What is the Cyber Kill Chain?
The short answer
The Cyber Kill Chain is a seven-stage model of cyber intrusion published by Lockheed Martin in 2011, defining the sequence an adversary must complete to achieve an objective: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Breaking any link in the chain disrupts the attack, which is why it became the foundational framework for intelligence-driven defense before MITRE ATT&CK extended it with post-compromise behavior.
The longer answer
The Cyber Kill Chain was introduced by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin of Lockheed Martin in the 2011 paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", presented at the 6th International Conference on Information Warfare and Security. The authors adapted the U.S. military's "kill chain" doctrine — find, fix, track, target, engage, assess (F2T2EA) — into a defender's framework for advanced persistent threats (APTs).
The seven stages are sequential and dependent. Reconnaissance is target research — OSINT, harvesting employee emails, scanning for exposed services. Weaponization pairs a remote-access trojan with an exploit, typically into a deliverable payload such as a malicious PDF or Office macro. Delivery is transmission — spearphishing email, USB drop, watering-hole compromise. Exploitation triggers code execution, often against a known CVE in a browser, document reader, or server. Installation establishes persistence via a backdoor, scheduled task, or registry run key. Command and Control opens an outbound channel — historically HTTPS beacons or DNS tunneling — giving the operator hands-on-keyboard access. Actions on Objectives is the final stage: data exfiltration, lateral movement, destruction, or ransomware detonation.
The model's key innovation was treating intrusion as a process with breakable dependencies, not a single event. Lockheed argued that any disruption — block, deny, degrade, deceive, contain — earlier in the chain costs the defender less and the adversary more. The defense matrix mapped the seven stages against six courses of action (detect, deny, disrupt, degrade, deceive, destroy), producing a 42-cell planning grid that became standard in SOC playbooks at large enterprises and government agencies.
The framework has well-documented limitations. It is malware- and perimeter-centric, assumes a linear path, underweights insider threats, and stops at the perimeter breach — saying little about lateral movement, privilege escalation, or living-off-the-land techniques. Those gaps were filled by MITRE ATT&CK, first released publicly in 2015 and now maintained as a knowledge base of 14 tactics and over 600 techniques mapped to real-world adversary tradecraft. ATT&CK does not replace the Kill Chain; the two are commonly used together, with the Kill Chain framing the campaign arc and ATT&CK detailing the techniques within each stage.
A 2017 variant, the Unified Kill Chain by Paul Pols (Fox-IT / Leiden University master's thesis), explicitly merged Lockheed's chain with ATT&CK into 18 phases including pivoting, privilege escalation, and exfiltration — addressing the linearity critique. Other extensions include the Industrial Control System (ICS) Cyber Kill Chain by Michael J. Assante and Robert M. Lee (SANS, 2015), which adds a second stage covering ICS attack development, validation, and execution against operational technology — the model later used to dissect the December 2015 Ukraine power grid attack and the 2017 TRITON/TRISIS attack on a Saudi petrochemical safety system.
In modern practice, the Kill Chain remains the lingua franca for executive briefings and threat intelligence reporting because it tells a coherent story in seven boxes. Tier-1 analysts work the chain; Tier-2/3 analysts pivot to ATT&CK. Detection engineers map alerts to both. The 2024 Verizon DBIR continues to classify breach patterns against kill-chain-style stages, and CISA threat advisories still reference the Lockheed model when narrating campaign timelines.
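As an added example (not code from the Lockheed Martin paper or any source cited here), the following Python does what the passages above describe a detection engineer doing: it maps ATT&CK-tagged alerts onto the seven stages and reports, per host, how far the chain progressed, where it was first detected (the cheapest place to break it), and which earlier stages raised nothing. The tactic-to-stage mapping is an assumption, since no official one exists; the hosts, alerts and rule names are constructed.

```python
from collections import defaultdict

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping of ATT&CK enterprise tactic IDs to Kill Chain stages; there is
# no official one, and tactics such as Discovery (TA0007) are left unmapped.
TACTIC_TO_STAGE = {
    "TA0043": "Reconnaissance",         # Reconnaissance
    "TA0042": "Weaponization",          # Resource Development
    "TA0001": "Delivery",               # Initial Access
    "TA0002": "Exploitation",           # Execution
    "TA0003": "Installation",           # Persistence
    "TA0011": "Command and Control",    # Command and Control
    "TA0008": "Actions on Objectives",  # Lateral Movement
    "TA0010": "Actions on Objectives",  # Exfiltration
    "TA0040": "Actions on Objectives",  # Impact
}
def stage_index(alert):
    """0-based Kill Chain position of an ATT&CK-tagged alert, or None if unmapped."""
    stage = TACTIC_TO_STAGE.get(alert["tactic"])
    return KILL_CHAIN.index(stage) if stage else None
def chain_progress(alerts):
    """Per host: furthest stage reached, earliest stage that alerted, and the
    silent stages below the furthest one that raised nothing. The earliest
    alerting stage is the cheapest place to break the chain; the silent
    stages are where the adversary passed through undetected."""
    by_host = defaultdict(set)
    for alert in alerts:
        idx = stage_index(alert)
        if idx is not None:
            by_host[alert["host"]].add(idx)
    report = {}
    for host, seen in by_host.items():
        furthest = max(seen)
        report[host] = {
            "furthest": KILL_CHAIN[furthest],
            "earliest_detected": KILL_CHAIN[min(seen)],
            "silent_stages": [KILL_CHAIN[i] for i in range(furthest) if i not in seen],
        }
    return report
# Constructed sample alerts (not real telemetry); rule names are illustrative.
SAMPLE_ALERTS = [
    {"host": "ws-17", "tactic": "TA0001", "rule": "phishing attachment opened"},
    {"host": "ws-17", "tactic": "TA0003", "rule": "registry run key added"},
    {"host": "ws-17", "tactic": "TA0011", "rule": "periodic beacon to rare domain"},
    {"host": "srv-02", "tactic": "TA0002", "rule": "office macro spawned shell"},
    {"host": "srv-02", "tactic": "TA0007", "rule": "group enumeration"},
]
```

Run `chain_progress(SAMPLE_ALERTS)`: ws-17 reached Command and Control with Delivery as the first alerting stage, and Exploitation among its silent stages, which is exactly the kind of gap the paper's campaign analysis is meant to surface.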
Key facts
- The Cyber Kill Chain was published in 2011 by Hutchins, Cloppert, and Amin of Lockheed Martin in Leading Issues in Information Warfare & Security Research, Vol. 1 (LM-White-Paper-Intel-Driven-Defense).
- The framework adapts the U.S. military F2T2EA targeting cycle (Joint Publication 3-60, Joint Targeting).
- It contains exactly seven stages — Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.
- MITRE ATT&CK, first released January 2015 and maintained by The MITRE Corporation, currently catalogs 14 enterprise tactics (MITRE ATT&CK v15, 2024).
- The Unified Kill Chain (Pols, 2017, Cyber Security Academy / Fox-IT) extends Lockheed's chain to 18 phases.
- The ICS Cyber Kill Chain was introduced by Assante and Lee in the SANS Reading Room paper "The Industrial Control System Cyber Kill Chain" (October 2015).
- NIST SP 800-150 (Guide to Cyber Threat Information Sharing, 2016) references kill-chain models as a structuring framework for indicator sharing.
- The 2015 Ukraine power grid attack and 2017 TRITON attack (Schneider Electric Triconex) are the canonical case studies for ICS Kill Chain analysis (CISA ICS-CERT IR-ALERT-H-16-056-01; FireEye/Mandiant TRITON report, 2017).
- Lockheed's 2011 paper explicitly defines the 6×7 "courses of action matrix" pairing detect, deny, disrupt, degrade, deceive, destroy against the seven kill chain phases.
- The Verizon Data Breach Investigations Report (DBIR), published annually since 2008, classifies breach patterns along kill-chain-aligned action varieties.
Sources
- Hutchins, Cloppert, Amin. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin, 2011. lockheedmartin.com
- MITRE ATT&CK Enterprise Matrix. attack.mitre.org
- Pols, Paul. The Unified Kill Chain. Cyber Security Academy / Fox-IT, 2017. unifiedkillchain.com
- Assante, M. J., and Lee, R. M. The Industrial Control System Cyber Kill Chain. SANS Institute, October 2015. sans.org
- NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing. October 2016. doi.org/10.6028/NIST.SP.800-150
- CISA Alert IR-ALERT-H-16-056-01, Cyber-Attack Against Ukrainian Critical Infrastructure. cisa.gov
- Verizon. 2024 Data Breach Investigations Report. verizon.com
- Joint Publication 3-60, Joint Targeting. U.S. Joint Chiefs of Staff. jcs.mil