Apparatus and method for data security using adaptive selection of intrusion traps in relation to workload. In some embodiments, a data storage device has a non-volatile memory (NVM). A device controller circuit services data transfer commands received from a host device to transfer data between the host device and the NVM. A security controller circuit monitors the received data transfer commands and enacts a change in security policy to implement one or more intrusion traps associated with the NVM in response to the received data transfer commands. The intrusion traps constitute memory locations that are configured to normally store user data, but are not normally accessed during the servicing of the currently received data transfer commands.