A growing number of states have started pointing to the customary doctrine of countermeasures as the most feasible unilateral remedy in the case of a malicious cyber operation carried out by an adversarial actor. The legal requirements for successfully invoking a right to resort to countermeasures are therefore analysed in depth. In particular, the chapter deals with state policies such as 'active cyber defences' and 'hacking back' as reactions to cybersecurity incidents, and with their lawfulness as countermeasures. After examining the pervasive problem of attribution in cyberspace, the chapter investigates the duty of states to prevent malicious cyber operations emanating from their territory and the standard of due diligence in this regard. The chapter concludes by considering the invocation of countermeasures for the purpose of guarantees of non-repetition and reparation in the aftermath of a cybersecurity incident.