CustomersPricingResearchAboutCareersContact
Company
  • About
  • Careers
  • Contact
Book a demo
Book a demo

Book a demo

See how canaries can enhance your security

Photo of Andy Smith

Andy Smith

CEO, Tracebit

Photo of Sam Cox

Sam Cox

CTO, Tracebit

Schedule a 45 minute personalised demo of Tracebit with one of our co-founders to:

  • Discuss your specific security challenges
  • Cover the range of canaries Tracebit can deploy for your use case
  • Walk through a simple Tracebit deployment

One of our co-founders will reply to you directly as soon as they see your request. No bots here! So please be patient if it takes us a few hours to get back to you.

Thank you for contacting us; a member of our team will be in touch shortly.
Oops! Something went wrong while submitting the form.

Case study

Riot Games adopts Tracebit to help protect more than 180 million active monthly players

Riot Games' deployment of Tracebit across the vast technology ecosystem that supports hundreds of millions of users.

Business summary

Location

Los Angeles, USA

Security team

Environment

AWS, Endpoints, Okta

Canaries

10,000-100,000

Highlights

  • Fully automated canary orchestration across vast AWS footprint that supports Riot Games’ more than 180 million active players monthly
  • 2/2 separate 3rd Party Red Team exercises detected by Tracebit Canaries
  • Integration with SIEM and SOAR minimizes time to respond to Tracebit alerts
  • Minimal disruption across entire Riot Games Engineering team

"As our environment evolves and attacker behavior and knowledge evolves it’s important that we stay ahead of the game, which is why we’re excited to partner with Tracebit on even more advanced canaries as they build them out."

Chris Hymes

Chief Information Security Officer

Case study

The Challenge

The Information Security (InfoSec) team at Riot Games is responsible for protecting the vast technology ecosystem that is essential to the company’s mission of creating world-class gaming experiences from hundreds of millions from regular, active attacks.

The team had seen significant value in ‘deception’ approaches in their on-premise systems and were exploring opportunities to enable a solution in their cloud environments and elsewhere. Internally, time had been allocated to the deployment of decoys or canaries across their wider ecosystem.

The AWS environment, which provides a wide range of support to Riot’s infrastructure, was identified as a high priority target for these canaries, but given the vast scale and disparate nature of the environment, the complexity of scaling canaries was considered very high.

The Solution

The Riot team met Tracebit early on in the development of the Tracebit platform whilst considering their strategy for the upcoming year.

The pitch was simple - the automation that leveraged Terraform and read only API access could quickly and easily bring coverage across the entire AWS footprint without any manual work. The canaries would be deployed automatically and would blend in, despite the disparate nature of the environments.

Given the scale, the Riot team had naturally already invested in automation of cloud provisioning for the production pipelines, providing a perfect integration for Tracebit.

As the Tracebit platform continued to develop, a variety of ‘no brainer’ options became available that the team was able to leverage to quickly level up their detections with minimal efforts, including Canary Credentials on Workstations, Servers and Containers and Identity.

Significant time save with rollout across Riot Games’ AWS infrastructure

“We had the in-house skills and knowledge to deploy canaries ourselves, but when we considered the effort across all of our environments we estimated it could easily take a year full time to be production ready. With Tracebit we only spent an order of weeks of engineering hours to gain full coverage.”

Kevin Conley, Staff Security Engineer, Riot Games

The project began with a focus on Riot’s vast AWS environment with a goal of 100% coverage across Riot's hundreds of AWS accounts with Tracebit Canary Infrastructure. Due to the level of automation provided by Tracebit, the vast majority of this project was able to be run by a single individual on the Riot team.

The initial rollout focused on manual deployment of Tracebit into some accounts of medium level criticality and volume to prove out the integration and derisk the deployment.

Once this was verified, by integrating Tracebit into the internal cloud account factory system and making use of Tracebit’s auto on-boarding feature the team was able to rollout in batches of tens and then hundreds, scaling quickly and with minimal efforts.

Minimal impact on large Engineering Organization

“Security is here to enable the business, not create obstacles, so naturally a key part of our success criteria was not disrupting our engineering teams. I’m happy to say that the Tracebit deployment delivered on this goal.”

Pasquale Cipollone, Security Engineer, Riot Games

As expected, there were some initial concerns raised surrounding the AWS canary deployment. A significant number of AWS resources would be created that were designed to deceive attackers. It was possible that these could affect employees as well.

The approach here was to begin with a gradual rollout to assuage concerns, and targeted communication around the plans to anticipate any potential kick back. This pragmatic approach proved to be successful - there have been relatively few legitimate interactions and limited concerns flagged by AWS users.

Tracebit detections have proven the value

“While we believe that canaries are an integral part of our security posture, we felt it was important to validate our assumptions with external testing. Since our successful deployment, we’ve engaged two separate third party red teams to simulate attacks in our environment. In both cases Tracebit was able to detect them, most recently they detected them at the beginning of their engagement!”

Kevin Conley, Staff Security Engineer, Riot Games

The primary reason for the deployment of Tracebit was to extend existing strategies for detecting unauthorized behaviours. Since deployment, this goal has been met and value above and beyond existing approaches has been shown. In addition, Tracebit has been successful in detecting 2 of 2 red team exercises that have been executed in environments in which it was present. The Tracebit platform offers additional stealth features that give the Riot team confidence that future attempts at evasion will present challenges.

Further Investment

“As our environment evolves and attacker behavior and knowledge evolves it’s important that we stay ahead of the game, which is why we’re excited to partner with Tracebit on even more advanced canaries as they build them out.”

Chris Hymes, Chief Information Security Officer, Riot Games

Tracebit has been fully functional for some time now and has been well integrated into Riot Games’ Security Operations team’s workflows, leveraging Tracebit Alert integrations for SIEM and SOAR automation.

Tracebit has delivered on the promise of a canary platform that’s lightweight, a quick set up, low noise and with a low total cost of ownership. New Tracebit features and modules - including Canary Credentials and Identity Canaries - often stand out as ‘no-brainers’ for the team at Riot which continues to be excited early adopters of the latest canary technologies from Tracebit.

‍

AboutBlogContactCareersStatusTrust & Security
Subscribe for research and product updates
By subscribing you agree to our Privacy Policy
Thank you! Check your inbox for your first edition
Oops! Something went wrong while submitting the form.
Subscribe
By subscribing you agree to our Privacy Policy
Thank you! Check your inbox for your first edition
Oops! Something went wrong while submitting the form.
© 2025 Tracebit. All rights reserved.
Privacy PolicyTerms of Service
AWS Qualified SoftwareSOC 2 Type 2