eastbaycyber

What Is the Cyber Kill Chain?

FAQs 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

The Cyber Kill Chain maps common attack stages such as reconnaissance, delivery, exploitation, installation, command and control, and actions on objectives. It helps defenders think in terms of disruption points rather than a single moment of failure.

The Cyber Kill Chain is a model that breaks a cyberattack into stages, from initial reconnaissance to the attacker’s final objective. Security teams use the Cyber Kill Chain to understand how intrusions progress and to identify where they can detect, block, or disrupt the attacker before serious damage occurs.

Why the Cyber Kill Chain Matters

The value of the Cyber Kill Chain is simple: most attacks are not one event. They are a sequence of actions.

That matters because defenders do not need to catch the attacker at the very first step to reduce impact. If you miss reconnaissance, you might still block delivery. If delivery succeeds, you might still catch exploitation. If exploitation succeeds, you may still detect persistence or command-and-control traffic before the attacker reaches their objective.

This model helps teams ask better questions:

  • Where do we have visibility?
  • Which controls map to which stage?
  • Where are our blind spots?
  • At what point did we first have a chance to stop the attack?

For teams building detection use cases, incident triage, or response plans, that framing is often more practical than treating an intrusion as one isolated alert.

If you want a related framework for deeper technique-level mapping, see what is mitre attck.

The Seven Classic Stages

1. Reconnaissance

This is the attacker’s research phase. They gather information about the target, such as:

  • employee names and email addresses
  • exposed services and software
  • internet-facing systems
  • leaked credentials
  • vendor relationships
  • cloud assets
  • public documents and metadata

Reconnaissance may be passive, such as reviewing websites, LinkedIn, and job postings, or active, such as scanning internet-facing infrastructure.

2. Weaponization

In this stage, the attacker prepares a payload or method for the target. Examples include:

  • a phishing document with malware
  • a malicious link to a credential harvesting page
  • an exploit tailored to a vulnerable application
  • a script or tool customized for the environment

This stage combines attacker capability with target knowledge gained during reconnaissance.

3. Delivery

Delivery is how the malicious payload or access attempt reaches the victim. Common delivery methods include:

  • phishing emails
  • malicious links
  • compromised websites
  • exposed remote access services
  • drive-by downloads
  • removable media in some environments

This is the stage many organizations focus on first because email and web protections often sit here.

4. Exploitation

Exploitation is where the attack actually succeeds. That may mean:

  • a user opens a malicious attachment
  • a browser or application vulnerability is exploited
  • stolen credentials are accepted
  • a fraudulent MFA request is approved

This is the point where intent becomes initial compromise.

5. Installation

After exploitation, the attacker establishes a foothold. This may involve:

  • installing malware
  • planting a web shell
  • adding scheduled tasks or startup entries
  • dropping persistence tools
  • creating rogue accounts or SSH keys

The goal is to remain in the environment long enough to continue the operation.

6. Command and Control

At this stage, the compromised system communicates with attacker-controlled infrastructure. This command-and-control, or C2, channel allows the attacker to:

  • issue commands
  • move laterally
  • deploy additional tools
  • exfiltrate data
  • coordinate follow-on actions

C2 traffic may be obvious or deliberately blended into normal HTTPS or DNS patterns.

7. Actions on Objectives

This is the end-goal stage. The attacker may want to:

  • steal data
  • encrypt systems for ransom
  • disrupt operations
  • alter records
  • maintain espionage access
  • abuse business processes for fraud

From the business perspective, this is where damage becomes visible. From the defender’s perspective, the attack began much earlier.

How Defenders Use the Kill Chain

The Cyber Kill Chain is useful because it supports layered defense. Different controls can help at different stages. For example:

  • security awareness and email filtering can reduce delivery
  • patching and secure configuration can limit exploitation
  • EDR and application control can detect installation
  • network monitoring can identify command and control
  • segmentation and least privilege can reduce actions on objectives

This makes the model useful for:

  • threat modeling
  • control gap analysis
  • SOC alert mapping
  • incident timelines
  • executive reporting
  • post-incident lessons learned

For example, after a phishing-led incident, a response team might determine that delivery succeeded, credential theft happened during exploitation, persistence was established in installation, and suspicious outbound traffic marked command and control. That sequence helps identify which improvements matter most.

For another core defensive concept, see what is least privilege and why does it matter.

A Simple Example

A practical scenario might look like this:

  1. The attacker researches finance staff on LinkedIn.
  2. They create a phishing email that appears to come from a known vendor.
  3. The email is delivered to the accounts payable team.
  4. A user clicks the link and enters credentials into a fake login page.
  5. The attacker uses those credentials to establish access and persistence.
  6. They communicate with external infrastructure and move laterally.
  7. They redirect payments or stage ransomware.

The benefit of the Cyber Kill Chain is that it shows defenders several chances to intervene, not just one.

Limitations of the Model

The Cyber Kill Chain is useful, but it is not perfect.

Modern attacks do not always follow a neat, linear order. Some scenarios it handles less well include:

  • cloud-native attacks
  • identity-centric intrusions
  • insider threats
  • supply chain compromises
  • SaaS abuse using valid credentials
  • iterative attacks that loop through privilege escalation and lateral movement

That is why many teams pair it with more detailed frameworks such as MITRE ATT&CK. The Kill Chain is best viewed as a high-level operational model, not a complete map of every modern attack path.

Common Misconceptions

The Kill Chain only applies to malware

No. It is often explained with malware examples, but it can also describe phishing, credential theft, web exploitation, and ransomware operations.

The stages always happen in a strict order

Not always. Real intrusions can overlap, branch, repeat, or skip steps depending on the attacker and environment.

If we block one phishing email, we broke the whole chain

Maybe for that attempt, but attackers often retry with different delivery methods, users, or lures.

The Kill Chain is outdated and useless

It is limited, not useless. It remains a strong high-level model for understanding attack progression and organizing defenses.

It replaces other security frameworks

It does not. It works best alongside detailed detection engineering, response playbooks, and frameworks like MITRE ATT&CK.

Final Takeaway

The practical takeaway is simple: the Cyber Kill Chain helps defenders think in stages. If you understand how an attacker moves from reconnaissance to objective, you are better positioned to detect them earlier, contain them faster, and reduce business impact.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.