Active Defense
What is Active Defense?
Active Defense: A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets.
Active defense covers techniques that increase the cost and risk for attackers without crossing into illegal hack-back. It includes deception (honeypots, honeyfiles, decoy accounts), threat hunting, in-network engagement, tarpits, beacon-tainted documents, and intelligence gain/loss operations. The MITRE Engage framework formalised the discipline, replacing the older Shield project, and groups techniques such as collection, detection, disruption, reassurance, and motivation. Active defense is performed entirely on assets the defender owns or controls. It complements traditional detection and response by shaping attacker behaviour, generating high-quality telemetry, and producing actionable threat intelligence.
A useful way to scope the discipline is the "annoyance, attribution, and attack" spectrum popularised by the SANS-associated Active Defense Harbinger Distribution (ADHD): only the first two are lawful for most organisations, while "attack" — hacking the adversary's own infrastructure — generally violates the US Computer Fraud and Abuse Act and equivalent laws abroad. Practical, defensible tools include canary tokens (Thinkst Canarytokens), SSH tarpits such as Endlessh, the historical LaBrea tarpit, and decoy credentials planted in LSASS or the browser to trip credential-theft tooling. Each fires a high-fidelity alert because a legitimate user has no reason to ever touch them, which slashes false positives compared with signature-based alerts.
Engagement also yields intelligence: a honeyfile beacon can reveal an exfiltration endpoint, and a decoy Active Directory account that suddenly authenticates exposes lateral movement in progress. Defenders must weigh "intelligence gain/loss" — the risk that interacting with an adversary tips them off and burns the deception — and keep every action inside owned infrastructure to remain on the right side of the law.
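The honeyfile beacon described above needs two pieces: a token that is bound to where the decoy was planted, and a callback handler that turns a hit into an alert while ignoring forged or mangled tokens. The following is an added example, not code from the page or from any canary product; the signing key, the callback host `canary.example.invalid` and the `/t/<token>.png` path are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key; a real deployment keeps it in a vault, never in the honeyfile.
SECRET = b"demo-canary-signing-key-not-for-production"
# Hypothetical callback host: the beacon only has to make one HTTP request here.
CALLBACK_HOST = "canary.example.invalid"


def mint_token(label: str, secret: bytes = SECRET) -> str:
    """Bind a random nonce to a label (where the decoy lives) and sign it, so a
    callback cannot be forged or pointed at a different decoy."""
    payload = f"{label}|{secrets.token_hex(4)}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()[:24]
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{tag}"


def beacon_url(token: str) -> str:
    """URL to embed in the honeyfile, e.g. as a remote image reference in a .docx."""
    return f"https://{CALLBACK_HOST}/t/{token}.png"


def verify_token(token: str, secret: bytes = SECRET) -> Optional[str]:
    """Return the planted label if the signature checks out, otherwise None."""
    body, _, tag = token.rpartition(".")
    if not body or not tag:
        return None
    try:
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()[:24]
    if not hmac.compare_digest(expected, tag):
        return None
    label, _, _ = payload.decode(errors="replace").partition("|")
    return label


def handle_callback(path: str, src_ip: str, user_agent: str) -> Optional[dict]:
    """Turn a request on the callback host into a high-fidelity alert. Legitimate
    users never open honeyfiles, so any valid hit is worth escalating; invalid
    tokens are scanner noise or tampering and are logged rather than alerted."""
    if not path.startswith("/t/") or not path.endswith(".png"):
        return None
    label = verify_token(path[len("/t/"):-len(".png")])
    if label is None:
        return None
    return {"severity": "high", "decoy": label, "src_ip": src_ip, "user_agent": user_agent}
```

The source address and user agent of the hit are the exfiltration-side intelligence the paragraph refers to; the label tells you which share or host the document was lifted from.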
```mermaid
flowchart LR
    A[Adversary inside network] --> B{Touches decoy?}
    B -- Yes --> C[High-fidelity alert]
    B -- No --> D[Routine monitoring]
    C --> E[Engage: tarpit / observe]
    E --> F[Collect TTPs and IOCs]
    F --> G[Disrupt and evict]
    G --> H[Feed threat intelligence]
```
● Examples
1. Tarpitting a scanner by holding its TCP connections open for minutes.
2. Seeding a honeyfile with a beacon to identify exfiltration destinations.
● Frequently asked questions
What is Active Defense?
A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets. It belongs to the Defense & Operations category of cybersecurity.
What does Active Defense mean?
A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets.
What are other names for Active Defense?
Common alternative names include: Defensive cyber operations, Adversary engagement.