Cyber Kill Chain
What is Cyber Kill Chain?
Cyber Kill Chain: Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
The Cyber Kill Chain, published by Lockheed Martin in 2011, breaks an intrusion into seven sequential phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The model encourages defenders to detect, deny, disrupt, degrade, deceive, or destroy adversary activity at each step, because breaking any single link prevents the campaign from succeeding. It was one of the first widely adopted threat-centric frameworks and remains useful for mapping defences, prioritizing telemetry, and communicating incident timelines. Critics note it fits classic malware-delivered intrusions better than insider abuse, cloud-native attacks, or low-noise espionage; many teams now combine it with MITRE ATT&CK.
● Examples
- 01 Mapping a phishing-to-ransomware incident across the seven phases to identify which controls failed.
- 02 Aligning EDR, email security, and network defences to specific kill-chain stages.
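The first example above, worked through in Python. This is an added illustration, not code from Lockheed Martin or from this glossary; the timeline, timestamps, outcome labels ("blocked", "detected", "missed") and the `Event` and `review` names are constructed assumptions.

```python
from dataclasses import dataclass

# The seven phases, in the order the model defines them.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives"]

@dataclass
class Event:
    time: str     # ISO 8601 timestamp from the incident timeline
    phase: str    # kill-chain phase the analyst assigned
    control: str  # control positioned at that phase
    outcome: str  # "blocked", "detected" (seen, not stopped) or "missed"
    note: str

# Constructed timeline for illustration; not data from a real incident.
TIMELINE = [
    Event("2024-03-04T09:12:00", "delivery", "email security", "missed",
          "lure email reached the inbox"),
    Event("2024-03-04T09:20:00", "exploitation", "EDR", "detected",
          "alert raised on the attachment, not triaged"),
    Event("2024-03-04T09:21:00", "installation", "EDR", "missed",
          "persistence went unnoticed"),
    Event("2024-03-04T09:25:00", "command and control", "network defences",
          "missed", "outbound beaconing not flagged"),
    Event("2024-03-06T02:40:00", "actions on objectives", "EDR", "detected",
          "file encryption alert"),
]

def review(events):
    """Map events onto the seven phases and summarise where controls failed."""
    by_phase = {p: [] for p in PHASES}
    for e in sorted(events, key=lambda e: e.time):
        if e.phase not in by_phase:
            raise ValueError(f"unknown kill-chain phase: {e.phase!r}")
        by_phase[e.phase].append(e)
    ordered = [e for p in PHASES for e in by_phase[p]]  # kill-chain order

    def first(outcome):
        return next((e.phase for e in ordered if e.outcome == outcome), None)

    return {
        # Phases with no events: no telemetry was mapped there in this incident.
        "no_telemetry": [p for p in PHASES if not by_phase[p]],
        "failed_controls": [(e.phase, e.control) for e in ordered if e.outcome == "missed"],
        "first_detected": first("detected"),  # earliest missed chance to respond
        "chain_broken_at": first("blocked"),  # None: no link was broken
    }

if __name__ == "__main__":
    for key, value in review(TIMELINE).items():
        print(f"{key}: {value}")
```

In this constructed incident no link was broken, and the earliest detection sits at exploitation, which is where a triaged alert could have stopped the chain.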
● Frequently asked questions
What is Cyber Kill Chain?
Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Cyber Kill Chain?
Defences for Cyber Kill Chain typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Cyber Kill Chain?
Common alternative names include: Lockheed Martin Kill Chain, Intrusion Kill Chain.
● Related terms
- defense-ops № 905
Reconnaissance
The first phase of an attack, in which adversaries gather information about a target's people, technology, and exposure before launching intrusion attempts.
- defense-ops № 535
Initial Access
The MITRE ATT&CK tactic (TA0001) that covers techniques attackers use to first establish a foothold inside a target environment.
- compliance № 687
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- malware № 201
Command and Control (C2)
The infrastructure and channels attackers use to maintain communication with compromised systems and send them instructions.
- defense-ops № 315
Diamond Model of Intrusion Analysis
An intrusion analysis framework that ties every malicious event to four linked vertices: adversary, capability, infrastructure, and victim.
- defense-ops № 527
Indicator of Compromise (IoC)
An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
● See also
- № 397 Execution (MITRE Tactic)
- № 817 Persistence
- № 298 Defense Evasion
- № 325 Discovery (MITRE Tactic)
- № 199 Collection (MITRE Tactic)
- № 398 Exfiltration
- № 518 Impact (MITRE Tactic)