The cyber kill chain refers to the sequence of steps cybercriminals typically take to carry out an attack. The term also names a framework introduced by Lockheed Martin that maps these steps, helping organisations understand and disrupt cyber attacks.
This model is especially useful for analysing advanced persistent threats (APTs) and sophisticated attacks that combine tactics like malware, ransomware, trojans, spoofing, and social engineering.
Lockheed Martin originally developed the cyber kill chain framework as a way to adapt military “kill chain” thinking to cybersecurity. In military strategy, a kill chain describes the structured steps an adversary takes to identify and engage a target—and the opportunities defenders have to disrupt them.
Similarly, the cyber kill chain framework breaks down an attack into distinct phases, giving defenders a clear view of where and how to intervene. Security teams now use this model to map threats to specific stages, helping them prioritise defences and spot gaps.
The cyber kill chain model identifies seven steps cyber attackers will take:
Reconnaissance: Attackers gather information on the target, such as open ports or employee emails.
Weaponization: They prepare malware payloads, often tying exploits to malicious files or links.
Delivery: Sending the payload, typically via phishing emails or drive-by downloads.
Exploitation: The malicious code runs on the target system, exploiting a vulnerability.
Installation: Malware establishes persistence by installing backdoors or trojans.
Command and Control (C2): Attackers communicate with the compromised system to issue commands.
Actions on Objectives: They achieve their goal, whether stealing data, encrypting files, or disrupting services.
This model shows that cyberattacks aren't single events, but a series of interconnected steps. By disrupting even one stage in this chain, security teams can prevent attackers from achieving their goals and reduce the overall impact of a breach.
For example, they might deploy threat intelligence to detect reconnaissance activity, use sandboxing to catch weaponised malware, or monitor network traffic for suspicious C2 connections.
The cyber kill chain gives a linear, high-level view of an attack, whereas the MITRE ATT&CK framework provides a detailed matrix of adversary tactics and techniques. Using both together strengthens detection, incident response, and continuous improvement of cyber security.
The unified cyber kill chain integrates the Lockheed Martin model with MITRE ATT&CK tactics to better capture the complexity of modern attacks, especially advanced persistent threats (APTs). It expands the kill chain beyond initial compromise to include post-exploitation lateral movement and credential theft, offering defenders a more complete roadmap to spot and disrupt intrusions.
Framework | Focus | Strengths
Cyber Kill Chain | Linear stages of an attack | Easy to understand, stops attacks early
MITRE ATT&CK | Tactics & techniques matrix | Highly detailed, supports threat hunting
Unified Cyber Kill Chain | Combines both approaches | Captures APT lifecycle, supports full-spectrum defence
Stopping cyber attacks is often about identifying and disrupting one or more stages of the kill chain. This layered approach reduces an attacker’s chance of success and limits the damage if they do breach initial defences.
Cyber kill chain tactics and prevention
Kill chain stage | Common attacks / tactics | Typical / best prevention
Reconnaissance | OSINT, social media profiling, scanning for exposed assets | Threat intelligence & attack surface management to identify what attackers see and minimise exposure.
Weaponization | Creating malware payloads, malicious macros, exploit kits | Patch & vulnerability management to reduce exploitable gaps; keep endpoint tools updated.
Delivery | Phishing emails, malicious links, watering hole attacks | Email security & web filtering to block malicious emails and sites.
Exploitation | Exploiting software vulnerabilities, credential attacks | Endpoint protection (EPP/EDR) to detect & block malicious actions.
Installation | Malware installs backdoors, ransomware, trojans | Application controls & sandboxing to stop unknown or suspicious installs.
Command & Control (C2) | Remote access tools like Cobalt Strike, suspicious outbound connections | Network intrusion prevention systems (IPS) & anomaly detection to block C2 traffic.
Actions on Objectives | Data theft, encryption for ransomware, sabotage | XDR & SOC monitoring for quick detection, isolation, & response to limit impact.
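As an added illustration of the per-stage disruption described above and in the prevention table (this is example code written for this page, not Trend Micro's or Lockheed Martin's), the script below maps constructed telemetry events to kill chain stages and confirms the C2 stage by looking for beacon-like outbound connections at near-constant intervals. Note that Weaponization never appears in defender-side telemetry, which is why the table pairs it with patch management rather than detection; the event fields and thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry for the example; field names are an assumption,
# not a real product's log format. "t" is seconds from an arbitrary origin.
EVENTS = [
    {"t": 0, "type": "portscan", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"t": 60, "type": "email", "attachment": "invoice.docm", "macro": True},
    {"t": 120, "type": "process", "parent": "WINWORD.EXE", "child": "powershell.exe"},
    {"t": 130, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    *[{"t": 200 + i * 300, "type": "netconn", "src": "10.0.0.5", "dst": "198.51.100.7"} for i in range(6)],
    {"t": 2000, "type": "file", "op": "encrypt", "count": 5000},
]

def stage_of(ev):
    """Kill chain stage a single event most plausibly indicates, or None if benign-looking."""
    t = ev["type"]
    if t == "portscan":
        return "Reconnaissance"
    if t == "email" and ev.get("macro"):
        return "Delivery"                    # weaponised document arriving by mail
    if t == "process" and ev.get("parent", "").upper().startswith("WINWORD"):
        return "Exploitation"                # Office spawning a shell: the macro ran
    if t == "registry" and ev.get("key", "").endswith("\\Run"):
        return "Installation"                # Run-key persistence
    if t == "netconn":
        return "Command and Control"         # candidate only; confirm with find_beacons
    if t == "file" and ev.get("op") == "encrypt" and ev.get("count", 0) > 1000:
        return "Actions on Objectives"       # mass encryption, e.g. ransomware
    return None

def find_beacons(events, min_conns=5, max_cv=0.1):
    """(src, dst) pairs whose outbound connections recur at near-constant intervals."""
    times = defaultdict(list)
    for ev in events:
        if ev["type"] == "netconn":
            times[(ev["src"], ev["dst"])].append(ev["t"])
    beacons = []
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Coefficient of variation near zero means low jitter, typical of a beacon timer.
        if len(ts) >= min_conns and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.append(pair)
    return beacons

def stages_seen(events):
    """Distinct stages in order of first appearance: how far along the chain the intrusion got."""
    return list(dict.fromkeys(s for s in map(stage_of, events) if s))
```

Running `stages_seen(EVENTS)` on the constructed data shows six of the seven stages, which is the situation the article warns about: every stage that was reached was a missed chance to stop the chain earlier.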
LockBit & BlackCat (ALPHV) ransomware
In 2024, LockBit leveraged the QakBot trojan during the delivery and exploitation phases to gain access, then used Cobalt Strike to gain command and control. Ultimately, they encrypted critical systems, demanding millions in ransom payments, demonstrating the cost of skipping detection aimed at early cyber kill chain stages.
Clop ransomware
Clop is notorious for exploiting secure file transfer applications to gain access. After delivery, they rapidly move to data exfiltration (installation and actions on objectives), combining encryption with public data leaks for double extortion.
Reduces Breach Costs: Early detection means stopping attacks before they escalate, saving on recovery and legal costs.
Supports Regulatory Compliance: Helps demonstrate proactive measures under GDPR, NIS2, and similar regulations.
Improves SOC & IR Readiness: Gives security teams a structured approach to threat hunting and incident response.
Understanding the cyber kill chain helps you anticipate and disrupt each stage of an attack—from initial reconnaissance to data exfiltration. But knowing the tactics isn’t enough without the ability to detect, respond, and adapt in real time.
Trend Vision One™ delivers unified visibility, powerful analytics, and extended detection and response (XDR) across your entire environment. By correlating activity at every phase of the kill chain, you can stop threats earlier, reduce dwell time, and protect critical assets with confidence.
Jon Clay has worked in the cybersecurity space for over 29 years. Jon uses his industry experience to educate and share insights on all Trend Micro externally published threat research and intelligence.