The Lockheed Martin Cyber Kill Chain defines seven sequential attack phases (Reconnaissance through Actions on Objectives) used to map defensive capabilities and disrupt adversary operations at each stage.
# Cyber Kill Chain Framework
PDM Domain(s): Risk Governance & Assurance (RGA), Threat Intelligence and Detection (TID)
---
The Cyber Kill Chain is a structured attack lifecycle model developed by Lockheed Martin that maps the sequential stages an adversary must complete to execute a successful intrusion. It exists because defenders historically responded to attacks reactively, treating each incident as an isolated event rather than recognizing intrusions as multi-phase processes with multiple intervention points. The framework solves the problem of defensive randomness: without a model that organizes adversary behavior into predictable stages, security teams allocate detection and response resources without strategic logic.
By naming and sequencing each phase from initial reconnaissance through final objective completion, the Kill Chain gives defenders a common operational vocabulary and a structured basis for identifying where existing controls succeed or fail. The seven phases are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Each phase is a necessary step: an adversary who cannot complete one phase cannot advance to the next, so a defender who disrupts any single phase breaks the entire attack chain.
The framework was introduced in a 2011 Lockheed Martin white paper written by Eric Hutchins, Michael Cloppert, and Rohan Amin, adapted from the military targeting process used in kinetic warfare. Unlike MITRE ATT&CK, which provides a granular taxonomy of specific adversary techniques, the Kill Chain provides a high-level phase model answering "what phase is the adversary in?" rather than "which specific technique is the adversary using?" The frameworks are complementary analytical tools, not competing standards.
---
The Kill Chain functions as an analytical overlay that maps existing detection capabilities, security controls, and intelligence sources to each of the seven phases. Gaps become visible where a phase has no associated detection capability or preventive control, representing unmitigated risk that drives prioritized investment decisions.
Phase 1: Reconnaissance involves adversary collection of information about the target before any attack tooling is deployed. This includes passive collection through open-source intelligence (OSINT): reviewing LinkedIn for employee names and roles, scraping job postings for technology stack information, querying WHOIS records, and examining certificate transparency logs. Active collection includes network scanning, DNS enumeration, and social engineering attempts. Defensive responses include monitoring for external scanning activity using honeypots and network sensors, reviewing what information the organization exposes publicly, and conducting regular OSINT assessments of the organization's own attack surface. Most organizations ignore this phase because it occurs before the adversary touches their systems, but it provides early warning opportunities before any payload is delivered.
Phase 2: Weaponization occurs when the adversary pairs a deliverable payload with an exploit. This phase typically happens entirely off-site and outside the defender's visibility. A threat actor may take a known vulnerability and wrap it in a document that triggers execution when opened, or build a custom implant tailored to the target's detected software environment. Defenders cannot observe this phase directly, but threat intelligence about current weaponization trends (which exploit kits are active, which document formats are being weaponized) informs detection rule tuning and preventive control configuration.
Phase 3: Delivery is when the adversary transmits the weapon to the target. Common delivery vectors include phishing emails with malicious attachments or links, drive-by download attacks through compromised websites, and removable media. This typically represents the highest opportunity for prevention because the payload is crossing a boundary defenders control. Defensive controls include email gateway filtering with attachment sandboxing, web proxy inspection and URL categorization, and network perimeter blocking of known-malicious domains. The most common failure point at this phase is not absent controls but unenforced ones, particularly exception policies that contradict perimeter controls.
Phase 4: Exploitation activates the payload to exploit a vulnerability on the target system. This may be a software vulnerability in an application or operating system, a logic flaw, or social engineering that causes a user to execute the payload manually. Defensive controls include patch management programs that minimize the exploitable vulnerability window, application control policies that restrict execution to approved binaries, and memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Zero-day exploits represent the highest threat at this phase because they target vulnerabilities for which no patch exists.
Phase 5: Installation establishes a persistent mechanism on the compromised system to maintain access across reboots, user logoffs, or system changes. Common persistence techniques include registry run keys, scheduled tasks, service installation, and modification of startup scripts. Endpoint detection and response (EDR) tools monitoring for these behaviors, file integrity monitoring (FIM) solutions, and behavioral analysis rules in a SIEM are the primary detection mechanisms. Sophisticated adversaries may use legitimate administrative tools to blend persistence activities with normal system administration.
Phase 6: Command and Control (C2) establishes a communication channel to an adversary-controlled server, enabling remote direction of the compromised system. C2 traffic often mimics legitimate protocols: HTTP and HTTPS are common, as are DNS tunneling and use of legitimate cloud services as relay points. Defensive controls include DNS filtering, network traffic analysis to detect beaconing patterns (regular outbound connections at fixed intervals), and TLS inspection at the network perimeter. Advanced adversaries may use domain fronting or other techniques to hide C2 traffic within legitimate services.
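The beaconing pattern just described, as an added example (not code from the original article or from CDA's tooling): a small Python detector that groups outbound connections by source and destination, computes the coefficient of variation (CV) of the intervals between successive connections, and flags pairs whose timing is nearly periodic. The log format, hostnames and addresses are constructed for the example, and the thresholds (at least five connections, interval CV at most 0.1) are assumptions to be tuned per environment.

```python
"""Beacon detector over constructed outbound-connection records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import List

# Constructed sample log, one record per line: "timestamp src_ip dst_host bytes_out".
# 10.0.0.5 checks in roughly every 60 s with near-identical payload sizes;
# 10.0.0.7 is ordinary browsing; 10.0.0.9 has too few connections to judge.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 cdn.example-assets.net 512
2024-05-01T09:01:00 10.0.0.5 cdn.example-assets.net 511
2024-05-01T09:02:01 10.0.0.5 cdn.example-assets.net 513
2024-05-01T09:03:00 10.0.0.5 cdn.example-assets.net 512
2024-05-01T09:04:00 10.0.0.5 cdn.example-assets.net 512
2024-05-01T09:05:01 10.0.0.5 cdn.example-assets.net 512
2024-05-01T09:00:12 10.0.0.7 news.example.org 30211
2024-05-01T09:00:45 10.0.0.7 news.example.org 8830
2024-05-01T09:07:03 10.0.0.7 news.example.org 51002
2024-05-01T09:15:20 10.0.0.7 news.example.org 2201
2024-05-01T09:16:02 10.0.0.7 news.example.org 44012
2024-05-01T09:40:00 10.0.0.7 news.example.org 1200
2024-05-01T09:10:00 10.0.0.9 mail.example.com 4000
2024-05-01T09:20:00 10.0.0.9 mail.example.com 4100
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


@dataclass
class Beacon:
    src: str
    dst: str
    connections: int
    mean_interval_s: float
    interval_cv: float   # primary signal: how regular the check-in timing is
    size_cv: float       # secondary signal: how uniform the outbound sizes are


def parse_log(text: str) -> List[Conn]:
    """Parse the whitespace-separated constructed log format."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(size)))
    return conns


def _cv(values: List[float]) -> float:
    """Coefficient of variation (population stdev / mean); inf if mean is 0."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def detect_beacons(conns: List[Conn], min_connections: int = 5,
                   max_interval_cv: float = 0.1) -> List[Beacon]:
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue  # not enough observations to call the timing periodic
        events.sort(key=lambda c: c.ts)  # logs are not guaranteed to be ordered
        intervals = [(b.ts - a.ts).total_seconds()
                     for a, b in zip(events, events[1:])]
        icv = _cv(intervals)
        if icv <= max_interval_cv:
            findings.append(Beacon(src, dst, len(events), mean(intervals), icv,
                                   _cv([e.bytes_out for e in events])))
    return sorted(findings, key=lambda b: b.interval_cv)


if __name__ == "__main__":
    for b in detect_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b.src} -> {b.dst}: {b.connections} conns, "
              f"every {b.mean_interval_s:.1f}s, interval CV {b.interval_cv:.3f}, "
              f"size CV {b.size_cv:.3f}")
```

Adversaries commonly add randomized jitter to check-in intervals, which raises the interval CV; in practice the threshold is loosened and combined with other signals such as the payload-size uniformity carried in `size_cv`, the age of the destination domain, and whether the destination is new for that host.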
Phase 7: Actions on Objectives executes the adversary's mission: exfiltrating data, encrypting files for ransom, disrupting systems, or establishing a staging point for lateral movement into deeper network segments. Detection involves data loss prevention (DLP) tools, anomaly detection on data egress volumes, and privileged account monitoring to detect unexpected access to sensitive data stores. This phase often occurs weeks or months after initial compromise, as adversaries conduct internal reconnaissance and move laterally to locate high-value assets.
A practical scenario illustrates the framework's operational value: A financial services organization receives threat intelligence in Q3 2022 indicating that a ransomware group is targeting firms in their sector using spearphishing emails carrying macro-enabled Excel files exploiting a patched Office vulnerability. Mapping this to the Kill Chain reveals the adversary is conducting Reconnaissance against employee email addresses (Phase 1), has Weaponized an Excel macro payload (Phase 2), and is preparing Delivery via email (Phase 3). The organization's Kill Chain mapping reveals that its email gateway blocks macro-enabled attachments from external senders, but finance staff has an exception policy allowing those file types. Security operations closes the exception, validates patch levels on all Office installations to address Exploitation (Phase 4), and adds detection rules for scheduled task creation (Phase 5) and beaconing traffic to newly registered domains (Phase 6). The adversary's campaign fails at Phase 3 because a targeted gap was identified and closed before the attack reached that phase.
---
The Cyber Kill Chain matters because it forces a shift from reactive incident response to proactive defensive posture management. Without a phase model organizing adversary behavior, security teams respond to alerts individually without understanding where in the attack lifecycle a given indicator sits. An alert on a beaconing connection may be treated as a low-priority network anomaly rather than recognized as Phase 6 activity indicating an active intrusion already past exploitation and installation.
The business impact of failing to apply this thinking is measurable and consequential. The 2020 SolarWinds supply chain intrusion illustrated the cost of incomplete Kill Chain visibility. The threat actors (APT29) conducted meticulous Reconnaissance of SolarWinds' development environment, Weaponized a backdoor into the Orion software build process (a Phase 2 activity occurring inside a trusted vendor's infrastructure), and used Delivery through the legitimate software update mechanism, bypassing every perimeter control at targeted organizations. Exploitation and Installation phases were completed before any victim network was aware an attack was underway. Command and Control operated through legitimate cloud services to blend with normal traffic. By the time Actions on Objectives began against specific high-value targets, the adversaries had maintained access for months undetected.
The lesson is not that the Kill Chain failed but that organizations had no mapping of their detection capabilities to phases 1 through 5, and therefore had no visibility into where the adversary was operating. Organizations that had implemented Kill Chain coverage mapping could identify intervention points and understand the intrusion timeline more rapidly during incident response.
A common misconception holds that the Kill Chain is obsolete because sophisticated adversaries can compress or skip phases. This overstates the case. While some phases may be very brief or occur simultaneously (a drive-by download can collapse Delivery and Exploitation into a single user action), the logical sequence still applies. Defenders who understand the phases understand what the adversary must accomplish and where dependencies exist. A second misconception claims the Kill Chain only applies to external attackers. Insider threats and supply chain compromises challenge the model's perimeter assumptions, but the phase logic (collection, weaponization or preparation, delivery, persistence, exfiltration) remains analytically useful when adapted to the threat context.
Without Kill Chain thinking, security investments follow vendor marketing cycles rather than adversary behavior patterns. Organizations purchase detection tools without understanding which phases they cover, creating expensive blind spots. The framework provides a rational basis for security architecture decisions and budget allocation tied to actual attack progression rather than theoretical threats.
---
CDA approaches the Cyber Kill Chain within the Risk Governance and Assurance (RGA) and Threat Intelligence and Detection (TID) domains of the Planetary Defense Model (PDM). CDA's operational orientation treats the Kill Chain not as a framework to adopt once during an engagement and forget, but as an analytical instrument that must be continuously calibrated against current threat intelligence, control inventories, and detection telemetry.
CDA's Perpetual Compliance Assurance (PCA) methodology reflects the principle that "compliance is not an event. It is a state." Kill Chain coverage mapping is not a point-in-time exercise completed during an annual risk assessment. CDA implements Kill Chain mapping as a living control matrix: each of the seven phases is associated with specific detective and preventive controls drawn from the organization's security stack, and that matrix is reviewed and validated on a defined cycle tied to threat intelligence updates.
When CDA conducts a Kill Chain gap analysis, the process is operational rather than theoretical. CDA inventories the actual detection tools deployed, reviews SIEM rule libraries against each Kill Chain phase, tests detection coverage through adversary simulation exercises (mapping red team TTPs to Kill Chain phases), and produces a phase coverage heat map. That heat map becomes the prioritized input to the remediation roadmap, ensuring investments target the most critical gaps first.
CDA distinguishes its approach by pairing Kill Chain phase coverage with the organization's actual threat profile. A healthcare organization facing ransomware campaigns needs deep coverage at Delivery (email gateway), Installation (EDR behavioral rules), and C2 (DNS filtering and beaconing detection). A financial institution facing advanced persistent threat actors targeting intellectual property needs coverage across all phases with particular emphasis on Reconnaissance monitoring and Actions on Objectives detection through data egress analysis.
Within the RGA domain, Kill Chain mapping informs risk register entries: each unmitigated phase gap is documented as a discrete risk item with likelihood and impact scoring. This creates traceability between technical security gaps and governance-level risk reporting, satisfying board and executive reporting requirements without requiring leadership to understand technical detection mechanics.
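The coverage mapping in the spearphishing scenario above, and the gap analysis, heat map and risk register entries described in this section, as one added Python example (not CDA's own methodology or tooling): a control inventory is tagged by Kill Chain phase and by preventive or detective kind, an `enforced` flag records where an exception policy negates a control on paper, and the functions derive per-phase coverage, gaps, the earliest phase at which an enforced preventive control can break the chain, and a scored risk item per gap. The control names, the inventory and the 1-5 likelihood and impact scores are constructed assumptions.

```python
"""Kill Chain control-coverage matrix (added example; constructed inventory)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
KINDS = ("preventive", "detective")


@dataclass
class Control:
    name: str
    phase: str
    kind: str              # "preventive" or "detective"
    enforced: bool = True  # False when an exception policy negates it in practice
    note: str = ""

    def __post_init__(self):
        if self.phase not in PHASES:
            raise ValueError(f"unknown phase: {self.phase}")
        if self.kind not in KINDS:
            raise ValueError(f"unknown control kind: {self.kind}")


# Constructed inventory mirroring the scenario: the macro block exists but a
# finance exception negates it, so on paper Delivery looks covered.
INVENTORY = [
    Control("Threat intel feed (active exploit kits)", "Weaponization", "detective"),
    Control("Email gateway macro-attachment block", "Delivery", "preventive",
            enforced=False, note="finance exception permits macro-enabled files"),
    Control("Web proxy TLS inspection and logging", "Delivery", "detective"),
    Control("Office patch management", "Exploitation", "preventive"),
    Control("EDR scheduled-task creation rule", "Installation", "detective"),
    Control("DNS filtering of newly registered domains", "Command and Control", "preventive"),
    Control("Beaconing detection (network traffic analysis)", "Command and Control", "detective"),
    Control("DLP on data egress", "Actions on Objectives", "detective"),
]

# Constructed 1-5 likelihood/impact scores per phase (assumption, not CDA's scale).
LIKELIHOOD = {"Reconnaissance": 5, "Weaponization": 4, "Delivery": 5, "Exploitation": 4,
              "Installation": 3, "Command and Control": 3, "Actions on Objectives": 2}
IMPACT = {"Reconnaissance": 1, "Weaponization": 1, "Delivery": 3, "Exploitation": 4,
          "Installation": 4, "Command and Control": 4, "Actions on Objectives": 5}


@dataclass
class Gap:
    phase: str
    missing: List[str]      # control kinds with no enforced control at this phase
    unenforced: List[str]   # controls present on paper but negated by exceptions


def coverage(controls: List[Control]) -> Dict[str, Dict[str, int]]:
    """Count enforced controls per phase and kind; unenforced ones do not count."""
    table = {p: {k: 0 for k in KINDS} for p in PHASES}
    for c in controls:
        if c.enforced:
            table[c.phase][c.kind] += 1
    return table


def find_gaps(controls: List[Control]) -> List[Gap]:
    """Phases lacking an enforced preventive or detective control, in chain order."""
    table = coverage(controls)
    gaps = []
    for phase in PHASES:
        missing = [k for k in KINDS if table[phase][k] == 0]
        unenforced = [c.name for c in controls if c.phase == phase and not c.enforced]
        if missing or unenforced:
            gaps.append(Gap(phase, missing, unenforced))
    return gaps


def first_prevention_point(controls: List[Control]) -> Optional[str]:
    """Earliest phase where an enforced preventive control can break the chain."""
    table = coverage(controls)
    for phase in PHASES:
        if table[phase]["preventive"] > 0:
            return phase
    return None


def risk_register(gaps: List[Gap]) -> List[dict]:
    """One risk item per phase gap, scored likelihood x impact, highest first."""
    items = []
    for g in gaps:
        desc = []
        if g.missing:
            desc.append("no enforced " + "/".join(g.missing) + " control")
        if g.unenforced:
            desc.append("exception negates: " + ", ".join(g.unenforced))
        items.append({"phase": g.phase, "description": "; ".join(desc),
                      "score": LIKELIHOOD[g.phase] * IMPACT[g.phase]})
    return sorted(items, key=lambda i: i["score"], reverse=True)


def heat_map(controls: List[Control]) -> str:
    """Text heat map: enforced P/D counts per phase, '!' where an exception applies."""
    table = coverage(controls)
    flagged = {c.phase for c in controls if not c.enforced}
    return "\n".join(f"{p:<22} P={table[p]['preventive']} D={table[p]['detective']}"
                     f" {'!' if p in flagged else ' '}" for p in PHASES)


def close_exception(controls: List[Control], name: str) -> List[Control]:
    """Return a new inventory with the named control marked as enforced."""
    return [replace(c, enforced=True, note="") if c.name == name else c for c in controls]


if __name__ == "__main__":
    print(heat_map(INVENTORY))
    for item in risk_register(find_gaps(INVENTORY)):
        print(item)
    fixed = close_exception(INVENTORY, "Email gateway macro-attachment block")
    print("first prevention point:", first_prevention_point(INVENTORY),
          "->", first_prevention_point(fixed))
```

With the exception in place the earliest enforced preventive control sits at Exploitation (patch management), so the chain can only be broken after the payload has already been delivered; closing the exception moves that point back to Delivery, which is the outcome the scenario describes. Reconnaissance carries no control at all in this inventory and therefore appears as a gap in both kinds.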
---
Written by CDA Editorial