Make Attackers Cry -- Outsmart them with Deception (Sponsor: Fastly)

In this session, Rick Horwitz will explore how next-generation web application defense techniques use deception to disrupt account takeover attempts by returning responses that resemble invalid login credentials. Rather than outright blocking the request, this approach introduces uncertainty, making it harder for attackers to understand why their attempts are failing. This method leverages core principles of security deception raising an attacker’s cognitive load, consuming their time, and prompting them to question the reliability of their tools or assumptions. Over time, this added friction can decrease the likelihood that they continue targeting the application. Because these techniques typically require minimal configuration, they can offer immediate insight into attack patterns and behaviors. These signals help defenders analyze adversary tactics and strengthen overall protections, demonstrating how psychological and operational pressure can complement traditional security controls.