I wonder if there are tried and tested guides about _documenting_ deceptive technologies deployed in a system?
Trivially this would be something like "srv01:443 is a canary, don't decommission", but of course if the attacker sees this first, that's a problem.
/cc
@haroonmeer