What Is the Cyber Kill Chain? 7 Stages Explained
An attacker has to get every step right. You only have to catch one.
That asymmetry, normally working against the defender, runs the other way once an intrusion is broken into stages. To steal your data, an adversary has to research the target, build a weapon, deliver it, get code running, install a foothold, open a channel back out, and only then act on the goal. Miss any one of those and the attack stalls. The cyber kill chain is the model that names those stages so a defender can decide where to break the sequence.
This guide covers what it is and where it came from, the seven stages with a worked example, how to break the chain at each stage using the original courses-of-action matrix, how it compares to MITRE ATT&CK, where the model falls short, the newer frameworks that answer those gaps, and how a blue team actually uses it day to day. It is written for defenders: SOC analysts, threat hunters, and DFIR responders who have to map an alert to a stage and act on it.
What is the cyber kill chain?
The cyber kill chain is a model that breaks a targeted intrusion into seven sequential stages, from an attacker's first research to the moment they act on their objective. Its purpose is operational: locate where an adversary is in the sequence, and break the chain before they reach the last stage.
Lockheed Martin analysts Eric Hutchins, Michael Cloppert, and Rohan Amin introduced it in 2011, in a paper titled *Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains*. They borrowed the term from the military targeting cycle, where a "kill chain" is the sequence an operator runs to find, fix, and engage a target. The insight was to apply the same staged thinking to network intrusions, specifically the patient, multi-step intrusions of advanced persistent threats.
The paper's core argument is the one in the opening line. An intrusion is a chain, and a chain breaks at its weakest link. The attacker must complete every stage in order to succeed; the defender wins by interrupting any single stage. That reframes defense from "keep everyone out forever," which is impossible, to "detect and disrupt somewhere in the sequence," which is achievable. It also makes defense intelligence-driven: each intrusion you analyze teaches you the adversary's behavior at each stage, and that knowledge hardens you against the next attempt.
The kill chain is a way to organize what you know about an attack, not a tool you install. Its value is in the questions it forces: which stage is this alert? What did we miss upstream? Where can we break it next time?
The 7 stages of the cyber kill chain
The original model has seven stages. They run in order, and the logic of breaking the chain depends on that order: the earlier you catch an intrusion, the less it costs you.

To make the stages concrete, follow a single spear-phishing intrusion through all seven.
1. Reconnaissance. The attacker researches the target. Passive recon harvests employee names, email formats, and exposed technology from LinkedIn, job postings, DNS records, and breach dumps. Active recon scans internet-facing services for versions and open ports. The output is a target list and a plan. In our example, the attacker learns the finance team's email convention and that one manager posts heavily on social media.
2. Weaponization. The attacker builds the weapon offline, on their own infrastructure, where you cannot see it. They pair a deliverable with an exploit: a malicious macro embedded in an Excel invoice, a PDF rigged to trigger a reader vulnerability, a ransomware loader hidden in a signed installer. Our attacker crafts a weaponized spreadsheet that drops a remote-access trojan when macros run.
3. Delivery. The weapon is transmitted to the target. Email is still the dominant channel, but delivery also rides through malicious links, watering-hole sites, USB drops, and compromised supply chains. Our attacker sends the spreadsheet as a "Q2 invoice" to the finance manager, timed for a Friday afternoon.
4. Exploitation. The delivered code executes and exploits a weakness, technical or human. A software vulnerability is triggered, or a user is tricked into enabling the macro. Either way, the attacker now runs code in your environment. Our manager opens the file and clicks "enable content."
5. Installation. The attacker establishes persistence so a reboot or a closed laptop does not end their access. They install a backdoor, register a service, add a scheduled task, or write a run key. This is the point where a one-time execution becomes a durable foothold. Our trojan writes itself to a registry run key and survives the weekend.
6. Command and control (C2). The implant beacons out to attacker-controlled infrastructure and waits for orders. This channel is how the attacker operates hands-on-keyboard: tasking the implant, moving laterally, escalating privilege. C2 traffic often hides inside normal-looking HTTPS, DNS, or traffic to trusted cloud services. Our trojan beacons to a look-alike domain behind a CDN every sixty seconds.
7. Actions on objectives. Only now does the attacker do what they came for. Depending on the mission, that is data theft and exfiltration, encryption for extortion, destruction, fraud, or staging for a deeper attack. Our attacker spends a week mapping file shares, then exfiltrates the finance archive and detonates ransomware on the way out.
Seven stages, one direction. The attacker spent days on the first six before a single byte of data left the building. That gap is the defender's opportunity.
How to break the cyber kill chain at each stage
Naming the stages is half the model. The other half is the courses-of-action matrix, the part most vendor explainers skip. The original paper maps six defensive actions, drawn from US Department of Defense information-operations doctrine, against every stage: detect, deny, disrupt, degrade, deceive, and destroy. The point is that you have an option at every stage, and a layered defense places a control at as many stage-action intersections as it can.
| Stage | Detect | Deny / Disrupt | Deceive / Degrade |
|---|---|---|---|
| Reconnaissance | Web and DNS logs, scan detection | Limit public data exposure | Honeypots and decoy assets |
| Weaponization | Threat intel on tooling and infra | n/a (offline to you) | Track attacker infrastructure |
| Delivery | Email security, proxy logs | Firewall, attachment sandboxing | Quarantine and detonate |
| Exploitation | EDR, host alerts | Patching, exploit mitigations | Restrict macros and scripting |
| Installation | EDR, autoruns, file integrity | App allowlisting, least privilege | Isolate the host |
| Command and control | DNS and proxy analytics, SIEM | Block C2 domains and IPs | DNS sinkhole to a decoy |
| Actions on objectives | DLP, egress and access logs | Egress filtering, segmentation | Decoy data and tarpits |
Two takeaways matter more than the cells.
First, break it early. Stopping an intrusion at delivery costs a blocked email. Stopping it at actions on objectives means an attacker has already lived in your network for days and you are now into incident response and cleanup. The original principle holds: the earlier you interrupt the chain, the less risk you absorb.
Second, you do not need to win every stage. A single reliable control on the C2 stage defeats an intrusion whose delivery and exploitation you missed entirely. That is the whole argument of the model. Spread controls across stages so that an attacker who slips one still trips another. Defense in depth is the kill chain read vertically.
Detection feeds back into the model. Every indicator you pull from a blocked attempt, an exploit hash, a C2 domain, a delivery sender, gets mapped to its stage and turned into a control that catches the next attempt earlier. That loop is what "intelligence-driven defense" means in practice.
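The worked intrusion above has the trojan beaconing to a look-alike domain every sixty seconds, and the matrix lists DNS and proxy analytics as the detection for the command-and-control stage. The block below is an added example, not code from the original article or from Lockheed Martin, showing the simplest form of that analytic: group proxy log entries by source and destination, measure the spacing between successive connections, and flag pairs whose intervals are too regular to be a person browsing. The log lines, hostnames (on the reserved `.test` TLD), IP address and thresholds are all constructed for the example.

```python
"""Flag periodic outbound connections (C2 beaconing) in a proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "<ISO timestamp> <src IP> <dest host>".
# One host talks to a look-alike CDN domain roughly every 60 s; the same host also
# browses a news site at irregular intervals.
SAMPLE_PROXY_LOG = """\
2024-05-03T14:00:00 10.0.5.17 cdn-assets.example-lookalike.test
2024-05-03T14:00:07 10.0.5.17 www.example-news.test
2024-05-03T14:01:01 10.0.5.17 cdn-assets.example-lookalike.test
2024-05-03T14:01:59 10.0.5.17 cdn-assets.example-lookalike.test
2024-05-03T14:02:14 10.0.5.17 www.example-news.test
2024-05-03T14:03:00 10.0.5.17 cdn-assets.example-lookalike.test
2024-05-03T14:03:58 10.0.5.17 www.example-news.test
2024-05-03T14:04:02 10.0.5.17 cdn-assets.example-lookalike.test
2024-05-03T14:05:00 10.0.5.17 cdn-assets.example-lookalike.test
2024-05-03T14:07:21 10.0.5.17 www.example-news.test
2024-05-03T14:09:33 10.0.5.17 www.example-news.test
"""


def parse_proxy_log(text):
    """Parse the constructed three-field format into (timestamp, src, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host = line.split()
        records.append((datetime.fromisoformat(ts), src, host))
    return records


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return {(src, host): stats} for pairs whose connection spacing is suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; a low CV means a fixed timer, not a human.
    Thresholds are assumptions chosen for the sample data, not published values.
    """
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)

    findings = {}
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_connections:  # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[(src, host)] = {
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, host), stats in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"possible beacon: {src} -> {host} {stats}")
```

Two practical notes on the design. Real implants add jitter to their sleep timer, so production analytics look at longer windows, at payload-size uniformity and at the destination's age and reputation rather than at timing alone. The same regularity also describes legitimate software updaters and telemetry agents, so the finding is a hunt lead to be checked against a known-service allowlist, not a block on its own.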
A real intrusion through the chain: Equifax, 2017
The 2017 Equifax breach exposed the personal data of roughly 147 million people, and it maps cleanly onto the chain, including the parts attackers compress.
The front of the chain collapsed into almost nothing. There was no spear-phishing email and no weaponized document. Reconnaissance and delivery were a scan for internet-facing Apache Struts and a single crafted HTTP request to Equifax's online dispute portal. Exploitation hit CVE-2017-5638, a remote-code-execution flaw in the Struts Jakarta Multipart parser. Apache had released a patch in March 2017; the portal was not patched in time. That is the entire first half of the chain in one web request.
The back of the chain is where the damage compounded and where detection should have fired. After installation, the attackers used command and control to move laterally, and they found unencrypted credentials sitting on a file share. Those credentials opened databases far beyond the original server. Actions on objectives ran for more than two months: the attackers queried databases and exfiltrated data in small batches that blended into normal traffic. Equifax did not notice until it renewed an expired certificate on a monitoring device and finally saw the suspicious traffic.
The lesson the kill chain draws out: a single missed patch lost the front of the chain, but the long, quiet back half offered weeks of chances to break it that were never taken. Egress monitoring, segmentation, or credential hygiene at any one of those stages would have changed the outcome.
Cyber kill chain vs. MITRE ATT&CK
These two get pitted against each other, but they answer different questions. The kill chain gives you a high-level narrative arc of an intrusion. MITRE ATT&CK gives you the granular, evidence-based catalog of how adversaries behave inside that arc.
| | Cyber Kill Chain | MITRE ATT&CK |
|---|---|---|
| Structure | 7 linear stages | Tactics (the why) and techniques (the how) |
| Granularity | High-level phases | Hundreds of specific techniques with IDs |
| Sequence | Strictly ordered | Non-linear; tactics recur and overlap |
| Best for | Communicating the arc, placing controls | Detection engineering, hunting, red-team mapping |
| Coverage | Front-loaded on perimeter intrusion | Deep on post-compromise behavior |
A practical way to see the relationship: ATT&CK's tactics roughly expand the back half of the kill chain into far more detail. One kill-chain stage, "actions on objectives," fans out in ATT&CK into Collection, Exfiltration, Impact, and more, each with concrete techniques like T1486 (Data Encrypted for Impact). Where the kill chain says "command and control," ATT&CK enumerates dozens of C2 techniques an analyst can write a detection against.
Use the kill chain to brief a stakeholder or decide where a control belongs. Use ATT&CK when you sit down to write the detection or scope a threat hunting hypothesis. They are layers, not rivals: the kill chain is the chapter titles, ATT&CK is the sentences.
Where the cyber kill chain falls short
The model is from 2011, and it shows. Treat it as a useful lens, not a complete map.
- It is perimeter-centric. The chain assumes an outsider breaching a network boundary with malware. It models that story well and a cloud-and-identity intrusion poorly. An attacker who logs in with a valid stolen credential and abuses SaaS never trips a "delivery" or "installation" stage in any recognizable form.
- It is weak on attacks that skip the front half. Insider threats, credential stuffing, and abuse of legitimate tools (living off the land) have little or no weaponization or installation. Web-application attacks like SQL injection compress reconnaissance, delivery, and exploitation into a single request, as Equifax showed.
- It assumes a clean linear sequence. Real intrusions loop. An attacker lands, does fresh internal reconnaissance, moves laterally, and repeats the cycle deeper in the network. The single straight line undersells that.
- It is light on lateral movement and privilege escalation. The most damaging part of a modern breach, what happens after the first host, is squeezed into "command and control" and "actions on objectives." That is exactly the territory where ATT&CK and newer models add detail.
None of this makes the kill chain wrong. It makes it a starting framework that needs company.
Newer models that extend the chain
Three extensions answer the gaps directly.
The Unified Kill Chain (developed by Paul Pols in 2017) merges the Lockheed Martin chain with MITRE ATT&CK into 18 phases grouped in three stages: gaining an initial foothold, propagating through the network, and acting on objectives. It explicitly models the lateral-movement loop the original flattens, which makes it a better fit for modern multi-stage intrusions.
The monetization phase. Many vendors append an eighth stage for how attackers turn access into money: ransom payment, reselling data, or fraud. It is a useful business framing, but it is an addition, not part of the original seven-stage model. Treat the "8 phases" you sometimes see as the seven canonical stages plus this commercial coda.
The ICS Cyber Kill Chain. SANS adapted the model for industrial control systems as a two-stage chain, reflecting that attacks on operational technology usually require an espionage stage to learn the physical process before a second stage that causes physical effects.
The takeaway is not to memorize all of them. It is that the kill chain is a base pattern others build on, and which model you reach for depends on the environment you defend.
How blue teams use the cyber kill chain
The model earns its keep as connective tissue across the SOC, not as a poster on the wall.
Triage and prioritization. Mapping an alert to a stage tells you how urgent it is. A blocked phishing email sits at delivery, low and routine. A confirmed C2 beacon sits at stage six, meaning an attacker is already inside and hands-on. Stage depth is a fast proxy for severity.
Detection engineering. Detection engineering teams use the chain to audit coverage: plot existing detections against the seven stages and the blind spots show up as empty stages. A SOC heavy on perimeter alerts but thin on C2 and exfiltration detection can see that gap at a glance.
Incident response. During an investigation, placing observed activity on the chain answers "how far did they get?" Reaching command and control is a different containment problem than catching them at exploitation. The chain frames scope and urgency for responders.
Threat intelligence and hunting. Analysts map an adversary's known behavior to the stages, then hunt for the stages they have not yet seen in their own telemetry. If intel says a group favors a specific persistence technique at installation, that becomes a hunt hypothesis. This is where the kill chain, ATT&CK, and cyber threat intelligence meet.
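The four uses above all rest on one operation: put an alert, a detection rule or an observed behaviour on a stage, then read the chain. The block below is an added example, not code from the original article, that does this with a small ATT&CK-tactic-to-stage mapping. It gives stage depth as a triage severity, reports the furthest stage an incident reached and which earlier stages produced no alert (the "what did we miss upstream?" question), and audits a rule catalogue for stages with no detection at all. The tactic mapping is an assumption that follows the article's description (post-compromise lateral movement and privilege escalation folded into command and control); the alerts, rule names and host names are constructed.

```python
"""Place alerts and detection rules on the seven kill-chain stages and read the result."""
from dataclasses import dataclass

STAGES = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]

# Assumed mapping of ATT&CK tactics onto kill-chain stages. Post-compromise tactics
# are folded into command and control, as the article describes the original model doing.
TACTIC_TO_STAGE = {
    "reconnaissance": "reconnaissance",
    "resource-development": "weaponization",
    "initial-access": "delivery",
    "execution": "exploitation",
    "persistence": "installation",
    "privilege-escalation": "command_and_control",
    "defense-evasion": "command_and_control",
    "credential-access": "command_and_control",
    "discovery": "command_and_control",
    "lateral-movement": "command_and_control",
    "command-and-control": "command_and_control",
    "collection": "actions_on_objectives",
    "exfiltration": "actions_on_objectives",
    "impact": "actions_on_objectives",
}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str   # telemetry that raised it (email gateway, EDR, proxy, ...)
    tactic: str   # ATT&CK tactic the firing rule is tagged with
    host: str


# Constructed alerts for one fictional incident, modelled on the article's phishing walkthrough.
SAMPLE_ALERTS = [
    Alert("A-1", "email_gateway", "initial-access", "fin-laptop-07"),
    Alert("A-2", "edr", "execution", "fin-laptop-07"),
    Alert("A-3", "edr", "persistence", "fin-laptop-07"),
    Alert("A-4", "proxy", "command-and-control", "fin-laptop-07"),
]

# Constructed detection-rule catalogue: rule name -> ATT&CK tactic it covers.
SAMPLE_RULES = {
    "phish-attachment-with-macro": "initial-access",
    "office-app-spawns-shell": "execution",
    "run-key-written-by-user-process": "persistence",
    "periodic-outbound-beacon": "command-and-control",
    "remote-service-creation": "lateral-movement",
}


def stage_of(tactic):
    """Kill-chain stage for an ATT&CK tactic (raises KeyError for unknown tactics)."""
    return TACTIC_TO_STAGE[tactic]


def severity(alert):
    """Triage proxy: 1 (reconnaissance) .. 7 (actions on objectives). Deeper is worse."""
    return STAGES.index(stage_of(alert.tactic)) + 1


def furthest_stage(alerts):
    """Incident-response question: how far did they get?"""
    return max((stage_of(a.tactic) for a in alerts), key=STAGES.index)


def missed_upstream(alerts):
    """Stages before the deepest one observed that produced no alert at all."""
    seen = {stage_of(a.tactic) for a in alerts}
    deepest = STAGES.index(furthest_stage(alerts))
    return [s for s in STAGES[:deepest] if s not in seen]


def coverage_gaps(rules):
    """Detection-engineering audit: stages with no rule mapped to them."""
    covered = {stage_of(t) for t in rules.values()}
    return [s for s in STAGES if s not in covered]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.alert_id} {a.source:>14} -> {stage_of(a.tactic):<22} severity {severity(a)}")
    print("furthest stage:", furthest_stage(SAMPLE_ALERTS))
    print("no alert upstream at:", missed_upstream(SAMPLE_ALERTS))
    print("stages with no detection rule:", coverage_gaps(SAMPLE_RULES))
```

Reading the sample output the way an analyst would: the incident reached command and control, so containment, not just email quarantine, is the problem; the empty upstream stages are reconnaissance and weaponization, the latter being invisible to the defender by design; and the rule catalogue has nothing at all on actions on objectives, which is the egress and DLP gap the Equifax case illustrates.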
The bottom line
The cyber kill chain breaks a targeted intrusion into seven stages and turns one question into a defensive strategy: where do we break the chain? An attacker has to clear every stage; you only have to win one. The original courses-of-action matrix tells you what "winning" looks like at each stage, and the principle that catching an attack early costs less still holds.
Frequently asked questions
The kill chain is a high-level, linear seven-stage arc of an intrusion. MITRE ATT&CK is a detailed, non-linear knowledge base of specific adversary tactics and techniques. Use the kill chain to communicate and place controls; use ATT&CK to engineer detections and scope hunts. They complement each other rather than compete.
Yes, as a starting framework, but not on its own. It models perimeter-breaching, malware-driven intrusions well and cloud, identity, and insider attacks poorly. Most teams pair it with MITRE ATT&CK or use the Unified Kill Chain for modern, multi-stage intrusions while keeping the kill chain's core principle of breaking the sequence early.
Some versions add monetization as an eighth stage, covering how attackers profit from access through ransom, data resale, or fraud. It is a common extension, not part of Lockheed Martin's original seven-stage model.
The cyber kill chain is a seven-stage model of how a targeted cyberattack unfolds, from the attacker's first research to the moment they steal or destroy data. Defenders use it to figure out where an attack is in its progression and where to stop it. The key idea is that an attacker must complete every stage, so breaking any one stage defeats the attack.
Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The attacker researches the target, builds a weapon, delivers it, triggers it, installs persistence, opens a channel back out, and finally acts on the goal. They run in that order, and earlier interruption costs the defender less.
Lockheed Martin created it in 2011. Analysts Eric Hutchins, Michael Cloppert, and Rohan Amin defined it in the paper *Intelligence-Driven Computer Network Defense*. The name and staged concept were adapted from the military targeting cycle.