Skip to content
Chimera readability score 0.5968 out of 100, reading level.

By Allison Henao and Alice Koeninger, Art by Cat Self
If you’ve been following the ATT&CK community channels, you’ve probably heard us talking about changes to Enterprise’s Defense Evasion tactic (ATT&CKcon 5.0, ATT&CKcon 6.0, #att&cking-mondays on Slack, etc). Those changes are almost here, with the release of ATT&CK v19 coming on April 28th. This post walks through what’s changing, why, what’s shipping in April, and what’s still ahead.
A Tactic Divided Against Itself
It was the best of tactics and the worst of tactics.
Defense Evasion has been one of the most heavily used tactics in ATT&CK, and sometimes one of the most frustrating to work with. It wasn’t wrong, per se. Adversaries want to stay hidden, and they continue to find creative, layered ways to accomplish that. The problem is that ‘evading defenses’ turns out to describe two fundamentally different things, and Defense Evasion treated them as one. It was doing too much at once, which it means doing none of it clearly enough.
With over 40 techniques under a single umbrella, Defense Evasion became something of a catch-all. A behavior landed there if it was evasion-adjacent, regardless of what the adversary was actually doing. Some of those techniques are about blending in, like making malicious activity look like the thousand other normal things happening on your network at any time. Others are about something more aggressive: finding your security tools and breaking them or compromising their integrity.
Hiding and breaking are not the same behaviors and treating them as one means defenders have been trying to answer two completely different questions with the same playbook. When everything lives in the same bucket, you lose clarity. And when you lose clarity, you lose prioritization.
If you’ve ever tried to explain adversary intent using Defense Evasion, or map your detection coverage to it, you’ve probably felt that tension. Not all evasion is the same. It just looked that way because we were describing it with one word.
Two Tactics: One Adversary, Two Completely Different Problems
Walk through a real attack and the distinction quickly obvious.
An adversary gets in and starts moving through your environment. They start by using native system utilities to run their tools: rundll32.exe, msiexec.exe, the same living-off-the-land binaries that show up in your telemetry every single day. Your EDR is running, your SIEM is collecting, your defenses are fully intact. But the adversary is indistinguishable from the normal behavior. They are operating below the detection threshold by blending in.
That’s Stealth.
Later in the operation, that same adversary disables your logging pipeline, and tampers with your EDR agent, so it stops reporting. Now your defenses aren’t just fooled, they’re broken. The tools that would have caught the next action are no longer reliable.
That’s Impair Defenses.
One operation with two different intents. And two completely different defensive responses.
Stealth is about hiding from your defenses. Impair Defenses is about breaking them.
This distinction isn’t semantic; it’s the difference between needing better behavioral analytics and needed better tamper protection. Between asking “why does this look like normal activity?” and “why did my EDR stop reporting?” Conflating the two in a single tactic means the community has been trying to answer both questions with the same philosophy.
It Is a Far Better Thing: Stealth and Impair Defenses
We’re replacing Defense Evasion in the Enterprise matrix with two tactics, Stealth and Impair Defenses, each scoped to adversary intent.
Stealth captures techniques where adversaries reduce their visibility or make malicious activity indistinguishable from legitimate behavior. The defining characteristic is that your defensive systems are still working, the adversary is just operating in ways that look normal.
Examples include:
- T1564: Hide Artifacts: concealing files, users, or processes from standard system views
- T1027: Obfuscated Files or Information: encoding or encrypting payloads to avoid static detection
- T1218: System Binary Proxy Execution: abusing trusted Windows utilities to proxy malicious execution
- T1036: Masquerading: disguising malicious files or processes as legitimate system components
For defenders, Stealth techniques require a different response, one that is fundamentally analytic. Your tools can see these behaviors; the problem is distinguishing what looks benign from what’s actually malicious. That’s a behavioral analytics, anomaly detection, and forensic analysis response.
Impair Defenses is what happens when adversaries stop hiding and start breaking things. Techniques in this tactic actively degrade, disable, or compromise the integrity of security controls and monitoring infrastructure. The adversary’s goal here is to make your defenses less reliable, or to eliminate them entirely.
Examples include:
- T1562.001: Impair Defenses: Disable or Modify Tools: stopping, uninstalling, or tampering with endpoint security agents.
- T1553.004: Subvert Trust Controls: Install Root Certificate: subverting trust controls at the certificate layer.
- T1222: File and Directory Permissions Modification: altering access controls that govern what defenders can see.
Defending against the techniques in Impair Defenses requires a different mindset entirely: integrity monitoring, tamper protection, and continuous validation of your security controls. These techniques are designed to invalidate the assumption that your defenses are working. If you aren’t testing that assumption regularly, you may not know they’ve succeeded.
A Tale told in Multiple Parts: What’s Shipping in April
This is a phased change, and we want to be transparent about both the process and the timeline. April is a chapter.
Restructuring something as foundational as a tactic requires every technique to be reviewed against the same question: What is the adversary trying to do? Hide? Break your tools? Both? Neither/does this behavior belong somewhere else entirely? For the April release, the goal is to get the structural reorganization in place without burying the community in simultaneous content changes.
TLDR:
Most Technique IDs aren’t changing. For most techniques moving to Stealth or Impair Defenses, the only change will be the associated tactic(s). Technique IDs, behavior descriptions, procedures, and detection logic are unchanged/carried over.
3 techniques are moving out of the former Defense Evasion space entirely. Techniques leaving the tactic may have updated descriptions and remapped procedures to better reflect their actual scope. More detail on these techniques in the crosswalk that will be included with the April release.
The most significant structural update centers on T1562: Impair Defenses. The parent technique is being retired, and the concept now lives at the tactic level. The sub-techniques are being reviewed and realigned accordingly.
Email Spoofing and Impersonation techniques are being reorganized under a new Social Engineering technique. More detail on that in the April release post.
Tactic IDs are splitting. Stealth will inherit Defense Evasion’s existing tactic ID (TA0005) and Impair Defenses, as a net-new tactic, will be assigned a new ID.
Enterprise-only change. While rooted in common ground, the Enterprise, Mobile, and ICS matrices are distinct from each other and continue to develop independently. The tactics in Mobile and ICS will remain unchanged in the April release.
What This Means for Defenders
Don’t panic about your mappings (they’re still mostly valid). If you’ve mapped detections or controls to specific technique IDs, some adjustments may be needed for the April release. We’ll provide a crosswalk in the release notes and blog for the full picture of changes.
Think in terms of adversary intent, not just behavior. The Stealth / Impair Defenses split is most useful when you ask: is the adversary hiding, or are they breaking something? Those are different threat models that need different responses.
Impair defenses often goes unmeasured. If your EDR agent is tampered with and stops reporting, how fast do you know? Building detections around the absence of expected signals is one of the most underinvested areas in enterprise defense.
The Work of Many Seasons: What’s Still Coming
You’ll continue to see restructuring in future releases: updated technique descriptions, scope realignment, additional procedure mappings, and deprecation of techniques that no longer represent distinct behaviors. We know this realignment creates work for the community, and we’re committed to being deliberate and not (overly) disruptive. More detail on specific technique changes will be included in the April release notes.
As always, we want your feedback. Reach out at attack@mitre.org or join the conversation in the ATT&CK slack channels and stop by #att&cking-mondays. We want to hear your thoughts, what’s still unclear, and where you think we can push next.
©2026 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited. 26–00722–1.

Facts Only

Stealth is a new tactic replacing parts of Defense Evasion in the Enterprise matrix
Impair Defenses is a net-new tactic also splitting from Defense Evasion
The former Defense Evasion tactic ID (TA0005) will be inherited by Stealth
A new TAxxxx ID will be assigned to Impair Defenses
3 techniques are moving out of Defense Evasion and may have updated descriptions and remapped procedures
Email Spoofing and Impersonation techniques are being reorganized under a new Social Engineering technique

Executive Summary

The article discusses a significant change in the MITRE Corporation's ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework. The Defense Evasion tactic, one of the most used tactics in the Enterprise matrix, is being divided into two separate tactics: Stealth and Impair Defenses. This change aims to improve clarity and prioritization by separating techniques that involve hiding from defenses and those that involve breaking or compromising them.
Stealth techniques, such as Hide Artifacts, Obfuscated Files or Information, System Binary Proxy Execution, and Masquerading, focus on reducing visibility or making malicious activity indistinguishable from legitimate behavior. Defending against these techniques requires analytic responses, such as behavioral analytics, anomaly detection, and forensic analysis.
Impair Defenses techniques actively degrade, disable, or compromise the integrity of security controls and monitoring infrastructure, such as Disable or Modify Tools, Subvert Trust Controls, and File and Directory Permissions Modification. These techniques require a focus on integrity monitoring, tamper protection, and continuous validation of security controls to defend against.

Full Take

The change in the ATT&CK framework reflects a growing recognition that it is crucial to differentiate between tactics that involve hiding from defenses and those that involve breaking them. By making this distinction, organizations can better prioritize their security efforts and more effectively defend against advanced persistent threats (APTs).
However, the change may also introduce new challenges. For example, security analysts will need to adapt their tools and processes to account for the new tactics and techniques. Additionally, the reorganization of Email Spoofing and Impersonation techniques under Social Engineering raises questions about how these tactics fit within the broader ATT&CK framework and whether they should have been classified as part of Defense Evasion all along.

Sentinel — Human

Confidence

This text shows signs of being human-written. The writing style is varied, with a personal voice and idiosyncratic emphasis. There are no indications of argumentative skeleton matching or talking points appearing nearly verbatim across sources.

Signals Detected
low severity: variable sentence length and hedging density below AI averages
high severity: evidence of personal voice, idiosyncratic emphasis, and stylistic fingerprint
low severity: no signs of argumentative skeleton matching or talking points appearing nearly verbatim across sources
Human Indicators
Complex and nuanced argument, unique perspective on topic
Varied use of transition words
Use of idiomatic expressions and colloquial language