PHANTOM: Polymorphic Honeytoken Adaptation with Narrative-Tailored Organisational Mimicry

TL;DR

PHANTOM is a framework that creates highly convincing, organisation-specific honeytokens to improve cyber deception by encoding contextual knowledge and resisting detection methods.

Contribution

It introduces a novel multi-component pipeline for generating contextually convincing honeytokens tailored to organisational specifics.

Findings

PHANTOM outperforms template-based methods in believability scores.

Human acceptance of honeytokens increases from 6.2% to 100%.

Detection resistance improves significantly across multiple scanner models.

Abstract

Honeytokens, decoy digital assets planted to detect and attribute unauthorised access, are a well-established primitive in cyber deception. Existing generation tools produce static, template-based tokens that lack organisational specificity and are identifiable by statistical, syntactic, and semantic analysis. We introduce PHANTOM (Polymorphic Honeytoken Adaptation with Narrative-Tailored Organisational Mimicry), a framework that generates contextually convincing honeytokens by encoding organisation-specific knowledge: domain names, service naming conventions, technology-stack idioms, and realistic secret-value distributions, into a multi-component generation pipeline. We formalise honeytoken quality through a four-component Believability Score that captures syntactic validity, semantic coherence, statistical plausibility, and human acceptance. We use this metric to evaluate PHANTOM across 8 token types and 4 organisational contexts against a template-based baseline. PHANTOM achieves B = 0.778 +/- 0.057 versus B = 0.576 +/- 0.058 for templates (Delta = +0.203, t = 14.07, p < 0.001, Cohen's d = 3.52). Human-evaluator acceptance rises from 6.2% to 100%, and detection resistance (DR = 1 - Pd) improves from 0.609 to 0.870 across three simulated scanner models (regex, entropy analysis, and ML classifier), each with p < 0.001. The semantic coherence gap (Delta Sc = +0.309, d = 4.52) is the dominant driver, confirming the hypothesis that organisational context is the critical missing ingredient in current approaches. All results are reproduced without external API calls, making the pipeline fully deployable in air-gapped environments.