TLDR: MITRE ATT&CK v19 splits the Defense Evasion tactic into two new tactics, adds 37 new software entries, and now tracks 178 threat groups and 59 campaigns. If your detection rules or purple team exercises reference Defense Evasion, they need updating.
How well do you actually know the playbook your security team maps threats against?
If your answer is "we use ATT&CK," that's a good start. But the framework just went through its most significant structural change in years. MITRE released ATT&CK v19 on April 28, 2026. If you don't update how you reference it, your threat models, detection rules, and risk reports will quietly fall out of alignment with the rest of the industry.
What's Happening
One of the largest changes took place in the Enterprise matrix. The Defense Evasion tactic has been split into two separate tactics: Stealth (TA0005) and Defense Impairment (TA0112).
That's not a cosmetic rename. It reflects a real distinction in how attackers operate. Some techniques are about hiding. Others are about breaking your ability to detect anything at all. Lumping them together made it harder for defenders to prioritize. Enterprise ATT&CK now contains 15 Tactics, 222 Techniques, and 475 Sub-Techniques.
Why It Matters to You
Every detection rule, report, and coverage map that references "Defense Evasion" now needs to point to one of two places. MITRE published transition guidance in March 2026. This isn't optional maintenance. It's structural.
Think of it like a hospital splitting "Emergency Services" into "Trauma" and "Urgent Care." Same building, same staff, but patients get routed to the right place faster. Stealth covers techniques where attackers avoid being noticed: obfuscated files, execution guardrails, process injection, and indicator removal. Your tools run normally; the attacker just stays out of sight. Defense Impairment covers techniques where attackers actively break your defenses: disabling firewalls, tampering with your infrastructure, and killing endpoint protection. Your tools aren't missing the attacker. They've been sabotaged. That difference matters for triage: a Defense Impairment hit means every alert you did not get afterwards is suspect, while a Stealth hit means your sensors are still trustworthy and you can pivot on them.
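To make the distinction concrete, here is an added example (mine, not code from the article or from MITRE) of detection logic run over a handful of constructed Windows events. The event IDs are real Windows ones (1102 audit log cleared, 4719 audit policy changed, Defender 5001 real-time protection disabled, 7036 service stopped); the placement of techniques into the two tactics follows the article's description (indicator removal under Stealth, Impair Defenses under Defense Impairment) and is an assumption about the v19 mapping, not MITRE's published list. The list of security service names is likewise an assumption you would replace with your own.

```python
"""Triage Windows events into the two tactics that replaced Defense Evasion.

Added example, not from the article or MITRE. Event IDs are real Windows ones;
the technique-to-tactic assignments follow the article's description and are an
assumption, not MITRE's published v19 mapping.
"""
import re

# Constructed sample events (not real telemetry): (channel, event id, message).
SAMPLE_EVENTS = [
    ("Security", 1102, "The audit log was cleared. Subject: CORP\\jsmith"),
    ("Security", 4719, "System audit policy was changed. Subcategory: Process Creation"),
    ("Microsoft-Windows-Windows Defender/Operational", 5001, "Real-time protection is disabled."),
    ("System", 7036, "The Sysmon64 service entered the stopped state."),
    ("System", 7036, "The Print Spooler service entered the stopped state."),
    ("Security", 4688, "A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe"),
]

# Assumed list of services whose stop is worth treating as a defense being
# impaired; tune to the agents actually deployed in your estate.
SECURITY_SERVICES = {"sysmon", "sysmon64", "windefend", "sense", "csfalconservice"}

# T1070.001 (Clear Windows Event Logs) is indicator removal: the attacker hides
# what already happened, so it lands under Stealth in this example.
# T1562.* (Impair Defenses) breaks future detection, so it lands under Defense
# Impairment. Both placements are assumptions based on the article's wording.
def classify(channel, event_id, message):
    """Return (technique_id, tactic) for a suspicious event, or None."""
    if channel == "Security" and event_id == 1102:
        return ("T1070.001", "Stealth")
    if channel == "Security" and event_id == 4719:
        return ("T1562.002", "Defense Impairment")
    if channel.endswith("Windows Defender/Operational") and event_id == 5001:
        return ("T1562.001", "Defense Impairment")
    if channel == "System" and event_id == 7036:
        m = re.match(r"The (.+?) service entered the stopped state", message)
        if m and m.group(1).lower() in SECURITY_SERVICES:
            return ("T1562.001", "Defense Impairment")
    return None

def triage(events):
    """Group hits by tactic so Defense Impairment can be worked first."""
    hits = {"Stealth": [], "Defense Impairment": []}
    for channel, event_id, message in events:
        result = classify(channel, event_id, message)
        if result:
            technique, tactic = result
            hits[tactic].append((event_id, technique))
    return hits

if __name__ == "__main__":
    for tactic, items in triage(SAMPLE_EVENTS).items():
        print(f"{tactic}: {items}")
```

The point of splitting the output this way is the triage order: any Defense Impairment hit should be worked before the Stealth ones, because after it fires you can no longer trust the absence of other alerts from that host.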
The Stats
ATT&CK v19 now tracks 949 pieces of software, 178 threat groups, and 59 campaigns across all three domains. Enterprise carries the heaviest load with 222 techniques, 475 sub-techniques, and 821 tracked software tools. That's a substantial body of knowledge your team can map defenses against.
Mobile and ICS are growing fast. Mobile now covers 77 techniques across 126 software entries. ICS tracks 79 techniques, and this release adds sub-techniques to ICS for the first time, 18 of them. If your organization runs operational technology or has a mobile workforce, those domains deserve the same attention you give Enterprise.

ATT&CK doesn't add techniques based on speculation. It adds them based on observed real-world operations. The inclusion of "Generate Content" and "Query Public AI Services" means threat actors are already using these methods in the wild. Your adversaries are using the same AI tools your marketing team uses.
The detection side of the framework expanded significantly too. Enterprise alone now includes 697 detection strategies and 1,758 analytics. That's not just a list of threats. It's a catalog of specific ways to catch them. For a full breakdown of the changes from this release, check out MITRE's release notes.
New Threat Intelligence
This section was of real interest to me. v19 adds two new Enterprise groups, MirrorFace and VOID MANTICORE. MuddyWater received a major update to version 7.0, and APT-C-36 also received significant revisions. On the Mobile side, Kimsuky, MONSOON, Patchwork, and Stolen Pencil were added.

Four new campaigns entered the framework: 2025 Poland Wiper Attacks, Operation AkaiRyū, Operation Digital Eye, and a notable AI-orchestrated campaign. New techniques like "Generate Content" and "Query Public AI Services," along with "Social Engineering" (with email spoofing and impersonation sub-techniques), were added on the basis of documented operations, including ones in which attackers used AI tooling. That's a ton of CTI for your teams to reference, and it's at no cost to you.
What You Should Do
- Read the ATT&CK v19 release notes and bookmark the transition guidance for the Defense Evasion split.
- Search your detection rules and documentation for any reference to "Defense Evasion" and flag them for review.
- Update your ATT&CK coverage maps to reflect the Stealth and Defense Impairment split. Reassign existing detections to the correct new tactic.
- Review the new campaigns against your industry and region to determine relevance.
- If you run operational technology, alert your ICS team that sub-techniques have been added to ICS ATT&CK for the first time, with 18 new entries.
- Schedule a purple team exercise that tests your detection of Defense Impairment techniques. Can you detect when an attacker disables your logging or kills your endpoint agent?
- Evaluate your exposure to AI-driven social engineering using the new techniques as a framework for detection and awareness training.
- Update any board-level reports that reference ATT&CK tactic counts or coverage percentages. The numbers have changed.
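The second and third items above (find every "Defense Evasion" reference, then reassign it) are mechanical enough to script. What follows is an added example of mine, not code from the article or from MITRE, that remaps an ATT&CK Navigator layer. The layer shape (a `techniques` list of `techniqueID` / `tactic` shortname entries, with `defense-evasion` as the v18 shortname) is the real Navigator format; the table of which parent techniques go to which new tactic is an illustrative assumption drawn from the article's description, and the shortnames `stealth` and `defense-impairment` are assumed as well. Anything the table does not cover is deliberately left untouched and reported for manual review rather than guessed.

```python
"""Remap a Navigator layer's "defense-evasion" entries to the v19 tactics.

Added example, not from the article or MITRE. The Navigator layer format is the
real one; ASSUMED_NEW_TACTIC and the new tactic shortnames are assumptions drawn
from the article's description, not MITRE's transition guidance.
"""
import json

# Assumed: techniques the article describes as "hiding" go to Stealth (TA0005),
# those it describes as "breaking defenses" go to Defense Impairment (TA0112).
# Keyed by parent technique so sub-techniques inherit the parent's placement.
ASSUMED_NEW_TACTIC = {
    "T1027": "stealth",             # Obfuscated Files or Information
    "T1480": "stealth",             # Execution Guardrails
    "T1055": "stealth",             # Process Injection
    "T1070": "stealth",             # Indicator Removal
    "T1562": "defense-impairment",  # Impair Defenses
}

# Constructed sample layer, shaped like a Navigator export built against v18.
SAMPLE_LAYER = json.dumps({
    "name": "EDR coverage",
    "versions": {"attack": "18", "layer": "4.5"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1562.001", "tactic": "defense-evasion", "score": 100},
        {"techniqueID": "T1055.012", "tactic": "defense-evasion", "score": 50},
        {"techniqueID": "T1070.001", "tactic": "defense-evasion", "score": 100},
        {"techniqueID": "T1036.005", "tactic": "defense-evasion", "score": 0},
        {"techniqueID": "T1055.012", "tactic": "privilege-escalation", "score": 50},
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 100},
    ],
})

def remap_layer(layer_json):
    """Return (new_layer, needs_review).

    Entries under defense-evasion whose parent technique is in the table get the
    new tactic; the rest keep their old tactic and are listed for a human to
    place. Entries under other tactics (for example the privilege-escalation
    copy of T1055.012) are untouched, since the split only affects one tactic.
    """
    layer = json.loads(layer_json)
    needs_review = []
    for entry in layer["techniques"]:
        if entry["tactic"] != "defense-evasion":
            continue
        parent = entry["techniqueID"].split(".")[0]
        new_tactic = ASSUMED_NEW_TACTIC.get(parent)
        if new_tactic is None:
            needs_review.append(entry["techniqueID"])
            continue
        entry["tactic"] = new_tactic
    layer["versions"]["attack"] = "19"
    return layer, needs_review

def tactic_counts(layer):
    """Per-tactic entry counts, the numbers a coverage report would quote."""
    counts = {}
    for entry in layer["techniques"]:
        counts[entry["tactic"]] = counts.get(entry["tactic"], 0) + 1
    return counts

if __name__ == "__main__":
    new_layer, review = remap_layer(SAMPLE_LAYER)
    print(json.dumps(tactic_counts(new_layer), indent=2))
    print("manual review:", review)
```

Run the same pass over your Sigma or vendor rule tags once you have replaced the assumed table with MITRE's actual transition list, and treat anything that lands in the review list as a rule that needs a human decision, not a default.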
Bottom line: ATT&CK v19 gives defenders sharper categories, better real-world threat coverage, and formal acknowledgment that AI is now part of the attacker toolkit. The single most important thing you can do this week is update your coverage maps for the Defense Evasion split. Everything else builds from there.