US 12,107,889 B2
Cloud-based deception technology utilizing zero trust to identify threat intelligence, telemetry, and emerging adversary tactics and techniques
Bhavesh Kothari, Pune (IN); Sahir Hidayatullah, Mumbai (IN); Deepen Desai, San Ramon, CA (US); Akshay Shah, Bangalore (IN); and Reshad Patuck, Mumbai (IN)
Assigned to Zscaler, Inc., San Jose, CA (US)
Filed by Zscaler, Inc., San Jose, CA (US)
Filed on Jan. 8, 2022, as Appl. No. 17/571,460.
Claims priority of application No. 202111053875 (IN), filed on Nov. 23, 2021.
Prior Publication US 2023/0164182 A1, May 25, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1491 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)]
20 Claims
9. A method comprising steps of:
hosting a decoy cloud environment for a customer that contains a plurality of decoys and that is hosted and separated from a real environment of the customer, wherein the plurality of decoys are associated with a plurality of fake assets planted on one or more user devices associated with the customer;
receiving traffic from a user associated with the customer via inline monitoring for traffic inspection;
detecting whether the traffic is related to accessing a fake asset on a user device associated with the user or the traffic is unrelated to any fake asset on the user device;
responsive to the traffic being related to accessing the fake asset, rerouting the traffic to the decoy cloud environment as part of the inline monitoring, and monitoring activity associated with the fake asset in the decoy cloud environment, wherein the routing is performed based on deception policies created based on real user access policy; and
responsive to the traffic being unrelated to any fake asset, processing the traffic for threat protection and data protection and either allowing or blocking the unrelated traffic based thereon.
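The inline decision recited in claim 9, sketched as an added example that is not code from the patent or from Zscaler. It assumes one possible reading of "deception policies created based on real user access policy": a lure is routed to its decoy for exactly the groups the real policy allows to reach the application it imitates. All class names, hostnames, groups and the blocking rules are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; every name and hostname here is hypothetical.
@dataclass(frozen=True)
class AccessRule:      # one rule of the real user access policy
    group: str
    app: str

@dataclass(frozen=True)
class FakeAsset:       # lure planted on a user device
    device: str
    lure_host: str     # hostname that only the lure references
    mimics_app: str    # real application the lure imitates
    decoy: str         # decoy in the separate decoy cloud environment

def build_deception_policies(rules, assets):
    """Assumed derivation: a lure is routed to its decoy for exactly the
    groups the real policy allows to reach the application it imitates."""
    return {
        (a.device, a.lure_host):
            (frozenset(r.group for r in rules if r.app == a.mimics_app), a.decoy)
        for a in assets
    }

def inspect(req, blocked_hosts):
    """Stand-in for threat and data protection on ordinary traffic."""
    if req["host"] in blocked_hosts or req.get("label") == "confidential":
        return "block"
    return "allow"

def route(req, policies, blocked_hosts, events):
    """Inline decision for one request; returns (action, decoy or None)."""
    hit = policies.get((req["device"], req["host"]))
    if hit is None:                       # unrelated to any fake asset
        return inspect(req, blocked_hosts), None
    groups, decoy = hit
    events.append({"user": req["user"], "device": req["device"],
                   "lure": req["host"]})  # any lure touch is recorded
    if req["group"] in groups:
        return "decoy", decoy             # reroute, monitor in decoy cloud
    return "block", None                  # real policy would deny this too

RULES = [AccessRule("finance", "erp.corp.example")]
ASSETS = [FakeAsset("laptop-17", "erp-backup.corp.example",
                    "erp.corp.example", "decoy-erp-01")]
POLICIES = build_deception_policies(RULES, ASSETS)
BLOCKED = {"malware.test"}
```

Keying the policy on the (device, lure host) pair means the same hostname requested from a device where the lure was never planted is treated as ordinary traffic and goes through normal inspection.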