Vol. 1 · Ed. 2026
CyberGlossary
Entry № 689

MITRE Engage

What is MITRE Engage?

MITRE Engage: An adversary engagement framework from MITRE that codifies deception, denial, and engagement activities for defenders, superseding the earlier MITRE Shield knowledge base.


MITRE Engage is a framework released by MITRE in 2022 that replaces the experimental MITRE Shield matrix and aligns defensive deception, denial, and adversary-engagement operations with MITRE ATT&CK. The framework organises defensive activities under three top-level goals — Expose, Affect, Elicit — supported by approaches such as Plan, Prepare, and Understand. Each activity (for example Decoy Account, Lures, Network Diversity, Behavioral Monitoring) is mapped to ATT&CK techniques to enable defenders to design honeypots, decoys, deceptive credentials, and high-fidelity tripwires against documented adversary behaviors. Engage is openly licensed and intended for red, blue, and CTI teams that want to move beyond passive detection toward planned engagement.

Examples

  1. Deploying decoy Active Directory service accounts whose use triggers a MITRE ATT&CK T1078 alert and feeds an Engage Elicit goal.

  2. Designing a deception lure on a public file share to detect adversaries performing T1083 File and Directory Discovery.
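
Both examples above reduce to the same tripwire logic: any touch of an asset that has no legitimate use is an alert, tagged with the Engage activity and the ATT&CK technique it maps to. The sketch below is an added example, not part of the Engage framework or of this entry; the decoy account name, lure path, and events are constructed, and the events use a simplified subset of Windows Security log fields.

```python
import json

# Hypothetical deception inventory; every name here is an assumption.
DECOY_ACCOUNTS = {"svc-sqlreport-old"}                 # decoy AD service account
LURE_FILES = {("public", "it\\vpn-credentials.xlsx")}  # (share, path) of the lure

AUTH_EVENT_IDS = {4624, 4625, 4768}  # logon success, logon failure, Kerberos TGT request
SHARE_EVENT_ID = 5145                # detailed file share access check

def classify(event):
    """Return a tripwire alert for any touch of a decoy account or lure, else None."""
    eid = event.get("EventID")
    if eid in AUTH_EVENT_IDS:
        user = (event.get("TargetUserName") or "").lower()
        if user in DECOY_ACCOUNTS:
            # No legitimate process uses a decoy, so even a failed logon is a signal.
            return {"engage_activity": "Decoy Account", "attack": "T1078",
                    "asset": user, "source": event.get("IpAddress"), "event_id": eid}
    elif eid == SHARE_EVENT_ID:
        share = (event.get("ShareName") or "").lower()
        path = (event.get("RelativeTargetName") or "").lower()
        if (share, path) in LURE_FILES:
            return {"engage_activity": "Lures", "attack": "T1083",
                    "asset": f"{share}\\{path}", "source": event.get("IpAddress"),
                    "event_id": eid}
    return None

def scan(lines):
    """Parse JSON-lines events, skipping malformed input, and collect alerts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event) if isinstance(event, dict) else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events (simplified field set, not real telemetry).
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.5.11"},
    {"EventID": 4768, "TargetUserName": "SVC-SQLReport-Old", "IpAddress": "10.0.5.23"},
    {"EventID": 5145, "ShareName": "Public", "RelativeTargetName": "hr\\handbook.pdf",
     "IpAddress": "10.0.5.11"},
    {"EventID": 5145, "ShareName": "Public", "RelativeTargetName": "IT\\vpn-credentials.xlsx",
     "IpAddress": "10.0.5.23"},
)] + ["{truncated"]
```

Because nothing legitimate should ever reference these assets, the match needs no baseline or threshold, which is what makes such tripwires high-fidelity.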

Frequently asked questions

What is MITRE Engage?

An adversary engagement framework from MITRE that codifies deception, denial, and engagement activities for defenders, superseding the earlier MITRE Shield knowledge base. It belongs to the Defense & Operations category of cybersecurity.


How do you defend against MITRE Engage?

MITRE Engage is itself a defensive framework rather than a threat; putting it into practice combines technical controls and operational practices, as detailed in the full definition above.

What are other names for MITRE Engage?

Common alternative names include: Engage, MITRE Engage Matrix.