🤖 AI Summary
This work addresses optimal honeypot deployment in large directed networks under resource constraints, where several adversaries move laterally at the same time. We propose the first Bayesian Stackelberg game framework tailored to multiple concurrent attackers, integrating heterogeneous attacker profiling with an intrusion detection system (IDS)-driven dynamic belief update so that the defense can be re-optimized online as alerts arrive. The method combines multi-follower Stackelberg equilibrium computation, dynamic probabilistic inference, and a compact integer program, and reaches decisions on a millisecond scale. Evaluated on a realistically sized network of 500 nodes and over 1,500 edges, it disrupts coordinated lateral movement within a few rounds and clearly outperforms static deployment and single-attacker baselines. Key contributions: (i) theoretical modeling, a multi-attacker Bayesian Stackelberg game; (ii) mechanism design, IDS-feedback-driven belief evolution; and (iii) empirical validation of scalability at engineering scale.
📝 Abstract
Defending against sophisticated cyber threats demands strategic allocation of limited security resources across complex network infrastructures. Even with a small honeypot budget, the space of candidate placements across hundreds of nodes grows combinatorially. In this paper, we present a multi-attacker Bayesian Stackelberg framework modeling concurrent adversaries attempting to breach a directed network of system components. Our approach characterizes each adversary through distinct target preferences, exploit capabilities, and associated costs, while enabling defenders to deploy honeypots at critical network positions. By integrating a multi-follower Stackelberg formulation with dynamic Bayesian belief updates, the framework lets defenders continuously refine their estimate of attacker intentions from actions detected by Intrusion Detection Systems (IDS). Experimental results show that the proposed method prevents attack success within a few rounds and scales to networks of 500 nodes with more than 1,500 edges while maintaining tractable run times.
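The abstract describes two ingredients that are easy to misread as one: a per-type attacker model (target preferences plus per-edge exploit costs) and a Bayesian update of the defender's belief over attacker types from IDS-observed hops. The example below, added here and not code from the paper, shows only those two steps on a constructed five-node directed graph with two hypothetical attacker types, followed by a greedy one-step honeypot placement under the updated belief. The graph, the attacker profiles, the edge costs, the softmax move model and the parameter `BETA` are all assumptions for illustration; the paper's multi-follower Stackelberg equilibrium and integer program are not reproduced.

```python
"""IDS-driven Bayesian belief update over attacker types on a directed network,
plus a greedy honeypot placement under the resulting belief.

Added illustration, not the paper's code. Every structure below is constructed:
the graph, the attacker types, the per-edge exploit costs and the move model.
"""
import math

# Constructed directed network: node -> list of successor nodes.
GRAPH = {
    "web": ["app", "vpn"],
    "app": ["files", "db"],
    "vpn": ["db"],
    "files": [],
    "db": [],
}

# Hypothetical attacker types: value each type attaches to reaching a node.
ATTACKER_TYPES = {
    "data_thief": {"db": 10.0, "files": 2.0},
    "ransomware": {"files": 8.0, "db": 3.0},
}

# Hypothetical per-type exploit cost of traversing an edge (capability model).
# A type with valid VPN credentials traverses web->vpn cheaply, the other does not.
EDGE_COSTS = {
    "data_thief": {("web", "vpn"): 1.0, ("web", "app"): 3.0},
    "ransomware": {("web", "app"): 1.0, ("web", "vpn"): 6.0},
}
DEFAULT_COST = 1.0  # assumed cost for any edge not listed above

# Assumed rationality of the softmax move model: larger BETA means the attacker
# heads more deterministically toward its best option.
BETA = 1.0


def reach_value(node, atype):
    """Highest target value an attacker of type `atype` can still reach from `node`."""
    prefs = ATTACKER_TYPES[atype]
    best, seen, stack = prefs.get(node, 0.0), {node}, list(GRAPH[node])
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        best = max(best, prefs.get(n, 0.0))
        stack.extend(GRAPH[n])
    return best


def move_probs(node, atype):
    """P(next hop = succ | type): softmax over reachable value minus edge cost."""
    succs = GRAPH[node]
    if not succs:
        return {}
    costs = EDGE_COSTS[atype]
    utils = {s: reach_value(s, atype) - costs.get((node, s), DEFAULT_COST) for s in succs}
    m = max(utils.values())  # shift for numerical stability
    weights = {s: math.exp(BETA * (u - m)) for s, u in utils.items()}
    total = sum(weights.values())
    return {s: w / total for s, w in weights.items()}


def update_belief(prior, observed_hops):
    """Bayesian update of P(type) from IDS-observed (src, dst) hops.

    Assumes each alert is a true detection; a uniform detection rate would
    cancel out of the posterior, so it is omitted.
    """
    posterior = dict(prior)
    for src, dst in observed_hops:
        for atype in posterior:
            posterior[atype] *= move_probs(src, atype).get(dst, 0.0)
        z = sum(posterior.values())
        if z == 0.0:
            raise ValueError(f"hop {src}->{dst} is impossible under every attacker type")
        posterior = {t: p / z for t, p in posterior.items()}
    return posterior


def place_honeypots(belief, current_node, budget):
    """Pick up to `budget` successors of `current_node` that maximize the expected
    probability that the attacker's next hop lands on a honeypot (greedy; exact
    here because the per-node interception probabilities are additive)."""
    score = {
        succ: sum(belief[t] * move_probs(current_node, t).get(succ, 0.0) for t in belief)
        for succ in GRAPH[current_node]
    }
    chosen = sorted(score, key=score.get, reverse=True)[:budget]
    return chosen, sum(score[n] for n in chosen)


if __name__ == "__main__":
    prior = {"data_thief": 0.5, "ransomware": 0.5}
    # Constructed IDS alert: lateral movement from the web server to the app server.
    belief = update_belief(prior, [("web", "app")])
    print({t: round(p, 3) for t, p in belief.items()})
    print(place_honeypots(belief, "app", budget=1))
```

The single observed hop `web->app` shifts the belief toward the type for which that edge is cheap and leads to its preferred target, and the placement then follows the belief rather than a static ranking of nodes. Replacing the greedy step with the paper's Stackelberg computation would change the placement, not the belief update, which is the part an IDS integration has to get right.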