I. Introduction
Defenders typically introduce additional artifacts, called honeypots, into the network to lure attackers away from legitimate assets and to understand their techniques and motivations. Honeypots can range in fidelity from low-interaction, such as a simple listener, to high-interaction, such as a full webserver. The choice of fidelity is largely influenced by available resources. For this reason, previous works have looked at how to strategically place these honeypots to maximize their utility [1]. However, it is infeasible to calculate every move an attacker may take, because there may be multiple attackers or their intentions may change.