What Is a Cyber Kill Chain: Stages of an Attack and Defensive Use
A comprehensive guide to the Cyber Kill Chain framework—its seven stages from reconnaissance to actions on objectives, how defenders use it, and its relationship to MITRE ATT&CK.
What Is the Cyber Kill Chain?
The Cyber Kill Chain is a framework developed by Lockheed Martin in 2011 that models the stages of a targeted cyberattack as a sequential series of steps the adversary must complete to achieve their objectives. Adapted from the military concept of a "kill chain"—a chain of decisions and actions required to neutralize a target—the cyber model describes seven phases from initial reconnaissance through final impact. The framework is used by defenders to understand attack progression, identify defensive opportunities at each stage, measure the maturity of defensive controls, and develop intelligence-driven defenses that disrupt adversary campaigns before they reach their objectives.
The Seven Stages of the Cyber Kill Chain
| Stage | Description | Adversary Actions | Defender Opportunity |
|---|---|---|---|
| 1. Reconnaissance | Gathering intelligence on the target before the attack | OSINT gathering; LinkedIn employee enumeration; DNS/WHOIS lookup; scanning public-facing infrastructure; social media profiling | Minimize public attack surface; monitor for scanning; detect credential exposure |
| 2. Weaponization | Creating a deliverable malicious payload | Pairing exploit with malware (e.g., malicious macro document, exploit-laden PDF); building C2 infrastructure; registering lookalike domains | Limited direct opportunity; threat intel on attacker tooling; study of TTPs |
| 3. Delivery | Transmitting the weapon to the target environment | Spear-phishing email; watering hole attack; infected USB; supply chain compromise; web exploitation | Email filtering; anti-phishing training; web proxy; removable media controls |
| 4. Exploitation | Triggering the exploit to execute malicious code | Exploiting browser/document/OS vulnerability; user executes attachment; macro execution; server-side exploitation | Patch management; application whitelisting; exploit mitigation (ASLR, DEP); EDR |
| 5. Installation | Establishing persistent access on the target | Dropping malware to disk; registry run keys; scheduled tasks; DLL hijacking; service installation | EDR behavioral detection; file integrity monitoring; least privilege; anti-persistence controls |
| 6. Command and Control (C2) | Establishing communication channel back to attacker infrastructure | HTTPS/HTTP beaconing; DNS tunneling; domain generation algorithm (DGA); use of legitimate cloud services for C2 | DNS filtering; network anomaly detection; egress filtering; SSL inspection; threat intel-based blocking |
| 7. Actions on Objectives | Achieving the attack's final goal | Data exfiltration; ransomware deployment; sabotage; lateral movement to secondary targets; credential harvesting | Data loss prevention; network segmentation; encryption; backup integrity; SIEM/UEBA alerting |
How the Kill Chain Framework Helps Defenders
The Kill Chain's most important insight for defenders is that an attacker must successfully complete every stage in sequence. Disrupting the adversary at any point—breaking the chain—prevents the final objective from being achieved. This shifts the defensive perspective from purely reactive (detect and respond to the final breach) to proactive and layered: defenders who detect and disrupt delivery, exploitation, or C2 stages prevent the attacker from ever reaching data exfiltration. This concept is sometimes expressed as "defenders need only succeed once per stage; attackers must succeed at every stage."
Applying the Kill Chain to Threat Intelligence
Threat intelligence teams use Kill Chain analysis to understand adversary campaigns by mapping observed technical indicators (file hashes, IPs, domains, TTPs) to specific stages. When defenders detect an activity, they can assess how far along the chain the adversary has progressed, prioritize response efforts accordingly, and use intelligence about earlier-stage indicators to hunt proactively for related activity. The framework also enables communication between technical teams and executive stakeholders, providing a narrative structure ("the attacker was detected and disrupted at the installation phase before achieving any data access") that is more meaningful than raw technical details.
Limitations of the Cyber Kill Chain
The original Kill Chain framework has several acknowledged limitations:
- Linear assumption: Real-world attacks are rarely perfectly sequential. Sophisticated adversaries may iterate, loop back, or operate multiple chains in parallel. The framework does not model intra-network lateral movement well.
- Insider threat inadequacy: The Kill Chain is designed around external intrusions. Insider threats may skip reconnaissance and delivery stages entirely, entering directly at exploitation or installation.
- Cloud and SaaS attack paths: Attacks targeting cloud environments, identity providers, or SaaS applications may not map cleanly to the original seven stages.
- Attacker perspective only: The Kill Chain describes what attackers do but does not comprehensively map to defensive capabilities or organizational controls in the way more modern frameworks do.
The Kill Chain vs. MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a more detailed and comprehensive framework that has largely supplemented the Kill Chain for threat intelligence and purple team exercises. ATT&CK documents specific adversary techniques (over 600 unique techniques across 14 tactics as of ATT&CK v14) with real-world attribution, detection guidance, and mitigation recommendations. The Kill Chain's value lies in its simplicity and communication utility; ATT&CK's value lies in granular technical detail for detection engineering and threat intelligence analysis.
| Framework | Developer | Granularity | Best Use Case |
|---|---|---|---|
| Cyber Kill Chain | Lockheed Martin | 7 high-level stages | Executive communication; broad campaign analysis; defensive investment planning |
| MITRE ATT&CK | MITRE Corporation | 14 tactics; 600+ techniques | Detection engineering; threat intelligence; red/purple team exercises |
| Diamond Model | Caltagirone, Pendergast, Betz | 4 core features (adversary, capability, infrastructure, victim) | Threat intelligence pivoting; campaign attribution |
| Unified Kill Chain | Paul Pols | 18 phases | Combines Kill Chain and ATT&CK coverage including lateral movement |
Defensive Use in Security Operations
Mature security operations centers use the Kill Chain as an overlay for measuring detection coverage: for each stage, they assess which security controls provide visibility and which gaps exist. A "kill chain heat map" maps each control (SIEM rules, EDR, DLP, proxy, email gateway) to the stage it detects, revealing blind spots. Exercises like red team engagements and purple team workshops test whether controls actually detect simulated adversary actions at each stage, driving iterative improvement in detection engineering and response playbooks.
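As an added example (not code from the original article), the script below ties together the two ideas above: assessing how far along the chain an adversary has progressed from stage-tagged alerts, and building a kill chain heat map that reveals which stages no control covers. The control inventory, its stage mapping, and the alerts are constructed assumptions for illustration, not facts from the page.

```python
# The seven stages, in the order the article lists them.
STAGES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed control inventory (assumption): which stages each control
# gives visibility into. Replace with your own estate's controls.
CONTROLS = {
    "email_gateway": ["Delivery"],
    "web_proxy": ["Delivery", "Command and Control"],
    "edr": ["Exploitation", "Installation"],
    "dns_filtering": ["Command and Control"],
    "dlp": ["Actions on Objectives"],
    "siem_ueba": ["Actions on Objectives"],
}

def coverage_heatmap(controls):
    """Return {stage: [controls covering it]} for every stage, gaps included."""
    heat = {stage: [] for stage in STAGES}
    for control, stages in controls.items():
        for stage in stages:
            heat[stage].append(control)
    return heat

def blind_spots(controls):
    """Stages with no control providing visibility: the gaps a heat map reveals."""
    return [stage for stage, covering in coverage_heatmap(controls).items() if not covering]

def campaign_progress(alerts):
    """Given alerts tagged with a stage, return the deepest stage reached and the
    earlier stages that raised no alert (where hunting for related activity starts)."""
    seen = {a["stage"] for a in alerts}
    deepest = max((STAGE_INDEX[s] for s in seen), default=-1)
    silent = [s for s in STAGES[:max(deepest, 0)] if s not in seen]
    return (STAGES[deepest] if deepest >= 0 else None, silent)

# Constructed sample alerts from a hypothetical incident (assumption).
SAMPLE_ALERTS = [
    {"source": "email_gateway", "stage": "Delivery"},
    {"source": "edr", "stage": "Installation"},
]

if __name__ == "__main__":
    for stage, covering in coverage_heatmap(CONTROLS).items():
        print(f"{stage:24s} {'#' * len(covering) or '-':4s} {', '.join(covering)}")
    print("Blind spots:", blind_spots(CONTROLS))
    print("Campaign:", campaign_progress(SAMPLE_ALERTS))
```

With the sample data the heat map shows no visibility into the first two stages, and the incident is judged to have reached Installation with Exploitation going undetected, which is the gap to investigate.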