What Is DISARM?
DISARM (Disinformation Analysis and Risk Management) is a community-maintained framework modelled on MITRE ATT&CK. Where ATT&CK catalogues cyber adversary tactics and techniques, DISARM catalogues the tactics and techniques of influence operations — the playbook adversaries use to conduct coordinated information campaigns.
The Red framework (adversary perspective) is currently at version 2 and contains over 200 techniques organised into phases: Plan, Prepare, Execute, Assess.
Retelnist uses DISARM Red v2 as the tagging backbone for Layer A detection. Every narrative cluster we identify is tagged with the techniques observed in its amplification and production chain.
How DISARM Tagging Works
A single observed information operation might generate a tag cluster like this:
T0007— Identify Target AudienceT0023— Distort FactsT0047— Hashtag HijackingT0049.001— Flooding: Coordinated Inauthentic BehaviourT0084— Exploit Existing Narratives
This tag cluster tells an analyst not just what is happening, but how — enabling comparison across operations, historical pattern matching, and attribution to known actor profiles.
The Phase Structure
Plan
Techniques in the Plan phase cover target selection, objective setting, and strategic narrative design. These are rarely directly observable in real-time monitoring — they must be inferred from the shape of subsequent phases. Retelnist flags Plan-phase indicators in post-operation retrospective analysis.
Prepare
Preparation covers account creation, infrastructure setup, asset pre-positioning (seeded content, sockpuppet networks), and test amplification. These are detectable with sufficient platform coverage and velocity monitoring — we flag Prepare-phase indicators as early warning signals.
Execute
The Execute phase is where most detection work concentrates: content creation, narrative injection, amplification, response suppression, and cross-platform laundering. This is the phase where DISARM tagging is most granular and most immediately actionable.
Assess
The Assess phase covers adversarial measurement of their own operation's effectiveness. Detecting Assess-phase activity — adversaries running their own polls, monitoring sentiment, adjusting narrative strategy in real-time — is a strong indicator of a sophisticated, resourced actor.
Where DISARM Excels
DISARM's greatest strength is interoperability. When a Retelnist report tags a technique as T0049.001, a NATO StratCom analyst, a journalist from EU DisinfoLab, and a researcher at the Stanford Internet Observatory all understand exactly what that means. Shared vocabulary reduces translation overhead and enables cross-organisational collaboration.
Its second strength is completeness as a technique catalogue. Over 200 techniques across four phases represents genuine community effort to systematise observed adversary behaviour. No proprietary taxonomy comes close.
Where DISARM Falls Short
DISARM does not measure effect. It is a detection and description framework, not a measurement framework. A set of DISARM tags tells you what techniques were used; it says nothing about whether those techniques succeeded.
This is precisely the gap that Retelnist's Layer B (V(x,t) measurement) fills. DISARM tagging tells us the adversary used hashtag hijacking and coordinated flooding. V(x,t) measurement tells us whether that flooding actually moved sentiment in the target population.
The combination is the capability. Neither layer alone is sufficient for operational decision-making.
DISARM in the EEAS-FIMI Format
The European External Action Service's FIMI (Foreign Information Manipulation and Interference) reporting format explicitly references DISARM techniques in its incident taxonomy. Retelnist reports are natively EEAS-FIMI compatible — a practical requirement for EU institutional clients.
If you are a StratCom unit or government department that needs FIMI-format reporting, Retelnist can generate structured EEAS outputs directly from our detection pipeline.