MITRE Engage: Denial, Deception, and Adversary Engagement Concepts for Defenders
You have full visibility, decent EDR, and an intruder still walked in. What now? Most shops answer “detect and evict” and stop there. Engage says something different: keep them in a room you built, learn everything they know, and make the whole intrusion expensive and worthless to them.
Objective: Understand MITRE Engage as a framework for cyber denial, deception, and adversary engagement. You will learn the Engage Matrix (Goals, Approaches, Activities), the SGO/EGO/SAP/EAP/SAC/EAC identifier scheme, the 10-Step Process, and the Engage-to-ATT&CK mapping workflow, then plan and run a small elicitation operation against a self-built deception lab.
Contents
- 1 1. What Is MITRE Engage (History and Rationale)
- 2 2. The Three Pillars: Denial, Deception, and Adversary Engagement
- 3 3. The Engage Matrix Deep Dive
- 4 4. The 10-Step Process: Planning an Engagement Operation
- 5 5. Mapping Engage to ATT&CK: From Adversary TTP to Defensive Activity
- 6 6. Deception Infrastructure: Honeypots, Lures, Pocket Litter, and Decoy Credentials
- 7 7. Lab Exercise: Planning and Running a Mini Elicitation Operation
- 8 8. Operational Mindset: Iterative Engagement and CTI Feedback Loops
- 9 9. Detection and Defense Integration
- 10 10. Tools for Adversary Engagement
- 11 11. MITRE ATT&CK Mapping
- 12 Summary
- 13 Related Tutorials
- 14 References
1. What Is MITRE Engage (History and Rationale)
Engage is the successor to MITRE Shield. Shield was a useful idea shipped as a technique dump: lots of execution-focused deception tactics, almost no guidance on planning or on turning what you observed into intelligence. Engage keeps the tradecraft and adds the two things that actually make an operation succeed – planning up front and analysis at the end.
The core premise is blunt. Since network compromise is often inevitable, defenders can use adversary engagement to ensure that compromise does not mean loss. Instead of only trying to keep everyone out, you accept that someone will get in and you build the terrain so that their presence works for you. The goal is to drive up the cost and drive down the value of the adversary’s cyber operations.
That cost-value framing is the whole point. If the environment an attacker lands in might be fake, every action they take carries risk. Every credential might be a tripwire. Every document might be a canary. You are not just detecting; you are taxing their operation.
MITRE’s own numbers are the argument for doing this. Before adversary engagement, MITRE detected only initial IOCs, an average of about two per operation. After adopting adversary engagement, MITRE collected on average 40 new pieces of intel per operation. That is the difference between “we found a bad IP” and “we understand this actor’s toolkit and intent.”
2. The Three Pillars: Denial, Deception, and Adversary Engagement
Get the vocabulary right before touching a honeypot, because the three terms are not interchangeable.
| Concept | Exact Description |
|---|---|
| Cyber Denial | The ability to prevent or impair the adversary’s ability to conduct their operations. This disruption may limit their movements, collection efforts, or the effectiveness of their capabilities. |
| Cyber Deception | Intentionally revealing deceptive facts and fictions to mislead the adversary, while concurrently concealing critical facts and fictions so the adversary cannot form correct estimations or take appropriate actions. |
| Adversary Engagement | Denial and deception used together, inside strategic planning and analysis. Goals can be any combination of exposing adversaries on the network, eliciting intelligence about their TTPs, or affecting their ability to operate. |
Denial blocks or degrades. Deception misleads and manipulates. On their own each is a tactic. Bolted together and wrapped in strategy, they become engagement. The wrapping matters: a decoy share with no plan is just a honeypot that generates noise. A decoy share tied to a defined goal, a narrative, rules of engagement, and an analysis phase is an operation.
One editorial note that Engage itself is careful about: “engage” has a deliberate meaning. MITRE recommends engaging with the adversary but explicitly avoiding a hack-back. You manipulate your own terrain. You do not reach into theirs.

3. The Engage Matrix Deep Dive
The Matrix has three structural layers: Goals, Approaches, and Activities. Strategic goals, approaches, and activities bookend the operation and force strategic planning. The engagement goals, approaches, and activities in the middle are the traditional denial and deception work that drives you toward those strategic goals.
Engage deliberately uses “Approaches” and “Activities” instead of ATT&CK’s “Tactics” and “Techniques” so nobody confuses the offensive and defensive matrices. Approaches move you toward a goal. Activities are the concrete things you deploy to structure an approach.
The Five Columns
There are five columns (Goals) in the Matrix, read left to right as the arc of an operation:
| Goal | Role in an Operation |
|---|---|
| Prepare | Strategic bookend. The inputs to an operation: objectives, narrative, environment design, RoE. |
| Expose | Use deceptive activities to produce high-fidelity alerts when adversaries are active in the engagement environment. |
| Affect | Have a negative impact on the adversary’s operations, changing the cost-value proposition. Increase their cost or reduce the value they extract. |
| Elicit | Encourage the adversary to reveal additional or more advanced capabilities, producing actionable CTI to inform your other defenses. |
| Understand | Strategic bookend. The outputs: what happened, what it means, and how it feeds the next operation. |
The Identifier Scheme
Every Goal, Approach, and Activity has a unique ID with a consistent prefix. Memorize the two-letter middle and the strategic-versus-engagement first letter:
| Prefix | Meaning |
|---|---|
SGO | Strategic GOal |
EGO | Engagement GOal |
SAP | Strategic APproach |
EAP | Engagement APproach |
SAC | Strategic ACtivity |
EAC | Engagement ACtivity |
The two strategic approaches you will use constantly are SAP0001 (Planning) and SAP0002 (Analysis). Planning is where persona creation, storyboarding, and, critically, exit criteria live. Analysis is where you turn the campaign into something actionable. If your goal is to collect an actor’s TTPs, you plan a credible end to the attack path before you start, because credibility is what keeps the adversary engaged long enough to be useful.
The engagement activities you touch most in a first operation:
| EAC ID | Activity | What It Does |
|---|---|---|
EAC0003 | System Activity Monitoring | Collect system activity logs that reveal adversary behavior on decoy hosts. |
EAC0005 | Lures | Deceptive systems and artifacts serving as decoys, breadcrumbs, or bait to elicit a specific response. |
EAC0006 | Application Diversity | Present a variety of installed applications and services to establish legitimacy. |
EAC0007 | Network Diversity | Use a diverse set of devices and services to support believability. |
EAC0011 | Pocket Litter | Data used to support the engagement narrative and make a decoy credible. |
EAC0018 | Security Controls | Alter controls to make a system more or less vulnerable, for example removing authentication on a Docker daemon. |

4. The 10-Step Process: Planning an Engagement Operation
The 10-Step Process is split into three categories that mirror the Matrix bookends: Prepare, Operate, Understand. It was adapted from Barton Whaley’s The Art and Science of Military Deception, which laid out a ten-step process for building military deceptions; MITRE refined it for the cyber domain.
The Prepare steps are where most first-timers fail, so they get the attention here:
- Define the operational objective. What decision does this operation inform? “Learn whether this actor is after our source code or our customer data” is an objective. “Catch bad guys” is not.
- Construct the engagement narrative. The story your environment tells. It must be consistent, coherent, and believable, and it must protect your most valuable real data.
- Design the engagement environment. Pick high- or low-interaction assets, decide network and application diversity, and plan the pocket litter.
- Identify stakeholders and define operational risk. Adversary engagement is a team sport. Loop in InfoSec and IT, and also Legal, HR, and Corporate Communications.
- Establish Rules of Engagement (RoE). Set RoE before the operation starts so there are no ambiguous decisions once it is underway. Define what is in scope, what triggers an abort, and hard boundaries such as “no real credentials, no reachability to production.”
The exit criteria deserve a callout. If your goal is to learn an actor’s intentions or harvest their full TTP set, you must have already planned a credible end to the attack path. Persona Creation and Storyboarding under SAP0001 exist precisely so the ending does not feel like a trap slamming shut.
5. Mapping Engage to ATT&CK: From Adversary TTP to Defensive Activity
This is the mechanism that makes Engage more than a wish list. When an adversary performs a specific behavior, they expose an unintended weakness. Walk each ATT&CK technique, ask what weakness it reveals, then pick the engagement activity that exploits that weakness. Every activity you deploy is justified by an observed adversary behavior rather than a hunch.
The canonical example from Engage’s own documentation:
- The adversary performs Remote System Discovery (
T1018). To discover systems, they must query the network and act on whatever answers. - That is the weakness. They will believe and act on false responses.
- Deploy Lures (
EAC0005) – decoy hosts that show up in their scan and pull them toward terrain you control.
MITRE mapped the three middle columns (Expose, Affect, Elicit) to ATT&CK and shifted the perspective to mark the moment the adversary becomes vulnerable and the defender gets an opportunity. Use the Engage Matrix Explorer at engage.mitre.org/matrix to filter by an ATT&CK technique ID and see which EAC activities apply. Build the ATT&CK side of the picture in ATT&CK Navigator so your target actor’s TTP profile and your chosen Engage activities sit side by side.

6. Deception Infrastructure: Honeypots, Lures, Pocket Litter, and Decoy Credentials
Choosing between a high-interaction and a low-interaction honeypot depends on your goal, the operation length, and the specific malware you expect. A low-interaction honeypot may be plenty to spot reconnaissance, but it will fail to hold up for prolonged threat intelligence collection because it cannot present a realistic enough environment. If you want to elicit advanced TTPs, you need interaction depth.
Where possible, move adversaries into an isolated engagement environment to observe them and gather CTI. That environment must be realistic enough to reassure them it is legitimate and interesting enough to motivate them to reveal more.
Believability engineering is the part everyone underrates. A war story: the first honeypot I stood up got zero hits for a month. When traffic finally arrived, the intruder left in seconds. The share was too clean. No user documents, no stale spreadsheets, no half-finished PowerPoint from someone in Accounting. Empty perfection screams trap. That is exactly why Pocket Litter (EAC0011) exists: some adversaries look around to confirm the environment is real before committing, so you do the work to make it look lived-in.
Two more infrastructure ideas from the brief worth internalizing:
- Decoy credentials. Stand up decoy accounts with commonly used passwords to alert on brute-force attempts, and monitor for the use of those credentials anywhere else on the network. A decoy credential appearing in a logon event is about as high-fidelity as an alert gets.
- Information manipulation. Decoys waste the adversary’s time; information manipulation feeds them false or misleading data such as fake design documents or schedules. This only works if the fake data fits the engagement narrative, so plan it as one coherent story.
A hard OPSEC rule: be selective about which vulnerable assets and configurations you expose. A network that is overly permissive or vulnerable is itself a red flag. EAC0018 (Security Controls) means a deliberately weakened control, like an unauthenticated Docker daemon, not a Swiss-cheese network.
7. Lab Exercise: Planning and Running a Mini Elicitation Operation
This is entirely defender-side. There is no exploit to write. The hands-on work is planning, deploying, and monitoring a deception engagement against a self-built lab, then analyzing what fired.
Lab Architecture
Everything runs on an isolated lab network with no route to production.
[ Kali Linux (simulated adversary) ] --> [ Lab LAN: 192.168.56.0/24 ]
|
v
[ Decoy Windows Server VM ] -> honeypot, decoy SMB share, decoy AD credentials
[ Decoy Linux VM ] -> SSH honeypot, deliberately open Docker daemon (EAC0018)
[ Monitoring VM ] -> Sysmon + Winlogbeat + Elastic Stack / Splunk
Phase 1: Prepare (SAP0001 Planning)
Select an actor profile to emulate from ATT&CK CTI. For this run, a generic initial-access actor using T1078 (Valid Accounts), T1021.002 (SMB / Windows Admin Shares), and T1018 (Remote System Discovery).
- Engagement Goal: Elicit – collect adversary TTPs in the lab.
- Narrative (one page): “A small accounting firm’s internal Windows file server, lightly defended, with accessible SMB shares.”
- RoE: all activity contained to the isolated lab VLAN; no real credentials anywhere.
- Selected activities:
EAC0005(Lures),EAC0006(Application Diversity),EAC0011(Pocket Litter),EAC0003(System Activity Monitoring).
Phase 2: Operate
Deploy OpenCanary on the Decoy Linux VM to stand up low-interaction lures (EAC0005):
pip install opencanary
opencanaryd --copyconfig # edit opencanary.conf to enable SMB, HTTP, SSH modules
opencanaryd --start
Generate pocket litter (EAC0011) at canarytokens.org. Create a Word document canarytoken and drop it into a fake \\FILESERVER\Finance SMB share so any open of the file phones home:
# canarytokens.org -> select "Microsoft Word document"
# save as: Finance_Q3_Payroll.docx
# copy into the decoy share content
Create a decoy AD service account with a weak password and add it to the engagement environment. This is your intentional EAC0018 weakening, scoped only to the decoy:
New-ADUser -Name "svc_backup" -SamAccountName "svc_backup" `
-AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) `
-Enabled $true -Description "Backup service account"
Enable Sysmon on the decoy Windows VM using a SwiftOnSecurity-style config for EAC0003 monitoring:
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
Watch for Event ID 1 (process creation), Event ID 3 (network connection), and Event ID 11 (file creation).
Now play the adversary from the Kali VM, executing the emulated TTPs:
nmap -sV 192.168.56.0/24 # T1018 Remote System Discovery
smbclient -L //192.168.56.10 -N # T1135 Network Share Discovery
smbclient //192.168.56.10/Finance -N # opens the share; triggers canarytoken on doc access
Phase 3: Understand (SAP0002 Analysis)
Pull the OpenCanary alerts. Each triggered canary writes a JSON record:
{
"dst_host": "192.168.56.20",
"dst_port": 445,
"logtype": 5000,
"logdata": {"SMB_USER": "", "SMB_SHARE": "Finance"},
"src_host": "192.168.56.50",
"utc_time": "2024-06-11 14:22:08.113"
}
Correlate the Sysmon and Windows Security events into the TTP chain. A share touch on the decoy produces a 5140 (network share object accessed), which for a share never advertised to real users is effectively a zero-false-positive alert. The canarytoken open shows up as a Sysmon Event ID 11 file access under WINWORD.EXE.
Record which EAC activities fired, which TTPs were revealed, and what new intel you gained, then feed that into the next operation’s Prepare phase. Build an ATT&CK Navigator layer marking T1018, T1135, and T1078 as detected by the engagement so the coverage is visible at a glance.
8. Operational Mindset: Iterative Engagement and CTI Feedback Loops
One operation is a data point. The value compounds when each Understand phase seeds the next Prepare phase. That loop is how you shift from CVE-driven defense (patch the thing, wait for the next thing) to TTP-driven defense (understand how this actor works and shape terrain against their behavior).
This is exactly why Engage bookends the deception techniques with Planning and Analysis where Shield did not. The Analysis output is not a report that dies in a wiki. It becomes tuned Sigma rules, refined narratives, better pocket litter, and a sharper actor persona for the next run. Two IOCs per operation becomes forty pieces of usable intel because you are running a program, not a one-off.

9. Detection and Defense Integration
Because Engage is the defensive framework, “detection” here means the instrumentation you place on your decoy assets to capture adversary behavior, plus the OPSEC that keeps the deception itself safe.
Sysmon Event IDs on Decoy Hosts
| Event ID | Event | Relevance in Engage Context |
|---|---|---|
1 | Process Create | Adversary runs tools on the decoy host |
3 | Network Connection | Adversary connects to decoy services; pivot detection |
7 | Image Loaded | DLL loads fingerprint the adversary’s tooling |
11 | File Created | Canarytoken document opened; file dropped on decoy |
13 | Registry Value Set | Persistence attempt on the decoy |
22 | DNS Query | C2 DNS beaconing observed from the honeypot |
Windows Security Event IDs (via auditpol)
Turn on the audit subcategories on the decoy so credential and share activity is captured:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable
The high-value IDs: 4624 (successful logon with a decoy account is an instant high-fidelity alert), 4625 (brute force against decoys), 4648 (explicit-credential logon, lateral movement with decoy creds), 4663 (file object accessed), and 5140/5145 (decoy share access).
Relevant ETW Providers
| Provider | GUID | Use |
|---|---|---|
Microsoft-Windows-Security-Auditing | {54849625-5478-4994-A5BA-3E3B0328C30D} | Decoy-account logon events (4624/4625) |
Microsoft-Windows-Sysmon | {5770385F-C22A-43E0-BF4C-06F5698FFBD9} | All Sysmon telemetry from the honeypot |
Microsoft-Windows-SMBClient | {988C59C5-0A1C-45B6-A555-0C62276E327D} | SMB access to decoy shares |
Sigma Rules for Decoy Interaction
title: Decoy SMB Share Access Detected
status: experimental
logsource:
product: windows
service: security
detection:
selection:
EventID: 5140
ShareName: '\\*\Finance_Decoy'
condition: selection
falsepositives:
- None expected (decoy share not advertised to legitimate users)
level: critical
tags:
- engage.eac0005
title: Canarytoken Pocket Litter Document Opened
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|contains: 'Finance_Q'
TargetFilename|endswith: '.docx'
Image|endswith: '\WINWORD.EXE'
condition: selection
level: high
tags:
- engage.eac0011
OPSEC for the Deception Environment
- Deception assets must not be reachable from production. Enforce strict VLAN isolation.
- Do not over-weaken. An overly permissive or vulnerable network is a red flag to a competent adversary.
- Invest in pocket litter. Empty realism is a giveaway.
- Brief non-obvious stakeholders early: Legal, HR, and Corporate Communications, not just InfoSec and IT.
- Engage the terrain, never the adversary’s infrastructure. No hack-back.
10. Tools for Adversary Engagement
| Tool | Description | Link |
|---|---|---|
| MITRE Engage Matrix Explorer | Select and document EAC activities, filter by ATT&CK ID | engage.mitre.org |
| ATT&CK Navigator | Visualize the emulated actor TTP profile and mapped Engage activities | mitre-attack.github.io |
| OpenCanary | Python low-interaction honeypot (SMB, HTTP, SSH, FTP, Telnet) for lures | thinkst.com |
| Canarytokens | Honeytoken generation for pocket litter (docs, URLs, creds) | canarytokens.org |
| Sysmon | System activity monitoring on decoy Windows hosts | sysinternals.com |
| Wireshark / tcpdump | Network-level interaction logging | wireshark.org |
| Elastic Stack / Splunk | Aggregate and correlate decoy telemetry | elastic.co |
11. MITRE ATT&CK Mapping
| ATT&CK ID | Technique | Engage Counter-Activity / Signal |
|---|---|---|
T1018 | Remote System Discovery | EAC0005 Lures (decoy hosts appear in scans) |
T1135 | Network Share Discovery | EAC0005 Lures, EAC0006 Application Diversity |
T1078 | Valid Accounts | Decoy credentials, 4648/4624 on use |
T1021.002 | SMB / Windows Admin Shares | EAC0003, Event ID 5140/5145 |
T1083 | File and Directory Discovery | EAC0011 Pocket Litter (canarytoken on access) |
T1071 | Application Layer Protocol (C2) | EAC0003, Sysmon Event 22 DNS query |
T1560 | Archive Collected Data | Observed during Elicit-phase operations |
T1005 | Data from Local System | Elicitation via manipulated/fake data |
Summary
- MITRE Engage turns inevitable compromise into leverage by pairing denial and deception inside strategic planning and analysis to drive up adversary cost and drive down adversary value.
- The Engage Matrix runs Prepare, Expose, Affect, Elicit, Understand, with everything ID-tagged under the SGO/EGO/SAP/EAP/SAC/EAC scheme;
SAP0001(Planning) andSAP0002(Analysis) are the bookends Shield lacked. - The 10-Step Process (Prepare, Operate, Understand) forces objectives, narrative, stakeholders, RoE, and exit criteria before a single lure goes live.
- Map ATT&CK behavior to weakness to activity:
T1018discovery becomes an opportunity to plantEAC0005Lures, so every deception is justified by observed adversary behavior. - Instrument decoys with Sysmon (Event IDs 1, 3, 11, 22) and Windows auditing (5140, 4624, 4648) for zero-false-positive, high-fidelity alerts, keep the environment isolated and believable, and engage the terrain, never hack back.
Related Tutorials
- APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
- Introduction to MITRE ATT&CK: Structure, Tactics, Techniques, and Sub-Techniques
- Adversary Emulation vs. Adversary Simulation: Definitions, Differences, and Why It Matters
- Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
- Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
References
- engage.mitre.org
- engage.mitre.org
- engage.mitre.org
- engage.mitre.org
- engage.mitre.org
- engage.mitre.org
- github.com
- medium.com
Get new drops in your inbox
Windows internals, exploit dev, and red-team write-ups - no spam, unsubscribe anytime.