Microservice-oriented cyber deception platform with containerized honeypots and real-time telemetry

    Research output: Contribution to journal, Article, peer-review

    Abstract

    The growing reliance on cyber deception as a defensive mechanism has revealed persistent limitations in existing deception infrastructures, particularly in their ability to scale, adapt, and provide continuous observability under realistic adversarial workloads. Conventional honeypot deployments are predominantly monolithic and statically configured, which constrains their responsiveness to dynamic attack conditions and limits their applicability in contemporary distributed environments. This work presents a microservice-oriented cyber deception platform that reconceptualizes deception infrastructure as a composition of loosely coupled, independently deployable services. The platform integrates containerized honeypots, a lightweight API-driven orchestration layer, and a centralized telemetry pipeline to enable rapid instantiation, dynamic re-configuration, and high-resolution monitoring of attacker interactions. Unlike prior approaches that treat deployment, orchestration, and monitoring as separate concerns, the proposed design explicitly unifies these components within a single, measurable system architecture. To support principled reasoning about system behaviour, the paper introduces first-order analytical models that characterize deployment latency, resource utilisation, telemetry throughput, and operational cost as functions of attacker concurrency. These models are not intended as exact predictors, but as tractable abstractions that enable interpretation of system performance and guide capacity planning. Model parameters are empirically derived and validated through controlled experimentation. Evaluation is conducted within a reproducible cyber-range environment using scripted adversarial workloads that emulate reconnaissance, authentication attempts, and sustained interactive sessions. 
Results indicate that containerised deployment reduces instantiation latency to approximately 1.2 s under warm-start conditions, compared to tens of seconds for virtual machine-based baselines. Resource utilisation exhibits approximately linear scaling under moderate concurrency, while the telemetry pipeline sustains ingestion rates exceeding 18,000 events per minute without observable loss. Stress testing further reveals that telemetry processing, rather than orchestration, constitutes the primary scalability bottleneck. These findings suggest that microservice-based architectures can provide a viable and extensible infrastructure substrate for cyber deception, supporting both operational deployment and integration with higher-level adaptive and learning-based defence mechanisms. The contribution of this work lies not in introducing new deception strategies, but in enabling their practical realisation through a scalable and observable system design.
    Original language: English
    Journal: Journal of Cybersecurity and Privacy
    Publication status: Accepted/In press - 25 May 2026

    Keywords

    • cyber deception
    • honeypots
    • microservices
    • containerization
    • scalability
    • observability
    • telemetry
    • API-driven orchestration
    • behavioral analytics
    • adaptive defense
    • cyber-range evaluation
