MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.


Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.

Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets.

ID: DTE0022
Tactics:  Contain Detect Disrupt


DOS0010 There is an opportunity to test hardware additions in an isolated environment and ensure they can't be used by an adversary.
DOS0012 There is an opportunity to prevent an adversary from using removable media to compromise disconnected or air-gapped systems.
DOS0160 There is an opportunity to detect an unknown process that is being used for command and control and disrupt it.

Use Cases

DUC0010 A defender can install any suspect hardware on an isolated system and monitor for non-standard behaviors.
DUC0014 A defender can setup protections so removeable media cannot be mounted until an isolated review process has cleared the drive.
DUC0160 A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet.


DPR0040 Unplug an infected system from the network and disable any other means of communication.
DPR0066 Run all user applications in isolated containers to prevent a compromise from expanding beyond the container's boundaries.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1091 Replication Through Removable Media Lateral MovementInitial Access
T1104 Multi-Stage Channels Command and Control
T1200 Hardware Additions Initial Access