
What Is Mitigation in Cybersecurity? | NOC.org

What Is Mitigation?

In cybersecurity, mitigation refers to the actions taken to reduce the severity, impact, or likelihood of a security threat. Mitigation does not always eliminate the threat entirely — it reduces it to an acceptable level of risk. When a vulnerability is discovered, a patch may not be immediately available. When an attack is underway, stopping it at the source may not be possible. In these situations, mitigation strategies are what keep systems operational and data protected while a full resolution is developed.

Mitigation is a core concept in risk management. Every organization faces threats that cannot be fully eliminated, and mitigation is the practical discipline of reducing exposure until a complete fix — remediation — can be applied.

Types of Mitigation

Mitigation strategies vary depending on the type of threat being addressed. Here are the most common forms:

DDoS Mitigation

Distributed denial-of-service (DDoS) attacks overwhelm a target with traffic to make it unavailable. DDoS mitigation involves detecting the attack, distinguishing legitimate traffic from malicious traffic, and absorbing or filtering the attack volume. This is typically handled by an upstream provider or a CDN with built-in DDoS protection that can absorb attack traffic at the network edge before it reaches the origin server. Techniques include rate limiting, IP reputation filtering, challenge pages (CAPTCHAs), geographic filtering, and traffic scrubbing.

Vulnerability Mitigation

When a software vulnerability is discovered, the ideal response is to apply a patch. But patches are not always available immediately — zero-day vulnerabilities, legacy systems, and complex dependency chains can delay remediation. Vulnerability mitigation fills the gap with compensating controls: WAF rules that block the specific exploit pattern, configuration changes that disable the vulnerable feature, network segmentation that limits exposure, or access restrictions that reduce the number of users who can trigger the vulnerability.

WAF Rules and Virtual Patching

A web application firewall (WAF) is one of the most important mitigation tools for web applications. Virtual patching is the practice of deploying WAF rules that block exploitation of a known vulnerability before the underlying code is patched. When a new CVE is published for a CMS plugin, for example, a virtual patch can be deployed within hours to block the specific attack pattern — protecting all sites behind the WAF while site owners schedule their updates. Virtual patching does not fix the vulnerability; it mitigates the risk of exploitation.

Configuration Hardening

Many threats can be mitigated through tighter configurations rather than code changes. Disabling directory listing, removing default admin accounts, restricting file upload types, enforcing HTTPS, and applying security headers all reduce the attack surface without modifying application code. These are mitigation measures that reduce the likelihood and impact of exploitation.
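To make the header part of this concrete, here is an added example (not NOC.org code) that audits a response's headers against a hardening baseline and reports what is missing, weak or leaking. Both the "before" and "after" header sets are constructed, and the baseline is a set of widely used hardening requirements chosen for this illustration, not a NOC.org standard.

```python
"""Added example, not NOC.org code: audit a response's headers against a
hardening baseline. Both header sets are constructed, and the baseline reflects
widely used hardening guidance; treat the exact requirements as assumptions."""

# Baseline: header name -> predicate that the value must satisfy.
HARDENING_BASELINE = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "Referrer-Policy": lambda v: bool(v.strip()),
}

# Headers that reveal software versions and should be removed from responses.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By")


def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, satisfied in HARDENING_BASELINE.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not satisfied(value):
            findings.append(f"weak: {name}={value!r}")
    for name in DISCLOSURE_HEADERS:
        if name.lower() in lower:
            findings.append(f"disclosure: {name}={lower[name.lower()]!r}")
    return findings


# Constructed 'before' response: default server setup, nothing hardened.
WEAK_RESPONSE = {
    "Server": "Apache/2.4",
    "X-Powered-By": "PHP/7.4",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # obsolete directive
}

# Constructed 'after' response with the hardening applied.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "baseline met")
```

Running it against the weak response lists seven findings (five baseline headers missing or weak, two version-disclosure headers present); the hardened response produces none. Checks like this belong in a deployment pipeline so that a configuration change that silently drops a header is caught before it reaches production.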

Network-Level Mitigation

Network-level mitigation includes firewall rules, IP blocklists, rate limiting, geographic restrictions, and traffic filtering. These controls are applied at the network perimeter to block known malicious sources, limit request volumes, and prevent reconnaissance. While they do not address application-level vulnerabilities, they reduce the overall volume of malicious traffic that reaches the application.
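The rate limiting and IP blocklisting named here and in the DDoS section above are simple to show in code. The following is an added example (not NOC.org code): a per-client sliding-window rate limiter combined with a blocklist, run over a constructed stream of requests from one ordinary visitor, one flooding client and one already-blocked source. The addresses, paths, thresholds and record layout are assumptions chosen for illustration.

```python
"""Added example, not NOC.org code: a per-client sliding-window rate limiter
plus an IP blocklist, run over a constructed request stream. The IPs, paths,
thresholds and record layout are assumptions chosen for illustration."""
from collections import defaultdict, deque

# Constructed traffic records: (timestamp in seconds, client IP, request path).
SAMPLE_REQUESTS = (
    # one ordinary visitor, three requests spread over nine seconds
    [(0.0, "203.0.113.7", "/"), (4.0, "203.0.113.7", "/about"), (9.0, "203.0.113.7", "/contact")]
    # one flooding client, twenty requests inside two seconds
    + [(1.0 + i * 0.1, "203.0.113.50", "/login") for i in range(20)]
    # one source already on the blocklist
    + [(2.0, "198.51.100.99", "/admin"), (3.0, "198.51.100.99", "/admin")]
)
SAMPLE_REQUESTS.sort(key=lambda r: r[0])

BLOCKLIST = {"198.51.100.99"}  # assumed known-bad address (constructed)


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window` seconds."""

    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self.history = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now):
        q = self.history[client]
        # drop timestamps that have aged out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def filter_traffic(requests, blocklist, limiter):
    """Return one verdict per request: allow, drop:blocklist or drop:rate_limit."""
    verdicts = []
    for ts, ip, path in requests:
        if ip in blocklist:
            verdicts.append((ts, ip, path, "drop:blocklist"))
        elif not limiter.allow(ip, ts):
            verdicts.append((ts, ip, path, "drop:rate_limit"))
        else:
            verdicts.append((ts, ip, path, "allow"))
    return verdicts


def summarize(verdicts):
    """Count verdicts so the effect of the controls can be read at a glance."""
    counts = defaultdict(int)
    for _ts, _ip, _path, verdict in verdicts:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    decisions = filter_traffic(SAMPLE_REQUESTS, BLOCKLIST, SlidingWindowLimiter(10, 5.0))
    for ts, ip, path, verdict in decisions:
        print(f"{ts:5.1f}s {ip:15} {path:10} {verdict}")
    print(summarize(decisions))
```

With a limit of 10 requests per 5 seconds, the visitor's three requests pass, the flooding client gets its first ten through and the next ten dropped, and both requests from the blocklisted source are dropped before the limiter is consulted. Two caveats worth keeping in mind: a distributed flood spreads across many addresses that each stay under the per-source threshold, which is why the page points to upstream scrubbing for volumetric attacks, and many legitimate users share one address behind NAT, so dropped requests should be logged and thresholds tuned against real traffic before they are enforced.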

Mitigation vs. Remediation

Mitigation and remediation are complementary but different strategies:

  • Mitigation reduces the impact or likelihood of a threat. It is a temporary or compensating measure applied when a full fix is not yet possible. Example: deploying a WAF rule to block a specific SQL injection pattern while the development team prepares a code fix.
  • Remediation eliminates the threat at its source. It is the permanent fix. Example: patching the vulnerable code so the SQL injection flaw no longer exists.

In practice, mitigation is often the first response — it buys time and reduces risk immediately. Remediation follows as the long-term solution. A mature security program uses both: mitigation for speed and remediation for completeness. Relying only on mitigation without ever remediating leaves the underlying vulnerability in place. Waiting for remediation without mitigating in the meantime leaves systems exposed during the gap.
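The SQL injection example in the list above, together with the virtual patching described earlier, can be shown end to end. The following is an added example (not NOC.org code): the vulnerable string-built query, a WAF-style virtual patch placed in front of it as the mitigation, and the parameterised query as the remediation. The users table, the `name` parameter and the rule pattern are constructed for this illustration.

```python
"""Added example, not NOC.org code: one SQL injection flaw handled first by a
WAF-style virtual patch (mitigation) and then by a parameterised query
(remediation). The users table, the `name` parameter and the rule pattern are
constructed for this illustration."""
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# The 'before' code: the query is built by string formatting, so the value of
# `name` is interpreted as SQL. This is the flaw the mitigation has to cover.
def lookup_user_vulnerable(conn, name):
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Mitigation: a virtual patch in front of the still-vulnerable code. The rule
# (constructed) is narrow on purpose: a quote followed by a SQL keyword or a
# comment marker, checked only on the one parameter known to be exploitable.
VIRTUAL_PATCH = re.compile(r"'\s+(or|and|union)\b|'\s*--", re.IGNORECASE)


def handle_request_mitigated(conn, params):
    """Returns ('blocked', []) when the rule fires, else ('allowed', rows)."""
    name = params.get("name", "")
    if VIRTUAL_PATCH.search(name):
        return "blocked", []  # a WAF would answer 403 here; nothing reaches the app
    return "allowed", lookup_user_vulnerable(conn, name)  # the flaw is still present


# Remediation: bind the value as a parameter; the flaw no longer exists and the
# virtual patch can be retired.
def lookup_user_fixed(conn, name):
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook injection string used as a test input
    print("vulnerable :", lookup_user_vulnerable(db, probe))  # every row comes back
    print("mitigated  :", handle_request_mitigated(db, {"name": probe}))
    print("remediated :", lookup_user_fixed(db, probe))  # nothing matches
```

The three calls make the page's distinction visible: the vulnerable function returns every row for the probe, the mitigated path refuses the request but leaves the code unchanged, and the fixed function treats the probe as a literal name and matches nothing. The rule is deliberately narrow and will miss variants that change spacing or encoding, which is exactly why a virtual patch is a stopgap: blocked requests should be logged so the team can see whether the flaw is being probed, and the rule retired once the code fix ships.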

When to Use Mitigation

Mitigation is the right approach when:

  • A patch is not yet available (zero-day or newly disclosed vulnerability).
  • Patching requires downtime that cannot be scheduled immediately.
  • Legacy systems cannot be updated without significant rework.
  • An attack is actively underway and must be stopped before root cause analysis is complete.
  • The risk is accepted but must be reduced to a tolerable level through compensating controls.
