Traffic Encryption
Channels (or "groups", as we refer to them) are encrypted using AES256-CBC, as described above. When the traffic is conveyed over UDP, the entire UDP payload is encrypted. This means that an attacker has no reliable way to know whether the traffic is a known format (such as RTP) or a custom format implemented by the Engage Engine or by the application using the Engine (in the case of "raw" group types). Even if the attacker correctly assumes that the payload is a standards-based format such as RTP, the RTP headers themselves are encrypted and the entire payload is preceded by an initialization vector produced uniquely for each packet, so identical headers never produce identical ciphertext; this makes the task of cryptanalysis exponentially more computationally expensive.
When traffic is conveyed over TCP, which is the case for client connections to RallyPoints and for peer connections between RallyPoints operating in a mesh, that traffic is secured with TLS 1.3. This TLS-provided encryption is in addition to whatever encryption is already present for a group. Therefore, if the traffic for a group is encrypted, Engage always encrypts it at the group level and, when that traffic then flows through TLS, it is encrypted once again.
Engage generally views all traffic as packets conveyed over UDP. Even when the packets are conveyed over TCP, Engage still treats each one as a UDP datagram, i.e. as an atomic unit rather than as part of a byte stream. Essentially, Engage views TLS connections as secured tunnels (not unlike VPN connections) over which regular UDP datagrams are carried inside the TCP stream.
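The two mechanisms described above, whole-payload AES-256-CBC with a per-packet IV and datagrams carried atomically inside a TCP/TLS stream, are shown together in the following Go program. This is an added illustration written for this page, not Engage code: the IV-prefixed packet layout, the PKCS#7 padding, and the 2-byte length-prefix framing used to keep each datagram atomic inside the stream are assumptions chosen for the example, the key is a constructed demo value, and the RTP-like header bytes are constructed sample input. The example adds no integrity tag because the page describes none; what Engage does beyond this description is not known from this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad brings a payload up to a whole number of AES blocks (CBC needs that).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad reverses pkcs7Pad and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptDatagram encrypts the whole UDP payload, headers included, with
// AES-256-CBC under a fresh random IV and returns IV || ciphertext.
// The IV-prefix layout is an assumption for this example.
func EncryptDatagram(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // unique per packet, never reused
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(payload)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// DecryptDatagram splits off the leading IV, decrypts, and strips padding.
func DecryptDatagram(key, packet []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < 2*aes.BlockSize || len(packet)%aes.BlockSize != 0 {
		return nil, errors.New("packet too short or not block aligned")
	}
	pt := make([]byte, len(packet)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, packet[:aes.BlockSize]).CryptBlocks(pt, packet[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// FrameForStream prefixes each encrypted datagram with a 2-byte big-endian
// length so it stays one atomic unit inside a TCP (TLS) byte stream.
// This framing is an assumption for the example, not Engage's wire format.
func FrameForStream(datagrams [][]byte) ([]byte, error) {
	var stream []byte
	var hdr [2]byte
	for _, d := range datagrams {
		if len(d) > 0xFFFF {
			return nil, errors.New("datagram exceeds 16-bit length prefix")
		}
		binary.BigEndian.PutUint16(hdr[:], uint16(len(d)))
		stream = append(append(stream, hdr[:]...), d...)
	}
	return stream, nil
}

// UnframeFromStream recovers whole datagrams; a truncated stream is an error.
func UnframeFromStream(stream []byte) ([][]byte, error) {
	var out [][]byte
	for len(stream) > 0 {
		if len(stream) < 2 {
			return nil, errors.New("truncated length prefix")
		}
		n := int(binary.BigEndian.Uint16(stream))
		stream = stream[2:]
		if len(stream) < n {
			return nil, errors.New("truncated datagram")
		}
		out = append(out, stream[:n])
		stream = stream[n:]
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                                // constructed demo key only
	rtpLike := append([]byte{0x80, 0x60, 0x00, 0x01}, []byte("audio")...) // constructed RTP-like payload
	p1, _ := EncryptDatagram(key, rtpLike)
	p2, _ := EncryptDatagram(key, rtpLike)
	fmt.Println("same plaintext gives identical ciphertext:", bytes.Equal(p1, p2)) // false: per-packet IV
	stream, _ := FrameForStream([][]byte{p1, p2})
	got, _ := UnframeFromStream(stream)
	pt, _ := DecryptDatagram(key, got[1])
	fmt.Println("tunnelled datagram round-trips:", bytes.Equal(pt, rtpLike))
}
```

Encrypting the same RTP-like header twice yields two unrelated ciphertexts because the IV changes per packet, which is the property the text relies on: a fixed header layout gives an observer nothing to match on. The framing functions show why Engage can treat TCP-carried traffic as datagrams: the stream is only a carrier, and each unit is reassembled whole before the group-level decryption runs.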