What is the cyber kill chain?
Last reviewed June 2, 2026
The cyber kill chain is a model developed by Lockheed Martin that breaks a targeted intrusion into seven sequential stages, from reconnaissance through to actions on objectives. It helps defenders understand the steps an attacker must complete and find opportunities to disrupt the attack at each stage. It is more linear and higher level than MITRE ATT&CK, which catalogs many specific techniques in depth.
What the cyber kill chain is
The cyber kill chain is a framework introduced by Lockheed Martin to describe the structure of a targeted intrusion as a sequence of stages. The core idea is that an attacker must progress through each stage in order to succeed, so disrupting any single stage can break the chain and stop the attack.
The model is intentionally high level. It gives defenders a shared way to talk about where in an intrusion a given activity sits and where defensive controls can be applied.
The seven stages
| Stage | Description |
|---|---|
| 1. Reconnaissance | Researching and selecting targets, gathering information on the organization. |
| 2. Weaponization | Pairing an exploit with a deliverable payload, such as a malicious document. |
| 3. Delivery | Transmitting the weapon to the target, for example by email, web, or removable media. |
| 4. Exploitation | Triggering the exploit to execute code on the target system. |
| 5. Installation | Installing malware or a backdoor to establish persistence. |
| 6. Command and Control | Establishing a channel for the attacker to remotely control the compromised host. |
| 7. Actions on Objectives | Achieving the goal, such as data theft, destruction, or further movement. |
How defenders use it
- Mapping detective and preventive controls to each stage to find coverage gaps.
- Reasoning about defense in depth: the earlier a stage is disrupted, the less damage results.
- Communicating incidents in a common vocabulary, for example stating that an attack was stopped at delivery.
- Prioritizing investment toward stages where the organization has the weakest coverage.
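The control-to-stage mapping and prioritization described in the list above can be done with a small script. This is an added example, not part of the original page: the control inventory is constructed sample data and the function names are hypothetical.

```python
# Added example: kill chain coverage analysis over a constructed control inventory.
STAGES = [  # the seven stages, in the order of the table above
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
KINDS = ("preventive", "detective")

# Constructed sample inventory (hypothetical): (control, stage, kind).
CONTROLS = [
    ("Email attachment sandbox", "Delivery", "preventive"),
    ("Web proxy URL filtering", "Delivery", "preventive"),
    ("Mail gateway alerting", "Delivery", "detective"),
    ("Endpoint exploit mitigation", "Exploitation", "preventive"),
    ("EDR process telemetry", "Exploitation", "detective"),
    ("EDR process telemetry", "Installation", "detective"),
    ("DNS egress logging", "Command and Control", "detective"),
    ("DLP on file shares", "Actions on Objectives", "detective"),
]

def coverage_matrix(controls):
    """Group control names by stage and kind; reject unknown stages or kinds."""
    matrix = {s: {k: [] for k in KINDS} for s in STAGES}
    for name, stage, kind in controls:
        if stage not in matrix or kind not in KINDS:
            raise ValueError(f"bad mapping for {name!r}: {stage!r}/{kind!r}")
        matrix[stage][kind].append(name)
    return matrix

def coverage_gaps(matrix):
    """Stages missing a preventive and/or detective control, in chain order."""
    gaps = {}
    for stage in STAGES:
        missing = [k for k in KINDS if not matrix[stage][k]]
        if missing:
            gaps[stage] = missing
    return gaps

def weakest_first(matrix):
    """Rank stages by total control count, fewest first; ties keep chain order."""
    return sorted(STAGES, key=lambda s: sum(len(v) for v in matrix[s].values()))

def furthest_stage(observed):
    """Latest stage with evidence in an incident, e.g. 'stopped at Delivery'."""
    return max(observed, key=STAGES.index, default=None)

if __name__ == "__main__":
    m = coverage_matrix(CONTROLS)
    for stage, missing in coverage_gaps(m).items():
        print(f"{stage}: no {' or '.join(missing)} control")
    print("Invest first in:", weakest_first(m)[:3])
```

Gaps reported at Reconnaissance and Weaponization need interpreting rather than simply filling, since those stages happen largely outside the defender's environment.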
Cyber kill chain compared to MITRE ATT&CK
The kill chain and ATT&CK are often used together. The kill chain is a linear, seven-stage view of an intrusion that is easy to communicate, but it is coarse and somewhat focused on the perimeter and the early stages.
ATT&CK is far more granular, cataloging many tactics and hundreds of techniques grounded in real-world observation, and it covers post-compromise behavior in depth. Many teams use the kill chain for high-level framing and ATT&CK for detailed detection and analysis.
Frequently asked questions
- Who created the cyber kill chain?
- The cyber kill chain was developed by Lockheed Martin and introduced as part of its intelligence-driven defense work. The term kill chain itself originates from military doctrine.
- How many stages does the cyber kill chain have?
- The classic Lockheed Martin model has seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
- Is the cyber kill chain the same as MITRE ATT&CK?
- No. The kill chain is a linear, high-level model of seven stages, while ATT&CK is a detailed knowledge base of many specific techniques grounded in observed adversary behavior. They are complementary.
- What is a criticism of the cyber kill chain?
- A common criticism is that its linear, perimeter-focused structure does not capture modern attacks well, including insider threats and intrusions that do not follow the stages in order. Frameworks like ATT&CK address some of these gaps.