The NCSC’s cyber deception trials mark a shift from theory to evidence, testing whether deception can deliver real defensive value at scale. This article examines what those trials show — and what they leave unresolved. It argues that cyber deception is best understood as an evolution of honeypots, powerful but operationally demanding, and highly dependent on organisational maturity. While effective in well-instrumented environments, deception is not an SME-level control and risks being over-sold. Without clear metrics, safety discipline, and honest maturity gating, its promise remains conditional.