The Cyber Kill Chain Explained: 7 Stages of an Attack
The cyber kill chain (from Lockheed Martin) breaks an attack into seven sequential stages — from the attacker's first research to their final goal. Its power for defenders: break the chain at any stage and you stop the attack.
The seven stages
- Reconnaissance — research the target.
- Weaponization — build the malware/payload.
- Delivery — send it (email, USB, web).
- Exploitation — trigger the vulnerability.
- Installation — establish a foothold.
- Command & Control — remotely control the victim.
- Actions on Objectives — steal data, encrypt, disrupt.
Breaking the chain
Every stage is a defensive opportunity: email filtering stops delivery, patching blocks exploitation, EDR catches installation, and egress monitoring spots command & control. Understanding the chain turns scattered defences into a strategy — and pairs with MITRE ATT&CK's finer detail.
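The mapping above can be turned into a small triage helper. This is an added example, not part of the original article: it tags alerts with the stage of the control that raised them, reports how far along the chain each host got, and lists the stages that the four controls named above do not cover. The host names, alert fields and sample alerts are constructed for illustration.

```python
from collections import defaultdict

# The seven stages, in the order the article lists them.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Control -> stage, taken from the "Breaking the chain" paragraph.
CONTROLS = {"email_filtering": "delivery", "patching": "exploitation",
            "edr": "installation", "egress_monitoring": "command_and_control"}

def coverage_gaps(controls=CONTROLS):
    """Stages that none of the listed controls is mapped to."""
    covered = set(controls.values())
    return [s for s in STAGES if s not in covered]

def triage(alerts):
    """Per host: furthest stage observed, and whether it was blocked there."""
    by_host = defaultdict(list)
    for a in alerts:
        stage_idx = STAGES.index(CONTROLS[a["control"]])
        by_host[a["host"]].append((stage_idx, a["blocked"]))
    report = {}
    for host, seen in by_host.items():
        furthest = max(idx for idx, _ in seen)
        # The chain counts as broken only if every alert at the furthest
        # observed stage was a block, not just a detection.
        contained = all(blocked for idx, blocked in seen if idx == furthest)
        report[host] = {"furthest": STAGES[furthest], "contained": contained}
    return report

# Constructed sample alerts (hypothetical hosts and field names).
SAMPLE_ALERTS = [
    {"host": "ws-01", "control": "email_filtering", "blocked": True},
    {"host": "ws-02", "control": "email_filtering", "blocked": False},
    {"host": "ws-02", "control": "edr", "blocked": True},
    {"host": "ws-03", "control": "edr", "blocked": False},
    {"host": "ws-03", "control": "egress_monitoring", "blocked": False},
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_ALERTS).items()):
        print(host, result)
    print("stages with no mapped control:", coverage_gaps())
```

Hosts reported as not contained at a late stage are the ones to investigate first; the gap list shows where this particular set of controls offers no chance to break the chain.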
Frequently asked questions
What is the cyber kill chain?
A seven-stage model of a cyberattack — reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.
How do defenders use the kill chain?
By identifying controls that break the attack at each stage — stopping it anywhere along the chain prevents the final objective.
How is the kill chain different from MITRE ATT&CK?
The kill chain is a high-level linear sequence; ATT&CK is a detailed catalogue of specific techniques within those broad phases.