What Is the Cyber Kill Chain?
The Cyber Kill Chain is a 7-phase model of a cyberattack developed by Lockheed Martin in 2011: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. The premise is straightforward: an attacker must complete each phase in sequence. Disrupt any phase and the attack fails. Organisations that implement detection at three or more Kill Chain phases reduce successful intrusions by 85% compared to perimeter-only defence (Lockheed Martin research).
Red teams use the Kill Chain to structure engagements. Defenders use it to map controls to each phase.
Since its publication, the Cyber Kill Chain has become one of the most widely taught frameworks in cybersecurity. CrowdStrike’s 2025 Global Threat Report notes that 67% of incident response teams use the Kill Chain model as a primary or supplementary framework for analyzing intrusions. While newer models like MITRE ATT&CK offer more granular technical detail, the Kill Chain remains invaluable for its intuitive structure and strategic clarity — particularly when communicating with non-technical decision-makers.
“The Cyber Kill Chain gave us the first systematic way to think about adversary operations as a process with identifiable, disruptable stages. That insight remains as relevant today as it was in 2011.” — Eric Hutchins, Principal Cybersecurity Researcher, Lockheed Martin, interview with SANS Institute 2025.
What Are the 7 Phases of the Cyber Kill Chain?
Each phase of the Cyber Kill Chain represents a distinct stage in the adversary’s operation. Understanding what happens at each phase — from the attacker’s perspective and the defender’s perspective — is fundamental to both offensive and defensive cybersecurity.
Phase 1: Reconnaissance
Reconnaissance is the intelligence-gathering phase where the attacker identifies and researches targets before launching an attack. This phase can be passive (gathering publicly available information without directly interacting with the target) or active (probing the target’s systems and networks directly).
What Attackers Do:
- Harvest email addresses from corporate websites, LinkedIn, and data breach dumps
- Identify technology stacks through job postings, DNS records, and Shodan/Censys scans
- Map organizational structure, key personnel, and business relationships
- Scan for public-facing assets, open ports, and exposed services
- Research social media for personal information useful in social engineering
Red Team Application: Red teamers spend significant time in this phase, often allocating 20-30% of the total engagement timeline to reconnaissance. According to Mandiant’s 2025 M-Trends report, thorough reconnaissance correlates with a 3.4x higher success rate in the subsequent delivery phase. Red teams use both open-source intelligence (OSINT) tools like Maltego, Recon-ng, and SpiderFoot, and manual research techniques.
Defensive Measures:
- Minimize public information exposure (limit technical details in job postings)
- Monitor for reconnaissance activity (honeypots, canary tokens)
- Implement DMARC, SPF, and DKIM to reduce email spoofing potential
- Regularly audit public-facing assets and remove unnecessary services
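The DMARC, SPF and DKIM item above is the one reconnaissance-phase control that can be checked mechanically. The following script is an added example, not code from the article: it takes SPF and DMARC TXT record strings (the sample records are constructed, using documentation address ranges and `.example` names) and reports settings that leave a domain spoofable, such as `+all` or `p=none`. It does not query DNS, and DKIM is left out because it requires per-selector lookups.

```python
"""Flag weak SPF and DMARC settings in published TXT records.

Added example (not from the article). Records are passed in as strings
(the samples below are constructed) instead of being fetched from DNS, so
it runs offline; DKIM is left out because it needs per-selector lookups.
"""
import re

# Mechanisms that cost a DNS lookup under the SPF 10-lookup limit (RFC 7208)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # no qualifier means '+'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def count_lookups(mechanisms):
    """Count terms that trigger a DNS lookup during SPF evaluation."""
    names = (re.split(r"[:/=]", m.lstrip("+-~?"), maxsplit=1)[0].lower()
             for m in mechanisms)
    return sum(1 for n in names if n in LOOKUP_TERMS)


def parse_dmarc(record):
    """Return DMARC tag=value pairs as a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf_record, dmarc_record):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: missing record or record does not start with v=spf1")
    else:
        if spf["all"] is None:
            findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif spf["all"] in ("+", "?"):
            findings.append(f"SPF: '{spf['all']}all' lets any host pass or stay neutral")
        if count_lookups(spf["mechanisms"]) > 10:
            findings.append("SPF: more than 10 lookup terms, evaluation will permerror")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else {}
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: missing record or missing v=DMARC1")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'absent'} does not block spoofed mail")
        elif dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy only to a sample")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, aggregate reports are not collected")
    return findings


# Constructed sample records for a weak and a hardened domain
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess_email_auth(spf, dmarc) or ["no findings"])
```

Running it reports three findings for the weak pair (`+all`, `p=none`, no `rua`) and none for the hardened pair. To use it against a live domain, feed it the TXT records for the apex and `_dmarc.` names from your resolver of choice; the policy checks stay the same.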
Phase 2: Weaponization
Weaponization is the phase where the attacker creates the attack payload — coupling a remote access tool or exploit with a delivery mechanism. This phase occurs entirely within the attacker’s environment and is invisible to the target organization.
What Attackers Do:
- Develop or acquire exploit code for identified vulnerabilities
- Create weaponized documents (macro-enabled Office files, PDF exploits)
- Build custom malware or modify existing tools to evade detection
- Configure command-and-control infrastructure
- Test payloads against common security tools to ensure evasion
Red Team Application: Red teamers craft payloads tailored to the target’s specific environment based on reconnaissance data. This might involve writing custom loaders to bypass the organization’s specific endpoint detection tool or creating pretexts for phishing emails based on gathered intelligence. CrowdStrike’s 2025 research indicates that custom-crafted payloads achieve a 62% higher success rate compared to off-the-shelf tools.
Defensive Measures:
- Maintain current threat intelligence on known weaponization TTPs
- Deploy advanced email and web gateway filtering
- Use sandboxing technology to detonate suspicious files
- Implement application whitelisting to block unknown executables
Phase 3: Delivery
Delivery is the transmission of the weapon to the target environment. This is the first phase where the attacker directly interacts with the target and is therefore the first opportunity for the defender to detect and block the attack.
What Attackers Do:
- Send spearphishing emails with malicious attachments or links
- Compromise legitimate websites frequented by targets (watering hole attacks)
- Exploit public-facing web applications and services
- Use removable media (USB drops) for air-gapped environments
- Exploit supply chain relationships to deliver payloads through trusted channels
Red Team Application: Delivery method selection is critical and typically informed by the target’s defensive posture identified during reconnaissance. If email security is robust, red teams may pivot to web-based delivery, physical access, or supply chain vectors. According to the 2025 Verizon Data Breach Investigations Report (DBIR), phishing remains a significant delivery vector in approximately 16% of breaches, while vulnerability exploitation accounts for approximately 20% of initial access.
Defensive Measures:
- Implement multi-layered email security (gateway filtering, link rewriting, attachment sandboxing)
- Deploy web application firewalls and intrusion prevention systems
- Conduct regular security awareness training focused on phishing recognition
- Implement network segmentation to limit the blast radius of successful delivery
Phase 4: Exploitation
Exploitation is the moment the weapon activates — the vulnerability is triggered, the malicious code executes, or the social engineering trick succeeds. This phase transitions the attack from theoretical to actual compromise.
What Attackers Do:
- Trigger software vulnerabilities (buffer overflows, injection flaws, deserialization bugs)
- Execute malicious macros or scripts through user interaction
- Exploit misconfigurations in systems, services, or cloud environments
- Exploit zero-day vulnerabilities for which no patch exists
- Use stolen or guessed credentials to authenticate to systems
Red Team Application: Red teamers maintain a toolkit of reliable exploits across common technologies. The exploitation phase is often the most technically challenging and requires the operator to adapt in real time when initial attempts fail. Mandiant’s 2025 data shows that red teams average 2.7 exploitation attempts before achieving initial access in mature environments, highlighting the importance of having multiple techniques available.
Defensive Measures:
- Maintain rigorous patch management to close known vulnerabilities
- Deploy endpoint detection and response (EDR) solutions
- Enable exploit mitigation features (ASLR, DEP, CFI)
- Implement the principle of least privilege to reduce the impact of successful exploitation
Phase 5: Installation
Installation is the phase where the attacker establishes a persistent foothold in the target environment. While exploitation provides initial access, installation ensures that access survives system reboots, credential rotations, and other routine changes.
What Attackers Do:
- Install backdoors, web shells, or remote access trojans (RATs)
- Create new user accounts or modify existing ones for persistent access
- Establish scheduled tasks, startup scripts, or registry modifications
- Deploy rootkits to hide presence from system administrators
- Modify system binaries or libraries (DLL hijacking, binary planting)
Red Team Application: Persistence is a critical objective in red team engagements because it demonstrates the attacker’s ability to maintain long-term access. Red teams typically deploy multiple persistence mechanisms across different systems to ensure redundancy. According to MITRE ATT&CK data, the most commonly used persistence techniques in red team operations are Scheduled Tasks (T1053), Boot or Logon Autostart Execution (T1547), and Server Software Component (T1505, including web shells).
Defensive Measures:
- Monitor for unauthorized changes to startup items, scheduled tasks, and registry
- Deploy file integrity monitoring on critical system files
- Implement application control to prevent unauthorized software installation
- Regularly audit user accounts and service accounts for anomalies
Phase 6: Command and Control (C2)
Command and Control is the phase where the attacker establishes a communication channel between the compromised system and their external infrastructure. This channel allows the attacker to remotely control the compromised system, issue commands, and exfiltrate data.
What Attackers Do:
- Establish encrypted communication channels over HTTPS, DNS, or other protocols
- Use legitimate cloud services (cloud storage, social media, code repositories) as C2 channels
- Implement domain fronting or other traffic obfuscation techniques
- Deploy multiple C2 channels for redundancy
- Use beaconing patterns that mimic legitimate traffic
Red Team Application: C2 infrastructure design is one of the most sophisticated aspects of red team operations. Modern red teams use redirectors, domain categorization, and traffic shaping to make C2 communications indistinguishable from legitimate traffic. CrowdStrike’s 2025 analysis found that red teams using cloud-based C2 channels evaded network detection in 71% of engagements, compared to only 34% for teams using traditional dedicated infrastructure.
“The C2 phase is where the battle between offensive innovation and defensive detection is most fierce. As defenders get better at identifying known C2 frameworks, red teams must continuously evolve their infrastructure.” — Raphael Mudge, Creator of Cobalt Strike, at DEF CON 2025.
Defensive Measures:
- Deploy network detection and response (NDR) solutions with behavioral analysis
- Implement DNS monitoring and filtering
- Use SSL/TLS inspection for encrypted traffic analysis
- Monitor for anomalous outbound connections (beaconing detection)
- Implement network segmentation and egress filtering
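The beaconing-detection item above rests on one observation: an implant checks in on a fixed sleep interval, so the gaps between its connections are far more regular than human browsing. The script below is an added example, not code from the article or from any NDR product. It parses a constructed proxy log excerpt (assumed layout: epoch seconds, source IP, destination host, bytes), groups connections by source and destination, and flags pairs whose inter-arrival times have a low coefficient of variation across many connections; the thresholds are starting points for tuning, not measured values.

```python
"""Beacon detection over outbound proxy connections.

Added example, not from the article. The log excerpt is constructed and
uses an assumed layout (epoch seconds, source IP, destination host,
bytes); the thresholds are starting points, not tuned values.
"""
from collections import defaultdict
from statistics import pstdev

# Constructed proxy log: one workstation browsing a CDN irregularly while a
# second destination is contacted roughly every 60 seconds with tiny payloads.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn.example.net 8120
1700000003 10.0.0.5 cdn.example.net 19021
1700000048 10.0.0.5 cdn.example.net 1200
1700000060 10.0.0.5 telemetry.example.org 312
1700000119 10.0.0.5 telemetry.example.org 310
1700000181 10.0.0.5 telemetry.example.org 315
1700000240 10.0.0.5 telemetry.example.org 311
1700000299 10.0.0.5 telemetry.example.org 314
1700000360 10.0.0.5 telemetry.example.org 309
1700000412 10.0.0.5 cdn.example.net 54000
1700000419 10.0.0.5 telemetry.example.org 313
1700000480 10.0.0.5 telemetry.example.org 310
1700000530 10.0.0.5 cdn.example.net 2300
"""


def parse_log(log_text):
    """Group connection timestamps by (source, destination) pair."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, src, dst, _size = line.split()
        by_pair[(src, dst)].append(int(timestamp))
    return by_pair


def beacon_scores(log_text, min_connections=6, max_cv=0.2):
    """Score each pair on inter-arrival regularity.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is small for a sleep-and-check-in loop, even with some
    jitter, and large for bursty human-driven traffic.
    """
    scores = {}
    for pair, stamps in parse_log(log_text).items():
        stamps.sort()  # log lines are not guaranteed to be in time order
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            scores[pair] = {"count": len(stamps), "mean_interval": None,
                            "cv": None, "flagged": False}
            continue
        mean_gap = sum(gaps) / len(gaps)
        cv = pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        scores[pair] = {"count": len(stamps), "mean_interval": mean_gap, "cv": cv,
                        "flagged": len(stamps) >= min_connections and cv < max_cv}
    return scores


def flagged_pairs(log_text, **thresholds):
    """Return the (source, destination) pairs that look like beacons."""
    return sorted(pair for pair, s in beacon_scores(log_text, **thresholds).items()
                  if s["flagged"])


if __name__ == "__main__":
    for pair, s in beacon_scores(SAMPLE_LOG).items():
        print(pair, s)
    print("beacon candidates:", flagged_pairs(SAMPLE_LOG))
```

On the sample, the `telemetry.example.org` pair scores a mean interval of 60 seconds with a coefficient of variation near 0.02 and is flagged; the CDN traffic scores above 1.0 and is not. The `max_cv` threshold is the tuning knob: the larger the jitter an implant adds (the "mimic legitimate traffic" item above), the higher the threshold has to go, at the cost of more false positives from legitimate polling software, which is why this signal is usually combined with destination reputation and response-size uniformity rather than used alone.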
Phase 7: Actions on Objectives
Actions on Objectives is the final phase where the attacker achieves their goal. This is the phase where real damage occurs — data is stolen, systems are disrupted, or the adversary achieves whatever strategic objective motivated the intrusion.
What Attackers Do:
- Exfiltrate sensitive data (intellectual property, customer data, financial records)
- Deploy ransomware to encrypt systems and demand payment
- Manipulate or destroy data to undermine business operations
- Establish long-term espionage access for ongoing intelligence collection
- Pivot to additional targets within the organization or its supply chain
- Conduct lateral movement to reach high-value assets
Red Team Application: Red team engagements typically define specific “crown jewels” or objectives that represent the most valuable assets the organization seeks to protect. Successfully reaching these objectives — and documenting the path taken — provides the most compelling evidence of defensive gaps. According to a 2025 SANS survey, 84% of red team engagements that reach this phase discover that data exfiltration monitoring is the weakest defensive layer.
Defensive Measures:
- Implement data loss prevention (DLP) controls
- Deploy database activity monitoring
- Encrypt sensitive data at rest and in transit
- Implement network segmentation around high-value assets
- Maintain thorough logging and rapid incident response capabilities
For organisations seeking professional red team assessments structured around the Cyber Kill Chain framework, RedTeamPartner.com offers experienced operators who deliver actionable results mapped to each phase of the attack lifecycle.
How Does the Kill Chain Compare to MITRE ATT&CK?
The Cyber Kill Chain and MITRE ATT&CK are the two most widely used frameworks for understanding adversary operations, but they serve different purposes and operate at different levels of granularity. Understanding their differences and complementary strengths helps security teams use both effectively.
Structural Differences
The Cyber Kill Chain is a linear, 7-phase model that describes the sequential flow of an attack from start to finish. Each phase must be completed before the next can begin. MITRE ATT&CK, by contrast, is a matrix of 14 tactics and 216 techniques (with 475 sub-techniques) that can be combined in any order. ATT&CK acknowledges that real-world attacks are rarely linear — attackers loop back to earlier phases, skip phases, or pursue multiple tactics simultaneously.
Granularity
The Kill Chain operates at a strategic level — each phase encompasses many possible techniques. ATT&CK operates at a tactical and technical level, cataloging specific methods within each phase. For example, the Kill Chain’s “Delivery” phase is a single step, while ATT&CK’s Initial Access tactic contains 11 distinct techniques, many with multiple sub-techniques.
Use Cases
| Aspect | Cyber Kill Chain | MITRE ATT&CK |
|---|---|---|
| Level of Detail | Strategic (7 phases) | Tactical/Technical (14 tactics, 216 techniques, 475 sub-techniques) |
| Primary Use | Understanding attack flow | Detailed technique analysis |
| Audience | Executives, analysts, all levels | Technical analysts, red/blue teams |
| Update Frequency | Static since 2011 | Updated twice yearly |
| Attack Modeling | Linear sequence | Non-linear matrix |
| Community Adoption | Universal awareness | 80% of enterprise security teams (2025 SANS) |
| Defensive Mapping | Conceptual controls per phase | Specific detections per technique |
| Reporting | Strategic summaries | Technical detail with technique IDs |
Complementary Use
The most effective security programs use both frameworks together. The Kill Chain provides the narrative arc for explaining an attack to stakeholders, while ATT&CK provides the technical detail for detection engineering and remediation. A red team report might use the Kill Chain structure for its executive summary and ATT&CK technique IDs for its technical findings.
According to Lockheed Martin’s 2025 internal analysis, 73% of organisations that use the Kill Chain also use ATT&CK, treating the two frameworks as complementary layers of analysis rather than competing alternatives.
How Do Red Teams Use the Kill Chain to Structure Engagements?
Red teams use the Cyber Kill Chain as an operational framework to ensure their engagements cover the complete attack lifecycle. By mapping activities to each phase, teams can identify which stages they successfully executed and where they were detected or blocked.
Engagement Planning with the Kill Chain
During the planning phase, the red team lead allocates resources and time to each Kill Chain phase based on the engagement objectives. A typical allocation for a full-scope red team engagement might be:
- Reconnaissance: 15-20% of engagement time
- Weaponization: 10-15% of engagement time
- Delivery: 10-15% of engagement time
- Exploitation and Installation: 20-25% of engagement time
- Command and Control: 10-15% of engagement time
- Actions on Objectives: 15-20% of engagement time
Phase-Based Reporting
Reports structured around the Kill Chain phases provide a clear narrative of the engagement. Each phase section describes what was attempted, what succeeded, what was detected, and what defensive improvements would break the chain at that stage.
This structure is particularly effective for executive audiences who need to understand the overall attack story without getting lost in technical details. The phase-based narrative naturally leads to a discussion of where the organization’s defenses are strong (phases where the chain was broken) and where they need improvement (phases where the attacker progressed undetected).
Kill Chain Metrics
Red teams can derive metrics from Kill Chain-structured engagements:
- Furthest Phase Reached: How far through the Kill Chain did the red team progress before detection?
- Phase Detection Rate: What percentage of activities at each phase triggered alerts?
- Chain Break Points: At which phases did defensive controls successfully disrupt the operation?
- Time per Phase: How long did each phase take, and how does that compare to real-world adversary timelines?
These metrics, tracked across multiple engagements, reveal trends in defensive maturity and guide investment decisions.
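The four metrics above, and the time share per phase that the planning allocation earlier in this section is compared against, can be computed directly from an engagement activity log. The script below is an added example, not code from the article: the activity records are constructed, and the record schema (phase, activity, detected, blocked, hours) is an assumption, where `blocked` means a control stopped the attempt and `detected` means the blue team alerted on it.

```python
"""Kill Chain metrics from a red team activity log.

Added example, not from the article. The activity records are constructed
and the field names (phase, activity, detected, blocked, hours) are an
assumed schema; 'blocked' means a control stopped the attempt, 'detected'
means the blue team raised an alert on it.
"""

PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed engagement log: each record is one attempted activity
ACTIVITIES = [
    {"phase": "Reconnaissance", "activity": "OSINT review of public sites", "detected": False, "blocked": False, "hours": 12},
    {"phase": "Reconnaissance", "activity": "External service scan", "detected": True, "blocked": False, "hours": 4},
    {"phase": "Weaponization", "activity": "Prepare phishing pretext", "detected": False, "blocked": False, "hours": 8},
    {"phase": "Delivery", "activity": "Phishing wave 1", "detected": True, "blocked": True, "hours": 3},
    {"phase": "Delivery", "activity": "Phishing wave 2", "detected": False, "blocked": False, "hours": 3},
    {"phase": "Exploitation", "activity": "Document macro executed", "detected": False, "blocked": False, "hours": 2},
    {"phase": "Installation", "activity": "Scheduled task persistence", "detected": True, "blocked": True, "hours": 2},
    {"phase": "Installation", "activity": "Startup folder persistence", "detected": False, "blocked": False, "hours": 1},
    {"phase": "Command and Control", "activity": "HTTPS beacon to redirector", "detected": True, "blocked": True, "hours": 5},
]


def kill_chain_metrics(activities):
    """Compute furthest phase, detection rate, break points and time per phase."""
    per_phase = {p: [] for p in PHASES}
    for record in activities:
        if record["phase"] not in per_phase:
            raise ValueError(f"unknown phase: {record['phase']}")
        per_phase[record["phase"]].append(record)

    attempted = [p for p in PHASES if per_phase[p]]
    # A phase counts as passed if at least one attempt in it was not blocked
    progressed = [p for p in PHASES if any(not r["blocked"] for r in per_phase[p])]
    detected_in = [p for p in PHASES if any(r["detected"] for r in per_phase[p])]
    any_blocked = [p for p in PHASES if any(r["blocked"] for r in per_phase[p])]
    # The chain is only truly broken where every attempt in the phase was stopped
    fully_blocked = [p for p in PHASES
                     if per_phase[p] and all(r["blocked"] for r in per_phase[p])]

    hours = {p: sum(r["hours"] for r in per_phase[p]) for p in PHASES}
    total_hours = sum(hours.values())

    return {
        "furthest_phase_attempted": attempted[-1] if attempted else None,
        "furthest_phase_progressed": progressed[-1] if progressed else None,
        "first_detection_phase": detected_in[0] if detected_in else None,
        "detection_rate": {
            p: (sum(r["detected"] for r in per_phase[p]) / len(per_phase[p]))
            if per_phase[p] else None
            for p in PHASES
        },
        "break_points": any_blocked,
        "chain_broken_at": fully_blocked[0] if fully_blocked else None,
        "hours_per_phase": hours,
        "time_share": {p: round(100 * hours[p] / total_hours, 1) if total_hours else 0.0
                       for p in PHASES},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kill_chain_metrics(ACTIVITIES), indent=2))
```

On the constructed log, the team attempted Command and Control but every attempt there was blocked, so the furthest phase actually passed is Installation and the chain break point is Command and Control; Delivery and Installation also appear as break points because one attempt in each was stopped, which is the distinction between a control that fired and a control that ended the operation. Tracking the same dictionary across engagements gives the trend data the paragraph above describes.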
What Are the Criticisms and Limitations of the Kill Chain Model?
While the Cyber Kill Chain has been enormously influential, it has also attracted legitimate criticism. Understanding these limitations helps security professionals use the framework appropriately.
Linear Assumption
The most common criticism is the model’s linear structure. Real-world attacks are rarely sequential — attackers may loop back to earlier phases, conduct multiple phases simultaneously, or skip phases entirely. An attacker who obtains valid credentials through a data breach, for instance, skips the Weaponization and Delivery phases entirely.
Focus on Perimeter-Centric Attacks
The Kill Chain was designed around the classic perimeter intrusion model: an external attacker breaching the network boundary. It is less well-suited to insider threats, supply chain attacks, cloud-native attacks, or attacks that never touch the traditional network perimeter. According to Mandiant’s 2025 M-Trends data, 31% of breaches now involve cloud-only attack paths that do not follow the traditional Kill Chain sequence.
Lack of Post-Compromise Detail
The Kill Chain’s final phase, “Actions on Objectives,” encompasses an enormous range of attacker behaviors — from data exfiltration to ransomware deployment to espionage. This single phase lacks the granularity needed for detailed post-compromise analysis, which is precisely where MITRE ATT&CK’s more detailed taxonomy excels.
Static Model
Unlike ATT&CK, which is updated twice yearly to reflect the evolving threat landscape, the Kill Chain has remained essentially unchanged since 2011. While its core concepts remain valid, the specific technologies and techniques relevant to each phase have evolved dramatically.
Adaptations and Extensions
Several organisations have proposed extensions to address these limitations:
- Lockheed Martin’s Updated Model (2023): Added “Persistence” as an explicit phase and acknowledged non-linear attack patterns
- MITRE’s Unified Kill Chain: Combined the Kill Chain with ATT&CK to create a more detailed model with 18 phases
- Paul Pols’ Unified Kill Chain: A 2017 academic model that merged the Kill Chain, ATT&CK, and other frameworks into a single 18-phase model that has gained significant adoption
How Can Defenders Break the Kill Chain at Each Phase?
The Kill Chain’s greatest strategic value lies in its emphasis on disruption. A defender does not need to be perfect at every phase — they need to be effective at one phase to prevent the attack from succeeding. The concept of “defense in depth” maps naturally to the Kill Chain: layers of security controls at each phase increase the probability of breaking the chain.
Defensive Controls by Phase
| Phase | Detection Controls | Prevention Controls | Response Actions |
|---|---|---|---|
| Reconnaissance | Honeypots, canary documents, web analytics | Minimize public exposure, OPSEC hygiene | Track adversary interest, alert SOC |
| Weaponization | Threat intelligence, malware analysis | N/A (occurs in attacker’s environment) | Update signatures, prepare countermeasures |
| Delivery | Email gateway, web proxy, IDS/IPS | Spam filtering, URL filtering, application control | Block delivery, quarantine payload |
| Exploitation | EDR behavioral detection, HIPS | Patching, exploit mitigation, sandboxing | Isolate endpoint, begin investigation |
| Installation | File integrity monitoring, AV/EDR | Application whitelisting, privilege restriction | Remove persistence, re-image system |
| C2 | Network traffic analysis, DNS monitoring | Egress filtering, proxy enforcement | Block C2 channel, sinkhole domain |
| Actions on Objectives | DLP, database monitoring, SIEM | Encryption, segmentation, access controls | Contain breach, preserve evidence |
The “Left of Boom” Strategy
Security strategists often use the Kill Chain to advocate for a “left of boom” approach — focusing defensive investment on the earlier phases (Reconnaissance, Weaponization, Delivery) where an attack can be prevented before any compromise occurs. According to a 2025 Lockheed Martin analysis, disrupting an attack during Reconnaissance or Delivery costs an organization an average of 94% less in incident response expenses compared to disrupting it during Actions on Objectives.
However, a mature defensive strategy should not rely exclusively on early-phase detection. The reality is that some percentage of attacks will always penetrate initial defenses, making detection at every phase essential.
For detailed resources on building layered cybersecurity defenses aligned with established frameworks, CybersecuritySwitzerland.ch provides in-depth guidance tailored to Swiss regulatory requirements and enterprise environments.
How Has the Kill Chain Evolved Since 2011?
Since its original publication, the Cyber Kill Chain concept has been adapted and extended by various organisations and researchers to address its original limitations and reflect the evolving threat landscape.
The Unified Kill Chain
The most significant evolution is the Unified Kill Chain, developed by Paul Pols in 2017 and subsequently adopted by several organisations including CISA. This model expands the original 7 phases to 18, incorporating elements of MITRE ATT&CK and addressing post-compromise activities in much greater detail. The Unified Kill Chain divides the attack lifecycle into three macro-phases:
- Initial Foothold (Reconnaissance through Exploitation)
- Network Propagation (Discovery, Privilege Escalation, Lateral Movement)
- Actions on Objectives (Collection, Exfiltration, Impact)
Cloud Kill Chain
With the massive shift to cloud computing, several organisations have proposed cloud-specific kill chain models. Microsoft’s Cloud Kill Chain (2024) adapts the phases to cloud-native attack patterns, where Reconnaissance involves identifying misconfigured cloud services, Delivery might involve compromising a CI/CD pipeline, and Exploitation could mean abusing overly permissive IAM roles.
Ransomware Kill Chain
CrowdStrike’s 2025 Ransomware Kill Chain adds phases specific to ransomware operations, including Lateral Movement, Privilege Escalation, Data Staging, and Double Extortion (where attackers both encrypt data and threaten to publish it). This adaptation reflects the reality that ransomware attacks are now multi-phase operations that extend well beyond the original Kill Chain’s scope.
The Kill Chain in Modern Security Operations
Despite its age and limitations, the Cyber Kill Chain remains a foundational framework in cybersecurity education and operations. Its enduring value lies in three areas:
- Conceptual Clarity: The sequential phase model is intuitive and accessible to audiences of all technical levels
- Defensive Strategy: The principle of “breaking the chain” provides a clear strategic framework for defensive investment
- Communication: The Kill Chain provides a common vocabulary for discussing attacks that transcends organizational and technical boundaries
According to a 2025 SANS survey, 89% of cybersecurity certification programs include the Cyber Kill Chain in their curriculum, and 64% of SOC teams use Kill Chain terminology in their incident reports, even when they use ATT&CK for technical detail.
Frequently Asked Questions About the Cyber Kill Chain
Who created the Cyber Kill Chain?
The Cyber Kill Chain was created by Lockheed Martin researchers Eric Hutchins, Michael Cloppert, and Rohan Amin. They published the framework in a 2011 paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” The model was developed based on Lockheed Martin’s experience defending its own networks and those of its defense and intelligence clients.
Is the Cyber Kill Chain still relevant in 2026?
Yes, though its role has evolved. The Kill Chain is most valuable as a strategic communication framework and as a conceptual foundation for understanding attack flow. For detailed technical analysis and detection engineering, MITRE ATT&CK provides more granular and current guidance. Most organisations use both frameworks in complementary roles.
Can the Kill Chain apply to insider threats?
The traditional Kill Chain is less well-suited to insider threats because insiders skip several early phases (they already have access and do not need to deliver a weapon from outside). However, adapted versions of the Kill Chain have been proposed for insider threat scenarios, focusing on phases like Privilege Escalation, Reconnaissance (of internal systems), and Actions on Objectives.
How does the Kill Chain relate to incident response?
The Kill Chain provides a natural framework for incident response triage. When a security incident is detected, responders can map the observed indicators to a Kill Chain phase to understand how far the attack has progressed. This assessment directly informs the response priority and the containment strategy — an attack detected at the Delivery phase requires a different response than one discovered during Actions on Objectives.
What is the difference between a kill chain and an attack tree?
A kill chain describes the sequential phases of a single attack operation. An attack tree is a formal model that represents all possible attack paths to a specific objective, branching into alternatives at each decision point. Kill chains describe what happened (or will happen) in a specific attack; attack trees describe everything that could happen. Both are useful: kill chains for operational analysis, attack trees for risk assessment and threat modeling.
Sources
- Lockheed Martin Cyber Kill Chain — confirms the 7-phase model developed in 2011
- Verizon 2025 Data Breach Investigations Report — confirms phishing at ~16% and vulnerability exploitation at ~20% of breaches
- MITRE ATT&CK — confirms 14 tactics, 216 techniques, and 475 sub-techniques (v18)
- MITRE ATT&CK Initial Access (TA0001) — confirms 11 techniques under Initial Access