Mitigation

Mitigation is the action taken to reduce the likelihood or impact of a security problem when risk cannot simply be ignored.

Mitigation is the process of reducing how likely a security problem is to happen or how much damage it can cause. In plain language, it means taking practical steps that make a weakness less dangerous, a threat harder to realize, or an incident easier to contain.

Why It Matters

Mitigation matters because teams often cannot remove every problem immediately. A permanent fix may require a software release, an infrastructure change, a contract change, or an operational window that is not immediately available. Mitigation gives organizations a way to reduce exposure while they work toward the longer-term solution.

It also matters because security is often about reducing harm rather than waiting for perfect conditions. Good mitigation can buy time, reduce blast radius, and prevent a known issue from becoming a major incident.

Where It Appears in Real Systems or Security Workflow

Mitigation appears in vulnerability response, architecture review, exception handling, incident containment, and project planning. Teams may apply temporary access restrictions, monitoring, segmentation, stronger authentication requirements, or process changes to reduce exposure while a full remediation is being prepared.

It also appears in risk communication. Security leaders often need to explain what has already been mitigated, what remains unaddressed, and whether the current controls are sufficient for continued operation.

Practical Example

A business-critical server cannot be patched immediately because a vendor dependency must be tested first. To mitigate the risk, the team removes unnecessary network access, restricts admin logins, increases monitoring around the service, and schedules the patch for the earliest safe maintenance window.

Common Misunderstandings and Close Contrasts

Mitigation is not always the same as full remediation. A mitigation reduces danger, but it may not eliminate the underlying issue, which remains open until the real fix lands. That is why teams should be careful not to confuse temporary containment with a completed fix.

It is also different from a broad Security Control. A security control is a category of safeguard. Mitigation is the specific act of using controls or operational changes to reduce a particular risk in context.