The Cyber Kill Chain is one of the most influential frameworks in defensive security because it reframes an attack not as a single event but as a process with breakable links. Created by Lockheed Martin, it describes an intrusion as seven sequential stages, and its central insight is that the attacker has to complete every stage to win. Defenders only have to break one. That asymmetry, finally tilted in the defender's favor, is why the model has shaped detection strategy, threat intelligence, and incident response for over a decade.
The Seven Stages
The model walks an attack from the outside in:
The further left a defender detects activity, the cheaper and safer the response. Stopping a phishing email at delivery costs almost nothing; stopping an attacker at actions on objectives means the breach has already happened.
Kill Chain Versus MITRE ATT&CK
The kill chain is deliberately simple, and that is both its strength and its limit. It tells you which phase an attack is in, but not how the attacker behaves inside that phase. That is where MITRE ATT&CK comes in. Where the kill chain is a linear sequence of stages, MITRE ATT&CK is a matrix of concrete tactics and techniques drawn from real, observed adversary behavior.
A practical workflow uses both: the kill chain to communicate the high-level story of an intrusion to leadership, and the ATT&CK matrix to pin each step to specific techniques so detection engineers know exactly what to hunt for. They are complementary, not competing.
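The workflow above, sketched as an added example (not code from this page or from MITRE or Lockheed Martin): alerts tagged with ATT&CK tactic IDs are rolled up into kill chain stages per host, showing where detection first fired and which stages produced no alert. The tactic-to-stage mapping, host names, and alerts are assumptions constructed for illustration; ATT&CK publishes no official mapping to the kill chain.

```python
from collections import defaultdict

# Lockheed Martin's seven stages, ordered left (earliest) to right.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives"]

# ASSUMPTION: one reasonable tactic-to-stage mapping, not an official one.
# Tactics missing from it are reported as unmapped rather than guessed.
TACTIC_TO_STAGE = {
    "TA0043": 0, "TA0042": 1,   # Reconnaissance, Resource Development
    "TA0001": 2, "TA0002": 3,   # Initial Access, Execution
    "TA0003": 4, "TA0011": 5,   # Persistence, Command and Control
    "TA0008": 6, "TA0009": 6, "TA0010": 6, "TA0040": 6,  # Lateral Movement .. Impact
}

# Constructed sample alerts: (timestamp, host, tactic id, technique id)
ALERTS = [
    ("2024-05-01T09:02:00", "ws-17", "TA0001", "T1566"),   # Phishing
    ("2024-05-01T09:05:00", "ws-17", "TA0002", "T1059"),   # Command interpreter
    ("2024-05-01T09:40:00", "ws-17", "TA0011", "T1071"),   # App-layer protocol C2
    ("2024-05-01T11:15:00", "ws-17", "TA0010", "T1041"),   # Exfiltration over C2
    ("2024-05-01T10:00:00", "srv-02", "TA0011", "T1071"),
    ("2024-05-01T10:01:00", "srv-02", "TA0007", "T1082"),  # Discovery: not in mapping
]

def summarize(alerts):
    """Return ({host: stage summary}, [(host, tactic) that could not be mapped])."""
    by_host, unmapped = defaultdict(dict), []
    for _ts, host, tactic, technique in sorted(alerts):
        idx = TACTIC_TO_STAGE.get(tactic)
        if idx is None:
            unmapped.append((host, tactic))
            continue
        by_host[host].setdefault(idx, []).append(technique)
    report = {}
    for host, seen in by_host.items():
        first, deepest = min(seen), max(seen)
        report[host] = {
            "earliest_detected": STAGES[first],
            "deepest_reached": STAGES[deepest],
            # ASSUMPTION: stages 0-1 are mostly outside defender telemetry,
            # so missing coverage is counted from delivery onward.
            "blind_stages": [STAGES[i] for i in range(2, deepest) if i not in seen],
            "techniques": {STAGES[i]: sorted(set(t)) for i, t in sorted(seen.items())},
        }
    return report, unmapped

if __name__ == "__main__":
    print(summarize(ALERTS))
```

For srv-02 the first alert fires at command and control, so every earlier stage is listed as blind: the intrusion was caught, but far to the right.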
Why the Model Is Under Pressure
The original kill chain assumes a fairly linear, human-paced intrusion. Modern attacks rarely behave that neatly. The most dangerous AI-enabled attackers now chain whole kill chains autonomously, running reconnaissance, exploitation, and lateral movement in tight loops with little human input, as documented in our analysis of how hackers use AI. When one machine can compress days of manual work into minutes, the comfortable economics of "break one link" start to erode.
The lesson endures even as the threat evolves: every attack is a chain of dependent steps, and security is the discipline of finding the weakest link and breaking it first. Master the kill chain, layer MITRE ATT&CK on top of it, and you have a shared language for describing, detecting, and defeating intrusions before they reach their goal.