TA0107: Inhibit Response Function
The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
Inhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike Evasion, Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. Adversaries may use these techniques to follow through with or provide cover for Impact techniques.
Analyst context for executives and security teams
Inhibit Response Function is an ICS tactic where an adversary tries to stop safety, protection, quality assurance, or operator intervention functions from responding when a process reaches a failure, hazard, or unsafe state. For leaders, the significance is not just cyber disruption: this behavior targets the safeguards that prevent equipment damage, production disruption, and potential life-safety consequences.
Executive priority
Treat this as a high-consequence operational resilience concern for ICS environments. Leaders should ask whether critical safeguards are independently validated, whether changes to logic/devices/communications are governed and auditable, and whether incident response plans account for scenarios where alarms, interlocks, or operator responses may not behave as expected. This tactic is especially relevant to risk ownership, compliance evidence, safety assurance, and cyber-physical incident decision-making.
Technical view
ATT&CK provides no specific detection text, platforms, or relationship context for this tactic, so SOC, detection engineering, and IR teams should validate coverage around the classes of activity described: modification or replacement of system logic, manipulation of programs/devices/communications, denial-of-service that prevents expected responses, and conditions where reporting appears normal while dormant prevention functions have been altered. Testing should focus on whether safety/protection/quality/operator-response functions are monitored as control-critical assets, not only whether production systems are available.
Likely telemetry
- Change records and audit trails for control logic, programs, device configuration, and safety/protection functions
- Engineering workstation and controller activity logs where available
- ICS network communications showing changes, blocked communications, or denial-of-service conditions affecting response paths
- Alarm, event, and historian data that can show whether expected alarms or responses occurred during abnormal states
- Operator action logs and intervention records
Detection direction
- Validate whether dormant safety and protection functions are checked for integrity, because normal reporting may not prove that response functions will work during a hazardous condition.
- Correlate configuration or logic changes with alarm/event behavior and maintenance authorization records to separate approved engineering work from suspicious safeguard inhibition.
- Look for gaps where monitoring focuses on process visibility but not on the ability of safeguards to execute a response.
- Include denial-of-service or communication disruption scenarios that could prevent alarms, protection actions, or operator intervention.
- Because ATT&CK provides no official detection guidance for this tactic, tune detections using local process knowledge, approved change windows, safety requirements, and known maintenance procedures.
Mitigation priorities
- Prioritize governance and independent review for changes to logic, programs, devices, and communications that support safety, protection, quality assurance, or operator intervention.
- Maintain trusted baselines for safeguard-related configurations and validate them periodically, especially for functions that are normally dormant.
- Ensure incident response and operations playbooks include cyber-physical scenarios where alarms or protective responses may be suppressed or unavailable.
- Segment and protect systems and communications that enable response functions, with special attention to availability and authorized engineering access.
- Use tabletop and controlled validation exercises to confirm that expected safeguards still respond under defined unsafe or failure conditions.
Analyst notes and limits
This object is a tactic, not a specific technique, so it provides strategic intent rather than implementation detail. The key defensive decision is whether the organization can prove that safeguard functions remain trustworthy, not merely that ICS monitoring appears normal. Coverage should be assessed jointly by security, engineering, operations, and safety stakeholders.
No official detection field, platforms, aliases, labels, or relationship context were supplied. The take therefore avoids claims about specific technologies, adversaries, exploitation, or guaranteed detections. Local asset architecture, safety design, engineering procedures, and available ICS telemetry are required to turn this into actionable detection and control requirements.
Inhibit Response Function
The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
Inhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike Evasion, Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. Adversaries may use these techniques to follow through with or provide cover for Impact techniques.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9c6fd3c0d120… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack TA0107Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.