Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family SC

SC-26 Decoys

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (3)

Weaknesses this control addresses (9)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure. |
| CWE-862 | Missing Authorization | 8,680 | Decoys expose and log missing authorization flaws by serving as monitored targets for unauthorized function access attempts. |
| CWE-284 | Improper Access Control | 4,832 | Decoy resources detect and deflect attempts to bypass access controls by attracting and monitoring attackers on fake assets. |
| CWE-287 | Improper Authentication | 4,730 | Decoy authentication surfaces detect bypass attempts and deflect real credential attacks through observable malicious interactions. |
| CWE-863 | Incorrect Authorization | 3,234 | Decoys detect incorrect authorization decisions through attacker interactions with deliberately misprotected decoy objects. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Decoy implementations of critical functions without authentication lure and record attackers probing for missing auth checks. |
| CWE-285 | Improper Authorization | 1,230 | Decoys identify and block exploitation of improper authorization by providing monitored targets that mimic protected functions. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Decoy files and directories detect external access attempts and deflect attackers away from actual accessible resources. |
| CWE-425 | Direct Request ('Forced Browsing') | 255 | Decoy endpoints catch forced browsing and direct requests, deflecting attackers from legitimate resources while enabling analysis. |

Top CVEs where this control is the strongest mitigation

| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|

No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family SC

SC-1 SC-10 SC-11 SC-12 SC-13 SC-14 SC-15 SC-16 SC-17 SC-18 SC-19 SC-2 SC-20 SC-21 SC-22 SC-23 SC-24 SC-25 SC-27 SC-28 SC-29 SC-3 SC-30 SC-31 SC-32 SC-33 SC-34 SC-35 SC-36 SC-37 SC-38 SC-39 SC-4 SC-40 SC-41 SC-42 SC-43 SC-44 SC-45 SC-46 SC-47 SC-48 SC-49 SC-5 SC-50 SC-51 SC-6 SC-7 SC-8 SC-9