
Cyber Kill Chain

A model describing the seven phases of a cyberattack - from target reconnaissance to achieving objectives. Helps plan defences at every stage.

What is the Cyber Kill Chain?

The Cyber Kill Chain is a model developed by Lockheed Martin in 2011 that describes the typical phases of an advanced cyberattack. The model identifies seven sequential stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives.

The idea behind the model is that an attacker must progress through all phases to achieve their goal. Breaking the chain at any stage prevents the attack from succeeding. The defender therefore has seven opportunities to detect and stop an intrusion - from blocking scanning during the reconnaissance phase to detecting data exfiltration in the final phase.

The Cyber Kill Chain model is sometimes criticised for its overly linear view of attacks and its focus on external threats (it does not account for insider threats or attacks without a malware delivery phase). For this reason, it is often used alongside MITRE ATT&CK, which offers a more detailed and flexible taxonomy.

Why does it matter?

The Cyber Kill Chain helps organisations think about defence systematically - not as a single mechanism that must work, but as a series of layers, each of which increases the chance of detecting an attack. This approach aligns with the philosophy of defense-in-depth.

The model is useful for communicating with senior management, as it presents a cyberattack as an understandable process rather than an abstract threat. It also helps identify gaps in detection capabilities - if an organisation can only detect an attack at the exfiltration stage, it means earlier defensive layers need strengthening.
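One way to run the gap check described above over a detection inventory, as an added example that is not part of the original page. The detection names and the sample inventory are constructed for illustration; only the seven phase names come from the model.

```python
# Added example: map a detection inventory onto the seven kill chain phases.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Constructed inventory (hypothetical rule names): (detection, phase it covers).
SAMPLE_DETECTIONS = [
    ("edge-port-scan-threshold", "Reconnaissance"),
    ("mail-attachment-sandbox", "Delivery"),
    ("egress-volume-anomaly", "Actions on Objectives"),
    ("dlp-archive-upload", "Actions on Objectives"),
]

def coverage_by_phase(detections):
    """Return {phase: [detection names]} with every phase present, in model order."""
    coverage = {phase: [] for phase in PHASES}
    for name, phase in detections:
        if phase not in coverage:
            raise ValueError(f"{name}: unknown phase {phase!r}")
        coverage[phase].append(name)
    return coverage

def gap_report(detections):
    """Summarise where the chain can be broken and where it cannot."""
    coverage = coverage_by_phase(detections)
    gaps = [p for p in PHASES if not coverage[p]]
    covered = [p for p in PHASES if coverage[p]]
    # Longest run of consecutive phases with no detection at all: the stretch
    # of an intrusion that would pass unobserved.
    longest, run = [], []
    for phase in PHASES:
        run = [] if coverage[phase] else run + [phase]
        if len(run) > len(longest):
            longest = run
    return {
        "earliest_detectable": covered[0] if covered else None,
        "gaps": gaps,
        "longest_blind_run": longest,
        "single_layer": [p for p in covered if len(coverage[p]) == 1],
    }

if __name__ == "__main__":
    report = gap_report(SAMPLE_DETECTIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An inventory whose `earliest_detectable` phase is Actions on Objectives is the case the paragraph above describes: every earlier layer needs strengthening.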
