The present disclosure provides an information technology security system, method and apparatus that differentiates advanced attackers from unsophisticated attackers by querying a proprietary Threat Intelligence database that houses known attack and attacker information. Advanced attackers are proxied, or filtered, into a virtual honeypot where their tools, methods, and attack procedures can be recorded and studied. Context and back story are implemented into the honeypot to make it appear as real as possible by using a hardware “host” device located at the customer site that transparently forwards all traffic it receives into the virtual honeypot where the customer's network environment is re-created. Advanced attackers are filtered into this virtual honeypot where the tools and attack strategies that they otherwise would keep secret can be logged, examined, and researched.