Farewell to Microsoft Defender Deception

Microsoft has officially announced the end of life for the Deception feature in Defender XDR. The product will be discontinued on the 31st of October 2025.

We’re genuinely sad to see it go.

Even if it was only in preview, lightweight and limited to the Microsoft ecosystem, it was still a step in the right direction.
Built mostly around honeytokens, it offered a simple setup, though at the cost of frequent false positives (after all, any user could trigger a token).

What made it stand out wasn’t its complexity, but its potential.

We’ve heard great things from some of the largest enterprises in Italy that used it:
🔹 Teams that took time to customize tokens and make them realistic.
🔹 Security engineers who used it to monitor internal red team exercises that had previously gone undetected.
🔹 Leaders who, for the first time, could actually see attacker movement inside their own network.

For those who fine-tuned and invested time, Defender’s Deception delivered real detection value.

However, this decision doesn’t come as a surprise.
Microsoft has clearly chosen to focus its efforts on Automatic Attack Disruption, a fully automated containment approach within Defender XDR, aligned with its broader Zero Trust strategy.

Here’s an extract from Microsoft’s own article explaining that shift:

“Microsoft Defender XDR correlates millions of signals to identify active ransomware campaigns or other sophisticated attacks…
While an attack is in progress, Defender XDR disrupts the attack by automatically containing compromised assets that the attacker is using through automatic attack disruption.

This game-changing capability limits a threat actor’s progress early on and dramatically reduces the overall impact of an attack, from associated costs to loss of productivity.”

This makes sense for Microsoft’s ecosystem: automated containment is powerful when you control the full stack.
But it also assumes one thing: that your XDR setup is bulletproof and that your organization is fully standardized on Microsoft’s ecosystem.

In reality, Zero Trust remains difficult to fully implement.
Blind spots persist. Human error still happens.
And that’s exactly where deception shines.

Deception is about freedom, visibility, and control.
It thrives when it’s agnostic, adaptive, and scalable, across any network, any endpoint, any cloud.

It’s unfortunate Microsoft wasn’t willing to push it further.
Because deception deserves more than just a preview.

Sometimes even the smallest traps catch the biggest threats.

If you’re being left behind by this discontinuation, reach out: our team is ready to help!

 
