
MITRE ATT&CK v19 Drops April 28: How to Prepare Your SOC for the Defense Evasion Split

Update: MITRE ATT&CK v19 Is Live: What Defense Impairment (TA0112) Means for Your SOC

MITRE ATT&CK v19 dropped on April 28, 2026, and the headline change is exactly what we expected: Defense Evasion (TA0005), the framework’s most bloated tactic, has been split. We covered the rationale and early previews back in October, and we previewed the operational implications when the ATT&CK team’s split blog went live. Now the IDs are published, the crosswalk is out, and there are a few specifics worth knowing before you start remapping.

No adversary changed their behavior on April 28. The threats hitting your environment that morning were the same ones from the day before. What changed is how we categorize and organize our response to them. The real opportunity is using this disruption as a reason to pressure-test whether your detections actually work.

ATT&CK v19 in brief: The Defense Evasion tactic (TA0005) has been split into two new tactics. Stealth covers techniques where adversaries hide malicious activity within legitimate behavior, and it inherits the TA0005 tactic ID. Defense Impairment covers techniques where adversaries actively disable, degrade, or compromise security controls; it receives the new tactic ID TA0112. The former parent technique T1562 (Impair Defenses) has been merged with two of its sub-techniques into a new technique, T1685: Disable or Modify Tools. Some techniques are now mapped to both Stealth and Defense Impairment, because adversary intent is not always clean.

Stealth vs. Defense Impairment: Two Tactics, Two Different Problems

Defense Evasion has been replaced by two tactics scoped to adversary intent:

Stealth captures techniques where adversaries make malicious activity look like legitimate behavior. Your defenses are still running. The adversary is operating below the detection threshold by blending in: masquerading (T1036), obfuscated files (T1027), system binary proxy execution (T1218), hiding artifacts (T1564). Your EDR sees these events. The problem is distinguishing them from the thousand other normal things happening on your network at any given moment.

Defense Impairment captures techniques where adversaries actively degrade, disable, or compromise the integrity of your security controls. Stopping your logging pipeline, tampering with your EDR agent (T1685: Disable or Modify Tools), subverting trust controls at the certificate layer (T1553.004), modifying file and directory permissions to cut off defender access (T1222). Your tools are not being fooled here. They are being broken.

A note on dual mapping: MITRE has been explicit that some techniques will appear under both Stealth and Defense Impairment, because adversaries do not always operate cleanly within one intent. Treat the split as a clearer lens for triage, not a hard partition.

Stealth vs. Defense Impairment: Key Differences in ATT&CK v19

| | Stealth | Defense Impairment |
|---|---|---|
| Adversary intent | Hide malicious activity within legitimate behavior | Disable, degrade, or compromise security controls |
| Your defenses | Still running, but being fooled | Being actively broken or silenced |
| Example techniques | Masquerading (T1036), obfuscated files (T1027), system binary proxy execution (T1218), hiding artifacts (T1564) | Disable or Modify Tools (T1685), subverting trust controls (T1553.004), modifying permissions (T1222), Exploitation for Defense Impairment (T1687) |
| Detection approach | Behavioral correlation and anomaly hunting across legitimate-looking events | Monitoring for the absence of expected signals and control integrity validation |
| Triage response | Hunting and correlation to confirm malicious intent | Immediate containment and integrity validation of affected controls |
| Tactic ID | Inherits TA0005 from Defense Evasion | TA0112 (newly published) |

Stealth is about hiding from your defenses. Defense Impairment is about breaking them. For triage, the difference is concrete: a Stealth alert calls for hunting and correlation, while a Defense Impairment alert calls for immediate containment and integrity validation of the affected control.

And that second category exposes what is probably the least-discussed gap in enterprise defense. If your EDR agent gets tampered with and stops reporting, how fast do you know? Most SOCs are built to respond to signals. Building detections around the absence of expected signals is a different discipline entirely, and most teams have not invested in it. Now that it has its own tactic and its own ID, the gap will be visible on every coverage dashboard. That is probably the point.
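The absence-of-signal discipline described above can be made concrete with a small heartbeat-gap rule. The following is an added example, not code from this post or from D3 or MITRE: it takes a constructed export of last-seen EDR agent heartbeats plus an asset inventory, flags hosts that have gone silent or never reported, and tags each finding with the v19 tactic and technique the post associates with agent tampering (TA0112, T1685) and the triage response the post prescribes for that tactic. The export format, host names, timestamps, and the tagging convention are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: last EDR agent heartbeat per host, as a SIEM export might provide.
# Timestamps are ISO 8601 UTC and illustrative, not real telemetry.
SAMPLE_HEARTBEATS = [
    ("ws-0017", "2026-04-28T09:58:00Z"),
    ("ws-0018", "2026-04-28T09:59:30Z"),
    ("srv-db-01", "2026-04-28T09:12:00Z"),   # stops reporting 48 minutes before "now"
    ("srv-db-01", "2026-04-28T08:40:00Z"),   # older heartbeat, superseded by the one above
    ("srv-web-02", "2026-04-28T10:00:00Z"),
]

# Constructed asset inventory: every host on which the agent is expected to run.
# srv-app-03 has produced no heartbeat in the window at all.
EXPECTED_HOSTS = {"ws-0017", "ws-0018", "srv-db-01", "srv-web-02", "srv-app-03"}


def parse_ts(value):
    """Parse the ISO 8601 UTC form used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_silent_agents(heartbeats, expected_hosts, now, max_gap=timedelta(minutes=15)):
    """Raise one alert per expected host whose heartbeat is missing or stale.

    The rule fires on two absence patterns:
      - the host has reported before, but more than max_gap has passed since its
        last heartbeat (agent stopped, unloaded, or its reporting path was cut)
      - the host is in inventory but produced no heartbeat in the window at all
    Each alert carries the v19 tactic and technique the post maps agent tampering
    to (TA0112 Defense Impairment, T1685 Disable or Modify Tools) and the triage
    response the post prescribes for that tactic. A missing heartbeat may turn out
    to be an outage, so the alert asks for integrity validation rather than
    asserting compromise.
    """
    last_seen = {}
    for host, ts in heartbeats:
        seen = parse_ts(ts)
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen

    alerts = []
    for host in sorted(expected_hosts):
        if host not in last_seen:
            reason, gap_minutes = "no heartbeat received in window", None
        else:
            gap = now - last_seen[host]
            if gap <= max_gap:
                continue
            reason, gap_minutes = "heartbeat stale", int(gap.total_seconds() // 60)
        alerts.append({
            "host": host,
            "reason": reason,
            "gap_minutes": gap_minutes,
            "tactic": "TA0112",
            "technique": "T1685",
            "response": "contain host; validate agent and logging integrity",
        })
    return alerts


if __name__ == "__main__":
    now = parse_ts("2026-04-28T10:00:00Z")
    for alert in find_silent_agents(SAMPLE_HEARTBEATS, EXPECTED_HOSTS, now):
        print(alert)
```

Run against the sample at 10:00 UTC, the rule reports srv-app-03 (never seen) and srv-db-01 (48 minutes stale) and stays quiet for the three hosts that reported within the 15-minute tolerance. The tolerance is the tunable that matters: set it from the agent's real check-in interval plus normal jitter, or the rule becomes the noisy detection the post warns about remapping into two buckets.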

ATT&CK v19 Operational Details: What Changed for SIEM and SOAR

The official ATT&CK v19 release post (by Amy L. Robertson) is worth reading in full, along with the earlier Defense Evasion split blog by Allison Henao and Alice Koeninger. Five details matter most for operations:

Stealth inherits TA0005. Any SIEM rule, dashboard, or report that references TA0005 will continue to match after April 28, but against a narrower set of behaviors than before. The label changed from “Defense Evasion” to “Stealth”; the ID did not.

Defense Impairment is TA0112. Any detection, playbook, or report that should cover defense-impairment behaviors needs to reference this new ID. If you do not add TA0112 coverage, you will have a blind spot in your tactic-level coverage that was not there before.

T1562 was merged into a new technique, T1685. The old parent T1562 (Impair Defenses), along with T1562.001 (Disable or Modify Tools) and T1562.006 (Indicator Blocking), have been merged into a new technique called T1685: Disable or Modify Tools. The remaining T1562 sub-techniques have been revoked and reissued under new IDs within Defense Impairment. If you have detection rules that reference T1562 or any of its sub-techniques, you need to consult the crosswalk for the new IDs.

Two new techniques arrived. T1687: Exploitation for Defense Impairment is the complement to the renamed T1211: Exploitation for Stealth (formerly Exploitation for Defense Evasion). If you previously mapped to T1211, decide per rule whether the adversary’s goal was hiding or breaking, and remap to T1687 where appropriate. T1686.003: Disable or Modify System Firewall: Windows Host Firewall is a new platform-specific sub-technique; review any existing T1686 mappings (formerly T1562.004) and re-map Windows-specific cases to T1686.003.

Social engineering got its own parent technique. T1684: Social Engineering is now the home for trust-based manipulation across email, voice, collaboration platforms, and help desk channels. Two existing techniques were restructured as sub-techniques: T1684.001: Impersonation and T1684.002: Email Spoofing. The detection strategy DET0899 focuses on the pattern that holds across channels: a suspicious interaction followed by an unusual user-authorized action, like a password reset, OAuth consent grant, financial approval, or credential submission.
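The cross-channel pattern DET0899 describes (a suspicious interaction followed by an unusual user-authorized action) is easy to express as a sequence correlation. The block below is an added illustration, not code from this post, from D3, or from MITRE's detection strategy: it walks a constructed, already-normalized event stream, pairs each interaction event with the authorized actions the same user performs within a time window, and tags the result with T1684 and DET0899. The event type names, channel values, users, and the 30-minute window are assumptions about a normalized SIEM schema, not ATT&CK-defined data components.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalised to one schema the way a SIEM might present
# identity, help desk, and mail telemetry. None of these are real users or incidents.
SAMPLE_EVENTS = [
    {"ts": "2026-04-29T13:02:00Z", "user": "jdoe", "type": "helpdesk_contact", "channel": "voice"},
    {"ts": "2026-04-29T13:09:00Z", "user": "jdoe", "type": "password_reset", "channel": "helpdesk_portal"},
    {"ts": "2026-04-29T13:15:00Z", "user": "jdoe", "type": "oauth_consent", "channel": "idp"},
    {"ts": "2026-04-29T08:00:00Z", "user": "asmith", "type": "password_reset", "channel": "self_service"},
    {"ts": "2026-04-29T11:00:00Z", "user": "bkhan", "type": "external_email", "channel": "email"},
    {"ts": "2026-04-29T16:30:00Z", "user": "bkhan", "type": "financial_approval", "channel": "erp"},
]

# The two halves of the DET0899 pattern as the post describes it: an interaction
# over some channel, then an action the user authorises. The concrete type names
# are assumptions about a normalised schema.
INTERACTION_TYPES = {"helpdesk_contact", "external_email", "chat_message", "inbound_call"}
AUTHORIZED_ACTION_TYPES = {"password_reset", "oauth_consent", "financial_approval", "credential_submission"}


def parse_ts(value):
    """Parse the ISO 8601 UTC form used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_social_engineering(events, window=timedelta(minutes=30)):
    """Pair each interaction with the user-authorised actions that follow it within window.

    One alert per interaction that was followed by at least one such action. The
    correlation is channel-agnostic on purpose: the post's point is that the
    interaction-then-action sequence is what holds across email, voice, chat, and
    help desk. Alerts are tagged at the T1684 parent level, since this telemetry
    cannot say whether the interaction was impersonation (T1684.001) or email
    spoofing (T1684.002); that call is left to the analyst.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, event in enumerate(ordered):
        if event["type"] not in INTERACTION_TYPES:
            continue
        start = parse_ts(event["ts"])
        follow_ups = [
            later["type"]
            for later in ordered[i + 1:]
            if later["user"] == event["user"]
            and later["type"] in AUTHORIZED_ACTION_TYPES
            and parse_ts(later["ts"]) - start <= window
        ]
        if follow_ups:
            alerts.append({
                "user": event["user"],
                "channel": event["channel"],
                "interaction_ts": event["ts"],
                "actions": follow_ups,
                "technique": "T1684",
                "detection_strategy": "DET0899",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_social_engineering(SAMPLE_EVENTS):
        print(alert)
```

On the sample, jdoe's voice contact with the help desk is followed within 30 minutes by both a password reset and an OAuth consent grant, so one alert fires with both actions attached; asmith's self-service reset has no preceding interaction, and bkhan's external email is too far from the later financial approval to correlate. Whether the pattern is malicious still requires an analyst, which is why the output is a tagged lead rather than a verdict.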

Three more facts worth keeping straight. First, most technique IDs did not change; only the tactic association moved, which is much less disruptive than a mass ID migration. Second, a small number of techniques left the former Defense Evasion space entirely and now live under tactics like Lateral Movement, Privilege Escalation, or Execution. Third, this is Enterprise-only; the Mobile and ICS matrices have separate updates of their own (more on that below). The crosswalk is live in JSON and CSV formats; both contain a per-technique breakdown of relocations, revocations, and merges, which is the fastest way to scope your remapping work.

Beyond the Split: The Rest of ATT&CK v19

The Defense Evasion split was the headline. The rest of v19 is worth a quick scan, especially if your coverage extends beyond Enterprise.

AI-enabled techniques. Two new techniques expand coverage of how adversaries use AI in their operations. T1682: Query Public AI Services covers using public AI services for target research and operational planning at scale. T1683: Generate Content, with sub-techniques T1683.001: Written Content and T1683.002: Audio-Visual Content, covers content development whether it is created manually, sourced through third parties, or AI-assisted. The framing here is consistent: ATT&CK is tracking the behavior, not the tool. AI makes these activities faster and cheaper to scale, but the underlying behavior is what defenders need to detect.

ICS sub-techniques. Five new parent techniques have been reorganized with sub-techniques to make ICS coverage more actionable. T1693: Modify Firmware separates system firmware (T1693.001) and module firmware (T1693.002). T1695: Block Communications covers Serial COM (T1695.001), Ethernet (T1695.002), and Wi-Fi (T1695.003). T0846: Remote System Discovery now distinguishes Port Scan, Broadcast Discovery, and Multicast Discovery. T0843: Program Download picks up Download All, Online Edit, and Program Append. And T1694: Insecure Credentials is a new technique with Default Credentials and Hardcoded Credentials as sub-techniques. The full ICS crosswalk is published.

Mobile detection strategies. ATT&CK’s detection strategies framework, launched last year for Enterprise, has now been applied to Mobile. The new strategies are vendor-agnostic, give explicit log sources and tunable parameters, and call out where visibility gaps remain. The example MITRE highlights, T1398 (Boot or Logon Initialization Scripts), now ships with platform-specific analytics for Android (AN1739) and iOS (AN1740) under detection strategy DET0654. That is the difference between knowing something is detectable and knowing how to detect it.

Threat intelligence additions worth flagging. The CTI updates that will most likely show up in your next threat brief: the Anthropic AI-orchestrated Campaign (C0062), capturing GTG-1002, an assessed PRC state-directed cluster that used Claude Code to autonomously execute most of a multi-stage espionage campaign; LAMEHUG (S9035), the first malware documented to query a large language model in live operations, associated with APT28; an updated MuddyWater (G0069) entry with new tooling; updates to Volt Typhoon (G1017); and the 2025 Poland Wiper Attacks (C0063), mapped as a cross-domain ICS and Enterprise campaign (alongside DynoWiper and LazyWiper) and documenting the first destructive wiper deployment against a NATO member’s energy infrastructure. T1660 (Phishing) has also been updated to capture AI-enabled voice phishing.

What to Do Now: A Remap Checklist

How much this disrupts your SOC depends on how tightly you have coupled operations to ATT&CK tactic and technique IDs. Teams with mature detection engineering practices will absorb v19 in a sprint. Teams that duct-taped SIEM rules and dashboards directly to TA0005 and T1562 have a bigger project on their hands, and probably a bigger problem than v19.

Pull the crosswalk first. The official Defense Evasion split crosswalk is live in JSON and CSV. The CSV is the fastest way to filter for techniques that changed type (“Revoked,” “Merged into new technique,” “Became new sub-technique”) and prioritize those for review. Start there.

Audit your TA0005 references. Search your SIEM rules, SOAR playbooks, dashboards, and reports for anything that filters on TA0005 or mentions Defense Evasion by name. Those will keep matching, but the label has changed and the technique set is narrower. Confirm each rule still does what you intended.

Find your T1562 rules. Anything mapped to T1562, T1562.001, or T1562.006 needs to be remapped to T1685: Disable or Modify Tools. Anything mapped to other T1562 sub-techniques needs to be remapped to whichever new ID the crosswalk assigns. Detections that target the T1562 parent technique broadly are the highest priority.

Test your existing detections while you are at it. CardinalOps has reported that enterprise SIEMs miss roughly 79% of ATT&CK techniques used by real adversaries. If your Defense Evasion detections were already broken or noisy, remapping them to Stealth and Defense Impairment gives you broken detections in two buckets instead of one. The remap effort is a good forcing function to run the procedures, check false-positive rates, and validate that what you are remapping is worth remapping.

Build out Defense Impairment coverage. Defense Impairment is the gap the split was designed to expose. Identify what telemetry you have (or do not have) for detecting when your security controls go silent. Morpheus’s Cybersecurity Triage LLM Framework reasons natively about MITRE ATT&CK technique IDs and tactics, and monitors for gaps in expected telemetry as part of its investigation logic. Absence-of-signal patterns surface against the right tactic, including TA0112, without rule-by-rule remapping.

Update your SOAR playbook routing. If you built playbooks that trigger different response actions based on the ATT&CK tactic, those routing conditions need to account for Stealth and Defense Impairment as separate tactics with separate response logic. A playbook that treats all former Defense Evasion techniques identically is missing the point of the split. Runtime-generated playbooks handle this automatically because they build response logic per incident, not per static tactic mapping. In a Morpheus investigation, every event is mapped to its ATT&CK technique ID and tactic, and analysts can filter the timeline by tactic to scan the investigation through the framework they already use. D3 customers: we have aligned Morpheus playbook templates to the new tactic structure. Contact your CSM or check the release notes for migration details.

Brief your analysts. The conceptual split between “hiding” and “breaking defenses” is intuitive once explained, but people need to hear it once before it clicks in a triage workflow. Run the briefing this week if you have not already.

None of this makes your environment more secure by itself. It makes your reporting more accurate and your triage logic sharper. Those are different things. If you use the transition as an excuse to test what you have, you will come out of it with something better than updated labels.
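The crosswalk-driven steps in the checklist above (pull the crosswalk, audit TA0005 references, find T1562 rules, check TA0112 coverage) can be scripted against a rule export. The block below is an added example, not a tool from this post, from D3, or from MITRE: it loads a constructed crosswalk CSV, walks a constructed rule inventory, and emits one recommendation per rule (remap, retag, relabel, review, or none) along with a before-and-after check for tactics with no coverage. The crosswalk column names and the "Renamed" and "Relocated" change types are assumptions about the file's schema; the ID moves themselves (T1562 and two sub-techniques to T1685, T1562.004 to T1686 with Windows cases under T1686.003, T1211 needing per-rule review against T1687) are the ones the post describes.

```python
import csv
import io

# Constructed sample in the spirit of the official Defense Evasion split crosswalk CSV.
# The real file's column names are not reproduced in the post, so these headers are
# an assumption; "Merged into new technique", "Revoked" and "Became new sub-technique"
# are the change types the post quotes, "Renamed" and "Relocated" are assumed labels
# for the T1211 rename and the tactic-only moves it describes.
SAMPLE_CROSSWALK_CSV = """old_id,change_type,new_id,new_tactic
T1562,Merged into new technique,T1685,TA0112
T1562.001,Merged into new technique,T1685,TA0112
T1562.006,Merged into new technique,T1685,TA0112
T1562.004,Revoked,T1686,TA0112
T1211,Renamed,T1211,TA0005
T1036,Relocated,T1036,TA0005
T1553.004,Relocated,T1553.004,TA0112
"""

# Constructed detection-rule inventory, shaped like a minimal SIEM rule export.
SAMPLE_RULES = [
    {"name": "EDR service stopped", "tactic": "TA0005", "technique": "T1562.001"},
    {"name": "Host firewall disabled", "tactic": "TA0005", "technique": "T1562.004"},
    {"name": "Renamed system binary executed", "tactic": "TA0005", "technique": "T1036"},
    {"name": "Exploit attempt against security agent", "tactic": "TA0005", "technique": "T1211"},
    {"name": "Unexpected root certificate installed", "tactic": "TA0005", "technique": "T1553.004"},
    {"name": "Admin share access from workstation", "tactic": "TA0008", "technique": "T1021.002"},
]

TACTIC_LABELS = {"TA0005": "Stealth", "TA0112": "Defense Impairment"}
REMAP_TYPES = {"Merged into new technique", "Revoked", "Became new sub-technique"}


def load_crosswalk(text):
    """Index crosswalk rows by the pre-v19 technique ID."""
    return {row["old_id"]: row for row in csv.DictReader(io.StringIO(text))}


def plan_remap(rules, crosswalk):
    """Produce one recommendation per rule: what to change and why."""
    plan = []
    for rule in rules:
        rec = {
            "name": rule["name"],
            "old_technique": rule["technique"],
            "old_tactic": rule["tactic"],
            "new_technique": rule["technique"],
            "new_tactic": rule["tactic"],
            "action": "none",
            "note": "",
        }
        entry = crosswalk.get(rule["technique"])
        if entry is not None:
            rec["new_technique"] = entry["new_id"]
            rec["new_tactic"] = entry["new_tactic"]
            change = entry["change_type"]
            if change in REMAP_TYPES:
                # ID itself changed: the rule must point at the new technique.
                rec["action"] = "remap"
                if entry["new_id"] == "T1686":
                    rec["note"] = "Windows-specific cases belong under T1686.003"
            elif change == "Renamed":
                # Same ID, but intent decides whether it now belongs to T1687.
                rec["action"] = "review"
                rec["note"] = "hiding stays T1211 (Exploitation for Stealth); breaking moves to T1687"
            elif rec["new_tactic"] != rec["old_tactic"]:
                # Technique ID kept, tactic association moved.
                rec["action"] = "retag"
            else:
                # Nothing moved; only the tactic's display name changed.
                rec["action"] = "relabel"
                rec["note"] = "tactic label is now " + TACTIC_LABELS.get(rec["new_tactic"], rec["new_tactic"])
        plan.append(rec)
    return plan


def coverage_gaps(tactic_ids, required=("TA0005", "TA0112")):
    """Return the required tactics that no rule in tactic_ids references."""
    present = set(tactic_ids)
    return [t for t in required if t not in present]


if __name__ == "__main__":
    crosswalk = load_crosswalk(SAMPLE_CROSSWALK_CSV)
    plan = plan_remap(SAMPLE_RULES, crosswalk)
    for rec in plan:
        print(f"{rec['action']:8} {rec['name']}: {rec['old_technique']} -> "
              f"{rec['new_technique']} ({rec['new_tactic']}) {rec['note']}")
    print("gaps before:", coverage_gaps(r["tactic"] for r in SAMPLE_RULES))
    print("gaps after: ", coverage_gaps(r["new_tactic"] for r in plan))
```

On the sample inventory every rule sits under TA0005 before the remap, so the coverage check reports TA0112 as empty, which is exactly the blind spot the post says will show up on coverage dashboards. After the plan is applied, three of the five former Defense Evasion rules land under Defense Impairment and the gap closes. The "review" action for T1211 is deliberate: the crosswalk can tell you the ID was renamed, but only the rule's logic can tell you whether it detects hiding or breaking.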

What Comes Next After ATT&CK v19

MITRE has signaled that more changes are coming this year, with an updated Roadmap publication expected and additional updates beyond the Defense Evasion split still to ship. The v19 release notes and detailed changelog are the authoritative reference.

ATT&CK v19 FAQ

What is MITRE ATT&CK v19?
MITRE ATT&CK v19 is the April 28, 2026 release of the ATT&CK framework. Its most significant change is splitting the Defense Evasion tactic into two new tactics: Stealth (TA0005) and Defense Impairment (TA0112). The release also includes new AI-enabled and social engineering techniques, ICS sub-technique reorganizations, Mobile detection strategies, and CTI updates.

When did ATT&CK v19 release?
ATT&CK v19 released on April 28, 2026. MITRE has signaled that an updated Roadmap and additional changes are coming later this year.

What happened to Defense Evasion (TA0005)?
Defense Evasion has been retired as a tactic. Its techniques are now split between Stealth (which inherits the TA0005 ID) and Defense Impairment (which receives the new tactic ID TA0112). Stealth covers techniques where adversaries blend into legitimate behavior. Defense Impairment covers techniques where adversaries actively disable or compromise security controls. Some techniques are mapped to both, where adversary intent overlaps.

What is the difference between Stealth and Defense Impairment in ATT&CK?
Stealth techniques hide malicious activity within normal operations. Your defenses are still running but failing to distinguish threats from legitimate behavior. Defense Impairment techniques actively break, disable, or degrade your security controls. The detection and response approaches differ: Stealth requires behavioral correlation, while Defense Impairment requires containment and control integrity validation.

What is the new tactic ID for Defense Impairment?
Defense Impairment is TA0112. SIEM rules, dashboards, and SOAR playbooks that should cover defense-impairment behaviors need to reference TA0112 going forward.

What happened to T1562 (Impair Defenses) in ATT&CK v19?
T1562 has been retired, along with two of its sub-techniques (T1562.001: Disable or Modify Tools and T1562.006: Indicator Blocking). All three were merged into a new technique, T1685: Disable or Modify Tools. The remaining T1562 sub-techniques have been revoked and reissued under new IDs within Defense Impairment. The official crosswalk lists every change.

What new techniques were added in ATT&CK v19?
The Defense Evasion split introduced T1685 (Disable or Modify Tools), T1687 (Exploitation for Defense Impairment), and T1686.003 (Disable or Modify System Firewall: Windows Host Firewall). T1684 (Social Engineering) is a new parent technique, with T1684.001 (Impersonation) and T1684.002 (Email Spoofing) as sub-techniques. T1211 has been renamed to “Exploitation for Stealth.” The release also added AI-enabled techniques T1682 (Query Public AI Services) and T1683 (Generate Content), plus several ICS sub-techniques.

Do I need to update my SIEM rules for ATT&CK v19?
Rules referencing TA0005 will continue to match Stealth techniques automatically, since Stealth inherits that ID. You will need to add new rules referencing TA0112 (Defense Impairment) and the new techniques (T1685, T1687, T1686.003, T1684 and its sub-techniques). Rules targeting T1562 or its sub-techniques need rework based on the crosswalk. Rules targeting T1211 should be reviewed and split between T1211 (Exploitation for Stealth) and T1687 (Exploitation for Defense Impairment) based on adversary intent.

Where is the official ATT&CK v19 crosswalk?
The Defense Evasion split crosswalk is published in JSON and CSV formats. The ICS sub-technique crosswalk is published separately. Both are the fastest way to scope your remapping work.

Autonomous SOC. On Your Terms.

D3 Morpheus is the autonomous AI SOC platform that investigates every security alert at L2+ depth and runs the full triage-to-closure workflow at the autonomy level you choose. Every event in a Morpheus investigation is mapped to its MITRE ATT&CK technique ID and tactic, and analysts can filter by tactic to scan the investigation through the framework they already use. Curious how absence-of-signal detections surface against TA0112? Book a 30-minute Morpheus demo.
