MITRE Engage: Denial, Deception, and Adversary Engagement Concepts for Defenders

By Debraj Basak·Jul 18, 2026·16 min readAdversary Emulation

You have full visibility, decent EDR, and an intruder still walked in. What now? Most shops answer “detect and evict” and stop there. Engage says something different: keep them in a room you built, learn everything they know, and make the whole intrusion expensive and worthless to them.

Objective: Understand MITRE Engage as a framework for cyber denial, deception, and adversary engagement. You will learn the Engage Matrix (Goals, Approaches, Activities), the SGO/EGO/SAP/EAP/SAC/EAC identifier scheme, the 10-Step Process, and the Engage-to-ATT&CK mapping workflow, then plan and run a small elicitation operation against a self-built deception lab.


1. What Is MITRE Engage (History and Rationale)

Engage is the successor to MITRE Shield. Shield was a useful idea shipped as a technique dump: lots of execution-focused deception tactics, almost no guidance on planning or on turning what you observed into intelligence. Engage keeps the tradecraft and adds the two things that actually make an operation succeed – planning up front and analysis at the end.

The core premise is blunt. Since network compromise is often inevitable, defenders can use adversary engagement to ensure that compromise does not mean loss. Instead of only trying to keep everyone out, you accept that someone will get in and you build the terrain so that their presence works for you. The goal is to drive up the cost and drive down the value of the adversary’s cyber operations.

That cost-value framing is the whole point. If the environment an attacker lands in might be fake, every action they take carries risk. Every credential might be a tripwire. Every document might be a canary. You are not just detecting; you are taxing their operation.

MITRE’s own numbers are the argument for doing this. Before adversary engagement, MITRE detected only initial IOCs, an average of about two per operation. After adopting adversary engagement, MITRE collected on average 40 new pieces of intel per operation. That is the difference between “we found a bad IP” and “we understand this actor’s toolkit and intent.”


2. The Three Pillars: Denial, Deception, and Adversary Engagement

Get the vocabulary right before touching a honeypot, because the three terms are not interchangeable.

ConceptExact Description
Cyber DenialThe ability to prevent or impair the adversary’s ability to conduct their operations. This disruption may limit their movements, collection efforts, or the effectiveness of their capabilities.
Cyber DeceptionIntentionally revealing deceptive facts and fictions to mislead the adversary, while concurrently concealing critical facts and fictions so the adversary cannot form correct estimations or take appropriate actions.
Adversary EngagementDenial and deception used together, inside strategic planning and analysis. Goals can be any combination of exposing adversaries on the network, eliciting intelligence about their TTPs, or affecting their ability to operate.

Denial blocks or degrades. Deception misleads and manipulates. On their own each is a tactic. Bolted together and wrapped in strategy, they become engagement. The wrapping matters: a decoy share with no plan is just a honeypot that generates noise. A decoy share tied to a defined goal, a narrative, rules of engagement, and an analysis phase is an operation.

One editorial note that Engage itself is careful about: “engage” has a deliberate meaning. MITRE recommends engaging with the adversary but explicitly avoiding a hack-back. You manipulate your own terrain. You do not reach into theirs.


Concentric symbolic rings representing denial as a portcullis, deception as a cracked mirror, and adversary engagement as a spider's web trap
Denial blocks, deception misleads, and engagement combines both inside strategic planning to turn an intrusion into an intelligence operation.

3. The Engage Matrix Deep Dive

The Matrix has three structural layers: Goals, Approaches, and Activities. Strategic goals, approaches, and activities bookend the operation and force strategic planning. The engagement goals, approaches, and activities in the middle are the traditional denial and deception work that drives you toward those strategic goals.

Engage deliberately uses “Approaches” and “Activities” instead of ATT&CK’s “Tactics” and “Techniques” so nobody confuses the offensive and defensive matrices. Approaches move you toward a goal. Activities are the concrete things you deploy to structure an approach.

The Five Columns

There are five columns (Goals) in the Matrix, read left to right as the arc of an operation:

GoalRole in an Operation
PrepareStrategic bookend. The inputs to an operation: objectives, narrative, environment design, RoE.
ExposeUse deceptive activities to produce high-fidelity alerts when adversaries are active in the engagement environment.
AffectHave a negative impact on the adversary’s operations, changing the cost-value proposition. Increase their cost or reduce the value they extract.
ElicitEncourage the adversary to reveal additional or more advanced capabilities, producing actionable CTI to inform your other defenses.
UnderstandStrategic bookend. The outputs: what happened, what it means, and how it feeds the next operation.

The Identifier Scheme

Every Goal, Approach, and Activity has a unique ID with a consistent prefix. Memorize the two-letter middle and the strategic-versus-engagement first letter:

PrefixMeaning
SGOStrategic GOal
EGOEngagement GOal
SAPStrategic APproach
EAPEngagement APproach
SACStrategic ACtivity
EACEngagement ACtivity

The two strategic approaches you will use constantly are SAP0001 (Planning) and SAP0002 (Analysis). Planning is where persona creation, storyboarding, and, critically, exit criteria live. Analysis is where you turn the campaign into something actionable. If your goal is to collect an actor’s TTPs, you plan a credible end to the attack path before you start, because credibility is what keeps the adversary engaged long enough to be useful.

The engagement activities you touch most in a first operation:

EAC IDActivityWhat It Does
EAC0003System Activity MonitoringCollect system activity logs that reveal adversary behavior on decoy hosts.
EAC0005LuresDeceptive systems and artifacts serving as decoys, breadcrumbs, or bait to elicit a specific response.
EAC0006Application DiversityPresent a variety of installed applications and services to establish legitimacy.
EAC0007Network DiversityUse a diverse set of devices and services to support believability.
EAC0011Pocket LitterData used to support the engagement narrative and make a decoy credible.
EAC0018Security ControlsAlter controls to make a system more or less vulnerable, for example removing authentication on a Docker daemon.

Hierarchy diagram of the MITRE Engage Matrix showing the five goal columns - Prepare, Expose, Affect, Elicit, Understand - with strategic bookends SAP0001 and SAP0002 and core engagement activities EAC0005, EAC0011, and EAC0003
The Engage Matrix flows left to right: strategic Prepare and Understand bookend the three engagement goals, each served by concrete EAC activities.

4. The 10-Step Process: Planning an Engagement Operation

The 10-Step Process is split into three categories that mirror the Matrix bookends: Prepare, Operate, Understand. It was adapted from Barton Whaley’s The Art and Science of Military Deception, which laid out a ten-step process for building military deceptions; MITRE refined it for the cyber domain.

The Prepare steps are where most first-timers fail, so they get the attention here:

  1. Define the operational objective. What decision does this operation inform? “Learn whether this actor is after our source code or our customer data” is an objective. “Catch bad guys” is not.
  2. Construct the engagement narrative. The story your environment tells. It must be consistent, coherent, and believable, and it must protect your most valuable real data.
  3. Design the engagement environment. Pick high- or low-interaction assets, decide network and application diversity, and plan the pocket litter.
  4. Identify stakeholders and define operational risk. Adversary engagement is a team sport. Loop in InfoSec and IT, and also Legal, HR, and Corporate Communications.
  5. Establish Rules of Engagement (RoE). Set RoE before the operation starts so there are no ambiguous decisions once it is underway. Define what is in scope, what triggers an abort, and hard boundaries such as “no real credentials, no reachability to production.”

The exit criteria deserve a callout. If your goal is to learn an actor’s intentions or harvest their full TTP set, you must have already planned a credible end to the attack path. Persona Creation and Storyboarding under SAP0001 exist precisely so the ending does not feel like a trap slamming shut.


5. Mapping Engage to ATT&CK: From Adversary TTP to Defensive Activity

This is the mechanism that makes Engage more than a wish list. When an adversary performs a specific behavior, they expose an unintended weakness. Walk each ATT&CK technique, ask what weakness it reveals, then pick the engagement activity that exploits that weakness. Every activity you deploy is justified by an observed adversary behavior rather than a hunch.

The canonical example from Engage’s own documentation:

  • The adversary performs Remote System Discovery (T1018). To discover systems, they must query the network and act on whatever answers.
  • That is the weakness. They will believe and act on false responses.
  • Deploy Lures (EAC0005) – decoy hosts that show up in their scan and pull them toward terrain you control.

MITRE mapped the three middle columns (Expose, Affect, Elicit) to ATT&CK and shifted the perspective to mark the moment the adversary becomes vulnerable and the defender gets an opportunity. Use the Engage Matrix Explorer at engage.mitre.org/matrix to filter by an ATT&CK technique ID and see which EAC activities apply. Build the ATT&CK side of the picture in ATT&CK Navigator so your target actor’s TTP profile and your chosen Engage activities sit side by side.


Flow diagram showing ATT&CK techniques T1018, T1135, and T1078 each revealing an adversary weakness that defenders exploit with EAC0005 Lures and EAC0011 Pocket Litter to produce high-fidelity alerts
Every Engage activity is justified by a specific adversary behavior: map the ATT&CK technique to the weakness it exposes, then select the EAC activity that exploits that weakness.

6. Deception Infrastructure: Honeypots, Lures, Pocket Litter, and Decoy Credentials

Choosing between a high-interaction and a low-interaction honeypot depends on your goal, the operation length, and the specific malware you expect. A low-interaction honeypot may be plenty to spot reconnaissance, but it will fail to hold up for prolonged threat intelligence collection because it cannot present a realistic enough environment. If you want to elicit advanced TTPs, you need interaction depth.

Where possible, move adversaries into an isolated engagement environment to observe them and gather CTI. That environment must be realistic enough to reassure them it is legitimate and interesting enough to motivate them to reveal more.

Believability engineering is the part everyone underrates. A war story: the first honeypot I stood up got zero hits for a month. When traffic finally arrived, the intruder left in seconds. The share was too clean. No user documents, no stale spreadsheets, no half-finished PowerPoint from someone in Accounting. Empty perfection screams trap. That is exactly why Pocket Litter (EAC0011) exists: some adversaries look around to confirm the environment is real before committing, so you do the work to make it look lived-in.

Two more infrastructure ideas from the brief worth internalizing:

  • Decoy credentials. Stand up decoy accounts with commonly used passwords to alert on brute-force attempts, and monitor for the use of those credentials anywhere else on the network. A decoy credential appearing in a logon event is about as high-fidelity as an alert gets.
  • Information manipulation. Decoys waste the adversary’s time; information manipulation feeds them false or misleading data such as fake design documents or schedules. This only works if the fake data fits the engagement narrative, so plan it as one coherent story.

A hard OPSEC rule: be selective about which vulnerable assets and configurations you expose. A network that is overly permissive or vulnerable is itself a red flag. EAC0018 (Security Controls) means a deliberately weakened control, like an unauthenticated Docker daemon, not a Swiss-cheese network.


7. Lab Exercise: Planning and Running a Mini Elicitation Operation

This is entirely defender-side. There is no exploit to write. The hands-on work is planning, deploying, and monitoring a deception engagement against a self-built lab, then analyzing what fired.

Lab Architecture

Everything runs on an isolated lab network with no route to production.

[ Kali Linux (simulated adversary) ] --> [ Lab LAN: 192.168.56.0/24 ]
        |
        v
[ Decoy Windows Server VM ]  -> honeypot, decoy SMB share, decoy AD credentials
[ Decoy Linux VM ]           -> SSH honeypot, deliberately open Docker daemon (EAC0018)
[ Monitoring VM ]            -> Sysmon + Winlogbeat + Elastic Stack / Splunk

Phase 1: Prepare (SAP0001 Planning)

Select an actor profile to emulate from ATT&CK CTI. For this run, a generic initial-access actor using T1078 (Valid Accounts), T1021.002 (SMB / Windows Admin Shares), and T1018 (Remote System Discovery).

  • Engagement Goal: Elicit – collect adversary TTPs in the lab.
  • Narrative (one page): “A small accounting firm’s internal Windows file server, lightly defended, with accessible SMB shares.”
  • RoE: all activity contained to the isolated lab VLAN; no real credentials anywhere.
  • Selected activities: EAC0005 (Lures), EAC0006 (Application Diversity), EAC0011 (Pocket Litter), EAC0003 (System Activity Monitoring).

Phase 2: Operate

Deploy OpenCanary on the Decoy Linux VM to stand up low-interaction lures (EAC0005):

pip install opencanary
opencanaryd --copyconfig      # edit opencanary.conf to enable SMB, HTTP, SSH modules
opencanaryd --start

Generate pocket litter (EAC0011) at canarytokens.org. Create a Word document canarytoken and drop it into a fake \\FILESERVER\Finance SMB share so any open of the file phones home:

# canarytokens.org -> select "Microsoft Word document"
# save as: Finance_Q3_Payroll.docx
# copy into the decoy share content

Create a decoy AD service account with a weak password and add it to the engagement environment. This is your intentional EAC0018 weakening, scoped only to the decoy:

New-ADUser -Name "svc_backup" -SamAccountName "svc_backup" `
    -AccountPassword (ConvertTo-SecureString "Summer2024!" -AsPlainText -Force) `
    -Enabled $true -Description "Backup service account"

Enable Sysmon on the decoy Windows VM using a SwiftOnSecurity-style config for EAC0003 monitoring:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

Watch for Event ID 1 (process creation), Event ID 3 (network connection), and Event ID 11 (file creation).

Now play the adversary from the Kali VM, executing the emulated TTPs:

nmap -sV 192.168.56.0/24               # T1018 Remote System Discovery
smbclient -L //192.168.56.10 -N        # T1135 Network Share Discovery
smbclient //192.168.56.10/Finance -N   # opens the share; triggers canarytoken on doc access

Phase 3: Understand (SAP0002 Analysis)

Pull the OpenCanary alerts. Each triggered canary writes a JSON record:

{
  "dst_host": "192.168.56.20",
  "dst_port": 445,
  "logtype": 5000,
  "logdata": {"SMB_USER": "", "SMB_SHARE": "Finance"},
  "src_host": "192.168.56.50",
  "utc_time": "2024-06-11 14:22:08.113"
}

Correlate the Sysmon and Windows Security events into the TTP chain. A share touch on the decoy produces a 5140 (network share object accessed), which for a share never advertised to real users is effectively a zero-false-positive alert. The canarytoken open shows up as a Sysmon Event ID 11 file access under WINWORD.EXE.

Record which EAC activities fired, which TTPs were revealed, and what new intel you gained, then feed that into the next operation’s Prepare phase. Build an ATT&CK Navigator layer marking T1018, T1135, and T1078 as detected by the engagement so the coverage is visible at a glance.


8. Operational Mindset: Iterative Engagement and CTI Feedback Loops

One operation is a data point. The value compounds when each Understand phase seeds the next Prepare phase. That loop is how you shift from CVE-driven defense (patch the thing, wait for the next thing) to TTP-driven defense (understand how this actor works and shape terrain against their behavior).

This is exactly why Engage bookends the deception techniques with Planning and Analysis where Shield did not. The Analysis output is not a report that dies in a wiki. It becomes tuned Sigma rules, refined narratives, better pocket litter, and a sharper actor persona for the next run. Two IOCs per operation becomes forty pieces of usable intel because you are running a program, not a one-off.


A möbius conveyor belt illustrating the iterative cycle of plan, operate, and analyze phases feeding back into each other for continuous adversary engagement improvement
Each Understand phase seeds the next Prepare phase – the feedback loop is what transforms two IOCs per operation into forty pieces of actionable intelligence.

9. Detection and Defense Integration

Because Engage is the defensive framework, “detection” here means the instrumentation you place on your decoy assets to capture adversary behavior, plus the OPSEC that keeps the deception itself safe.

Sysmon Event IDs on Decoy Hosts

Event IDEventRelevance in Engage Context
1Process CreateAdversary runs tools on the decoy host
3Network ConnectionAdversary connects to decoy services; pivot detection
7Image LoadedDLL loads fingerprint the adversary’s tooling
11File CreatedCanarytoken document opened; file dropped on decoy
13Registry Value SetPersistence attempt on the decoy
22DNS QueryC2 DNS beaconing observed from the honeypot

Windows Security Event IDs (via auditpol)

Turn on the audit subcategories on the decoy so credential and share activity is captured:

auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable
auditpol /set /subcategory:"Process Creation" /success:enable

The high-value IDs: 4624 (successful logon with a decoy account is an instant high-fidelity alert), 4625 (brute force against decoys), 4648 (explicit-credential logon, lateral movement with decoy creds), 4663 (file object accessed), and 5140/5145 (decoy share access).

Relevant ETW Providers

ProviderGUIDUse
Microsoft-Windows-Security-Auditing{54849625-5478-4994-A5BA-3E3B0328C30D}Decoy-account logon events (4624/4625)
Microsoft-Windows-Sysmon{5770385F-C22A-43E0-BF4C-06F5698FFBD9}All Sysmon telemetry from the honeypot
Microsoft-Windows-SMBClient{988C59C5-0A1C-45B6-A555-0C62276E327D}SMB access to decoy shares

Sigma Rules for Decoy Interaction

title: Decoy SMB Share Access Detected
status: experimental
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140
        ShareName: '\\*\Finance_Decoy'
    condition: selection
falsepositives:
    - None expected (decoy share not advertised to legitimate users)
level: critical
tags:
    - engage.eac0005
title: Canarytoken Pocket Litter Document Opened
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 11
        TargetFilename|contains: 'Finance_Q'
        TargetFilename|endswith: '.docx'
        Image|endswith: '\WINWORD.EXE'
    condition: selection
level: high
tags:
    - engage.eac0011

OPSEC for the Deception Environment

  • Deception assets must not be reachable from production. Enforce strict VLAN isolation.
  • Do not over-weaken. An overly permissive or vulnerable network is a red flag to a competent adversary.
  • Invest in pocket litter. Empty realism is a giveaway.
  • Brief non-obvious stakeholders early: Legal, HR, and Corporate Communications, not just InfoSec and IT.
  • Engage the terrain, never the adversary’s infrastructure. No hack-back.

10. Tools for Adversary Engagement

ToolDescriptionLink
MITRE Engage Matrix ExplorerSelect and document EAC activities, filter by ATT&CK IDengage.mitre.org
ATT&CK NavigatorVisualize the emulated actor TTP profile and mapped Engage activitiesmitre-attack.github.io
OpenCanaryPython low-interaction honeypot (SMB, HTTP, SSH, FTP, Telnet) for luresthinkst.com
CanarytokensHoneytoken generation for pocket litter (docs, URLs, creds)canarytokens.org
SysmonSystem activity monitoring on decoy Windows hostssysinternals.com
Wireshark / tcpdumpNetwork-level interaction loggingwireshark.org
Elastic Stack / SplunkAggregate and correlate decoy telemetryelastic.co

11. MITRE ATT&CK Mapping

ATT&CK IDTechniqueEngage Counter-Activity / Signal
T1018Remote System DiscoveryEAC0005 Lures (decoy hosts appear in scans)
T1135Network Share DiscoveryEAC0005 Lures, EAC0006 Application Diversity
T1078Valid AccountsDecoy credentials, 4648/4624 on use
T1021.002SMB / Windows Admin SharesEAC0003, Event ID 5140/5145
T1083File and Directory DiscoveryEAC0011 Pocket Litter (canarytoken on access)
T1071Application Layer Protocol (C2)EAC0003, Sysmon Event 22 DNS query
T1560Archive Collected DataObserved during Elicit-phase operations
T1005Data from Local SystemElicitation via manipulated/fake data

Summary

  • MITRE Engage turns inevitable compromise into leverage by pairing denial and deception inside strategic planning and analysis to drive up adversary cost and drive down adversary value.
  • The Engage Matrix runs Prepare, Expose, Affect, Elicit, Understand, with everything ID-tagged under the SGO/EGO/SAP/EAP/SAC/EAC scheme; SAP0001 (Planning) and SAP0002 (Analysis) are the bookends Shield lacked.
  • The 10-Step Process (Prepare, Operate, Understand) forces objectives, narrative, stakeholders, RoE, and exit criteria before a single lure goes live.
  • Map ATT&CK behavior to weakness to activity: T1018 discovery becomes an opportunity to plant EAC0005 Lures, so every deception is justified by observed adversary behavior.
  • Instrument decoys with Sysmon (Event IDs 1, 3, 11, 22) and Windows auditing (5140, 4624, 4648) for zero-false-positive, high-fidelity alerts, keep the environment isolated and believable, and engage the terrain, never hack back.

Related Tutorials

References

Get new drops in your inbox

Windows internals, exploit dev, and red-team write-ups - no spam, unsubscribe anytime.