MITRE Engage
a planning framework for adversary engagement, deception, and denial

MITRE Engage: a planning framework for adversary engagement, deception, and denial

MITRE Engage is a planning framework for adversary engagement, deception, and denial. It gives security teams a structured way to think about how a defensive estate can be operated so adversary behaviour is surfaced earlier, shaped during the engagement, and converted into durable threat intelligence at engagement close. Where MITRE ATT&CK catalogues offensive techniques and MITRE D3FEND catalogues defensive countermeasures, MITRE Engage sits on the strategy layer above both and answers the operating question of how the defence should engage the adversary across three goals (Expose, Affect, Elicit) and five activity classes (Prepare, Collect, Detect, Prevent, Direct). Engage absorbs and supersedes the earlier MITRE Shield active-defence matrix as the maintained reference.

For detection engineering teams, threat intelligence and threat hunting teams, incident response and SOC teams, security engineering and platform teams owning the decoy infrastructure, security architecture teams designing the operating environment that makes the engagement plausible, AppSec and product security teams handing off adversary observations to the operating defensive estate, GRC and compliance teams reading detection-and-response evidence against NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, PCI DSS, CIS Controls, DORA, and NIS2, and CISOs carrying the board risk-committee read on adversary-engagement coverage, MITRE Engage is the strategic operating frame the engagement record reads against. The value is the planning structure that turns adversary engagement from a per-tool exercise into a per-engagement, per-adversary operating record.

This page covers how Engage is structured (three goals, five activity classes, the Engage matrix), how the pairing with ATT&CK and D3FEND works mechanically, how to run an adversary-engagement programme end to end, where Engage sits next to ATT&CK, D3FEND, MITRE Shield, MITRE CALDERA, NIST CSF 2.0, and honeypot tools, the audience read for detection engineering, threat intelligence, incident response, security engineering, GRC, and CISO functions, the framework crosswalk the same engagement record satisfies, and how SecPortal operates a MITRE Engage engagement as one structured record.

The three Engage goals

Engage organises adversary-engagement strategy across three top-level goals, each named for what the defensive estate is trying to accomplish against the adversary at that step. The goals are not severity-ranked; they are objective-ranked against the operating shape of an adversary-engagement programme, and a single Engage activity often reads against more than one goal. The goals give the framework its navigable shape; the activities underneath each goal give the per-engagement evidence the operating record reads against.

The five activity classes underneath the goals

Engage organises the per-engagement operating layer across five activity classes that anchor the planning, the baseline, the observation, the hardening, and the deliberate environmental change underneath the three goals. The activity classes give the engagement a temporal shape (Prepare and Collect happen before any adversary interaction; Detect runs continuously; Prevent runs against the precondition surface; Direct is the visible operating layer the goals are anchored to) and the engagement record reads against named activities rather than against abstract goal-level claims.

The Engage matrix and the pairing with ATT&CK and D3FEND

Engage is a planning matrix, not a checklist, and the pairing with the other MITRE knowledge bases happens at the strategy-and-technique level. Naming the join surface is the difference between an engagement record that survives an architectural review and one that does not. The mechanic below is the structural pairing the matrix supports; tag accordingly so the engagement record reads against the full MITRE family at once.

Planning principles that survive contact with the adversary

Most adversary-engagement programmes start strong on framework fidelity and decay because engagement design happens against a generic adversary and the operating posture is set up and torn down per exercise. By then the cycle-over-cycle signal is gone, the plausibility of the operating posture has drifted, and the engagement record ends up as a one-time report rather than a durable artefact. Build the discipline into the engagement charter so the operating record is derived from named-adversary work, not from improvisation.

Running an adversary-engagement programme end to end

Adversary-engagement work benefits from MITRE Engage even when the engagement is a single application scope, a single network segment, or a single operating-system class. The matrix gives the work a structure that connects the named threat model, the named operating environment, the Direct-stage operating posture, and the engagement-time interactions on one record. The workflow below assumes the engagement is run as a structured project on SecPortal rather than a collection of ad-hoc artefacts. For the operational ground covered alongside engagement at exercise time, the purple team operations workflow applies the same per-action evidence discipline with the detection outcome captured inline.

Routines that read against the Engage matrix

Engage is closest to its operational shape during the recurring routines that read the adversary-engagement posture against the threat model. The routines below all read against the same engagement record on SecPortal; the value comes from the cycle-over-cycle comparison the engagement record supports.

Recurring failure modes that weaken an Engage record

Programmes that struggle with Engage typically hit a small set of recurring failure modes. Naming the failure modes up front lets the engagement design controls to avoid them rather than discovering them during the report review or the audit fieldwork.

How Engage sits next to ATT&CK, D3FEND, Shield, CALDERA, NIST CSF 2.0, and honeypot tools

Engage is rarely used in isolation. It is the per-engagement strategy layer that the offensive knowledge base, the defensive countermeasure graph, the outcome-oriented framework, the test-execution platform, and the implementation-side honeypot tools all read into. The contrast below is a working view, not a buyer comparison: the practitioner question is which artefacts to pair Engage with, not which to pick instead of it.

Buyers procuring an adversary-engagement programme should pair the Engage operating record with MITRE ATT&CK as the offensive technique catalogue the engagement reads against, with MITRE D3FEND as the per-technique defensive countermeasure catalogue the Engage activities implement against, with continuous threat exposure management as the programme discipline the engagement reads through, with CREST and TIBER-EU as the assurance frameworks the threat-led testing cycle reads against, and with the threat modelling guide on the planning side.

How auditors and regulators read an Engage citation

Engage is not itself a regulator-issued standard; it is the open adversary-engagement strategy framework that regulator-issued standards, audit frameworks, and procurement processes accept as the per-engagement evidence record for detection-and-response work. The list below maps Engage to the regulator-side and audit-side references that read against it; the same engagement record satisfies several reads at once when the per-activity evidence is honest.

For the broader audit-evidence story (how the same finding can satisfy multiple regulator reads without rebuilding the evidence pack per audit), see the vulnerability evidence reuse across audits research and the multi-framework control crosswalk economics research. The validation discipline that reads outputs from Engage-tagged exercises is covered in the control validation vs detection validation pairing research.

The Engage read across detection-and-response functions

Engage is a cross-functional artefact. The same engagement record reads differently depending on which function holds the work. Programmes that run adversary engagement as a SOC exercise alone lose the architectural depth the framework supports; programmes that run it as a CISO scorecard alone lose the engineering depth. The named functions below own different parts of the same per-engagement operating record.

The persona-specific entry points are SecPortal for detection engineering teams, SecPortal for security engineering teams, SecPortal for incident response leads, SecPortal for internal security teams, SecPortal for security architects, and SecPortal for CISOs. Each anchors a different view of the same MITRE Engage engagement record.

Adjacent MITRE and threat-engagement references

Engage reads alongside several other MITRE and threat-engagement references. Each one covers a different slice of the operating model; Engage is the per-engagement strategy artefact that converts the references into a verifiable adversary-engagement record.

Running an Engage programme on SecPortal

SecPortal is the operating record for an adversary-engagement programme, not a replacement for the MITRE Engage matrix or the deception platform. The platform holds the in-scope threat model, the in-scope Engage activity set, the in-scope ATT&CK technique scope, the in-scope D3FEND defensive technique pairing, the Direct-stage operating posture inventory, the engagement-time interaction record, and the report that ties them together. Coverage tracking, the cross-engagement comparison, and the next-cycle activity roadmap live alongside the same findings management record that drives CVSS scoring and remediation. For multi-framework programmes, the same finding can carry an Engage activity tag, an ATT&CK technique tag, a D3FEND tag, and a mapping to NIST CSF 2.0, NIST SP 800-53, ISO 27001, SOC 2, PCI DSS, or CIS Controls without re-keying anything.

Honest scope: what SecPortal does not do

Engage work runs across multiple specialist tools, identities, and legal authorities the SecPortal product does not replicate inline. The honest scope below names the boundaries so the engagement record reads against the verified product surface and the externally produced artefacts attach through document management rather than implying the platform performs work it does not perform.

The operational workstreams the Engage programme reads against already exist as named use cases on SecPortal. The red team workflow carries the offensive technique evidence the Engage Detect and Affect stages read against. The purple team operations workflow captures the per-action outcome on the same engagement record at exercise time. The threat-led penetration testing workflow runs the named-adversary exercise the Engage operating posture is validated against. The continuous threat exposure management cycle runs the programme-level exposure-management discipline the Engage operating posture reads through. The emerging vulnerability and CVE watch program feeds the new-technique signals into the Engage refresh cycle. The security leadership reporting workflow reads the engagement record to the audit committee and board risk committee.

Related reading on SecPortal

• MITRE ATT&CK is the offensive technique knowledge base Engage pairs with on the strategy layer through named adversary action references on every engagement record.
• MITRE D3FEND is the defensive countermeasure knowledge graph the Engage activities read against on the implementation side through Digital Artefact pairing.
• Cyber Defense Matrix (CDM) explained (blog) is the portfolio-mapping framework that places the Engage activities into named cells (Detect Devices, Detect Networks, Respond across asset classes) so the engagement record reads against the wider security capability map.
• NIST CSF 2.0 is the outcome-oriented cybersecurity framework whose Detect and Respond functions read against the Engage engagement-record evidence.
• NIST SP 800-53 Rev 5 names decoy systems explicitly as a control class (SC-26 Decoys); MITRE Engage is the framework the operating evidence underneath SC-26 reads against.
• Continuous threat exposure management (CTEM) is the programme-level exposure-management discipline the Engage operating posture reads through.
• CREST penetration testing and TIBER-EU are the assurance frameworks the threat-led offensive cycle reads against, and the Engage operating posture is the long-running blue-team frame those exercises validate against.
• Threat modelling guide (blog) covers the threat-model layer that the Engage charter reads against on the planning side.
• Breach and attack simulation explained (blog) covers the simulation-side discipline that pairs with the Engage operating posture on the test-execution surface.
• Control validation vs detection validation pairing (research) covers the validation discipline that reads outputs from Engage-tagged exercises.
• Detection validation cycle economics (research) covers the cadence and cost-curve economics of the detection-validation cycle the Engage Detect-stage activities read against.
• Red team workflow carries the offensive technique evidence the Engage Detect and Affect stages read against.
• Purple team operations workflow captures the per-action outcome on the same engagement record at exercise time.
• Threat-led penetration testing workflow runs the named-adversary exercise the Engage operating posture is validated against.
• Continuous threat exposure management cycle runs the programme-layer exposure-management workflow the Engage operating posture reads through.
• SecPortal for detection engineering teams is the persona entry point for teams running Engage Detect-stage analytics as a working surface.
• SecPortal for incident response leads is the persona entry point for leads operating the live engagement-time interaction escalation path.

Engage rewards consistency over time more than any single engagement. Adversary interactions captured on this year's engagement become the baseline for next year's threat model, and the trend across engagements is what tells a CISO whether adversary engagement is actually producing durable threat intelligence against a moving threat picture. Run the work as a managed continuous threat exposure management cycle with Engage activity tagging in place from the first engagement, and the second engagement is far cheaper to scope, plan, and report than the first.