Skip to content

Stealth

The adversary is trying to hide and conceal their actions, appearing as normal behavior.

Stealth consists of techniques that reduce the likelihood of detection by blending in with legitimate activity or minimizing observable signals. These techniques are characterized by concealment behaviors, such as avoiding, obfuscating, or mimicking normal operations, without modifying security controls or compromising collection and monitoring feeds. The goal is to remain indistinguishable from benign activity while leaving defensive systems intact.

In cloud environments, stealth looks like operating with valid credentials and sessions that blend into routine API activity, removing attacker-created artifacts such as service account keys to erase evidence of access, and running workloads in unused or unsupported regions where monitoring may not be deployed.

Stealth was introduced in ATT&CK v19 (April 2026), when the former Defense Evasion tactic was split into Stealth and Defense Impairment. Stealth keeps the TA0005 tactic ID.

View Stealth on MITRE ATT&CK →