Impact
Definition
Impact is the harm or potential harm caused by a security incident. It describes what changes for the worse once an attacker’s actions take effect. Impact can show up in technical systems, business operations, people’s lives, or an organization’s reputation. It is how we answer the question, “So what?” after we discover that an incident has occurred.

In cybersecurity, impact is often described using the confidentiality, integrity, and availability (CIA) model.

* Confidentiality impact means information is exposed to people who should not see it.
* Integrity impact means data or systems are altered in a way that is unauthorized or incorrect.
* Availability impact means systems or data are unavailable or unreliable when needed.

Concrete examples of impact include:

* Customer records are stolen and posted online. This affects confidentiality and can lead to fraud or identity theft.
* A database is modified by an attacker so that financial numbers are wrong, but nothing is visibly broken. This affects integrity and can mislead decision makers.
* A hospital’s critical systems are locked by ransomware. This affects availability and can delay patient care.

Impact is not only technical. It also includes:

* Financial loss, such as ransom payments, recovery costs, legal fees, and lost revenue during downtime.
* Reputational harm when customers, partners, or the public lose trust in the organization.
* Legal and regulatory consequences if the incident violates privacy laws, industry rules, or contract obligations.
* Safety risks if compromised systems control physical equipment, medical devices, or industrial processes.

During incident response, understanding impact is essential for prioritization. Teams need to know which systems are affected, which data is at risk, who is harmed, and how badly. A minor incident with low impact may require limited response and documentation. A high impact incident may require full escalation, executive involvement, public communication, and long-term changes to security controls.

Impact also drives business decisions about risk. Organizations compare the potential impact of a threat with the cost of defenses. If a possible incident could severely disrupt operations or expose sensitive data, leaders are more likely to invest in stronger protections, training, and monitoring. In this way, impact sits at the center of risk assessment, incident response, and long-term security planning.

In the context of MITRE ATT&CK, **Impact** is a tactic that describes what attackers do to disrupt, damage, or manipulate systems and data after they have gained access. It focuses on the final outcomes of an attack, not how the attacker got in. Impact answers the question: “What effect does the attacker want to have on the victim’s environment?”

In MITRE ATT&CK for Enterprise, Impact is listed as its own tactic at the end of the attack chain (tactic ID TA0040). It covers techniques that affect the availability, integrity, or confidentiality of systems and data. These are actions that change how the victim operates, often in ways the victim immediately feels.

Examples of Impact techniques in MITRE ATT&CK include:

* **Data Encrypted for Impact**: Ransomware and other methods that encrypt data so users cannot access it
* **Data Destruction**: Wiping or corrupting files, databases, or systems so they cannot be recovered easily
* **Service Stop or Inhibit System Recovery**: Stopping services or disabling backups to make recovery harder
* **Defacement**: Changing websites, applications, or content to send a message or damage reputation
* **Resource Hijacking**: Using victim resources, such as compute power, for cryptocurrency mining or other purposes
* **Account Access Removal**: Locking out legitimate users to disrupt operations

Relative to the rest of MITRE ATT&CK, Impact:

* Comes after earlier tactics such as Initial Access, Execution, Persistence, Privilege Escalation, and Exfiltration
* Represents the attacker achieving their end goal, such as extortion, disruption, or sabotage
* Often maps directly to business-level consequences, such as downtime, financial loss, and safety risks

For blue teamers, mapping activity to the Impact tactic helps:

* Distinguish between “preparation” or “movement” by the attacker and actions that cause real damage
* Prioritize incident response when they see behaviors that fall under Impact techniques
* Communicate clearly with leadership by linking technical actions (for example, encryption or wiping) to business outcomes such as system outages or data loss