Skip to content

Defense Impairment

The adversary is trying to break security mechanisms, pipelines, and tooling so defenders can’t see or trust what’s happening.

Defense Impairment consists of techniques that degrade, disable, or undermine the effectiveness and trustworthiness of security controls and monitoring mechanisms. These techniques are characterized by direct interference with defensive systems. The goal is to reduce defenders’ ability to detect, interpret, or respond to adversary activity.

In cloud environments, adversaries impair defenses by disabling or deleting logging services (CloudTrail, Azure diagnostic settings, GCP logging sinks), modifying or removing security group and firewall rules, tampering with audit logs, or stopping monitoring services like GuardDuty and Microsoft Defender for Cloud.

Defense Impairment (TA0112) was introduced in ATT&CK v19 (April 2026), when the former Defense Evasion tactic was split into Stealth and Defense Impairment.

View Defense Impairment on MITRE ATT&CK →