MITRE has released the scheduled ATT&CK Matrix v19 update

📊 Analytics, 2026-04-28, 17:19
It’s a major release that significantly reshapes the familiar Enterprise matrix. The headline change is the long-awaited split of the Defense Evasion tactic.
Defense Evasion has been divided into two tactics and then deprecated.
  1. Stealth (TA0005) — behavior where an attacker hides and attempts to blend malicious activity into “normal” operations. Security tools keep running but fail to detect the threat.
  2. Defense Impairment (TA0112) — behavior aimed at disrupting security mechanisms: disabling, shutting down, altering or deleting logs, modifying logging processes, impacting MFA, and so on.
The split is based on attacker intent. Some techniques appear in both tactics since real-world actions aren’t always clear-cut.
The most visible structural change is “T1562: Impair Defenses revoked.” T1562, T1562.001, and T1562.006 have been merged into a new parent technique, T1685: Disable or Modify Tools, while the remaining sub-techniques have been reassigned new IDs.
To assist migration, MITRE published a crosswalk in JSON and CSV.
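As an added example (not MITRE's tooling or code from the original post), the sketch below shows how a detection team might retag rules against such a crosswalk. The crosswalk field names (`old_id`, `new_id`, `change`) and the sample rules are assumptions constructed for illustration; only the three T1562 mappings stated above are included, and any other revoked sub-technique is flagged for manual lookup rather than guessed.

```python
import json

# Constructed crosswalk excerpt. Field names are assumptions for this example,
# not the schema of MITRE's published file; only the three mappings named in
# the article are included.
CROSSWALK_JSON = """[
  {"old_id": "T1562",     "new_id": "T1685", "change": "merged"},
  {"old_id": "T1562.001", "new_id": "T1685", "change": "merged"},
  {"old_id": "T1562.006", "new_id": "T1685", "change": "merged"}
]"""

# Parent techniques the article says were revoked. Their remaining
# sub-techniques have new IDs that must come from the real crosswalk.
REVOKED_PARENTS = {"T1562"}

# Constructed detection rules tagged with pre-v19 technique IDs.
RULES = [
    {"name": "AV service stopped", "techniques": ["T1562.001"]},
    {"name": "Indicator blocking", "techniques": ["T1562.006", "T1562"]},
    {"name": "Firewall rule changed", "techniques": ["T1562.004"]},
    {"name": "LSASS access", "techniques": ["T1003.001"]},
]

def migrate_rule(rule, crosswalk):
    """Return (retagged_rule, unresolved_ids) for one detection rule."""
    mapping = {row["old_id"]: row["new_id"] for row in crosswalk}
    new_ids, unresolved = [], []
    for tid in rule["techniques"]:
        if tid in mapping:
            target = mapping[tid]
        elif tid.split(".")[0] in REVOKED_PARENTS:
            unresolved.append(tid)  # revoked but unmapped here: do not guess
            continue
        else:
            target = tid  # not affected by the loaded crosswalk rows
        if target not in new_ids:  # merged IDs collapse into a single tag
            new_ids.append(target)
    return {**rule, "techniques": new_ids}, unresolved

def migrate_all(rules=RULES, crosswalk_json=CROSSWALK_JSON):
    """Retag every rule; each result is (retagged_rule, unresolved_ids)."""
    crosswalk = json.loads(crosswalk_json)
    return [migrate_rule(r, crosswalk) for r in rules]

if __name__ == "__main__":
    for new_rule, unresolved in migrate_all():
        print(new_rule["name"], new_rule["techniques"], "UNRESOLVED:", unresolved)
```

Rules that end up with an empty technique list and a non-empty unresolved list are the ones whose coverage mapping would silently break after the upgrade.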
AI and Social Engineering
New techniques have been added to reflect current realities:
  1. T1682: Query Public AI Services — using public AI services for reconnaissance and attack planning.
  2. T1683: Generate Content with sub-techniques “Written Content” and “Audio-Visual Content” — content generation (manually, via intermediaries, or with AI assistance).
  3. T1684: Social Engineering — a new parent technique covering manipulation through any communication channel (email, voice, helpdesk, messengers). Impersonation and Email Spoofing are now its sub-techniques.
MITRE’s approach focuses on behavior rather than specific tools. AI makes attacks faster and cheaper, but the underlying actions remain the same.
Other Domains
  1. ICS — sub-techniques have finally arrived. Five parent techniques were restructured: Modify Firmware, Block Communications, Remote System Discovery, Program Download, and the new Insecure Credentials.
  2. Mobile — Detection Strategies are now included here as well. Each strategy is vendor-agnostic, with separate analytics for Android and iOS.