← All posts

June 26, 2026

The Cyber Kill Chain

Originally published on Medium in November 2022. Rewritten and expanded here.

The Cyber Kill Chain describes a computer attack as a sequence of steps. Lockheed Martin published it in 2011 and took the idea from the military, where a “kill chain” is the set of stages you have to complete to hit a target. The security version applies that to a network intrusion. It lists the seven steps an attacker works through to reach a goal, whether that is stealing data, running ransomware, or staying inside a network for months without being noticed.

The useful part is the asymmetry. The attacker has to finish every step. The defender only has to break one. Stop the attack at any single phase and the rest of the chain never runs. So the model gives you a list of places to watch and places to step in.

The rest of this uses one example: an attacker going after the customer database of a mid-sized company.

Phase 1: Reconnaissance

This is the research phase. Before touching anything, the attacker learns about the target. Who works there, what the email addresses look like, what software and servers the company runs, and what is reachable from the internet. Whatever they find here makes every later step easier.

There are two kinds.

  • Passive reconnaissance collects information without sending anything to the target, so there is nothing for the company to log. Most of it is open-source intelligence (OSINT): the company website, LinkedIn, job postings, GitHub repos, DNS records, and TLS certificate transparency logs, which leak subdomain names. A job ad asking for “experience with Citrix and Okta” tells the attacker what to prepare for. Shodan and Censys index internet-facing hosts other people have already scanned, so you can look up a company’s exposed services without touching them yourself.
  • Active reconnaissance means sending traffic to the target. It is faster and gives you fresh data, but it shows up in logs. Port scanning to see what is open and what versions are running lives here. Common tools are nmap for ports and services, Nessus for vulnerability scanning, Amass for mapping subdomains, and Nikto for web servers.

The attacker does not need the noisy option. A few minutes on LinkedIn gives them names on the finance team and the email pattern the company uses, first.last@company.com.

Phase 2: Weaponization

Now the attacker builds the payload and pairs it with a way to make it run. In practice that means combining malware with a delivery file, like a macro inside a Word document or an exploit inside a PDF. Nothing gets sent in this phase. It all happens on the attacker’s side. The point is a package that looks harmless but does something once it is opened.

The payload is usually a remote access trojan (RAT), which is malware that gives the attacker a live handle on the machine: run commands, read and write files, log keys, take screenshots. The document that carries it is often a loader, a small piece of code whose only job is to pull down the real malware after the file is opened. Attackers build these with kits like the Metasploit Framework or Cobalt Strike, or with off-the-shelf macro and exploit builders.

For the example, the package is a Word document dressed up as an invoice. Inside is a macro that downloads and runs the RAT once the document opens and macros are enabled, plus a short email to carry it.

Phase 3: Delivery

This is the step where the weapon reaches the target. Email is the most common path, but not the only one. Delivery can be a link, a USB drive left in a parking lot, or a legitimate website the attacker has compromised so it serves malware to visitors, which is called a watering hole attack.

The attacker emails the fake invoice to three people on the finance team and spoofs the display name of a vendor the company actually uses. One busy person who does not look closely is enough.

Phase 4: Exploitation

Delivery gets the weapon there. Exploitation is when it goes off. Something has to trigger the code, and it is one of two things: a person doing what the attacker wanted (opening the file, enabling macros, clicking the link), or a software flaw that runs the code without any help. The second kind targets bugs like memory corruption in a parser or a document reader, where opening the file is enough on its own.

Here, a finance employee opens the invoice and clicks “Enable Content” because the document tells them to. The macro runs and the attacker has code executing on a company machine. This first bit of access is usually a normal user account with no special rights yet.

Phase 5: Installation

That first foothold is fragile. If the employee reboots, the running malware is gone and the attacker loses access. So this phase sets up persistence, a way for the malware to start again on its own. Common methods on Windows are a Run key in the registry, a scheduled task, or a Windows service, all of which fire the payload on boot or login. Nothing gets stolen yet. The goal is only to make sure they can come back tomorrow.

The RAT creates a scheduled task that runs it every time the machine starts, so the foothold survives a reboot.

Phase 6: Command and Control

The malware on the victim’s machine needs a way to receive orders. In this phase it “phones home,” opening a connection to a server the attacker controls, called a command and control (C2) server. Over that channel the attacker sends commands and gets results back.

The malware usually does this by beaconing: it reaches out to the C2 server on a set interval, asks for instructions, runs whatever comes back, and goes quiet again until the next check-in. To make the traffic hard to pick out, it tends to ride on protocols that are always busy on a normal network, mostly HTTPS, so the contents are encrypted, and sometimes DNS, which almost nobody blocks. Some malware also uses domain generation algorithms (DGAs), churning through thousands of throwaway domain names so defenders cannot just block one address and be done.

When a lot of infected machines beacon to the same infrastructure, the attacker has a botnet, which gets rented out or used for cryptomining, wiping data, or distributed denial-of-service (DDoS) attacks against other targets.

The infected finance machine beacons out every few minutes asking for instructions. To the company’s firewall it looks like ordinary outbound web traffic.

Phase 7: Actions on Objectives

This is where the attacker does what they came to do. It is sometimes called “hands on keyboard,” because a real person is now working through the network by hand instead of running an automated payload. It can stretch over weeks or months and usually mixes:

  • Lateral movement: moving from the first machine to others, often by reusing stolen credentials or password hashes against other systems.
  • Privilege escalation: going from a normal user account to an administrator or domain admin account, which is what lets you reach systems the first user could not.
  • Internal reconnaissance: mapping the network from the inside to find where the data lives, which servers hold it, and who can reach them.
  • Exfiltration: copying data out to a server the attacker controls, usually in small pieces so it does not stand out. If the goal were ransomware, this is where files get encrypted instead, often after the data has already been copied out for extortion.

Following the example through: the attacker moves from the finance machine to a file server, gives themselves admin rights, finds the customer database, and copies it out in small chunks that blend into normal traffic.

Where the model falls short

The Cyber Kill Chain is a good mental map, but it was built around one kind of attack, malware coming in over the network perimeter, and it misses a few things.

  • It is built around malware and the perimeter. Web application attacks like SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), and insecure direct object references (IDOR) do not map onto the phases. An attacker who pulls data out through a broken web form never weaponizes malware or phones home, so most of the chain does not apply.
  • It does not cover insider threats or stolen credentials. A current or former employee who already has access, or an attacker logging in with valid stolen credentials, skips the early phases entirely. There is no weapon to deliver and nothing to exploit. Catching that looks less like spotting an intrusion and more like spotting a trusted account behaving oddly.
  • It treats an attack as a straight line. Real intrusions loop. An attacker lands, does more reconnaissance from the inside, builds something new, and repeats across many machines at once. The clean seven-step order is a simplification, and it puts most of its attention on early prevention while saying little about the post-compromise work, lateral movement and exfiltration, where a lot of real damage happens.

How defenders use it

The value of the model is that each phase is a chance to intervene. Lockheed Martin pairs the phases with six actions a defender can take, often called the six Ds:

  • Detect: notice the activity, for example spotting the scanning in reconnaissance.
  • Deny: stop it outright, for example blocking macros in email attachments so weaponized documents cannot run.
  • Disrupt: cut it off while it is happening, for example killing the connection to a C2 server.
  • Degrade: make it slower or less effective so there is time to react, for example rate-limiting outbound traffic.
  • Deceive: feed the attacker false information, for example a decoy system that looks real but is watched.
  • Destroy: take out the attacker’s capability, for example removing the malware and the infrastructure it talks to.

You do not need all six at every phase. You need enough coverage that the attacker cannot get from step one to step seven without tripping over something. Break one link and the chain does not hold.

References