Canaries In The Wild

Kevin Conley - Thinking Like an Attacker and the Psychological Power of Deception

Our latest episode features Kevin Conley, Team Lead and Principal Security Engineer of the Deception Technology team at Riot Games, who has built their canary program from the ground up over the past few years. Kevin has spent years deploying and running deception at massive scale - protecting one of the world's largest gaming platforms with hundreds of millions of players. He brings practical experience from building the program and operating it day-to-day. In this episode, Kevin breaks down why thinking like an attacker is fundamental to effective canary placement, how to measure deception program success, and the psychological impact of deception on attackers. Timestamps: 00:00 Intro 01:32 Defining terms: canaries, decoys, honeypots, and deception 03:40 Kevin's journey to leading deception at Riot Games 05:40 Adopting an attacker's perspective: the fundamental mindset shift 07:46 Why benign positives validate your canary placement 08:50 Catching malicious activity and discovering unexpected environment usage 15:06 Measuring success: coverage and validation 17:59 Blind red team exercises and attacker awareness 20:02 The psychological power of deception on attackers 24:29 Catching attackers early in the attack chain 25:51 The ROI case: deploying where traditional tools can't reach 29:57 What to communicate internally about your deception program 38:35 Why the honeypots misconception hurts deception teams 39:46 Making the case: why every security team should use canaries 41:48 When to adopt deception in your security journey 43:58 The future of deception: redefining it as active defense 46:47 Closing

Mandy Andress: Assume Breach, High Fidelity Alerts and Guardrails for AI Agents

Andy sits down with Mandy Andress (CISO, Elastic) who has been working with deception technology since the early days of honeypots and honeynets. Mandy brings a CISO's perspective on why canaries deserve a much larger role in modern security programs, and shares her views on how the fundamentals of detection are shifting as environments become more complex and threats evolve. Timestamps: 00:00 Intro 02:05 Honeypots vs canaries—different objectives, different priorities 05:22 Why assume breach is foundational in modern security 10:45 High fidelity alerts: reducing time to investigation 15:50 Practical canary deployments—S3 buckets, file shares, and cloud accounts 18:30 No-code vulnerabilities and the coming security challenges 19:55 AI agents going rogue—using canaries as guardrails 22:11 What to communicate internally about your canary program 26:16 Best advice: just get started—it's simpler than you think (edited)

Josh Yavor: High Signal, Low Noise - The Case for Early Canary Deception

Andy sits down with Josh Yavor (CEO, Credible Security) to discuss his experience of a decade of deploying deception technology. From building complex malware analysis environments to protecting sensitive IP during third-party data sharing, Josh explains why canaries deliver high-value signals early in your security journey and shares creative use cases including using canaries during active incident response.  ================= 🔍 IN THIS EPISODE ================= 🪶 Why deception isn’t just for “mature” security programs 📡 Real signals vs. industry reports — what matters more 🔇 Why absence of alerts doesn’t mean absence of value 💡 Creative deployments — from protecting IP to incident response 🧭 Lessons from a decade of making deception work in the real world ============================================================ 00:00 Intro 02:05 Why deception isn’t just for mature programs 06:40 Real signals vs. industry reports 10:20 “If it doesn’t fire, is it working?” — why absence of signal doesn’t mean absence of value 15:50 Creative deployments — canaries for IP protection & incident response 22:10 Lessons from a decade of deception

Didier Vandenbroeck: Catching Red Teams, Insider Threat and the ROI of Canaries

Andy sits down with Didier Vanderbroeck (VP Security & IT, Oleria) to discuss the value he's seen from canaries as a detection mechanism over a 25 year career in security. Ranging from getting caught by Salesforce's honeypots while running red-teaming post-Slack acquisition, to what AI means for the future of deception technology; Didier shares his insights on what it means to Assume Breach with canaries.