The Cyber Kill Chain is the model that breaks a cyberattack down into seven sequential phases, from the moment an attacker gathers information about a target to the moment the final objective is reached. Lockheed Martin published it in 2011, and it remains the reference framework for understanding the logic of an intrusion and, above all, for deciding where to place controls that break the chain before the adversary reaches the last link.
This guide explains what the Cyber Kill Chain is and where it comes from, walks through its seven phases with a concrete defensive control for each, introduces the Unified Kill Chain (Paul Pols' 18-phase extension) as the modern evolution, compares the model with MITRE ATT&CK, and shows how to operationalise it in the daily work of a SOC and a threat hunting team.
What the Cyber Kill Chain is
The term "kill chain" comes from military targeting doctrine (the cycle of identifying, fixing and neutralising a target). In 2011, researchers Eric Hutchins, Michael Cloppert and Rohan Amin, of Lockheed Martin, adapted it to network defence in the paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.
The core idea is simple and powerful: an advanced intrusion is not a single event but a progression of chained steps. The defender does not need to block every step, breaking a single link is enough to thwart the whole attack. And each link is a distinct opportunity to detect, deny or disrupt the adversary's operation.
The 7 phases of the Cyber Kill Chain
The model describes seven linear phases. For each one it helps to be clear about what the attacker does and which defensive control stops it.
1. Reconnaissance
The attacker gathers information about the target: domains, IP ranges, exposed technologies, corporate email addresses and employee profiles. This relies on OSINT and tools such as theHarvester, Shodan or subdomain finders.
Defensive control: reduce the exposed attack surface, monitor brand mentions and leaked credentials across open sources and the dark web, and deploy honeytokens that alert when someone probes sensitive assets.
2. Weaponization
The adversary prepares the malicious artifact: coupling an exploit with an office document, generating an implant or trojanising a legitimate installer. This happens on their own infrastructure, out of the defender's direct reach.
Defensive control: since it cannot be observed in real time, defence relies on threat intelligence and malware analysis. YARA rules for known builder families and sandbox detonation of the material that does arrive help infer the attacker's capability.
3. Delivery
This is the vector that introduces the artifact into the victim environment: phishing with an attachment, a link to a compromised site, a USB device or exploitation of an exposed service. Email is still the dominant channel, and it carries a large share of today's infostealers.
Defensive control: an email gateway with sandboxing, SPF, DKIM and DMARC in reject mode, web filtering through a proxy and ongoing user awareness training.
4. Exploitation
The code executes by abusing a vulnerability (for example, an unpatched CVE) or by tricking the user into enabling macros or running a file.
Defensive control: patch management with severity-based SLAs, memory protections (DEP, ASLR, CFG), the EDR's exploit prevention and GPO-based blocking of macros downloaded from the internet.
5. Installation
The attacker establishes persistence to survive reboots: a scheduled task, a service, a Run registry key, DLL sideloading or the creation of a new account.
Defensive control: application allowlisting with AppLocker or WDAC, an EDR watching for scheduled task creation (event 4698) and new services, and file integrity monitoring on critical paths.
6. Command and Control (C2)
The implant opens a channel back to the operator to receive orders: HTTPS, DNS tunnelling, fast flux domains or frameworks such as Cobalt Strike.
Defensive control: DNS filtering, inspection and filtering of outbound traffic, network detection (NDR) able to spot periodic beacons, and blocking of C2 indicators published by threat intelligence feeds.
7. Actions on Objectives
The adversary achieves the real goal: data exfiltration, ransomware encryption, financial fraud or destruction of information.
Defensive control: DLP to stop data leaving, network microsegmentation, immutable and offline backups, and honeypots that reveal lateral movement before impact lands.
Breaking the chain: the courses of action matrix
Lockheed Martin did not propose only the phases but also a courses of action matrix that crosses each phase with six defensive responses: detect, deny, disrupt, degrade, deceive and destroy. The guiding principle is defence in depth: the earlier a link is broken, the lower the cost of the incident. An attacker blocked at the delivery phase never gets to install anything or exfiltrate data.
The Unified Kill Chain
The classic Cyber Kill Chain drew well-founded criticism: it is too linear, focused on malware and the perimeter, and it does not model lateral movement, valid account abuse or living off the land techniques well. In 2017, Paul Pols, together with Fox-IT and the Cyber Security Academy in The Hague, published the Unified Kill Chain, revised in 2021, which merges the Lockheed Martin kill chain with MITRE ATT&CK into an 18-phase model grouped into three blocks:
- In (gaining the initial foothold): Reconnaissance, Weaponization, Delivery, Social Engineering, Exploitation, Persistence, Defense Evasion and Command and Control.
- Through (network propagation): Pivoting, Discovery, Privilege Escalation, Execution, Credential Access and Lateral Movement.
- Out (action on objectives): Collection, Exfiltration, Impact and Objectives.
The practical advantage is that the Unified Kill Chain describes in detail the part of the attack that already happens inside the perimeter, exactly where the original kill chain fell short and where the work of a threat hunting team is concentrated.
Cyber Kill Chain versus MITRE ATT&CK
Both frameworks describe attacks, but they operate at different levels of abstraction. The Cyber Kill Chain is linear and high level (seven phases), ideal for executive narrative and for reasoning about where to place controls. MITRE ATT&CK is a modular, granular matrix, with 14 Enterprise tactics and hundreds of techniques with their own identifiers, designed for the technical work of detection.
They are not mutually exclusive. The kill chain's "Installation" phase maps to the ATT&CK Persistence tactic, "Command and Control" maps to Command and Control, and "Actions on Objectives" unfolds into Collection, Exfiltration and Impact. In practice, teams use the kill chain as a narrative skeleton and ATT&CK as the detailed tactical map. The full comparison, tactic by tactic, is developed in the MITRE ATT&CK guide.
How to operationalise it in a SOC
The Cyber Kill Chain stops being theory once it is embedded in the defensive workflow:
- Control mapping by phase: each SIEM, EDR and NDR rule is tagged with the phase it covers, to visualise where coverage is solid and where the blind spots are.
- Incident reconstruction: during a DFIR engagement, placing each piece of evidence in its phase helps understand how far the attacker got and what remains to be contained.
- Threat hunting hypotheses per phase: at the C2 phase, hunt for periodic beacons toward low-reputation domains; at the Installation phase, look for scheduled tasks created by non-administrative accounts.
- Purple team exercises: the Red Team runs a full chain and the Blue Team validates at which phase it would have detected and stopped the attack, measuring the real depth of the defence.
- Reporting to leadership: a diagram of the seven phases coloured by coverage communicates how far a simulated attack reached far better than a table of metrics.
Frequently asked questions
Who created the Cyber Kill Chain and when?
Lockheed Martin published it in 2011, in a paper authored by Eric Hutchins, Michael Cloppert and Rohan Amin. The "kill chain" concept comes from military targeting doctrine and was adapted to computer network defence.
How many phases does the Cyber Kill Chain have?
Seven: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control and Actions on Objectives. The Unified Kill Chain extends the model to 18 phases.
What is the difference between the Cyber Kill Chain and the Unified Kill Chain?
The original is linear, has seven phases and is perimeter focused. The Unified Kill Chain (Paul Pols, 2017 and 2021) has 18 phases, integrates MITRE ATT&CK and also models what happens inside the network: pivoting, privilege escalation, lateral movement and credential access.
Does the Cyber Kill Chain replace MITRE ATT&CK?
No, they complement each other. The kill chain provides the high-level narrative and ATT&CK the technical detail per technique. Most mature teams use both frameworks at the same time.
Is the Cyber Kill Chain still useful in 2026?
Yes, as a conceptual and communication framework. For modern malware-free or identity-abuse attacks it is worth pairing it with the Unified Kill Chain and with ATT&CK, which cover the internal phases of an intrusion more thoroughly.
Related resources
- What is MITRE ATT&CK: the granular tactical map that complements the kill chain.
- What is threat hunting: the discipline that hunts attackers in the internal phases of the model.
- Dark web monitoring: early visibility during the reconnaissance phase.
- What is an infostealer: one of the most common payloads in the delivery phase.
- Ransomware in Spain 2026: the typical outcome of the actions on objectives phase.
Cyber Kill Chain at Secra
At Secra we use the Cyber Kill Chain and the Unified Kill Chain to structure the reports of our Red Team exercises and to measure at which phase a client's defence would detect and stop an attack. The deliverable is not a pretty diagram but a coverage map by phase that the security team maintains after the project and uses to prioritise where to invest. If you want to validate the depth of your defence or integrate tactical intelligence into your SOC, get in touch through contact or check our threat intelligence service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

