MITRE ATT&CK v19: What the Defense Evasion Split Means for Your SOC
What’s Changing in ATT&CK v19
MITRE ATT&CK v19 drops April 28, 2026. The biggest change: Defense Evasion (TA0005), the framework’s most bloated tactic, is being split into two new tactics with distinct operational meanings. We covered the rationale and early previews back in October. Since then, the ATT&CK team has published the specifics. Here’s what we now know, what it means for your SOC, and what you can do before the 28th to avoid scrambling after.
No adversary is going to change their behavior on April 28. The threats hitting your environment that morning will be the same ones from the day before. What changes is how we categorize and organize our response to them. The real opportunity is using this disruption as a reason to pressure-test whether your detections actually work.
ATT&CK v19 in brief: MITRE ATT&CK v19, releasing April 28, 2026, splits the Defense Evasion tactic (TA0005) into two new tactics. Stealth covers techniques where adversaries hide malicious activity within legitimate behavior. Impair Defenses covers techniques where adversaries actively disable, degrade, or compromise security controls. The former technique T1562 (Impair Defenses) is retired and elevated to the tactic level. Stealth inherits the existing TA0005 ID. Impair Defenses receives a net-new tactic ID.
Stealth vs. Impair Defenses: Two Tactics, Two Different Problems
Defense Evasion is being replaced by two tactics scoped to adversary intent:
Stealth captures techniques where adversaries make malicious activity look like legitimate behavior. Your defenses are still running. The adversary is operating below the detection threshold by blending in: masquerading (T1036), obfuscated files (T1027), system binary proxy execution (T1218), hiding artifacts (T1564). Your EDR sees these events. The problem is distinguishing them from the thousand other normal things happening on your network at any given moment.
Impair Defenses captures techniques where adversaries actively degrade, disable, or compromise the integrity of your security controls. Stopping your logging pipeline, tampering with your EDR agent, subverting trust controls at the certificate layer (T1553.004), modifying file and directory permissions to cut off defender access (T1222). Your tools aren’t being fooled here. They’re being broken.
| | Stealth | Impair Defenses |
|---|---|---|
| Adversary intent | Hide malicious activity within legitimate behavior | Disable, degrade, or compromise security controls |
| Your defenses | Still running, but being fooled | Being actively broken or silenced |
| Example techniques | Masquerading (T1036), obfuscated files (T1027), system binary proxy execution (T1218), hiding artifacts (T1564) | Stopping logging pipelines, EDR tampering, subverting trust controls (T1553.004), modifying permissions (T1222) |
| Detection approach | Behavioral correlation and anomaly hunting across legitimate-looking events | Monitoring for the absence of expected signals and control integrity validation |
| Triage response | Hunting and correlation to confirm malicious intent | Immediate containment and integrity validation of affected controls |
| Tactic ID | Inherits TA0005 from Defense Evasion | Receives a net-new tactic ID (not yet published) |
Stealth is about hiding from your defenses. Impair Defenses is about breaking them. For triage, the difference is concrete: a Stealth alert calls for hunting and correlation; an Impair Defenses alert calls for immediate containment and integrity validation.
And that second category exposes what is probably the least-discussed gap in enterprise defense. If your EDR agent gets tampered with and stops reporting, how fast do you know? Most SOCs are built to respond to signals. Building detections around the absence of expected signals is a different discipline entirely, and most teams haven’t invested in it. Now that it has its own tactic, the gap will be visible on every coverage dashboard. That’s probably the point.
ATT&CK v19 Operational Details: What Changes for SIEM and SOAR
The ATT&CK team’s blog post (by Allison Henao and Alice Koeninger) is worth reading in full. Three details matter most:
Stealth inherits TA0005. This caught us off guard. We expected the old tactic ID to be deprecated. It’s not. Stealth takes over Defense Evasion’s existing ID. Any SIEM rule, dashboard, or report that references TA0005 will continue to match after April 28, but against a narrower set of behaviors than before.
Impair Defenses gets a net-new tactic ID. This is where the real work is. Any detection, playbook, or report that should cover defense impairment behaviors will need to reference a tactic ID that doesn’t exist yet. If you don’t add it after the 28th, you’ll have a blind spot in your tactic-level coverage that wasn’t there before.
T1562 (Impair Defenses) is being retired as a technique. The concept has been elevated to the tactic level. Its sub-techniques (like T1562.001: Disable or Modify Tools) are being reviewed and realigned. If you have detection rules that target the T1562 parent technique specifically, those need attention.
Also worth noting: most technique IDs aren’t changing; only the tactic association moves, which is much less disruptive than a mass ID migration. Three techniques are leaving the former Defense Evasion space entirely, and MITRE is including a crosswalk with the release. Email Spoofing and Impersonation techniques are being reorganized under a new Social Engineering technique. This is Enterprise-only; the Mobile and ICS matrices are unchanged. And this is phase one: MITRE has been explicit that updated technique descriptions, scope realignments, and deprecations will ship in future releases. April is the structural foundation.
How to Prepare Your SOC for ATT&CK v19 Before April 28
How much this disrupts your SOC depends on how tightly you’ve coupled operations to ATT&CK tactic IDs. Teams with mature detection engineering practices will absorb this in a sprint. Teams that duct-taped SIEM rules and dashboards directly to TA0005 have a bigger project on their hands, and probably a bigger problem than v19.
Audit your TA0005 references. Search your SIEM rules, SOAR playbooks, dashboards, and reports for anything that filters on TA0005 or mentions Defense Evasion by name. You don’t need to change them yet, but you need to know the blast radius.
Find your T1562 rules. The parent technique is being retired. If your detections target T1562 broadly rather than its specific sub-techniques, flag them for rework on the 28th.
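The TA0005 audit and the T1562 search above can be scripted against your rule repository. The following is an added example, not D3’s or MITRE’s code: it reads Sigma-style rule tags, assigns each rule to Stealth or Impair Defenses using a constructed mapping built only from the techniques this post names, and flags rules that still target the retired T1562 parent. The Impair Defenses tactic ID is a labelled placeholder until MITRE publishes it, and the sample rules are constructed.

```python
"""Audit Sigma-style rule tags for ATT&CK v19 blast radius.
Added example, not D3's or MITRE's code. Assumes rules carry tags in the Sigma
convention (attack.defense_evasion / attack.ta0005, attack.t1562.001). The
Stealth vs. Impair Defenses assignment is constructed from the techniques this
post names only; the real crosswalk ships with v19.
"""
import re

IMPAIR_DEFENSES_TACTIC_ID = "TA????_IMPAIR_DEFENSES_PLACEHOLDER"  # not yet published
STEALTH_TECHNIQUES = {"T1036", "T1027", "T1218", "T1564"}          # constructed mapping
IMPAIR_TECHNIQUES = {"T1553.004", "T1222", "T1562"}                # constructed mapping
TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.I)
TA0005_RE = re.compile(r"^attack\.(ta0005|defense[_-]evasion)$", re.I)

# Constructed sample rules; titles and tags are illustrative.
SAMPLE_RULES = [
    {"title": "Rundll32 proxy execution", "tags": ["attack.defense_evasion", "attack.t1218.011"]},
    {"title": "Sysmon service stopped", "tags": ["attack.ta0005", "attack.t1562.001"]},
    {"title": "Generic defense impairment", "tags": ["attack.defense_evasion", "attack.t1562"]},
    {"title": "Root CA store modified", "tags": ["attack.ta0005", "attack.t1553.004"]},
    {"title": "Unmapped evasion", "tags": ["attack.ta0005", "attack.t1070.001"]},
]

def audit_rule(rule: dict) -> dict:
    """Classify one rule under the split and list what needs rework."""
    tags = rule.get("tags", [])
    techniques = [m.group(1).upper() for t in tags if (m := TECH_RE.match(t))]
    refs_ta0005 = any(TA0005_RE.match(t) for t in tags)
    new_tactics, findings = set(), []
    for tech in techniques:
        parent = tech.split(".")[0]
        if tech == "T1562":
            findings.append("targets retired parent T1562; re-point at its sub-techniques")
        if tech in IMPAIR_TECHNIQUES or parent in IMPAIR_TECHNIQUES:
            new_tactics.add(IMPAIR_DEFENSES_TACTIC_ID)
        elif parent in STEALTH_TECHNIQUES:
            new_tactics.add("TA0005")
        elif refs_ta0005:
            findings.append(f"{tech}: no mapping in this table; check MITRE's crosswalk")
    if refs_ta0005 and IMPAIR_DEFENSES_TACTIC_ID in new_tactics:
        findings.append("tagged TA0005 but covers Impair Defenses; retag or it drops out of coverage")
    # Triage path follows the split: Stealth alerts get hunted, Impair Defenses alerts get contained.
    triage = "contain" if IMPAIR_DEFENSES_TACTIC_ID in new_tactics else "hunt"
    return {"title": rule["title"], "new_tactics": sorted(new_tactics), "triage": triage, "findings": findings}

def audit_all(rules: list) -> dict:
    """Audit every rule, keyed by title, so the blast radius is one report."""
    return {r["title"]: audit_rule(r) for r in rules}
```

Running `audit_all(SAMPLE_RULES)` shows the shape of the problem: rules tagged TA0005 keep matching after the 28th, but the ones covering impairment behaviour silently fall out of the new tactic unless they are retagged.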
Test your existing detections while you’re at it. CardinalOps has reported that enterprise SIEMs miss roughly 79% of ATT&CK techniques used by real adversaries. If your Defense Evasion detections are already broken or noisy, remapping them to Stealth and Impair Defenses gives you broken detections in two buckets instead of one. This is a good forcing function to run the procedures, check false positive rates, and validate that what you’ll be remapping is worth remapping.
Think about Impair Defenses coverage now. Don’t wait for the tactic ID to exist. Start identifying what telemetry you have (or don’t have) for detecting when your security controls go silent. Morpheus monitors for gaps in expected telemetry as part of its investigation logic, which is the kind of absence-of-signal detection this new tactic is designed to surface. This is the gap the split was designed to expose.
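The absence-of-signal detection this tactic calls for (raised earlier in the Stealth vs. Impair Defenses section and again here) is mostly a question of knowing who should be reporting and noticing who stopped. The following is an added example, not Morpheus’s logic: it assumes an EDR heartbeat feed and a host inventory, both constructed inline, and flags enrolled hosts that have gone quiet for longer than a tolerated number of missed check-ins.

```python
"""Absence-of-signal check: flag enrolled hosts whose EDR agent went quiet.
Added example, not Morpheus's logic. Assumes a heartbeat feed of
'<ISO timestamp> <host> heartbeat' lines and a host inventory (both constructed).
"""
from datetime import datetime, timedelta, timezone

HEARTBEAT_INTERVAL = timedelta(minutes=5)  # expected agent cadence (assumed)
MISSED_BEATS_BEFORE_ALERT = 3              # tolerance for jitter and reboots (assumed)

# Constructed feed: ws3's agent stops after 09:05; ws4 is enrolled but never reports.
SAMPLE_FEED = """\
2026-04-28T09:00:00Z ws1 heartbeat
2026-04-28T09:00:05Z ws3 heartbeat
2026-04-28T09:05:01Z ws1 heartbeat
2026-04-28T09:05:04Z ws3 heartbeat
2026-04-28T09:10:00Z ws1 heartbeat
2026-04-28T09:15:01Z ws1 heartbeat
2026-04-28T09:20:00Z ws1 heartbeat
"""
ENROLLED_HOSTS = {"ws1", "ws3", "ws4"}  # constructed inventory

def last_seen(feed: str) -> dict:
    """Latest heartbeat timestamp per host; hosts that never report are absent."""
    seen = {}
    for line in feed.splitlines():
        ts, host, event = line.split()
        if event == "heartbeat":
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            seen[host] = max(seen.get(host, when), when)
    return seen

def silent_hosts(feed: str, enrolled: set, now: datetime) -> dict:
    """Map each silent host to a reason, so triage knows what to contain and verify."""
    seen = last_seen(feed)
    deadline = HEARTBEAT_INTERVAL * MISSED_BEATS_BEFORE_ALERT
    alerts = {}
    for host in sorted(enrolled):
        if host not in seen:
            alerts[host] = "enrolled but never reported"
        elif now - seen[host] > deadline:
            alerts[host] = f"last heartbeat {now - seen[host]} ago"
    return alerts

def example_alerts() -> dict:
    """Evaluate the constructed feed as of 09:21 UTC on release day."""
    return silent_hosts(SAMPLE_FEED, ENROLLED_HOSTS, datetime(2026, 4, 28, 9, 21, tzinfo=timezone.utc))
```

Calling `example_alerts()` flags ws3 (silent for three missed check-ins) and ws4 (enrolled, never seen); neither host produced an alert of its own, which is exactly the gap this tactic exists to make visible.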
Update your SOAR playbook routing. If you built playbooks that trigger different response actions based on the ATT&CK tactic, those routing conditions will need to account for Stealth and Impair Defenses as separate tactics with separate response logic. A playbook that treats all former Defense Evasion techniques identically is missing the point of the split. Runtime-generated playbooks handle this automatically because they build response logic per incident, not per static tactic mapping. D3 customers: we’re aligning Morpheus playbook templates to the new tactic structure ahead of the April 28 release. Contact your CSM or check the release notes for migration details.
Brief your analysts. The conceptual split between “hiding” and “breaking defenses” is intuitive once explained, but people need to hear it once before it clicks in a triage workflow. Do the briefing before April 28, not after.
None of this makes your environment more secure by itself. It makes your reporting more accurate and your triage logic sharper. Those are different things. But if you use the transition as an excuse to test what you have, you’ll come out of it with something better than updated labels.
What Comes Next After the ATT&CK v19 Release
We’ll update this post with the full crosswalk analysis and specific technique moves once the release notes go live on April 28. In the meantime, if you want to see how Morpheus maps to the new tactic structure and what the migration path looks like for your playbooks, book a walkthrough with our team.
ATT&CK v19 FAQ
What is MITRE ATT&CK v19?
MITRE ATT&CK v19 is the next major release of the ATT&CK framework for Enterprise, scheduled for April 28, 2026. Its most significant change is splitting the Defense Evasion tactic into two new tactics: Stealth and Impair Defenses.
When does ATT&CK v19 release?
ATT&CK v19 releases on April 28, 2026. MITRE has confirmed this is phase one, with updated technique descriptions and further scope realignments shipping in future releases.
What happened to Defense Evasion (TA0005)?
Defense Evasion is being retired as a tactic. Its techniques are being split between Stealth (which inherits the TA0005 ID) and Impair Defenses (which receives a new tactic ID). Stealth covers techniques where adversaries blend into legitimate behavior. Impair Defenses covers techniques where adversaries actively disable or compromise security controls.
What is the difference between Stealth and Impair Defenses in ATT&CK?
Stealth techniques hide malicious activity within normal operations. Your defenses are still running but failing to distinguish threats from legitimate behavior. Impair Defenses techniques actively break, disable, or degrade your security controls. The detection and response approaches differ: Stealth requires behavioral correlation, while Impair Defenses requires containment and control integrity validation.
What happens to T1562 (Impair Defenses) in ATT&CK v19?
T1562, previously a technique under Defense Evasion, is being retired. The concept is elevated to the tactic level. Its sub-techniques (like T1562.001: Disable or Modify Tools) are being reviewed and realigned under the new Impair Defenses tactic.
Do I need to update my SIEM rules for ATT&CK v19?
Rules referencing TA0005 will continue to match Stealth techniques automatically, since Stealth inherits that ID. However, you will need to add new rules referencing the Impair Defenses tactic ID once it’s published. Rules targeting T1562 as a parent technique will need rework, since that technique is being retired.