"MIRV (Metasploit's Incident Response Vehicle) is a new tool (based on Metasploit's meterpreter) which was created to address the perceived shortcomings in existing host-based incident response tools: they do not operate on large amounts of nodes, are difficult to get past change advisory boards that grant approval for deployment, are not stealthy and do not have the ability to be safely extended. MIRV's main design feature are the embedded Lua micro-agents to monitor various system activity events and the ability to act on those events using the full flexibility and most importantly - safety of Lua. It also revives the discussion of active defence - not just alarms, but traps: can the defender use the attacker's connection to obtain some information about the attacker's system, or even attack the attacker's system? An example based on terminal services shared drive feature is presented. MIRV's features can also be used for offence as a flexible rootkit and some examples are given."