Researcher of Chung-Shan Institute of Science and Technology, Researcher of Telecom Labs., Chung-Hwa Telecom, Senior Consulting Engineer of Cisco System APAC, Senior Manager of Cisco System Japan, Senior Solution Architect of Cisco System Greater China, Technical Consultant of Attivo Networks.
With the help of MITRE ATT&CK, EDR technologies have improved steadily over the last few years and have reached a high level of maturity and sophistication. According to MITRE evaluation results, many vendors can now detect 80% to 90% of the steps in simulated attacks, and the best-performing vendor can even provide 100% coverage. This is indeed a great achievement. However, in real-world scenarios there is a lot of noise that attackers can leverage to hide their operations, and detecting them becomes a matter of "looking for a needle in a haystack." This is the main reason MITRE is now promoting the new Engage Framework: an active defense approach that engages with attackers in real time, accurately detects their presence at a very early stage of the breach, and then cuts them off before they can damage the enterprise.