MITRE ATT&CK® Tactic

TA0112: Defense Impairment

The adversary is trying to break security mechanisms, pipelines, and tooling so defenders can’t see or trust what’s happening.

Defense Impairment consists of techniques that degrade, disable, or undermine the effectiveness and trustworthiness of security controls and monitoring mechanisms. These techniques are characterized by direct interference with defensive systems. The goal is to reduce defenders’ ability to detect, interpret, or respond to adversary activity.

Enterprise | TA0112 | Tactic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Defense Impairment matters because it targets the organization’s ability to know what is happening during an incident. The tactic covers adversary behavior that degrades, disables, or undermines security controls, monitoring mechanisms, pipelines, and tooling, reducing defender visibility and trust in the evidence used for response decisions.

Executive priority

Treat this as a resilience and assurance issue, not only a SOC issue. Leaders should ask whether critical security tooling, alert pipelines, and monitoring controls are protected, monitored, and independently verifiable. The business risk is that an incident may continue longer or be misjudged if defenders cannot trust logs, alerts, or control status. This tactic also affects audit and compliance readiness because evidence quality depends on the integrity and availability of monitoring mechanisms.

Technical view

ATT&CK lists this as an enterprise tactic; the supplied object carries no platforms, techniques, detections, or relationships. SOC, detection engineering, and IR teams should therefore validate the defensive architecture around security controls and telemetry pipelines broadly: whether control health is monitored, whether logging/alerting degradation is detected, whether responders can verify the integrity of security tooling, and whether incident procedures account for impaired visibility.

Likely telemetry

  • Security tool health and availability status
  • Alert pipeline delivery and processing status
  • Logging pipeline collection, forwarding, and ingestion status
  • Configuration and policy change records for defensive tools
  • Administrative access and change activity affecting security mechanisms

Detection direction

  • Validate that the SOC can detect degradation or disabling of defensive systems, not just endpoint or network events.
  • Baseline expected telemetry volume and alert flow so sudden drops, gaps, or processing failures are investigated rather than ignored.
  • Tune detections to distinguish authorized maintenance or control changes from unexpected impairment of monitoring or security mechanisms.
  • Ensure incident responders have alternate ways to confirm control status when primary tooling or pipelines may be untrusted.
  • Because no official ATT&CK detection text or relationships were supplied, detection logic must be derived from local tooling, architecture, and change-management evidence.
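An added example (not Glexia's or MITRE's code) of the baseline-and-gap check described in the second and third bullets above: it assumes a per-source hourly event-count feed from the logging pipeline and a list of change-managed maintenance windows, both constructed here as sample input.

```python
from statistics import median

# Constructed sample: hourly event counts per log source (hour -> count).
# "edr" stops reporting after hour 7, "fw" collapses at hour 9, and "dc"
# dips at hour 5 during a change-managed maintenance window.
SAMPLE = {
    "edr": {0: 1200, 1: 1180, 2: 1250, 3: 1210, 4: 1190, 5: 1230, 6: 1220, 7: 1205},
    "fw": {**{h: 5000 + (h % 3) * 40 for h in range(9)}, 9: 310, 10: 280},
    "dc": {0: 800, 1: 790, 2: 810, 3: 805, 4: 795, 5: 60, 6: 800, 7: 810,
           8: 790, 9: 805, 10: 800},
}
# Constructed authorized maintenance windows: (source, first_hour, last_hour).
MAINTENANCE = [("dc", 5, 5)]


def baseline(history, window=6):
    """Median of the trailing `window` counts; a single dip or spike cannot skew it."""
    return median(history[-window:])


def check_source(name, counts, now, drop_ratio=0.25, maint=MAINTENANCE):
    """Return a finding for `name` at hour `now`, or None when volume looks normal."""
    history = [counts[h] for h in sorted(counts) if h < now]
    if len(history) < 3:
        return None  # too little history to baseline against
    if any(s == name and a <= now <= b for s, a, b in maint):
        return None  # change-managed outage: suppress the alert, keep the record
    base = baseline(history)
    if now not in counts:
        return f"{name}: GAP at hour {now} (no data; baseline {base:.0f}/h)"
    if counts[now] < base * drop_ratio:
        return f"{name}: DROP at hour {now} ({counts[now]} vs baseline {base:.0f}/h)"
    return None


def run_checks(sources=SAMPLE, last_hour=10):
    """Evaluate every source for every hour up to `last_hour`; return all findings."""
    findings = []
    for name, counts in sources.items():
        for hour in range(last_hour + 1):
            finding = check_source(name, counts, hour)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

A silent source (GAP) and a collapsed source (DROP) are reported separately because they usually have different causes: a stopped agent or forwarder versus a filter, quota, or policy change upstream.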

Mitigation priorities

  • Prioritize protection and monitoring of security controls, monitoring mechanisms, and telemetry pipelines as critical infrastructure for incident response.
  • Restrict and review administrative access that can change, disable, or degrade defensive tooling.
  • Implement operational checks that confirm logging, alerting, and control enforcement remain functional after changes or outages.
  • Maintain response procedures for degraded visibility, including escalation paths and independent verification of key security evidence.
  • Use tabletop or readiness exercises to test whether teams can recognize and respond when defensive systems cannot be fully trusted.

Analyst notes and limits

This tactic is newly represented in the supplied ATT&CK data as TA0112 Defense Impairment, focused on adversary interference with defensive systems and defender trust. The most useful Glexia decision point is whether the organization can prove its detection and response fabric remains available, trustworthy, and monitored during an incident.

The supplied object includes no platforms, no official detection guidance, no associated techniques, and no relationship context. This take therefore avoids platform-specific claims and requires local environment evidence to determine actual exposure, control coverage, and telemetry availability.

Official MITRE ATT&CK definition

Defense Impairment

The adversary is trying to break security mechanisms, pipelines, and tooling so defenders can’t see or trust what’s happening.

Defense Impairment consists of techniques that degrade, disable, or undermine the effectiveness and trustworthiness of security controls and monitoring mechanisms. These techniques are characterized by direct interference with defensive systems. The goal is to reduce defenders’ ability to detect, interpret, or respond to adversary activity.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created: not shown
Modified: not shown
Raw hash: 468c292a30f0f316...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 468c292a30f0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack TA0112 (source URL link)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.