diff --git a/NEWS b/NEWS index 9d2c25dba4..96f86230a8 100644 --- a/NEWS +++ b/NEWS @@ -45,6 +45,16 @@ New Functionality For further details on the framework and examples, please refer to the Zeek documentation. +- Introduce a global ``disabling_analyzer()`` hook to allow vetoing calls + to ``disable_analyzer()``. + + The contract is simple: Any script can veto a ``disable_analyzer()`` call by + breaking from this hook. The decision is local to the script taking into + account any state attached to the connection or state stored elsewhere. + A script breaking from the hook takes over responsibility to call + ``disable_analyzer()`` at a later point when it finds the condition due + to which it vetoed fulfilled (which may be never). + Changed Functionality --------------------- diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index cd1914cea3..2651537acd 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -585,8 +585,9 @@ type fa_metadata: record { }; ## A hook taking a connection, analyzer tag and analyzer id that can be -## used to veto disabling analyzers. This hook is invoked synchronously -## during a :zeek:see:`disable_analyzer` call. +## used to veto disabling analyzers. Specifically, an analyzer can be prevented +## from being disabled by using a :zeek:see:`break` statement within the hook. +## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call. ## ## Scripts implementing this hook should have other logic that will eventually ## disable the analyzer for the given connection. That is, if a script vetoes
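Review bot: In the NEWS hunk, the closing sentence of the new entry ("when it finds the condition due to which it vetoed fulfilled (which may be never)") is hard to parse. It also reads as permitting a veto with no follow-up, while the doc comment in scripts/base/init-bare.zeek says implementing scripts should have other logic that will eventually disable the analyzer. Suggest rewording to something like "once the condition that caused the veto has been met", and either dropping the parenthetical or stating that an analyzer vetoed this way stays attached until the vetoing script disables it. The entry would also benefit from naming the hook's arguments (connection, analyzer tag, analyzer id), as the doc comment does, so readers of NEWS know what state a handler can base its decision on.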
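Review bot: In the scripts/base/init-bare.zeek hunk, the added sentence marks up ``break`` with the same :zeek:see: role that the next line uses for ``disable_analyzer``. ``break`` is a statement, not a script-level identifier, so please confirm the cross-reference resolves in the generated docs; if it does not, a plain literal is enough. The NEWS entry also says any script can veto by breaking from the hook, so it would help to state here, next to the sentence about preventing the disable, that one handler breaking is enough to keep the analyzer enabled regardless of what other handlers decide.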