Active Defense
What is Active Defense?
Active Defense: A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets.
Active defense covers techniques that increase the cost and risk for attackers without crossing into illegal hack-back. It includes deception (honeypots, honeyfiles, decoy accounts), threat hunting, in-network engagement, tarpits, beacon-tainted documents, and intelligence gain/loss operations. The MITRE Engage framework formalised the discipline, replacing the older Shield project, and groups techniques such as collection, detection, disruption, reassurance, and motivation. Active defense is performed entirely on assets the defender owns or controls. It complements traditional detection and response by shaping attacker behaviour, generating high-quality telemetry, and producing actionable threat intelligence.
● Examples
- 01: Tarpitting a scanner by holding its TCP connections open for minutes.
- 02: Seeding a honeyfile with a beacon to identify exfiltration destinations.
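As an added example (not code from the original page), one way a defender might implement the beacon-tainted honeyfile of example 02: each decoy gets an HMAC-derived beacon hostname under a placeholder domain, and DNS log lines are matched back to the decoy that was opened and the address that resolved it. The log format, beacon domain, key and sample lines are all constructed assumptions.

```python
"""Correlate honeyfile beacon callbacks with the planted decoys.

Each honeyfile embeds a unique hostname (token.BEACON_DOMAIN); when the
document is opened, the viewer resolves it. Matching the token in DNS logs
tells the defender which decoy was touched and from where.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

BEACON_DOMAIN = "beacon.example"  # constructed placeholder domain (assumption)
SECRET = b"rotate-me-per-deployment"  # per-deployment key (assumption)


def beacon_token(path: str) -> str:
    # HMAC keeps tokens unguessable: reading one decoy does not reveal the rest.
    return hmac.new(SECRET, path.encode(), hashlib.sha256).hexdigest()[:16]


def beacon_hostname(path: str) -> str:
    return f"{beacon_token(path)}.{BEACON_DOMAIN}"


@dataclass(frozen=True)
class Hit:
    honeyfile: str
    source_ip: str
    ts: str


# Assumed log shape: "<timestamp> <client-ip> <queried-name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+)$")


def correlate(honeyfiles, log_lines):
    """Return one Hit per log line whose queried name carries a known token."""
    by_token = {beacon_token(p): p for p in honeyfiles}
    suffix = "." + BEACON_DOMAIN
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        token = qname[: -len(suffix)].split(".")[-1]  # innermost label
        if token in by_token:
            hits.append(Hit(by_token[token], m["src"], m["ts"]))
    return hits


# Constructed sample data: two decoys, three DNS log lines (one real hit).
HONEYFILES = ["/finance/Q3_payroll_FINAL.xlsx", "/hr/exec_salaries.docx"]
SAMPLE_LOG = [
    "2024-05-01T10:01:58Z 10.0.4.22 www.example.org.",
    f"2024-05-01T10:02:11Z 203.0.113.9 {beacon_hostname(HONEYFILES[0]).upper()}.",
    f"2024-05-01T10:02:40Z 198.51.100.7 deadbeefdeadbeef.{BEACON_DOMAIN}.",
]
```

The uppercase query in the second sample line shows why names are lowercased before matching, and the unknown token in the third line is ignored rather than reported.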
● Frequently asked questions
What is Active Defense?
A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets. It belongs to the Defense & Operations category of cybersecurity.
What does Active Defense mean?
A defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets.
How does Active Defense work?
Active defense covers techniques that increase the cost and risk for attackers without crossing into illegal hack-back. It includes deception (honeypots, honeyfiles, decoy accounts), threat hunting, in-network engagement, tarpits, beacon-tainted documents, and intelligence gain/loss operations. The MITRE Engage framework formalised the discipline, replacing the older Shield project, and groups techniques such as collection, detection, disruption, reassurance, and motivation. Active defense is performed entirely on assets the defender owns or controls. It complements traditional detection and response by shaping attacker behaviour, generating high-quality telemetry, and producing actionable threat intelligence.
What are other names for Active Defense?
Common alternative names include: Defensive cyber operations, Adversary engagement.
● Related terms
- defense-ops (№ 293)
Deception Technology
A defensive approach that deploys decoys, breadcrumbs, and fake assets across the environment to detect, mislead, and study attackers with high fidelity.
- network-security (№ 485)
Honeypot
A decoy system or service deliberately exposed to attract attackers, observe their techniques, and divert them from production assets.
- defense-ops (№ 483)
Honeyfile
A decoy document planted in storage to trigger an alert if an attacker or insider reads, copies, or exfiltrates it.
- defense-ops (№ 1147)
Threat Hunting
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- defense-ops (№ 456)
Hack-Back
Offensive retaliatory action by a private victim against an attacker's infrastructure, generally illegal under most national computer-misuse laws.
- compliance (№ 687)
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
● See also
- Honey Account (№ 482)