The Cyber Kill Chain
The Lockheed Martin Cyber Kill Chain, published in 2011, is the attack lifecycle model that established the framework of thinking about intrusions as multi-stage sequences that defenders can disrupt at any point. The model was the first widely-adopted attempt to systematize adversary behavior across the full lifecycle of an intrusion, and it has held up well enough over fifteen years that the vocabulary it introduced — “kill chain,” “break the chain,” the seven named stages — has become standard across the discipline. The model also has structural limits that have become more apparent as the threat landscape has evolved, and the dominant modern frameworks (notably MITRE ATT&CK) extend and refine the Kill Chain rather than replacing it.
This page is the deep-dive companion to the Threat Modeling Frameworks umbrella. The scope here is what the Kill Chain is, why it has endured, the variants that extend it, where it earns operational value, and where its limits matter in practice.
What the Kill Chain actually is
The Cyber Kill Chain is a seven-stage model of how adversary intrusions unfold, originally published by Lockheed Martin researchers Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin in a 2011 paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” The paper applied military targeting doctrine — specifically the F2T2EA targeting cycle (Find, Fix, Track, Target, Engage, Assess) — to network intrusions, producing the seven-stage cyber adaptation.
The framework’s enduring contribution is two structural ideas:
Intrusions are sequences, not events. Before the Kill Chain, much of the defensive industry thought about attacks as discrete moments — the malware execution, the data exfiltration, the breach. The Kill Chain framing made explicit that any successful intrusion is the product of a multi-stage sequence, and that each stage is itself an opportunity for the defender to intervene.
Defenders can disrupt at any stage. The “break the chain” philosophy holds that disrupting an intrusion at any stage prevents the adversary from completing their objective. A blocked phishing email at the delivery stage is as effective at preventing data exfiltration as detection of the exfiltration itself — and substantially less costly to defend against. This framing reorganized how detection investments were prioritized, with earlier-stage disruption getting more attention than it had before.
These two ideas have been absorbed so completely into defensive practice that they now seem obvious. They were not obvious in 2011. The Kill Chain made them explicit and gave the discipline a vocabulary for discussing them.
The military origin
The Kill Chain is named for and derived from a military concept. In military targeting doctrine, the kill chain is the sequence of decisions and actions required to engage a target: detect, identify, decide, engage, assess. The military kill chain framing emphasizes that the chain can be broken at any link — a target that cannot be detected cannot be engaged, regardless of how effective the engagement capability is.
The Lockheed Martin researchers adapted this framing to network intrusions explicitly. The cyber adaptation:
- The adversary is the actor trying to complete a kill chain against a victim.
- The defender’s job is to disrupt the adversary’s kill chain at any link.
- Each stage of the cyber kill chain corresponds to a different defensive opportunity, with different tools and different telemetry sources.
The military origin matters for how the framework is sometimes received. Some practitioners find the military framing unfortunate or inappropriate for civilian cybersecurity contexts; others find it productive because it captures the adversarial structure clearly. The framing has been criticized as overly martial and defended as appropriate to its subject matter; both positions have merit. The framework’s value does not depend on the framing of its name.
The seven stages
The Lockheed Martin Kill Chain has seven stages, in the order they typically occur in an intrusion:
1. Reconnaissance
The adversary gathers information about the target before any direct interaction. The reconnaissance stage covers passive information gathering (web searches, social media research, open-source intelligence) and active reconnaissance (port scanning, vulnerability scanning, DNS enumeration). The output is a profile of the target sufficient to inform later stages.
Defensive opportunities at this stage are limited because much reconnaissance happens against publicly-accessible information and infrastructure. Detection of active reconnaissance (scanning, probing) is possible and is the standard defensive investment here. Reduction of public attack surface (limiting what reconnaissance can find) is the complementary investment.
2. Weaponization
The adversary prepares the payload for delivery. This is the stage where exploit code is paired with malware, where phishing lures are crafted, where the operational tooling is assembled into a deliverable form. Weaponization typically happens entirely on adversary-controlled infrastructure and is largely invisible to defenders.
Defensive opportunities at this stage are minimal — defenders generally cannot see weaponization happening. The stage is significant in the model because it represents a window where the adversary is committed to a particular approach but has not yet engaged the target; threat intelligence about adversary tooling can sometimes inform defensive preparation for the next stages.
3. Delivery
The adversary delivers the weaponized payload to the target. Delivery vectors include phishing emails, malicious websites, removable media, supply chain compromise, watering-hole attacks, and direct exploitation of internet-facing services. The delivery stage is where the adversary first interacts with the target environment in a way the defender can potentially observe.
Defensive opportunities at this stage are substantial. Email security gateways, web proxies, network detection, and similar perimeter controls all target delivery-stage activity. Disrupting an intrusion at delivery is typically high-leverage — the adversary has invested in reconnaissance and weaponization, but the defender has prevented the adversary from gaining any foothold.
4. Exploitation
The delivered payload exploits a vulnerability to execute code or otherwise establish initial control. Exploitation can target software vulnerabilities, user behavior (clicking a link, opening a document, entering credentials), configuration weaknesses, or trust relationships. The exploitation stage is where the adversary transitions from “delivering content” to “executing on the target.”
Defensive opportunities include vulnerability management (preventing exploitable conditions), endpoint protection (detecting exploitation attempts), user awareness (reducing the success rate of social engineering), and runtime protections (sandboxing, exploit mitigation features). Disrupting at exploitation is meaningful but more challenging than delivery-stage disruption because exploitation is already happening on the target system.
5. Installation
The adversary installs persistence mechanisms that allow continued access. Installation can involve dropping malware to disk, creating accounts, modifying scheduled tasks, installing services, or modifying boot-time behavior. The installation stage is where the adversary transitions from “we got in this time” to “we can get in again.”
Defensive opportunities are endpoint detection content focused on installation behaviors — new service creation, registry persistence keys, scheduled task modifications, file system changes in sensitive paths. Endpoint detection and response (EDR) tooling is the standard defensive investment for this stage.
6. Command and Control
The adversary establishes communication with installed implants from external infrastructure. The C2 stage covers the ongoing channel between adversary infrastructure and compromised systems through which commands flow and information is exchanged. C2 traffic must blend in with normal network activity to evade detection, which drives substantial adversary effort in protocol selection, encryption, and timing.
Defensive opportunities at this stage are network detection content (anomalous outbound traffic patterns, communications with known-bad infrastructure, unusual protocol behaviors) and host-level detection of the C2 software itself. The C2 stage is one of the most studied areas of defensive content because the traffic is necessarily different from legitimate activity, but adversaries have invested heavily in making the differences subtle.
7. Actions on Objectives
The adversary completes the objective that motivated the intrusion. Objectives vary by adversary: data exfiltration, ransomware deployment, destructive operations, persistent access for future use, lateral movement to higher-value targets, modification of business processes, financial fraud. The actions-on-objectives stage is the one the adversary actually came to perform; all preceding stages are means to this end.
Defensive opportunities are detection content specific to the objective: data loss prevention for exfiltration, ransomware detection for encryption, integrity monitoring for tampering, financial transaction monitoring for fraud. Disruption at this stage prevents the adversary’s objective but typically means the earlier stages succeeded — the threat actor has been in the environment, with all the implications that carries.
The “break the chain” philosophy
The framework’s central operational claim is that disrupting the adversary at any stage prevents successful completion of the kill chain. A phishing email blocked at delivery is functionally equivalent to data exfiltration prevented at the last stage — both prevent the adversary’s objective.
The corollary is that earlier disruption is more economical than later disruption. Three reasons drive this:
Earlier disruption is cheaper for the defender. Email filtering at delivery is substantially less expensive than incident response after exploitation, installation, and lateral movement. The cost of defense generally grows as the attack progresses.
Earlier disruption is more reliable. Detection at later stages depends on the adversary’s specific implementation choices; the adversary can often evade specific late-stage detections by changing tools or techniques. Earlier-stage controls (email security, vulnerability management) are less dependent on adversary-specific signatures.
Earlier disruption is more contained. An intrusion stopped at delivery affects only the delivery channel; an intrusion stopped at actions-on-objectives may have affected many systems and may have established persistence that requires substantial remediation.
The “break the chain” philosophy reorganized how detection investments were prioritized. Before the Kill Chain, defensive content was often organized by tool type (firewall rules, IDS signatures, antivirus signatures); after the Kill Chain, it became increasingly organized by where in the lifecycle the detection fires. The change has stuck — modern SOC operations universally track detection coverage by lifecycle stage in some form.
Variants and extensions
Two notable variants of the original Kill Chain are worth knowing:
The Mandiant Attack Lifecycle is the variant used by Mandiant (now Google Cloud / Mandiant) in their incident response and CTI work. The Mandiant model has more stages than Lockheed Martin’s, with explicit distinction between phases like initial compromise, establish foothold, escalate privileges, internal reconnaissance, move laterally, maintain presence, and complete mission. The Mandiant variant captures the post-exploitation lateral movement that the original Kill Chain compresses into “actions on objectives,” which is more accurate to real adversary behavior.
The Unified Kill Chain, developed by Paul Pols starting in 2017 with revisions through 2022, extends the Kill Chain with 18 phases organized into three macro-phases: initial foothold, network propagation, and action on objectives. The Unified Kill Chain explicitly addresses the linearity criticism of the original by allowing the model to capture iterative and cyclical adversary behavior. Adoption has been limited but the framework is well-regarded in academic and research contexts.
Sector-specific kill chains have emerged for specific contexts: industrial control systems (the Industrial Control System Kill Chain by SANS), insider threats (where the early Kill Chain stages don’t apply directly), and supply chain attacks (where the chain spans multiple organizations). These specializations address areas where the general-purpose Kill Chain doesn’t fit cleanly.
The original Lockheed Martin seven-stage model remains the most-cited and most-used version. The variants address specific limitations but have not displaced the original as the standard reference.
Relationship to ATT&CK
The Kill Chain and MITRE ATT&CK operate at different levels of abstraction and are complementary rather than competing:
The Kill Chain provides macro structure. Seven stages, the attack lifecycle, the break-the-chain philosophy. The model is at the right level for executive communication, strategic defensive planning, and high-level threat intelligence reporting.
ATT&CK provides technique-level granularity. Over 200 specific techniques organized into 14 tactics. The catalog is at the right level for detection engineering, threat hunting, and operational SOC work.
The two map onto each other in a natural way. The Kill Chain’s Reconnaissance stage corresponds to ATT&CK’s Reconnaissance tactic. The Kill Chain’s Delivery and Exploitation stages roughly correspond to ATT&CK’s Initial Access tactic. The Kill Chain’s Installation corresponds to Persistence. C2 corresponds to Command and Control. Actions on Objectives expands into multiple ATT&CK tactics (Collection, Exfiltration, Impact, plus the post-compromise tactics such as Discovery, Lateral Movement, and Credential Access that the original Kill Chain compressed into that single stage).
The mapping is not perfect — ATT&CK explicitly extends beyond the Kill Chain’s structure in several places (Persistence, Defense Evasion, and the post-exploitation tactics are richer in ATT&CK than in the Kill Chain) — but the relationship is well-understood. Mature defensive programs use both: the Kill Chain for executive-level lifecycle communication and strategic planning, ATT&CK for technique-level operational work.
Where the Kill Chain excels
The framework continues to earn operational value in several specific contexts:
Communicating attack lifecycle to non-specialists. The seven-stage structure is accessible to executives, board members, auditors, and other stakeholders who do not need technical detail. “We blocked this attack at the delivery stage” is more informative to a non-technical reader than “we mitigated technique T1566 sub-technique 002.”
Organizing detection content by lifecycle stage. SOC analysts and detection engineers benefit from knowing where in the lifecycle each detection fires. Earlier-stage detections are typically higher-leverage; later-stage detections often indicate that earlier-stage controls have already failed. The lifecycle organization provides a structure for thinking about detection portfolio balance.
Framing investment in early-stage controls. The economics argument for earlier disruption is most easily made with the Kill Chain framing. A CISO presenting an investment case for improved email security or vulnerability management can use the Kill Chain to make the “earlier is cheaper” argument clearly.
Incident timeline communication. Walking through an incident’s stages — when did reconnaissance occur, when was delivery, when was the system actually compromised — is naturally structured by the Kill Chain. Post-incident reports often use the framework as the timeline organization.
Strategic defensive planning. Multi-year defensive roadmaps that emphasize lifecycle coverage — “year one improve delivery controls, year two strengthen exploitation defenses, year three build installation detection” — use the Kill Chain as the planning structure.
Where the Kill Chain has limits
Several structural limits of the Kill Chain have become more apparent as the threat landscape has evolved:
The model is too linear. Real attacks do not proceed cleanly through the seven stages. Adversaries reconnoiter throughout the intrusion, including post-compromise. Credential access can happen at any stage where credentials are available. Lateral movement involves repeated cycles through reconnaissance, exploitation, and persistence. The linear seven-stage structure compresses what is actually a non-linear graph of activities into a sequence that does not match real adversary behavior.
The model is heavily perimeter-focused. The Kill Chain was developed in an era when the network perimeter was the dominant defensive concept. The model emphasizes delivery (perimeter crossing) and exploitation (initial compromise) more than the post-compromise lateral movement that dominates modern intrusions. In environments with weak perimeters (cloud-native architectures, zero-trust networks, work-from-anywhere postures), the Kill Chain’s emphasis on perimeter stages produces a partial picture.
The model does not handle insider threats. An insider with legitimate access does not progress through reconnaissance, weaponization, and delivery in the way the Kill Chain describes. The model can be adapted to insider scenarios but the adaptation is awkward; frameworks designed specifically for insider threats (or general models like the Diamond Model) handle these cases better.
Actions on Objectives compresses too much. Real intrusions spend most of their time in the post-compromise phase — lateral movement, privilege escalation, persistence, collection, exfiltration — that the Kill Chain compresses into a single stage. ATT&CK explicitly addresses this by expanding the post-compromise phase into multiple tactics; the original Kill Chain does not.
Some attacks don’t have all seven stages. Drive-by downloads, browser exploits, and other attacks compress multiple stages into a single moment. Ransomware-as-a-service operations split the stages across multiple actors. Supply chain attacks have weaponization that happens long before the target organization is in scope. The seven-stage structure fits some attacks well and other attacks poorly.
The “break the chain” philosophy is sometimes overstated. The framework correctly identifies that earlier disruption is generally better than later disruption, but real defenses must address all stages because no single stage of defensive controls catches every attack. Defenders that over-invest in early-stage controls because of the “earlier is more economical” argument often find themselves under-prepared when an attack does reach later stages.
The model is descriptive, not prescriptive. The Kill Chain describes how attacks progress; it does not tell defenders what specific controls to deploy. Translating from “we need delivery-stage controls” to “deploy specific email security and web filtering controls” requires additional frameworks and expertise.
Operational use
A few places the Kill Chain shows up in practical defensive work in 2026:
Executive risk communication and board reporting. The Kill Chain framing is appropriate for non-technical audiences who need to understand lifecycle structure without technique-level detail. CISOs presenting to boards typically use Kill Chain framing rather than ATT&CK technique IDs.
Detection content classification. Detection rules are sometimes tagged by Kill Chain stage in addition to (or instead of) ATT&CK technique. The classification provides a coarser-grained organization that complements the technique-level tagging. Coverage by stage is easier to communicate than coverage by technique.
Incident report structure. Post-incident reports often use Kill Chain stages as the timeline organization. “The reconnaissance phase ran from [date] to [date]; delivery occurred on [date]; exploitation succeeded on [date]; the intrusion was detected during the installation phase” produces a structured timeline that non-technical readers can follow.
Strategic defensive planning. Multi-year planning that emphasizes which lifecycle stages need investment uses Kill Chain framing. The pattern is appropriate for budget-cycle conversations rather than tactical detection engineering.
Vendor communication. Security product vendors often describe their offerings in Kill Chain terms — “we address delivery-stage threats,” “we provide C2-stage detection.” The shorthand is useful at the level of vendor positioning even when the actual product capabilities require more detail to evaluate.
Standards and references
- Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains — Hutchins, Cloppert, and Amin (2011), the canonical paper introducing the framework.
- Lockheed Martin Cyber Kill Chain — lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html, the official Lockheed Martin documentation.
- Mandiant Attack Lifecycle — referenced extensively in Mandiant’s M-Trends annual reports and incident response documentation.
- Unified Kill Chain — Paul Pols’ research, available at unifiedkillchain.com, with the 2017 thesis and subsequent updates.
- SANS ICS Kill Chain — the industrial control system adaptation.
Persistent pitfalls
Several recurring failure patterns in Kill Chain adoption:
Taking the linearity too literally. Real attacks do not proceed cleanly through the seven stages, and treating the model as a strict sequence produces analysis that misses the non-linear reality of post-compromise activity. The Kill Chain is a structure for thinking, not a workflow specification.
Over-emphasizing early-stage controls. The “earlier disruption is more economical” argument is correct in general but should not justify under-investing in late-stage controls. No defense catches every attack at delivery; later-stage detection is the safety net that catches what earlier controls miss.
Treating the Kill Chain as the complete operational framework. The model provides macro structure; the technique-level operational work requires ATT&CK or equivalent granularity. Defensive programs that use only Kill Chain framing miss the operational detail needed for effective detection engineering.
Force-fitting attacks to the seven-stage structure. Some attacks fit the Kill Chain naturally; others do not. Insider threats, supply chain attacks, drive-by downloads, and ransomware-as-a-service operations all stretch or break the original structure. Acknowledging the mismatch is more honest than forcing the attack into a structure that doesn’t fit.
Using outdated lifecycle vocabulary. Some security teams continue to organize work around Kill Chain stages without integrating the more granular ATT&CK vocabulary that has become the operational standard. The Kill Chain remains useful at the strategic level; operational work benefits from the finer-grained framework.
How to use the Kill Chain in 2026
The framework’s current best use is as the strategic-level lifecycle structure that pairs with technique-level frameworks for operational work. Concretely:
- Use the Kill Chain for executive communication. The seven-stage structure is appropriate for board-level discussions, executive briefings, and audit reporting. Don’t use ATT&CK technique IDs in these contexts; use Kill Chain stages.
- Use the Kill Chain for strategic planning. Multi-year defensive roadmaps benefit from the lifecycle structure. Prioritize investments by which stages need strengthening.
- Use ATT&CK for operational work. Detection engineering, threat hunting, red team planning, and CTI consumption all operate at the technique level. The Kill Chain is too coarse for this work.
- Map between the two frameworks deliberately. Detection content tagged with both Kill Chain stage and ATT&CK technique can be filtered and aggregated either way, supporting both strategic and operational views of coverage.
- Acknowledge the model’s limits honestly. When discussing the Kill Chain with technical audiences, be explicit about where the linear seven-stage structure breaks down. The discipline has moved on from treating the Kill Chain as a complete picture; the framework’s continuing value lies in being one input among several, not the entire model.
- Update to a variant if the original doesn’t fit. Organizations dealing extensively with supply chain attacks, insider threats, or other scenarios that don’t fit the original seven-stage structure may benefit from adopting one of the variants (Unified Kill Chain, sector-specific adaptations).
The Kill Chain has earned its place in the defensive vocabulary. It captures real structural insights about how intrusions work and how defenders can think about disruption. The model’s limits are real, and modern defensive programs use it alongside more granular frameworks rather than instead of them.
Where to go next on this site
Adjacent material on this site:
- Threat Modeling Frameworks — the umbrella overview.
- MITRE ATT&CK — the technique-level framework that extends Kill Chain stage structure with operational granularity.
- MITRE D3FEND — the defensive countermeasure catalog.
- STRIDE — the design-time threat categorization framework.
- The Diamond Model — the CTI analytical framework that pairs with the Kill Chain for intrusion analysis.
- LINDDUN — the privacy-focused parallel framework.
- PASTA — the heavyweight risk-centric methodology.
- OCTAVE — the asset-driven enterprise risk methodology.
The Cyber Kill Chain is fifteen years old as of 2026 and shows its age in places — the linear structure, the perimeter focus, the compressed post-compromise treatment all reflect the threat landscape of the late 2000s and early 2010s. The framework continues to earn its keep for executive communication, strategic planning, and incident timeline structure. For technique-level operational work, ATT&CK is the better tool. Most mature defensive programs use both, with the Kill Chain at the strategic level and ATT&CK at the operational level, neither alone sufficient.