What Is the Cyber Kill Chain?
A complete guide to the Cyber Kill Chain — the seven stages of a cyberattack, how defenders use the model to break an attack, and how it compares to MITRE ATT&CK.
Cyberattacks can feel chaotic and unpredictable, but serious intrusions are rarely a single event. They unfold as a sequence of steps, each one setting up the next. The Cyber Kill Chain is the model that maps that sequence — and turns a confusing attack into something defenders can anticipate and disrupt.
First published by defense contractor Lockheed Martin, the Cyber Kill Chain breaks a cyberattack into seven distinct stages, from the attacker's first research to the final theft or damage. Its central insight is simple but powerful: because an attack is a chain, breaking any single link stops the whole thing.
This guide explains the Cyber Kill Chain in full: where it came from, what happens at each of the seven stages, how defenders use it, and how it compares to the newer MITRE ATT&CK framework. It is part of our broader guide to the types of cyberattacks.
What Is the Cyber Kill Chain?
The Cyber Kill Chain is a framework that describes the stages of a cyberattack in the order they typically occur. The term "kill chain" is borrowed from the military, where it describes the structure of an attack — identifying a target, dispatching force, engaging it. Applied to cybersecurity, it gives defenders a shared vocabulary for how intrusions progress.
The model's value is defensive. By understanding the stages an attacker must move through, a security team can map its detection and prevention controls to each one, identify gaps, and recognize where in an active attack an intruder currently sits. An attack caught at stage two is far less damaging than one caught at stage seven.
The Origin of the Cyber Kill Chain
The Cyber Kill Chain was introduced by Lockheed Martin in 2011 as part of an approach called intelligence-driven defense. It was designed primarily with advanced, targeted intrusions in mind — the kind of patient, multi-stage campaigns associated with advanced persistent threats. More than a decade later, it remains one of the most widely taught models in cybersecurity, valued for how clearly it communicates the shape of an attack.
The Seven Stages of the Cyber Kill Chain
The model divides an attack into seven sequential stages.
1. Reconnaissance
The attacker researches the target — identifying employees, email addresses, technologies, and potential weaknesses. This stage often uses publicly available information and leaves few traces.
2. Weaponization
The attacker prepares the attack, typically by pairing malware with an exploit and packaging it into a deliverable payload, such as a malicious document. This happens on the attacker's own infrastructure, so defenders cannot observe it directly.
3. Delivery
The attacker transmits the weaponized payload to the target — most often through a phishing email, a malicious link, a compromised website, or an infected USB drive. Delivery is the first stage where the attacker makes contact, and therefore the first major opportunity to block them.
4. Exploitation
The payload executes, exploiting a vulnerability or tricking a user into running it, and the attacker gains an initial foothold. Sophisticated attacks may combine several flaws here; our guide to how exploit chains work explains that technique in detail.
5. Installation
The attacker installs malware or creates a backdoor to establish persistent access, so their foothold survives a reboot or a password change and they can return at will.
6. Command and Control (C2)
The compromised system connects back to the attacker's infrastructure, opening a channel through which the attacker can issue commands and operate remotely inside the network.
7. Actions on Objectives
With control established, the attacker pursues their actual goal. This is where they move through the environment using lateral movement and privilege escalation to reach valuable systems, then steal data, deploy ransomware, or cause disruption.

How Defenders Use the Cyber Kill Chain
The practical purpose of the Cyber Kill Chain is captured in one phrase: break the chain. Because the stages are sequential and dependent, an attacker who is stopped at any stage cannot proceed to the next. The defender does not need to be perfect at every stage — they need to succeed at just one.
Security teams use the model to map their controls to each stage and find the gaps. Security awareness training and email filtering target the Delivery stage. Prompt patching closes off Exploitation. Endpoint protection disrupts Installation. Network monitoring can catch Command and Control traffic. Data loss prevention and segmentation limit Actions on Objectives. Laid out against the chain, weak spots in a defense become obvious — and so does the fact that the earlier a control catches an attack, the less damage is done.
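As an added example (not part of the original article), the Python code below lays the controls named above against the chain, lists the stages left uncovered, and places a set of alerts on the chain to show how far an intrusion has progressed and which earlier stages produced no detection. The function names, the deployed-control list, and the alert lines are constructed for illustration, and the missed-stage logic assumes the model's strictly linear ordering.

```python
# Added example: map controls to Kill Chain stages and triage alerts by stage.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
# The article calls Delivery the first stage where the attacker makes contact,
# so coverage and missed-stage checks start there.
FIRST_CONTACT = STAGES.index("Delivery")

# Controls and the stage each one targets, as the article pairs them.
CONTROLS = {
    "Security awareness training": "Delivery",
    "Email filtering": "Delivery",
    "Prompt patching": "Exploitation",
    "Endpoint protection": "Installation",
    "Network monitoring": "Command and Control",
    "Data loss prevention": "Actions on Objectives",
    "Segmentation": "Actions on Objectives",
}

def coverage(deployed):
    """Return {stage: [deployed controls]} for Delivery onward."""
    unknown = sorted(set(deployed) - set(CONTROLS))
    if unknown:
        raise ValueError(f"no stage mapping for: {unknown}")
    table = {stage: [] for stage in STAGES[FIRST_CONTACT:]}
    for control in deployed:
        table[CONTROLS[control]].append(control)
    return table

def gaps(deployed):
    """Stages from Delivery onward with no deployed control."""
    return [s for s, controls in coverage(deployed).items() if not controls]

def triage(alerts):
    """alerts: (description, stage) pairs. Locate the intrusion on the chain."""
    seen = sorted({STAGES.index(stage) for _, stage in alerts})
    if not seen:
        return None
    furthest = seen[-1]
    # Under the linear model, every stage before the furthest one was passed.
    missed = [STAGES[i] for i in range(FIRST_CONTACT, furthest) if i not in seen]
    return {"first_detected": STAGES[seen[0]],
            "furthest_reached": STAGES[furthest],
            "missed_stages": missed}

# Constructed sample inputs (hypothetical environment and alerts).
DEPLOYED = ["Email filtering", "Endpoint protection"]
ALERTS = [("Macro-enabled attachment delivered to user", "Delivery"),
          ("Periodic outbound connection to rare domain", "Command and Control")]

if __name__ == "__main__":
    print(gaps(DEPLOYED))
    print(triage(ALERTS))
```

In the sample, the missed stages (Exploitation and Installation) are where the intrusion advanced without raising an alert, which is where detection work should go first.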
Cyber Kill Chain vs MITRE ATT&CK
The Cyber Kill Chain is often compared to MITRE ATT&CK, another widely used framework. They are complementary rather than competing.
The Cyber Kill Chain is linear and high-level: seven stages in a fixed order, ideal for explaining the overall shape of an attack. MITRE ATT&CK is a far more detailed, non-linear knowledge base that catalogs hundreds of specific attacker tactics and techniques observed in the real world. Many security teams use the Kill Chain to communicate strategy and structure, and ATT&CK for the granular detail of detection engineering and threat hunting.

Limitations of the Cyber Kill Chain
The model is valuable but not perfect, and understanding its limits keeps it useful. It was designed around malware-delivered, perimeter-focused intrusions, so it fits less neatly with attacks that rely purely on stolen credentials, insider threats, or the abuse of legitimate cloud services — where there is no malware to "install." Its strictly linear shape can also understate how attackers loop back, run stages in parallel, or skip steps entirely.
For these reasons, many security teams treat the Cyber Kill Chain as a clear conceptual foundation and pair it with more granular frameworks for day-to-day defense. It remains an excellent way to understand and explain how an attack unfolds — which is exactly what it was built for.
Conclusion
The Cyber Kill Chain reframes a cyberattack from a single frightening event into a sequence of seven understandable stages. That shift is what makes it so useful: a process with stages is a process that can be interrupted.
For defenders, the lesson is both practical and reassuring. An attacker has to succeed at every stage; a defender has to succeed at only one. Mapping defenses across the chain — and catching attacks as early in it as possible — turns the model from a teaching tool into a genuine strategy for stopping intrusions before they cause harm.
Frequently Asked Questions (FAQ)
What is the Cyber Kill Chain?
The Cyber Kill Chain is a cybersecurity framework, developed by Lockheed Martin, that breaks a cyberattack into seven sequential stages — from reconnaissance to actions on objectives — so defenders can understand and disrupt attacks.
What are the seven stages of the Cyber Kill Chain?
The seven stages are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
How do defenders use the Cyber Kill Chain?
Defenders map their security controls to each stage of the chain. Because the stages are sequential, stopping an attacker at any single stage halts the entire attack — so the goal is to "break the chain" as early as possible.
What is the difference between the Cyber Kill Chain and MITRE ATT&CK?
The Cyber Kill Chain is a simple, linear seven-stage model that explains the overall shape of an attack. MITRE ATT&CK is a detailed, non-linear knowledge base of specific attacker tactics and techniques. The two are complementary and often used together.
What are the limitations of the Cyber Kill Chain?
The model was built around malware-based, perimeter-focused attacks, so it fits less well with credential-based attacks, insider threats, and cloud-service abuse. Its linear structure can also understate how attackers work in parallel or skip stages.
Is the Cyber Kill Chain still relevant?
Yes. While newer frameworks add detail, the Cyber Kill Chain remains one of the clearest ways to understand and communicate how a cyberattack progresses, and it is still widely taught and used.