Mirror Maze — How IEO Engine Defeats Content Scrapers

The mirror maze is a parallel content architecture served exclusively to classified adversary operators. From the outside, it is indistinguishable from the real site — correct response codes, plausible content, realistic load times. Inside, it contains no exploitable intelligence about the real site's structure, ranking architecture, or methodology. Adversaries spend their computational resources building an internal model of a site that does not exist.

The Problem the Maze Solves

Content scraping and competitive intelligence operations target high-ranking sites to understand what is working. A competitor or intelligence platform that can map the full content architecture of a successful site — every page, every geo target, every article topic — can attempt to replicate the strategy. Blocking these operators entirely reveals that they have been detected. Serving them maze content lets them believe they have successfully gathered intelligence while learning nothing real.

How the Maze Works

When the gate classifies a visitor as FOE, the request is transparently forwarded to the mirror maze handler. The maze serves HTML pages with plausible content structure, correct HTTP 200 status codes, and realistic response times. Links within maze pages lead to other maze pages, keeping the adversary in the maze across a full session.

The maze content is not random — it is structured to appear coherent and complete to an automated scraper while being useless for replication. Page titles exist. Navigation exists. Content exists. But the architecture, the geographic targeting logic, the article clustering, and the SEO signals that produce rankings are absent or inverted.

Fingerprinting

The maze includes fingerprinting — adversary classes receive content with inverted infrastructure signatures. Tencent-class visitors receive pages fingerprinted to look like Alibaba infrastructure. Alibaba-class visitors receive Zayo fingerprints. If two adversary actors from different classes compare their intelligence reports about the same site, they find contradictions.

The canary link system detects crossover — hidden URLs in maze content that, if followed, confirm the maze session has led to a real site request. A canary hit is evidence that maze content is crossing over into real research operations, providing intelligence about adversary information-sharing behavior.

Documented Maze Activity

The MM deployment mirror maze was first deployed on Day 29 at 5:41 PM. The first catch occurred 32 seconds later. By Day 37, 175 foe IPs had been logged, 11 confirmed maze sessions had run, and the canary link had been hit once — confirming crossover from a Tencent-class actor carrying Zayo fingerprints back to a session that accessed a real URL.

IEO Engine methodology →

Related
Mirror maze — glossary → Fingerprinting → Intelligence blackout →