
Introducing Decipio: A Community Tool to Catch Credential Theft in the Act with Defense First AI

Introducing Decipio, a new community-shared cybersecurity tool designed to help defenders catch attackers while they're trying to steal credentials inside a network.

Today, Arctic Wolf is announcing Decipio, a new community-shared cybersecurity tool designed to help defenders catch attackers while they're trying to steal credentials inside a network.

Credential theft is one of the most common ways cyber attacks begin and one of the hardest to detect early. In many cases, there's no alert, no obvious warning, and no immediate sign that anything is wrong. An attacker gains access, then quietly looks for ways to steal usernames and passwords so they can move deeper without being noticed. By the time credential misuse is found, the attacker has often already made progress.

Arctic Wolf threat research underscores this reality. In the 2026 Arctic Wolf Threat Report, our researchers found that phishing and credential abuse were responsible for the vast majority of confirmed business email compromise incidents. Credentials remain one of the most reliable and scalable entry points attackers have.

Many of the techniques used to steal credentials aren't new. They rely on built-in Windows network behaviors that still exist today because systems need them to function. What has changed is speed. Attackers are increasingly using automation and AI-driven tools to run these techniques faster, more consistently, and at greater scale, making early visibility even more critical.

Decipio was built to catch credential theft early in the process. Instead of discovering stolen credentials after they've been used, Decipio helps catch the thief in the act.

Decipio is being released as a limited community beta, giving security practitioners hands-on access to a practical, defense-first tool that helps make a common but often invisible credential-stealing technique visible.

How Decipio Works

When a computer can't find another system on a network, it asks other nearby devices for help. Attackers listen for those requests and respond as if they are the system being requested, tricking computers into handing over credential information.

Decipio flips that behavior into a giveaway. The tool sends out carefully crafted network requests for fake network resources that should never exist. Legitimate systems ignore them. Attackers can't. If someone responds, Decipio knows something suspicious is happening, with only a minimal tuning process and minimal historical context required. The signal is binary: a response means the tripwire was triggered.

Decipio then confirms the behavior, captures clear evidence, and presents it in a way defenders can easily understand and investigate.
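The tripwire idea described above, as an added example that is not Decipio's code: it assumes the name lookup in question is LLMNR (RFC 4795), which this post does not name, and the function names and the `decoy-` name prefix are hypothetical. It builds a query for a random name no host should own and treats any well-formed answer to that exact query as the alert.

```python
import secrets
import socket
import struct
LLMNR_ADDR = ("224.0.0.252", 5355)  # RFC 4795 IPv4 multicast group and UDP port

def build_query(name: str, txid: int) -> bytes:
    """DNS-format query: one question, type A, class IN, all flags clear."""
    label = name.encode("ascii")
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + bytes([len(label)]) + label + b"\x00" + struct.pack("!2H", 1, 1)

def claimed_address(packet: bytes, name: str, txid: int):
    """Return the IPv4 address a responder claims for the decoy name, else None."""
    try:
        rid, flags, qd, an = struct.unpack_from("!4H", packet)
        if rid != txid or not flags & 0x8000 or qd != 1 or an < 1:
            return None                      # not a response to our query
        n = packet[12]
        if packet[13:13 + n].lower() != name.lower().encode("ascii"):
            return None                      # answers a different name
        pos = 13 + n + 1 + 4                 # skip root label, QTYPE, QCLASS
        if packet[pos] & 0xC0 == 0xC0:       # compressed owner name
            pos += 2
        else:                                # owner name written out in full
            while packet[pos]:
                pos += packet[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack_from("!2HIH", packet, pos)
        rdata = packet[pos + 10:pos + 10 + rdlen]
        return socket.inet_ntoa(rdata) if rtype == 1 and len(rdata) == 4 else None
    except (IndexError, struct.error):
        return None                          # truncated or malformed packet

def probe(timeout: float = 2.0):
    """Send one decoy query; return (responder IP, claimed IP) for every answer."""
    name, txid = "decoy-" + secrets.token_hex(5), secrets.randbelow(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), LLMNR_ADDR)
        try:
            while True:
                data, (src, _) = s.recvfrom(1024)
                if (addr := claimed_address(data, name, txid)):
                    hits.append((src, addr))
        except socket.timeout:
            return hits                      # listening window closed

if __name__ == "__main__":
    print(probe() or "no host answered the decoy name")
```

Matching the transaction ID and the question name keeps unrelated multicast chatter from raising an alert, and the responder's source address together with the address it claims is the evidence to hand to an investigator.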

A Different Approach to Detection

Most security tools focus on detecting the fallout of an attack: suspicious behavior, lateral movement, or misuse that appears after credentials have already been stolen.

Decipio takes a different approach. Instead of passively watching and waiting, Decipio sets a simple early-warning tripwire that attackers unknowingly trigger when they try to steal credentials. The result is a clear signal early in the process, not later during investigation or remediation.

Decipio applies automation and AI-assisted workflows defensively, creating a home field advantage for defenders by turning attacker behavior against itself.

How to Participate

Decipio is being released as a limited, gated community beta intentionally.

Fully open-sourcing tools like this can accelerate the very behavior defenders are trying to detect, especially in an era of large-scale scraping and automated reuse by AI systems. Gated access allows Arctic Wolf to share defensively useful capability with verified practitioners while limiting misuse.

Decipio is already in use by a small group of Arctic Wolf customers and community practitioners. In the coming weeks, we'll be sharing insights with the community on its usage in combatting AI-powered attacks, red-teaming tools and in-the-wild campaigns.

Decipio represents a defense-first contribution to the security community. It is practical and deliberately narrow in focus, designed to expose a persistent attack technique with minimal noise.

Interested in joining the limited beta and providing feedback? Request access here:
