The Cyber Kill Chain: All 7 Stages Explained
The Cyber Kill Chain breaks an attack into seven stages so defenders can disrupt it at each step. Learn all seven stages, how to use it, and how it compares to ATT&CK.
The Cyber Kill Chain is a model that describes the stages of a cyberattack, from an attacker's first research through to achieving their goal. Developed by Lockheed Martin and adapted from a military concept, it breaks an intrusion into seven sequential phases. Its core insight is powerful: if defenders can detect and disrupt an attack at any stage, they can break the chain and stop it before damage is done.
The framework remains a useful mental model for understanding how attacks progress and where defensive controls fit — and it pairs well with more granular frameworks like MITRE ATT&CK.
Stage 1: Reconnaissance
The attacker researches the target — identifying employees, technologies, suppliers and potential weak points. Much of this uses open-source intelligence (OSINT): harvesting email addresses, mapping the organization's footprint and gathering details to craft convincing lures. Defensive opportunity: reduce your public attack surface and monitor for reconnaissance against your assets.
Stage 2: Weaponization
The attacker prepares their attack — for example, pairing an exploit with a backdoor to create a deliverable malicious payload, or building a phishing lure with a weaponized document. This happens on the attacker's side, so it's hard to observe directly, but threat intelligence about tooling and infrastructure can provide early warning.
Stage 3: Delivery
The weaponized payload is transmitted to the target — most often via a phishing email, a malicious website, a USB drive, or by exploiting an exposed service. Defensive opportunity: email filtering, web security, user awareness and attack-surface reduction all aim to block delivery.
Stage 4: Exploitation
The payload triggers — exploiting a vulnerability or abusing a feature to execute malicious code on the target system. Defensive opportunity: patching, hardening, application control and exploit protection.
Stage 5: Installation
The attacker establishes persistence — installing a backdoor or implant so they retain access even after reboots or password changes. Defensive opportunity: EDR can detect persistence mechanisms and malicious installation behavior.
Stage 6: Command and Control (C2)
The compromised system establishes a channel back to the attacker's infrastructure, allowing them to remotely control it and issue commands. Defensive opportunity: network monitoring, blocking known-malicious infrastructure, and detecting beaconing patterns can cut the attacker off from their foothold.
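The "beaconing patterns" mentioned above are a concrete detection target: an implant that checks in with its C2 server on a fixed sleep interval produces outbound connections whose spacing is far more regular than human browsing. The script below is an added example, not code from the article or from Lockheed Martin's framework; it runs over a constructed proxy log (the host name `ws-17`, the documentation-range addresses and the timestamps are all made up for illustration) and flags (source, destination) pairs whose inter-connection intervals have a low coefficient of variation. The `min_connections` and `max_interval_cv` thresholds are assumptions you would tune against your own baseline.

```python
"""Beacon detection over constructed proxy log lines (added example, not from the article)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "timestamp source_host destination bytes_sent".
# Not real traffic; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-17 203.0.113.10 412
2024-05-01T09:00:31 ws-17 198.51.100.7 5123
2024-05-01T09:05:01 ws-17 203.0.113.10 418
2024-05-01T09:10:00 ws-17 203.0.113.10 410
2024-05-01T09:12:44 ws-17 198.51.100.7 88341
2024-05-01T09:14:59 ws-17 203.0.113.10 415
2024-05-01T09:20:02 ws-17 203.0.113.10 411
2024-05-01T09:25:00 ws-17 203.0.113.10 413
2024-05-01T09:41:18 ws-17 198.51.100.7 2210
2024-05-01T10:03:05 ws-17 198.51.100.7 1042
"""


def parse_log(text):
    """Group connection timestamps and sizes by (source, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean (0 = perfectly regular)."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def find_beacons(text, min_connections=5, max_interval_cv=0.1):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    A production check would also weigh destination reputation, known implant
    sleep/jitter settings and working-hours baselines; this is the core signal only.
    """
    findings = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_connections:
            continue  # too few samples to judge regularity
        events.sort()
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(intervals)
        if interval_cv <= max_interval_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval_s": statistics.fmean(intervals),
                "interval_cv": round(interval_cv, 4),
                # Near-identical request sizes are a second, weaker beacon indicator.
                "size_cv": round(coefficient_of_variation(sizes), 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"every ~{f['mean_interval_s']:.0f}s, interval CV {f['interval_cv']}")
```

On the sample data the six connections to 203.0.113.10 arrive roughly every 300 seconds with a CV well under 0.01 and are flagged, while the irregular, human-looking traffic to 198.51.100.7 is not. Real implants add random jitter to their sleep interval precisely to defeat this check, so the threshold is a trade-off between catching jittered beacons and false positives from legitimate polling software such as update clients.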
Stage 7: Actions on Objectives
With control established, the attacker pursues their goal — stealing data (a data breach), deploying ransomware, sabotaging systems, or moving toward another target. Defensive opportunity: data-loss prevention, segmentation, behavioral detection and rapid response can limit the damage even at this late stage.
Using the kill chain for defense
The strategic value of the kill chain is the principle of defense in depth across stages. Because an attack must pass through every phase, defenders get multiple chances to detect and disrupt it. Mapping your controls to each stage reveals where you're strong and where you have gaps. The earlier in the chain you break it, the less damage occurs — but even late-stage detection can prevent the worst outcomes. The model also helps frame intelligence: knowing which stage an observed activity belongs to clarifies how urgently to respond.
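Mapping controls to stages and using the stage of observed activity to set urgency are both mechanical enough to script. The following is an added example, not tooling from the article: it builds a stage-by-control coverage matrix, reports stages with no control or only a single control, and, for a set of alerts belonging to one incident, returns the deepest stage reached. The control inventory and its stage assignments are constructed for illustration; which stages a given product actually covers has to come from your own evidence.

```python
"""Kill chain control-coverage and triage helper (added example, not the article's)."""

# The seven stages in chain order; the index doubles as how far an intrusion has progressed.
STAGES = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]

# Constructed inventory of controls and the stages each is expected to detect or disrupt.
# These pairings are an assumption for illustration; map your own controls from evidence.
CONTROLS = {
    "attack surface monitoring": ["reconnaissance"],
    "email filtering": ["delivery"],
    "user awareness training": ["delivery"],
    "patch management": ["exploitation"],
    "application control": ["exploitation", "installation"],
    "EDR": ["exploitation", "installation"],
    "DNS/proxy filtering": ["command_and_control"],
    "network beacon detection": ["command_and_control"],
    "DLP": ["actions_on_objectives"],
    "network segmentation": ["actions_on_objectives"],
}


def coverage_matrix(controls):
    """Map every stage to the list of controls that cover it (empty list = gap)."""
    matrix = {stage: [] for stage in STAGES}
    for name, stages in controls.items():
        for stage in stages:
            if stage not in matrix:
                raise ValueError(f"{name!r} references unknown stage {stage!r}")
            matrix[stage].append(name)
    return matrix


def find_gaps(controls, min_depth=2):
    """Return stages with no control at all and stages relying on a single control."""
    matrix = coverage_matrix(controls)
    uncovered = [s for s in STAGES if not matrix[s]]
    thin = [s for s in STAGES if 0 < len(matrix[s]) < min_depth]
    return {"uncovered": uncovered, "thin": thin}


def furthest_stage(observed_stages):
    """Given the stages seen in alerts for one incident, return the deepest one reached.

    The further along the chain the activity is, the more urgent the response.
    """
    indices = [STAGES.index(s) for s in observed_stages]
    return STAGES[max(indices)] if indices else None


if __name__ == "__main__":
    gaps = find_gaps(CONTROLS)
    print("uncovered stages:", gaps["uncovered"])
    print("single-control stages:", gaps["thin"])
    # Constructed alert set for one host: phishing delivered, exploit fired, beacon observed.
    print("deepest stage reached:",
          furthest_stage(["delivery", "exploitation", "command_and_control"]))
```

With the constructed inventory the only uncovered stage is weaponization, which matches the article's point that this stage happens on the attacker's side and is covered by threat intelligence rather than by an in-house control; reconnaissance shows up as a single-control stage. The `furthest_stage` result is a triage heuristic, not a verdict: an alert for a stage-six beacon implies earlier stages already succeeded and should outrank a blocked stage-three delivery attempt.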
Cyber Kill Chain vs MITRE ATT&CK
The two are complementary rather than competing. The Kill Chain offers a high-level, linear narrative of an attack's progression — excellent for explaining and for thinking about layered defense. MITRE ATT&CK provides a far more granular, non-linear catalog of the specific techniques used within those phases. Many teams use the Kill Chain to frame the story and ATT&CK to describe and detect the details. A common critique of the Kill Chain is that it's somewhat perimeter- and malware-focused and treats attacks as strictly linear, whereas real intrusions loop and branch — which is exactly where ATT&CK's flexibility helps.
Limitations and evolutions of the kill chain
For all its usefulness, the original Cyber Kill Chain has well-known limitations that are worth understanding so you apply it appropriately:
- It's perimeter- and malware-focused. The model was designed around a classic intrusion that delivers malware from outside. It maps less cleanly onto threats like credential abuse, insider threats, or attacks that "live off the land" using legitimate tools without traditional malware.
- It's strictly linear. Real intrusions rarely proceed neatly from stage one to stage seven. Attackers loop back, run stages in parallel, and revisit earlier phases. Treating the chain as a rigid sequence can create blind spots.
- It underplays what happens after the breach. The original model compresses everything inside the network into "actions on objectives," even though lateral movement, privilege escalation and persistence are rich, distinct phases where much defense happens.
- It assumes a single chain. Modern attacks often involve multiple footholds and paths simultaneously.
These gaps inspired evolutions of the concept. The Unified Kill Chain combines the Cyber Kill Chain with MITRE ATT&CK into a longer, more detailed sequence of phases that better captures the internal stages of an attack and accommodates non-linear behavior. Many practitioners also simply use the original Kill Chain for high-level framing while relying on ATT&CK for the granular detail of what happens at each step.
The takeaway isn't that the Kill Chain is obsolete — it remains a clear, accessible way to think about layered defense and the principle of disrupting attacks early. Rather, it's that no single model captures everything. The most effective teams treat the Kill Chain, ATT&CK and the Diamond Model (which relates an intrusion's adversary, capability, infrastructure and victim) as complementary lenses, choosing the right one for the question at hand: the Kill Chain to communicate and structure defense in depth, ATT&CK to describe and detect specific techniques, and the Diamond Model to investigate and attribute. Used together, they give a far richer picture than any one provides alone.
The bottom line
The Cyber Kill Chain breaks an attack into seven stages — reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives — giving defenders a clear map of where to detect and disrupt. Used alongside ATT&CK and fed by current intelligence, it helps teams build layered defenses that break the chain early. Our live threat intelligence feed surfaces the campaigns, tooling and vulnerabilities attackers use across these stages, ranked by priority.
Frequently asked questions
What is the Cyber Kill Chain?
The Cyber Kill Chain is a model developed by Lockheed Martin that describes the stages of a cyberattack in seven sequential phases. Its key idea is that defenders can stop an attack by detecting and disrupting it at any stage, breaking the chain.
What are the 7 stages of the Cyber Kill Chain?
The seven stages are: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.
What is the difference between the Cyber Kill Chain and MITRE ATT&CK?
The Cyber Kill Chain is a high-level, linear model of an attack's progression, good for framing layered defense. MITRE ATT&CK is a granular, non-linear catalog of the specific techniques used within those phases. They complement each other.
How do you use the Cyber Kill Chain for defense?
Map your security controls to each stage to find strengths and gaps, and aim to detect and disrupt attacks as early in the chain as possible. Because an attack must pass through every phase, defenders get multiple opportunities to break the chain.