- Reconnaissance: attackers research targets and identify vulnerabilities.
- Weaponization: exploit payloads are built for the identified weaknesses.
- Delivery: the weaponized payload reaches the target system.
- Exploitation and installation: the attack gains access and persistence.
- Command and control, and actions on objectives: attackers establish a channel to the compromised host and execute their objectives.
What is it and why it matters
The cyber kill chain, adapted from military doctrine by Lockheed Martin, models an intrusion as a sequence of stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Each stage represents a point where defenders can apply detection, prevention, or response controls. While real-world attacks don’t always follow a linear path — adversaries may loop back, skip stages, or blend techniques across phases — the framework remains valuable for organizing threat intelligence, mapping controls to attacker behavior, and communicating findings to non-technical stakeholders.
Real-world examples
- Stuxnet (2010) — A multi-stage attack mapped cleanly across the kill chain: reconnaissance of Siemens SCADA configurations, weaponization in air-gapped development environments, delivery via USB, and precise actions on objectives to destroy Iranian centrifuges.
- SolarWinds supply chain attack (2020) — The supply chain compromise collapsed the early kill chain stages by weaponizing a trusted software update, demonstrating that traditional delivery-stage defenses can’t detect attacks embedded in authorized channels.
- APT1 / Mandiant report (2013) — Mandiant’s landmark report traced 141 confirmed intrusions by China’s Unit 61398 across every stage of the kill chain over years of sustained operations, establishing the framework’s value for long-term threat analysis.
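As an added example (not part of the original article), a small Python model of the control-mapping and non-linearity points made above: each detection control is tagged with the stages and the channel it can observe, and an incident timeline is walked to find the earliest detection opportunity, the stages no control saw, and any loop back to an earlier stage. The control names, channels and both timelines are constructed; the second timeline mirrors the SolarWinds pattern, where delivery through a trusted update channel bypasses an email-focused delivery control.

```python
from dataclasses import dataclass
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed control catalogue (hypothetical names): (control, stages, channel);
# "*" means the control observes that stage regardless of channel.
CONTROLS = [
    ("email_gateway", {"delivery"}, "email"),
    ("edr", {"exploitation", "installation"}, "*"),
    ("dns_egress_filter", {"command_and_control"}, "*"),
]

@dataclass(frozen=True)
class Event:
    stage: str    # one of STAGES
    channel: str  # path the activity took, e.g. "email" or "software_update"
    note: str

def covering_control(event, controls=CONTROLS):
    """Return the first control able to observe this event, or None."""
    for name, stages, channel in controls:
        if event.stage in stages and channel in ("*", event.channel):
            return name
    return None

def evaluate(timeline, controls=CONTROLS):
    """Earliest detection opportunity, uncovered stages, and loop-back flag."""
    result = {"first_detection": None, "gaps": [], "non_linear": False}
    furthest = -1
    for ev in timeline:
        idx = STAGES.index(ev.stage)
        if idx < furthest:  # e.g. a fresh delivery after C2 was established
            result["non_linear"] = True
        furthest = max(furthest, idx)
        control = covering_control(ev, controls)
        if control is None:
            result["gaps"].append(ev.stage)
        elif result["first_detection"] is None:
            result["first_detection"] = (ev.stage, control)
    return result
# Constructed timelines: PHISHING enters via email, so the delivery control fires
# first; UPDATE_CHAIN enters via a trusted update channel the gateway never sees.
PHISHING = [Event("delivery", "email", "attachment with macro"),
            Event("exploitation", "endpoint", "macro launches loader"),
            Event("installation", "endpoint", "scheduled task persistence"),
            Event("command_and_control", "dns", "beacon to attacker domain")]
UPDATE_CHAIN = [Event("delivery", "software_update", "signed but trojaned build"),
                Event("installation", "endpoint", "backdoor loaded by updater"),
                Event("command_and_control", "dns", "beacon to attacker domain"),
                Event("delivery", "email", "internal phish for lateral access")]
```

Running `evaluate(UPDATE_CHAIN)` reports a gap at the delivery stage and the first signal only at installation, which is the coverage question this framework is meant to surface.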
