DET0729: Detection of Loss of Availability
Analyst context for executives and security teams
DET0729 is an ICS ATT&CK detection strategy for recognizing Loss of Availability: disruption of essential components or systems that prevents an owner/operator from delivering products or services. For executives, the practical issue is not just a security alert; it is whether the organization can quickly distinguish a cyber-driven outage from routine operational failure and make safe continuity decisions.
Executive priority
Treat this as an operational resilience and incident decision-making priority. Leaders should ask whether SOC, OT operations, incident response, and business continuity teams share evidence and escalation criteria for availability loss. The business value is proving that the organization can detect service-impacting disruption early enough to support safe operations, customer/service communications, recovery prioritization, and audit-ready evidence of response readiness.
Technical view
The ATT&CK object provides no official detection text, platforms, or tactics, so validation should be anchored to its only documented relationship: it detects ICS technique T0826, Loss of Availability. SOC and IR teams should confirm they can correlate cyber and operational signals that show essential components or systems are unavailable, degraded, deleted, encrypted, unreachable, or unable to support delivery of products or services. Detection engineering should avoid relying on a single IT alert and instead validate cross-functional triage with OT/operations context.
Likely telemetry
- Operational availability and service health indicators for essential ICS components or systems
- Alarms or event records showing component/system unavailability, degradation, or failure to deliver expected function
- Endpoint or host evidence where applicable for HMIs, workstations, or databases referenced in the related technique description
- Database, file, or application evidence indicating critical data deletion, encryption, or inaccessibility where such systems are in scope
- Network reachability and connectivity evidence between operational systems and supporting services
Detection direction
- Validate whether availability-loss alerts are mapped to business-critical processes, not only individual devices or hosts.
- Tune for correlation across operational alarms, system health, endpoint/file/database indicators, and network reachability where those data sources exist.
- Define false-positive handling for maintenance windows, equipment faults, environmental issues, and planned shutdowns; these can resemble malicious loss of availability.
- Confirm escalation paths between SOC, OT operators, IR, and business continuity teams when availability loss affects delivery of products or services.
- Because MITRE provides no official detection logic for DET0729, use local process criticality and recovery objectives to decide alert severity and response thresholds.
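One way to implement the cross-source correlation and maintenance-window suppression described above, as an added example that is not part of the ATT&CK object or of Glexia's analysis; the asset-to-process map, maintenance windows, telemetry families and sample events are all constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str   # telemetry family: ops_alarm, host, network, database
    asset: str
    detail: str

# Constructed (hypothetical) asset -> business-critical process map; None = not critical
CRITICAL_PROCESS = {"hmi-01": "line-A", "plc-07": "line-A", "hist-db": "line-A", "eng-ws-02": None}

# Constructed maintenance windows: (asset, start, end); events inside are expected outages
MAINTENANCE = [("plc-07", datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))]

def in_maintenance(asset: str, ts: datetime) -> bool:
    return any(a == asset and start <= ts <= end for a, start, end in MAINTENANCE)

def correlate(events, window=timedelta(minutes=15), min_sources=2):
    """One finding per critical process whose availability signals are corroborated by
    >= min_sources distinct telemetry families inside `window`; single alerts never fire."""
    by_process = {}
    for ev in sorted(events, key=lambda e: e.ts):
        proc = CRITICAL_PROCESS.get(ev.asset)
        if proc is None or in_maintenance(ev.asset, ev.ts):
            continue                            # not business-critical, or planned outage
        by_process.setdefault(proc, []).append(ev)
    findings = []
    for proc, evs in by_process.items():
        for anchor in evs:                      # slide the window forward from each event
            cluster = [e for e in evs if anchor.ts <= e.ts <= anchor.ts + window]
            sources = {e.source for e in cluster}
            if len(sources) >= min_sources:
                findings.append({"process": proc, "first_seen": anchor.ts,
                                 "sources": sorted(sources),
                                 "assets": sorted({e.asset for e in cluster})})
                break                           # one finding per process is enough to escalate
    return findings

# Constructed sample events for a single shift
SAMPLE_EVENTS = [
    Event(datetime(2024, 5, 1, 3, 0), "ops_alarm", "plc-07", "comms lost"),            # maintenance
    Event(datetime(2024, 5, 1, 9, 0), "ops_alarm", "hmi-01", "HMI unresponsive"),
    Event(datetime(2024, 5, 1, 9, 5), "host", "hmi-01", "HMI runtime service stopped"),
    Event(datetime(2024, 5, 1, 9, 10), "network", "hist-db", "historian unreachable"),
    Event(datetime(2024, 5, 1, 9, 12), "database", "hist-db", "historian tables missing"),
    Event(datetime(2024, 5, 1, 12, 0), "host", "eng-ws-02", "disk full"),              # not critical
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single line-A finding backed by four telemetry families, while the maintenance-window alarm and the non-critical workstation event are dropped.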
Mitigation priorities
- Prioritize identification of essential components, systems, data stores, and services whose loss would interrupt operations.
- Ensure monitoring and incident response procedures cover both cyber indicators and operational availability evidence.
- Maintain tested backup, restoration, and recovery processes for critical data and systems where deletion or encryption could drive loss of availability.
- Document maintenance windows, expected outages, and operational dependencies so detection teams can reduce noise without suppressing real incidents.
- Exercise joint SOC/OT/IR/business continuity response for availability-loss scenarios to validate decision rights and evidence collection.
Analyst notes and limits
This take is based on ATT&CK detection strategy DET0729 and its relationship to ICS technique T0826, Loss of Availability. The most important defensive value is readiness to recognize and triage service-impacting disruption in an ICS context. Local architecture, process criticality, and available telemetry will determine what detection content is practical.
The supplied ATT&CK object has no official description, official detection guidance, tactics, platforms, aliases, or labels. Recommendations are therefore conservative and relationship-driven. This does not establish active exploitation, attribution, specific affected platforms, or guaranteed detection coverage.
Detection of Loss of Availability
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0826 | Loss of Availability | This object detects Loss of Availability. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c36960aa2508… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack DET0729 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.