MITRE Just Redrew the Map. Here Is What It Means.

MITRE ATT&CK v19 drops April 28. Before it lands, there is something worth paying attention to.

Defense Evasion is dead. After years of service as one of the original ATT&CK tactics, MITRE is retiring it and splitting it into two more focused categories: Stealth and Impair Defenses.

This is not a minor housekeeping update. It is an acknowledgment that attackers have gotten more sophisticated, and the framework needed to catch up. The old “Defense Evasion” bucket had gotten too broad. Attackers were doing two fundamentally different things under that label, and conflating them made it harder for defenders to think clearly about the problem.

MITRE separated them. So should you.

MITRE ATT&CK v19 splits Defense Evasion into Stealth and Impair Defenses

Stealth: The Art of Not Being Seen

The Stealth tactic covers everything an attacker does to remain hidden inside your environment. Impersonation. Hiding files and users. Blending into legitimate traffic. Moving in ways that look normal until they are not.

The assumption behind Stealth is that the attacker is already in. The question is how long they can operate before someone notices.

For most organizations, the answer is too long. Average dwell time across the industry is measured in weeks and months, not hours. Attackers are patient because patience works.

The conventional answer to Stealth is better detection. More sensors, better analytics, faster triage. The problem is that a patient, skilled attacker operating in legitimate-looking ways is genuinely hard to detect. They are designed to blend in. That is the point.

The better answer is to make stealth impossible rather than merely harder to sustain. A network that deceives the attacker in return, that continuously changes its observable surface, and that treats first contact as first detection removes the conditions that make stealth viable. The attacker trying to stay hidden is still interacting with something. And that something knows.

Impair Defenses: Killing Your Security Before the Kill

The Impair Defenses tactic covers something different and arguably more dangerous. This is the attacker actively dismantling your security posture before executing the primary objective. Disabling antivirus. Modifying firewall rules. Wiping logs. Killing EDR agents. Tampering with conditional access policies.

This is not stealth. This is active sabotage.

And it works devastatingly well against endpoint-centric and software-dependent security architectures. If your defense depends on an agent running on a device, an attacker with elevated privileges can kill it. If your defense depends on firewall rules, an attacker with the right access can modify them. If your defense depends on logs, an attacker can wipe them.

The impair-then-attack sequence is now standard in sophisticated breach playbooks. The security tools go silent first. By the time anyone notices, the window is gone.
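As an added illustration (not PacketViper's code and not part of the original post), a small detector that flags the Impair Defenses behaviours named above in constructed Windows event log lines: the Security log being cleared (event 1102), Defender real-time protection being disabled (event 5001), and a security-agent service entering the stopped state (event 7036). The sample events, the service watchlist and the alert shape are assumptions; the event IDs are the real Windows ones.

```python
import json
import re
from collections import Counter

# Constructed sample events (not real telemetry), one JSON object per line in the
# shape a SIEM forwarder might emit. The Windows event IDs themselves are real.
SAMPLE_EVENTS = [
    '{"host": "ws-01", "channel": "Security", "event_id": 1102, "subject": "j.doe", "message": "The audit log was cleared."}',
    '{"host": "ws-01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "subject": "SYSTEM", "message": "Real-time protection is disabled."}',
    '{"host": "ws-02", "channel": "System", "event_id": 7036, "subject": "SYSTEM", "message": "The Print Spooler service entered the stopped state."}',
    '{"host": "ws-02", "channel": "System", "event_id": 7036, "subject": "SYSTEM", "message": "The Sysmon64 service entered the stopped state."}',
    '{"host": "ws-03", "channel": "Security", "event_id": 4624, "subject": "a.smith", "message": "An account was successfully logged on."}',
    'garbage line the forwarder should never have sent',
]

# Assumed watchlist of security-agent service names; tune it to what is deployed.
SECURITY_SERVICES = {"Sysmon", "Sysmon64", "WinDefend", "Sense"}
SERVICE_STOPPED = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")


def classify(event):
    """Map one parsed event to an Impair Defenses indicator name, or None."""
    channel, event_id = event.get("channel", ""), event.get("event_id")
    if channel == "Security" and event_id == 1102:
        return "security_log_cleared"             # Security log wiped
    if channel.endswith("Windows Defender/Operational") and event_id == 5001:
        return "realtime_protection_disabled"     # Defender real-time protection off
    if channel == "System" and event_id == 7036:
        m = SERVICE_STOPPED.match(event.get("message", ""))
        if m and m.group("svc") in SECURITY_SERVICES:
            return "security_service_stopped:" + m.group("svc")  # agent killed
    return None


def detect(lines):
    """Parse JSON lines and return one alert dict per event that matches a rule."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than let it stall the pipeline
        indicator = classify(event)
        if indicator:
            alerts.append({"host": event.get("host"), "subject": event.get("subject"), "indicator": indicator})
    return alerts


def hosts_to_escalate(alerts):
    """Hosts with two or more impairment indicators: the impair-then-attack sequence described above."""
    counts = Counter(a["host"] for a in alerts)
    return sorted(h for h, n in counts.items() if n >= 2)
```

Run against the sample lines, ws-01 produces two alerts and is the host to escalate first; the Print Spooler stop and the ordinary logon produce nothing.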

The answer to Impair Defenses is architecture, not more software. Security that has no agent to kill. No software process to terminate. No management interface to compromise. A transparent inline layer that the attacker cannot see, cannot modify, and cannot disable because it is physically in the traffic path with hardware bypass that operates independently of the software stack above it.

You cannot impair what you cannot find. You cannot kill what has no process.

Why This Framework Change Matters Right Now

MITRE splitting Defense Evasion into Stealth and Impair Defenses is not just taxonomy. It is a signal about how attacks actually work in 2026.

Sophisticated attackers do both. They move quietly and they kill your defenses before they move loudly. These are sequential phases of the same operation, and they require different defensive answers.

Most security architectures were designed to answer one or the other. Detection tools answer Stealth. Hardening and patching answer Impair Defenses. Neither is enough on its own because attackers do not limit themselves to one phase.

The architecture question v19 is really asking: does your security posture hold up when an attacker is simultaneously trying to stay invisible and actively trying to dismantle your defenses?

Most do not. The ones that do were designed from the ground up to assume both problems exist at the same time.

April 28 is when the map gets redrawn officially. The territory has looked like this for a while.

Francesco Trama is the founder of PacketViper.