Too often, companies are playing defense while hackers, hacktivists and foreign governments are on the offensive. Laws, treaties, and public policy disfavor “self-help” in preventing attacks, in probing attackers, and in retribution against or punishment of hackers. Laws that punish “intentional access without authorization,” “intentional access in excess of authorization,” or willful harm or damage to computers or computer networks punish attacker and defender alike, and recent prosecutions in the US and UK highlight the fact that companies intent on using “active defense” are on perilous legal ground. Yet the law has always recognized a right – both statutory and under common law – to defense of self and defense of property, and the right of an individual or entity to protect its assets with force. Legal exclusions for authorized criminal investigations or intelligence activities, coupled with the law of self-defense, may provide legal cover for some forms of active defense, but entities still must wrestle with civil damage and negligence liability, with problems of attribution and misattribution, and with other legal and policy issues that come with taking the law into one’s own hands. Venue and jurisdictional issues further complicate an entity’s authority to actively defend its data or network, or to deploy beacons, dye packs or other technology designed to identify hackers or to destroy hacker networks. This session will discuss the nature of the law and policy for active defense, and propose some solutions that balance the needs of the defender against the needs of others in the community.