HackCert
Beginner 9 min read June 18, 2024

The Ultimate Beginner's Guide to the Cyber Kill Chain

Understand the Cyber Kill Chain framework, the stages of a cyberattack, and how defenders disrupt adversaries at each step.

Yasmin Khalid Syed
Red Team Operator
Overview

Cyberattacks rarely happen in a single explosive moment. They unfold in stages, each step bringing the attacker closer to their goal. Understanding this progression turns defenders from reactive responders into proactive disruptors. The Cyber Kill Chain, originally developed by Lockheed Martin, provides a clear map of how attacks unfold and where defenses can interrupt them. For cybersecurity beginners, the Kill Chain is one of the most useful mental models you can learn.

This guide walks through the Cyber Kill Chain step by step, compares it with related frameworks like MITRE ATT&CK, illustrates each stage with real-world examples, and shows how defenders apply it to strengthen their programs.

Core Concepts

The Cyber Kill Chain describes the typical progression of a targeted cyberattack in seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. The asymmetry is the whole point of the model: the attacker has to succeed at every stage in order, while a defender only has to break one link, at whichever stage their controls are strongest, to stop the intrusion.

Lockheed Martin analysts Eric Hutchins, Michael Cloppert, and Rohan Amin published the framework in 2011 to support intelligence-driven defense. It borrowed the military concept of a "kill chain," which describes the steps required to find, engage, and destroy a target. Applied to cybersecurity, it gave defenders a structured way to think about adversary behavior and to map their controls against it.

Key strengths of the Kill Chain include its simplicity, its emphasis on early-stage disruption, and its alignment with intelligence-driven defense. Key weaknesses include its linear nature (real attacks loop and branch, and the original has no explicit stage for lateral movement or privilege escalation inside the network), its focus on perimeter-crossing intrusions (less natural a fit for insider threats or supply chain attacks), and its high level of abstraction compared to more granular frameworks.

Despite these limitations, the Kill Chain remains widely used as a teaching tool, a conceptual framework for security program design, and a way to communicate with non-technical stakeholders.

The Seven Stages

Reconnaissance is where adversaries gather information about their target. They identify employees, vendors, technologies, public-facing systems, and weaknesses. OSINT (open-source intelligence) plays a major role, as do scanning, social engineering, and analysis of leaked data. The goal is to build a profile that informs the rest of the attack.

Weaponization combines the information gathered with the tools needed for the attack. An attacker might craft a malicious document, develop or buy custom malware, or prepare a phishing infrastructure. This stage happens largely outside the target's environment but determines the nature of the attack to come.

Delivery sends the weapon to the target. Email attachments, phishing links, infected websites, compromised supply chain components, USB drops, and exploited services are common delivery vectors. Many attacks fail at this stage because email filters, web proxies, and user awareness intercept the payload.

Exploitation triggers the malicious payload. A vulnerability in software, a misconfiguration, or a tricked user provides the initial foothold. Patch management, secure configurations, and user awareness all reduce success rates at this stage.

Installation establishes persistence. The attacker installs malware, creates accounts, modifies startup files, or otherwise ensures access survives reboots and other normal events. EDR tools, application allowlisting, and strict change management can detect or block installation attempts.

Command and Control (C2) opens a communication channel between the compromised system and the attacker. This is how the adversary issues commands, exfiltrates data, and updates their tooling. Network monitoring, DNS analysis, proxy logs, and threat intelligence on known C2 infrastructure help defenders detect and block C2 traffic.

Actions on Objectives is where the attacker pursues their actual goals: data theft, financial fraud, destruction, espionage, or ransomware deployment. An attacker who reaches this stage undetected has usually already caused significant damage, so detections here (unusual data movement, lateral movement, privilege escalation) are the last line of defense rather than the first.
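One way to turn the Installation-stage controls described above into a concrete behavioural detection, written in Python as an added example for this guide rather than code from the article: correlate Windows Security events for scheduled task creation (Event ID 4698) and local account creation (Event ID 4720) on the same host inside a short window, and separately flag a task whose action runs from a user-writable directory or an account name ending in `$` (which hides it from `net user`). The event lines are constructed, simplified key=value renderings of those two events, not a real export; the field names, the hostnames, and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified renderings of two Windows Security events:
#   4698 = a scheduled task was created, 4720 = a user account was created.
# Format (assumed for this example): "<ISO time> <host> <EventID> key=value ..."
EVENTS = r"""
2024-06-10T09:05:12 FIN-WS-07 4698 subject=CORP\j.doe task=\Microsoft\Windows\UpdateCheck action=C:\Users\j.doe\AppData\Roaming\svchost.exe
2024-06-10T09:05:40 FIN-WS-07 4720 subject=CORP\j.doe account=support$
2024-06-10T09:30:00 FIN-WS-02 4698 subject=CORP\svc-backup task=\Backup\Nightly action=C:\Program Files\BackupCo\backup.exe
2024-06-10T14:02:11 FIN-WS-02 4720 subject=CORP\helpdesk account=m.smith
"""

# Directories a standard user can write to; a task action living here is a
# common persistence tell. The list and the window are assumptions for the example.
USER_WRITABLE = re.compile(r"^(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=10)
# key=value pairs whose values may contain spaces (e.g. "C:\Program Files\...")
KEY_VALUE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(text):
    """Parse the constructed lines into dicts with time, host, id and the event's fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, rest = line.split(maxsplit=3)
        fields = dict(KEY_VALUE.findall(rest))
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "id": int(event_id), **fields})
    return events


def detect_installation(text):
    """Return {host: [reasons]} for hosts showing Installation-stage behaviour."""
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev["host"]].append(ev)

    findings = defaultdict(list)
    for host, evs in by_host.items():
        tasks = [e for e in evs if e["id"] == 4698]
        accounts = [e for e in evs if e["id"] == 4720]
        # Single-event tells: task action in a user-writable path, '$'-suffixed account.
        for t in tasks:
            if USER_WRITABLE.match(t.get("action", "")):
                findings[host].append(
                    f"scheduled task {t.get('task')} runs {t['action']} from a user-writable path")
        for a in accounts:
            if a.get("account", "").endswith("$"):
                findings[host].append(
                    f"new account {a['account']} ends in '$' (hidden from 'net user')")
        # Correlation: a new task and a new account on the same host inside the window.
        for t in tasks:
            for a in accounts:
                gap = abs(a["time"] - t["time"])
                if gap <= CORRELATION_WINDOW:
                    findings[host].append(
                        f"task creation and account creation {int(gap.total_seconds())}s apart, "
                        f"both by {t.get('subject')}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in detect_installation(EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Only FIN-WS-07 is reported, with three reasons; FIN-WS-02 creates a task and an account too, but from a proper install directory, without the hidden-account trick, and hours apart, which is what legitimate administration looks like. None of this depends on knowing the malware's hash, which is the property that matters when the sample is freshly compiled.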

The Kill Chain in Action

Imagine a phishing-driven ransomware attack against a mid-sized company.

Reconnaissance: Attackers scrape LinkedIn for staff in the finance department, identify the company's email convention, and find a few exposed services through Shodan.

Weaponization: They craft a malicious Excel document with a macro that downloads a second-stage payload, prepare a phishing page that mimics the company's SSO portal, and rent infrastructure for command and control.

Delivery: A phishing email is sent to the finance team, referencing an invoice from a known vendor. The macro-laden attachment passes email security because it looks like routine business traffic.

Exploitation: An employee opens the attachment and enables macros. The macro downloads and runs a second-stage payload, which exploits an unpatched local privilege escalation vulnerability to gain administrative rights.

Installation: The malware installs a scheduled task, creates a hidden user account, and drops a remote access tool. The binaries were compiled days earlier and no vendor has a signature for them, so hash- and signature-based controls stay silent. The behaviours themselves (a new scheduled task pointing into a user profile directory, a new local account) are visible in host telemetry, but nobody has written detections for them.

Command and Control: The infected machine reaches out to a domain registered the previous day. Network monitoring tools could flag the unusual destination, but the organization lacks effective detections for newly registered domains.

Actions on Objectives: Over the next several days, attackers move laterally, harvest credentials, exfiltrate sensitive data to a cloud storage provider, and finally deploy ransomware across the network.

Each stage in this example offered a chance to break the chain: a user who reported the odd invoice, an email gateway that sandboxes macro-bearing attachments, a patched privilege escalation bug, behavioural EDR rules for scheduled-task and account creation, an alert on traffic to newly registered domains, or identity controls that stopped lateral movement with the harvested credentials. Note also that since 2022 Office blocks macros by default in documents downloaded from the internet, so in a current environment the Exploitation step depends on a weakened policy or on a user who deliberately unblocks the file.
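The gap the scenario turns on is the Command and Control stage: nobody was alerting on newly registered domains. Here is a small detection for that, written in Python as an added example for this guide (not code from the article): it groups a proxy log by source address and registrable domain, flags destinations registered within the last 30 days, and flags destinations that are contacted at a near-constant interval, which is how a beacon looks against the noisy rhythm of a human browsing. The log lines, the domain names, their registration dates, and the thresholds are all constructed for the example; a real deployment would pull domain ages from WHOIS/RDAP or a domain-age feed and would use the Public Suffix List instead of the two-label shortcut below.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO time> <src_ip> <dest_host> <bytes_out>".
# 10.0.5.23 reaches cdn-sync-metrics.xyz once a minute, in between ordinary browsing.
PROXY_LOG = """\
2024-06-10T09:00:00 10.0.5.23 updates.example-vendor.com 412
2024-06-10T09:00:31 10.0.5.23 cdn-sync-metrics.xyz 1433
2024-06-10T09:01:31 10.0.5.23 cdn-sync-metrics.xyz 1427
2024-06-10T09:02:10 10.0.5.23 www.news-site.example 2204
2024-06-10T09:02:32 10.0.5.23 cdn-sync-metrics.xyz 1430
2024-06-10T09:03:31 10.0.5.23 cdn-sync-metrics.xyz 1441
2024-06-10T09:04:31 10.0.5.23 cdn-sync-metrics.xyz 1429
2024-06-10T09:07:45 10.0.5.23 www.news-site.example 5891
2024-06-10T09:13:02 10.0.5.23 www.news-site.example 980
"""

# Constructed registration dates for the hypothetical domains above. In a real
# deployment these come from WHOIS/RDAP lookups or a domain-age feed.
REGISTRATION_DATES = {
    "cdn-sync-metrics.xyz": date(2024, 6, 9),
    "example-vendor.com": date(2009, 3, 14),
    "news-site.example": date(2015, 7, 2),
}
TODAY = date(2024, 6, 10)  # fixed "now" so the example is reproducible

NRD_THRESHOLD_DAYS = 30   # how young a domain must be to count as newly registered
MIN_BEACONS = 4           # fewer requests than this cannot establish a rhythm
MAX_JITTER_RATIO = 0.2    # stdev/mean of inter-request gaps; human browsing is far noisier


def parse_proxy_log(text):
    """Return (timestamp, src_ip, host) tuples for each non-empty log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _bytes_out = line.split()
        events.append((datetime.fromisoformat(ts), src, host.lower()))
    return events


def registrable_domain(host):
    """Collapse a hostname to its last two labels. Simplification: a real
    implementation would consult the Public Suffix List to handle co.uk and similar."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def beacon_stats(timestamps):
    """(mean gap in seconds, jitter ratio) for a request series, or None when
    there are too few requests to judge regularity."""
    if len(timestamps) < MIN_BEACONS:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def detect_c2(log_text, registration_dates, today):
    """One finding per (source, domain) pair that is newly registered, contacted
    at a regular interval, or both. A domain with no known registration date is
    not assumed safe; it simply gets no age-based reason."""
    by_pair = defaultdict(list)
    for ts, src, host in parse_proxy_log(log_text):
        by_pair[(src, registrable_domain(host))].append(ts)

    findings = []
    for (src, domain), stamps in sorted(by_pair.items()):
        reasons = []
        registered = registration_dates.get(domain)
        age_days = (today - registered).days if registered else None
        if age_days is not None and age_days <= NRD_THRESHOLD_DAYS:
            reasons.append(f"domain registered {age_days} day(s) ago")
        mean_gap = None
        stats = beacon_stats(stamps)
        if stats:
            mean_gap, jitter = stats
            if jitter <= MAX_JITTER_RATIO:
                reasons.append(f"{len(stamps)} requests every ~{mean_gap:.0f}s (jitter {jitter:.0%})")
        if reasons:
            findings.append({"src": src, "domain": domain, "age_days": age_days,
                             "beacons": len(stamps), "mean_gap_s": mean_gap, "reasons": reasons})
    return findings


def run_example():
    return detect_c2(PROXY_LOG, REGISTRATION_DATES, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['src']} -> {f['domain']}: " + "; ".join(f["reasons"]))
```

Run on the constructed log, the only finding is 10.0.5.23 talking to cdn-sync-metrics.xyz, registered one day earlier and contacted every 60 seconds with about 1% jitter; the news site and the vendor update host are neither young nor regular and are left alone. Either signal alone is worth a look, and the two together are close to a confirmed beacon. Real C2 frameworks add deliberate jitter, so in production the ratio threshold is tuned per environment and paired with the other signals the article lists (DNS analysis and known-infrastructure intelligence).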

Cyber Kill Chain vs MITRE ATT&CK

MITRE ATT&CK has become the dominant framework for describing adversary behavior in detail. While the Kill Chain provides a high-level view in seven stages, ATT&CK catalogs hundreds of specific techniques and sub-techniques organized into the 14 tactics of the Enterprise matrix (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact).

The two frameworks are complementary. The Kill Chain offers a digestible mental model for explaining attack progression and structuring defenses. ATT&CK provides the granular detail needed for detection engineering, threat hunting, and red teaming. Many organizations use both: Kill Chain for executive communication and program structure, ATT&CK for technical detection coverage.

Other models like the Unified Kill Chain and the Diamond Model offer additional perspectives. The Unified Kill Chain (Paul Pols, 2017) extends the original to 18 phases that explicitly cover pivoting and lateral movement inside the network, and it maps more directly onto ATT&CK tactics. The Diamond Model (Caltagirone, Pendergast, and Betz, 2013) describes each intrusion event through the relationships between adversary, infrastructure, capability, and victim rather than as a sequence of stages.

For beginners, the most important step is to learn one model deeply and use it consistently. Trying to master every framework at once leads to confusion. Start with the original Kill Chain, then expand to ATT&CK as your knowledge matures.

Real-world Examples

The 2014 Sony Pictures hack famously followed the Kill Chain. Reconnaissance gathered employee and infrastructure data. Weaponization produced custom malware. Delivery used spear phishing. Exploitation gained initial access. Installation established persistence. Command and Control enabled ongoing intrusion. Actions on Objectives included data exfiltration and destructive wiping of systems.

The 2020 SolarWinds compromise illustrates a supply chain version. Reconnaissance identified SolarWinds as a high-value vendor. Weaponization built backdoored Orion updates. Delivery used the legitimate update mechanism. Exploitation and Installation happened on each customer's infrastructure. Command and Control used a sophisticated DNS-based protocol. Actions on Objectives included long-term espionage.

Major ransomware incidents in healthcare, manufacturing, and government similarly follow the Kill Chain. The path from initial phishing or VPN compromise to data exfiltration and encryption typically takes days or weeks, providing many opportunities for detection if defenders are watching.

Best Practices and Mitigation

Map your controls to the Kill Chain. For each stage, list the controls you have, the controls you wish you had, and the gaps that need attention. This exercise reveals defense-in-depth opportunities and prioritizes investments.

Invest in early-stage defenses. Disrupting Reconnaissance, Delivery, and Exploitation prevents incidents from escalating. Attack surface management, email security, vulnerability management, and user awareness pay outsized dividends compared to late-stage detection alone.

Build detection across all stages. Even if early defenses fail, detection at any stage gives you a chance to respond. Modern XDR platforms aim to cover the full chain. Map your detection coverage to both Kill Chain and ATT&CK to identify blind spots.

Use threat intelligence to inform priorities. Different threats favor different techniques. Knowing which adversaries target your industry helps focus defense efforts. Resources like MITRE ATT&CK Navigator and threat intelligence platforms support this analysis.

Run purple team exercises. Pairing red and blue teams allows you to test detections against real attack techniques and improve them iteratively. Frameworks like Atomic Red Team and Caldera provide structured exercises mapped to ATT&CK.

Communicate with leadership in business terms. Use the Kill Chain to explain attack progression and the rationale for security investments. Linking each stage to potential business impact makes the case more concrete than abstract technical descriptions.

Continuously refine. Adversary techniques evolve. So should your defenses. Use lessons learned, threat intelligence, and incident data to update your maps and detections regularly.

Building Your Skills as a Beginner

Read the original Lockheed Martin paper. The 2011 white paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" is concise and accessible. It remains relevant despite the field's evolution.

Practice mapping incidents. Pick public breach reports and walk through each Kill Chain stage. What controls failed? What detection signals were missed? What would have worked better? This exercise builds practical intuition.

Explore MITRE ATT&CK. The free online ATT&CK Navigator lets you build and compare matrix layers of techniques and sub-techniques, and each technique page in the knowledge base lists procedure examples, detections, and mitigations. Start with a few common ones (T1566 Phishing, T1078 Valid Accounts, T1059 Command and Scripting Interpreter) and dig in.

Earn certifications. GIAC's GCIA, GCIH, and GCFA (the certifications attached to SANS courses) all cover the Kill Chain and related concepts. Cisco's CyberOps and Palo Alto's PCCSE certifications also incorporate them.

Join the community. Local DEF CON groups, BSides conferences, and online communities frequently discuss attack progression, detection engineering, and threat hunting. Engaging with practitioners accelerates learning enormously.

Key Takeaways

The Cyber Kill Chain remains one of the clearest, most useful frameworks for understanding how attacks unfold and where defenses can break them. While newer frameworks like MITRE ATT&CK provide deeper technical detail, the Kill Chain still excels as a teaching tool, a structure for security programs, and a bridge between technical defenders and business leaders.

For beginners, internalizing the Kill Chain is one of the best investments you can make. It will shape how you think about adversaries, how you design defenses, and how you communicate with stakeholders. Pair it with hands-on practice, real-world case study analysis, and continuous learning, and you will be well on your way to thinking like a defender who can disrupt attacks before they succeed.

Ready to test your knowledge? Take the Cyber Kill Chain MCQ Quiz on HackCert today!
