host, network, and file modification
  • Provides varying operating and deployment modes to facilitate various network models
Technology IDSD#13370Development StageDevelopment - Sandia estimates this technology at a Technology Readiness Level 7. An actual system prototype has been demonstrated in an operational environment.AvailabilityAvailablePublished03/31/2017Last Updated03/31/2017