# Cyber Kill Chain vs. MITRE ATT&CK
Definition
The Cyber Kill Chain and MITRE ATT&CK are the two most widely used attack modeling frameworks in cybersecurity. Both describe adversary behavior, but at different levels of abstraction, from different conceptual perspectives, and for different audiences. Using a framework for a purpose it was not designed for produces confusion and wasted effort. Using both together, each for its intended purpose, produces a coherent picture of adversary activity from strategic narrative down to specific detection logic.
The Cyber Kill Chain, developed by Lockheed Martin in 2011, is a linear, seven-phase model describing the stages an attacker must traverse to complete a successful intrusion. It derives its structure from military targeting doctrine, specifically the "kill chain" concept used to describe the steps from target identification to strike execution. Applied to cybersecurity, the model argues that every successful attack must pass through each phase in sequence, and therefore defenders who can interrupt the chain at any point can prevent the attack's completion.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), developed by MITRE Corporation starting in 2013 and released publicly in 2015, is a matrix-based framework cataloging observed adversary behaviors organized by tactic and technique. Unlike the Kill Chain, ATT&CK is not linear, not prescriptive about attack sequence, and not simplified for executive communication. It is a reference taxonomy built from real-world intrusion observations, designed to be directly actionable by detection engineers, threat hunters, and red team operators.
Understanding both frameworks, their structure, their trade-offs, and their appropriate use cases, is a prerequisite for building a mature threat-informed defense program.
How It Works
The Cyber Kill Chain: Structure and Logic
The Kill Chain defines seven sequential phases:
- Reconnaissance: information gathering before the attack, including passive OSINT research, social media profiling of employees, technical enumeration of public-facing infrastructure, and identification of potential entry points.
- Weaponization: the preparation phase in which the attacker creates or customizes the payload to be delivered, coupling an exploit with a backdoor or a phishing document with a malicious macro. This happens on attacker infrastructure and is not directly observable by the defender.
- Delivery: transmission of the weaponized payload to the victim environment through email, web, USB, or another vector.
- Exploitation: the payload executes and the exploit triggers, converting successful delivery into code execution.
- Installation: the attacker establishes a persistent foothold (a backdoor, a scheduled task, a registry run key) so access survives even if the initial delivery mechanism is cleaned up.
- Command and Control (C2): a covert channel, typically encrypted or disguised as legitimate traffic, between the attacker's infrastructure and the compromised system, enabling remote direction of the attack.
- Actions on Objectives: the attacker achieves the mission goal, whether data exfiltration, ransomware deployment, destructive action, or lateral movement to a higher-value target.
The linear model carries a strategic implication: defenders who achieve high detection and disruption rates at early phases (Reconnaissance, Delivery) prevent the attacker from ever reaching late phases (Actions on Objectives), where actual damage occurs. This "left of exploit" posture is a core premise of perimeter-heavy security architectures.
MITRE ATT&CK: Structure and Logic
ATT&CK organizes adversary behavior into fourteen tactics for the Enterprise matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. (The first two were folded into Enterprise from the separate PRE-ATT&CK matrix in version 8, October 2020.) Each tactic contains multiple techniques, and techniques may have sub-techniques that describe specific procedural variations; a single technique can appear under several tactics when the same behavior serves different goals, as Scheduled Task/Job (T1053) does under Execution, Persistence, and Privilege Escalation. As of recent releases, the Enterprise matrix contains over 200 techniques and more than 400 sub-techniques.
Unlike the Kill Chain's sequential phases, ATT&CK tactics are not assumed to occur in a fixed order. An attacker may achieve Persistence before Privilege Escalation, or may loop back to Discovery after lateral movement reveals new assets. The matrix is non-linear by design because real attacks are non-linear. Adversaries skip steps, repeat steps, and adapt based on what they find in the environment.
Each ATT&CK technique entry includes detection guidance (which data sources and data components to monitor, for example Process: Process Creation or Scheduled Job: Scheduled Job Creation), mitigation guidance (which controls reduce exposure to the technique), real-world procedure examples (how specific named threat groups and software have used the technique in documented intrusions), and references to source reporting. This technical depth makes ATT&CK directly actionable for practitioners, at the cost of complexity that makes it impractical for executive communication.
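The structure described above is what practitioners actually consume: MITRE publishes ATT&CK as a STIX 2.1 bundle in which tactics are x-mitre-tactic objects, techniques and sub-techniques are attack-pattern objects, and a technique's tactics are listed in its kill_chain_phases. The following is an added example, not code from this page or from MITRE; the bundle it parses is a constructed sample that mirrors the real object shapes (field names are the real ones; the revoked entry T0000 is a placeholder ID and every object is abbreviated). It indexes the bundle, derives sub-technique parents, and drops revoked or deprecated objects, which real bundles retain so that old references still resolve.

```python
"""Index a slice of ATT&CK Enterprise STIX data: technique IDs, tactics, sub-technique parents."""
import json

# Constructed sample mirroring the object shapes in MITRE's enterprise-attack.json bundle
# (x-mitre-tactic and attack-pattern objects). Only the fields read below are included.

def _tactic(name, shortname, ta_id):
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": ta_id}]}

def _technique(name, tid, tactics, revoked=False):
    return {"type": "attack-pattern", "name": name,
            "x_mitre_is_subtechnique": "." in tid, "revoked": revoked,
            # Enterprise objects use kill_chain_name "mitre-attack"; ICS and Mobile use their own names.
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid,
                                     "url": "https://attack.mitre.org/techniques/" + tid.replace(".", "/")}]}

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _tactic("Initial Access", "initial-access", "TA0001"),
        _tactic("Execution", "execution", "TA0002"),
        _tactic("Persistence", "persistence", "TA0003"),
        _tactic("Privilege Escalation", "privilege-escalation", "TA0004"),
        _technique("Scheduled Task/Job", "T1053", ["execution", "persistence", "privilege-escalation"]),
        _technique("Scheduled Task", "T1053.005", ["execution", "persistence", "privilege-escalation"]),
        _technique("Spearphishing Attachment", "T1566.001", ["initial-access"]),
        # Constructed stand-in for a revoked entry (T0000 is a placeholder, not a real ATT&CK ID).
        # Real bundles keep revoked/deprecated objects, flagged with revoked or x_mitre_deprecated.
        _technique("Retired Example Technique", "T0000", ["execution"], revoked=True),
    ],
})


def attack_id(obj):
    """Return the ATT&CK ID (T1053.005, TA0003, ...) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def parent_of(tid):
    """T1053.005 -> T1053; a top-level technique has no parent."""
    return tid.split(".")[0] if "." in tid else None


def load_attack(bundle_json):
    """Build {'tactics': shortname -> info, 'techniques': ATT&CK ID -> info}, skipping retired objects."""
    tactics, techniques = {}, {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # a rule or report still pointing here needs re-mapping, not silent acceptance
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = {"id": attack_id(obj), "name": obj["name"]}
        elif obj["type"] == "attack-pattern":
            tid = attack_id(obj)
            phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                      if p["kill_chain_name"] == "mitre-attack"]
            techniques[tid] = {"name": obj["name"], "tactics": phases,
                               "is_subtechnique": bool(obj.get("x_mitre_is_subtechnique")),
                               "parent": parent_of(tid)}
    return {"tactics": tactics, "techniques": techniques}


def techniques_for_tactic(index, shortname):
    """Every technique and sub-technique listed under one tactic column of the matrix."""
    return sorted(t for t, info in index["techniques"].items() if shortname in info["tactics"])


def full_name(index, tid):
    """Report form 'Parent: Sub' (e.g. 'Scheduled Task/Job: Scheduled Task') when the parent is indexed."""
    info = index["techniques"][tid]
    parent = index["techniques"].get(info["parent"]) if info["parent"] else None
    return f'{parent["name"]}: {info["name"]}' if parent else info["name"]


if __name__ == "__main__":
    idx = load_attack(SAMPLE_BUNDLE)
    for tactic in idx["tactics"]:
        print(idx["tactics"][tactic]["id"], tactic, techniques_for_tactic(idx, tactic))
    print(full_name(idx, "T1053.005"))
```

Against the real bundle (https://github.com/mitre-attack/attack-stix-data), the same loader works unchanged apart from reading the file; the revoked/deprecated filter matters there because retired technique IDs otherwise show up as phantom coverage in later analysis.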
Key Structural Differences
The Kill Chain has seven phases; ATT&CK has fourteen tactics and hundreds of techniques. The Kill Chain is sequential; ATT&CK is non-linear. The Kill Chain describes phases at a high level of abstraction; ATT&CK describes behaviors at a technique level specific enough to write a detection rule. The Kill Chain was designed with perimeter defense in mind; ATT&CK was designed from the assumption that attackers are already inside the environment. The Kill Chain communicates to executives and board members; ATT&CK communicates to analysts and engineers.
Why It Matters
The practical stakes of framework selection are concrete. A CISO who uses ATT&CK to brief the board will lose the room by slide three. A detection engineer who tries to write Sigma rules from the Kill Chain has nothing to match on: a phase such as Installation names no process, command line, registry path, or log field, so the result is seven rules that describe phases rather than behaviors and miss the actual techniques an attacker uses within each phase.
Both frameworks matter because both problems are real. Organizations need executive leadership to understand the adversary narrative and support the security program's budget and priorities. The Kill Chain provides a story structure that non-technical audiences can follow. Organizations also need their detection engineering team to write specific, high-fidelity rules that fire on real adversary behavior rather than abstract phases. ATT&CK provides the technique catalog that makes that specificity possible.
The deeper importance of understanding both frameworks is what they reveal about the limitations of any single model. The Kill Chain's linearity is a simplification. Real attackers do not always move in order, and sophisticated actors often operate simultaneously across multiple phases (establishing persistence while conducting additional Discovery, running exfiltration while maintaining C2). ATT&CK's comprehensiveness is also a limitation in a different direction: no organization can instrument and monitor all 200-plus techniques simultaneously. Both frameworks require judgment and prioritization to use effectively.
Technical Details
Using the Kill Chain for Defensive Architecture
The Kill Chain's phase structure maps naturally to security control layers. Reconnaissance is addressed by minimizing the attack surface visible to external observers (reducing public-facing assets, controlling OSINT exposure, managing DNS and WHOIS footprint). Weaponization occurs on attacker infrastructure and cannot be blocked directly; it is addressed after the fact through malware analysis of delivered artifacts, which yields indicators for the later phases. Delivery is addressed by email security gateways, web proxies, and endpoint controls that block malicious payloads at the boundary. Exploitation is addressed by patch management and vulnerability management programs that reduce the exploitable surface. Installation and C2 are addressed by endpoint detection and response (EDR), application allowlisting, and network controls that detect and block unusual outbound communication. Actions on Objectives is addressed by data loss prevention (DLP), privileged access management, and monitoring of sensitive data repositories.
This layered mapping is the Kill Chain's primary value for security architects and program designers. It translates the abstract model into a control gap analysis: "We have strong controls at Delivery but weak controls at Installation. What capabilities do we need to improve Installation-phase detection?"
Using ATT&CK for Detection Engineering
ATT&CK is operationalized through detection content that fires on specific technique behaviors: Sigma rules, Splunk SPL queries, and KQL queries over log data, and YARA rules over file and memory content. Each piece of content is tagged with the technique IDs it covers (Sigma uses tags of the form attack.t1053.005), which is what makes coverage measurable. The ATT&CK Navigator is a web-based tool that renders a layer file (JSON listing technique IDs with scores, colors, and comments) over the matrix, so a team can color-code its current detection coverage and immediately see which tactics and techniques have no detection logic. This coverage mapping drives prioritization: teams can identify which high-prevalence techniques (those used by the most documented threat actors) currently have no detection, and close those gaps first.
ATT&CK also anchors red team planning. A red team operator using ATT&CK can design an engagement that exercises specific techniques across multiple tactics, testing whether the blue team's detection stack fires on the behaviors the attacker would actually use. The resulting gap report is mapped directly to ATT&CK technique IDs, making remediation unambiguous.
The Complementary Workflow
The two frameworks are most effective in a workflow that uses each for its intended purpose. For a board or executive briefing, the Kill Chain provides the narrative: "The attacker sent a phishing email (Delivery), exploited a vulnerability in the attachment (Exploitation), installed a persistent backdoor (Installation), established communication back to their servers (Command and Control), and spent three weeks collecting data before exfiltrating it (Actions on Objectives)." That story is comprehensible to a non-technical audience and communicates risk in human terms.
For the technical post-mortem and detection improvement, ATT&CK provides the specificity: "The attacker used T1566.001 (Spearphishing Attachment) for initial access, T1053.005 (Scheduled Task/Job: Scheduled Task) for persistence, T1071.001 (Application Layer Protocol: Web Protocols) for C2, and T1041 (Exfiltration Over C2 Channel) for data exfiltration. We have detection coverage for T1071.001 but not T1053.005. That gap needs a detection rule."
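The coverage-mapping workflow described under Using ATT&CK for Detection Engineering and the post-mortem gap just described are two ends of the same pipeline: rule tags in, a Navigator layer and a gap list out. The following is an added example that serves both passages; it is not code from this page, from SigmaHQ, or from MITRE. The three Sigma rules are constructed for the example (they follow the SigmaHQ tag convention, attack.<tactic> and attack.tNNNN[.NNN], but are not rules from the SigmaHQ repository), and the incident technique list is the one from the post-mortem above. The layer it emits uses the Navigator layer-file fields (techniqueID, score, comment, domain, versions); the version strings are assumptions to be set to whatever release the team runs.

```python
"""Turn Sigma rule tags into an ATT&CK Navigator coverage layer and list the gaps."""
import json
import re

# Constructed Sigma rules written for this example (not SigmaHQ rules).
SIGMA_RULES = {
    "proc_creation_win_office_child_process.yml": """\
title: Microsoft Office Spawning Shell or Script Host
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: ['\\WINWORD.EXE', '\\EXCEL.EXE']
        Image|endswith: ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe']
    condition: selection
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
""",
    "proxy_beacon_legacy_user_agent.yml": """\
title: Beacon-Like HTTP Traffic With Legacy User-Agent
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains: 'MSIE 6.0; Windows NT 5.1'
    condition: selection
tags:
    - attack.command_and_control
    - attack.t1071.001
""",
}

# The rule written after the post-mortem to close the scheduled-task gap.
NEW_RULE = {
    "proc_creation_win_schtasks_create.yml": """\
title: Scheduled Task Creation via schtasks.exe
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\schtasks.exe'
        CommandLine|contains: '/create'
    condition: selection
tags:
    - attack.persistence
    - attack.t1053.005
""",
}

# Technique tags only (t + 4 digits, optional .NNN sub-technique); tactic tags are ignored here.
TECHNIQUE_TAG = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$", re.IGNORECASE | re.MULTILINE)


def techniques_in_rule(rule_text):
    """Technique IDs a rule claims, normalised to ATT&CK form (T1566.001)."""
    return {m.upper() for m in TECHNIQUE_TAG.findall(rule_text)}


def coverage(rules):
    """Technique ID -> sorted names of the rules that claim it."""
    cov = {}
    for name, text in rules.items():
        for tid in techniques_in_rule(text):
            cov.setdefault(tid, []).append(name)
    return {tid: sorted(names) for tid, names in cov.items()}


def uncovered(observed, cov, parent_counts=False):
    """Observed technique IDs with no rule. With parent_counts, a rule tagged with the parent
    (T1053) is taken to cover its sub-techniques (T1053.005): a local policy choice, not ATT&CK semantics."""
    def covered(tid):
        return tid in cov or (parent_counts and tid.split(".")[0] in cov)
    return sorted(t for t in set(observed) if not covered(t))


def coverage_delta(before, after):
    """Measurable change between two coverage states (e.g. before/after a detection sprint)."""
    return {"gained": sorted(set(after) - set(before)), "lost": sorted(set(before) - set(after))}


def navigator_layer(cov, name, attack_version="14"):
    """Layer JSON in the shape ATT&CK Navigator imports; score = number of rules per technique."""
    techniques = [{"techniqueID": tid, "score": len(names), "comment": "; ".join(names)}
                  for tid, names in sorted(cov.items())]
    return {"name": name,
            "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},  # assumed versions
            "domain": "enterprise-attack",
            "description": "Detection coverage derived from Sigma rule tags",
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#2e7d32"], "minValue": 0,
                         "maxValue": max((t["score"] for t in techniques), default=1)}}


if __name__ == "__main__":
    incident = ["T1566.001", "T1053.005", "T1071.001", "T1041"]  # techniques from the post-mortem above
    before, after = coverage(SIGMA_RULES), coverage({**SIGMA_RULES, **NEW_RULE})
    print("gaps before:", uncovered(incident, before))
    print("gaps after: ", uncovered(incident, after))
    print("delta:", coverage_delta(before, after))
    print(json.dumps(navigator_layer(after, "coverage-after"), indent=1))
```

A tag is a claim, not evidence: a rule can carry attack.t1053.005 and still never fire because the process-creation log it needs is not collected. Treat the layer as the map of claimed coverage and validate it with the red-team exercises described below.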
CDA uses this workflow explicitly: campaign phases (analogous to Kill Chain phases) communicate operational scope and progress to leadership, while ATT&CK technique IDs anchor the technical mission design for practitioners.
ATT&CK Beyond Enterprise: ICS and Mobile
MITRE maintains separate ATT&CK matrices for Industrial Control Systems (ICS) and Mobile platforms, each with tactics and techniques specific to those environments. The ICS matrix, for example, includes tactics like Inhibit Response Function and Impair Process Control that have no equivalent in the Enterprise matrix because they describe behaviors specific to operational technology environments. Organizations with OT environments should incorporate the ICS matrix into their threat modeling alongside the Enterprise matrix.
Mapping Between Frameworks
Several community and vendor resources provide explicit mappings between the Kill Chain and ATT&CK, aligning Kill Chain phases to the ATT&CK tactics that fall within them. ATT&CK's Reconnaissance and Resource Development tactics correspond to the Kill Chain's Reconnaissance and Weaponization phases. Initial Access maps broadly to Delivery and Exploitation. Persistence, Privilege Escalation, and Defense Evasion map to Installation. Command and Control maps directly to the Kill Chain's C2 phase. Exfiltration and Impact map to Actions on Objectives. These mappings are imperfect: Execution, Credential Access, Discovery, Lateral Movement, and Collection have no Kill Chain phase of their own and are usually folded into Exploitation or Actions on Objectives, which compresses most of a modern intrusion into its last phase, and a single ATT&CK technique can sit under several tactics (and therefore several phases) at once. They are nonetheless useful for organizations transitioning from Kill Chain-centric thinking to ATT&CK-centric thinking.
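The mapping above is most useful when it is applied mechanically to an incident timeline: the same ATT&CK-tagged events produce the per-tactic view a detection engineer needs and the phase-ordered narrative leadership needs, and the places where the Kill Chain's linearity breaks fall out as a by-product. The following is an added example, not code from this page or from either framework's publisher. The timeline is constructed; the tactic-to-phase table follows the mapping in the text, with two assumptions made here and not stated by the page: Execution is assigned to Exploitation, and the post-exploitation tactics (Credential Access, Discovery, Lateral Movement, Collection) are assigned to Actions on Objectives, consistent with the Kill Chain's own definition of that phase.

```python
"""Roll an ATT&CK-tagged incident timeline up into Kill Chain phases, and flag where the chain restarts."""
from datetime import datetime

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Page mapping, plus assumed placement of execution and the post-exploitation tactics.
TACTIC_TO_PHASE = {
    "reconnaissance": "Reconnaissance",
    "resource-development": "Weaponization",
    "initial-access": "Delivery",
    "execution": "Exploitation",            # assumption
    "persistence": "Installation",
    "privilege-escalation": "Installation",
    "defense-evasion": "Installation",
    "command-and-control": "Command and Control",
    "credential-access": "Actions on Objectives",   # assumption
    "discovery": "Actions on Objectives",           # assumption
    "lateral-movement": "Actions on Objectives",    # assumption
    "collection": "Actions on Objectives",          # assumption
    "exfiltration": "Actions on Objectives",
    "impact": "Actions on Objectives",
}

# Constructed timeline: (UTC timestamp, host, ATT&CK technique ID, tactic the behaviour served).
TIMELINE = [
    ("2024-03-04T09:12:00", "ws-017", "T1566.001", "initial-access"),     # spearphishing attachment
    ("2024-03-04T09:13:10", "ws-017", "T1204.002", "execution"),          # user opens the file
    ("2024-03-04T09:13:25", "ws-017", "T1053.005", "persistence"),        # scheduled task
    ("2024-03-04T09:14:02", "ws-017", "T1071.001", "command-and-control"),  # HTTPS beacon
    ("2024-03-05T14:40:00", "ws-017", "T1087.002", "discovery"),          # domain account discovery
    ("2024-03-06T02:05:00", "ws-017", "T1003.001", "credential-access"),  # LSASS memory
    ("2024-03-06T02:30:00", "srv-fs01", "T1021.002", "lateral-movement"), # SMB admin share
    ("2024-03-06T02:31:00", "srv-fs01", "T1053.005", "persistence"),      # chain restarts on new host
    ("2024-03-25T23:10:00", "srv-fs01", "T1041", "exfiltration"),         # exfil over the C2 channel
]


def attack_view(events):
    """Technique IDs grouped by tactic: the detection engineer's working list."""
    view = {}
    for _, _, tid, tactic in events:
        view.setdefault(tactic, set()).add(tid)
    return {tactic: sorted(tids) for tactic, tids in view.items()}


def kill_chain_view(events):
    """Phases present, in Kill Chain order, with first/last seen, hosts and techniques: the briefing view."""
    phases = {}
    for ts, host, tid, tactic in events:
        p = phases.setdefault(TACTIC_TO_PHASE[tactic],
                              {"first": ts, "last": ts, "hosts": set(), "techniques": set()})
        p["first"], p["last"] = min(p["first"], ts), max(p["last"], ts)
        p["hosts"].add(host)
        p["techniques"].add(tid)
    return [(phase, {"first": p["first"], "last": p["last"],
                     "hosts": sorted(p["hosts"]), "techniques": sorted(p["techniques"])})
            for phase in KILL_CHAIN if (p := phases.get(phase))]


def chain_regressions(events):
    """Events whose phase is earlier than the furthest phase already reached.
    Each one is a point where the linear model is a simplification (here: a fresh
    Installation on the second host after Actions on Objectives had begun)."""
    furthest, out = -1, []
    for event in sorted(events):  # ISO-8601 strings sort chronologically
        idx = KILL_CHAIN.index(TACTIC_TO_PHASE[event[3]])
        if idx < furthest:
            out.append(event)
        furthest = max(furthest, idx)
    return out


def dwell_days(events):
    """Whole days between the first and last observed event."""
    stamps = [datetime.fromisoformat(e[0]) for e in events]
    return (max(stamps) - min(stamps)).days


if __name__ == "__main__":
    for phase, info in kill_chain_view(TIMELINE):
        print(f"{phase:22} {info['first']} .. {info['last']}  {info['techniques']}")
    print("regressions:", [(e[0], e[1], e[2]) for e in chain_regressions(TIMELINE)])
    print("dwell (days):", dwell_days(TIMELINE))
```

The Kill Chain view collapses five ATT&CK tactics into Actions on Objectives, which is exactly the loss of detail the text warns about; the regression list is the evidence to keep in the technical appendix when the executive narrative says the attacker moved "through" the chain.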
CDA Perspective
Within the Planetary Defense Model, both the Kill Chain and ATT&CK operate within the TID domain, serving different functions within the Predictive Defense Intelligence (PDI) methodology. PDI's governing principle, "See the threat before it sees you," requires both the strategic narrative the Kill Chain provides and the technical specificity ATT&CK delivers.
CDA uses Kill Chain-aligned language in campaign phase naming (C-RECON, C-BUILD, C-HARDEN, C-DRILL, C-COMMAND) because campaign phase names communicate operational scope to a mixed audience of technical practitioners and business stakeholders. The phase structure creates a shared vocabulary across the organization without requiring everyone to understand technique-level ATT&CK specifics.
At the mission level, CDA mission design references ATT&CK technique IDs directly. A TID domain mission targeting lateral movement defense would specify ATT&CK techniques T1021 (Remote Services), T1550 (Use Alternate Authentication Material), and T1570 (Lateral Tool Transfer) as the technical scope of the mission, providing detection engineers with unambiguous targets for detection rule development and coverage gap analysis.
This two-layer approach reflects a principle embedded throughout the PDM: strategic communication and technical execution require different vocabularies, and confusing them in either direction (using ATT&CK IDs in executive briefings, or using Kill Chain phases to write detection rules) produces friction without value. Using each framework where it is suited produces both organizational alignment and technical precision.
CDA's TID campaign work includes formal ATT&CK coverage mapping as a mission deliverable. A completed TID mission should include a Navigator export showing before and after coverage states, making the improvement measurable and auditable. Kill Chain phase framing is used in mission reporting to provide leadership visibility without requiring them to interpret the Navigator matrix directly.
Key Takeaways
The Kill Chain and ATT&CK answer different questions. The Kill Chain answers: "What phase of the attack is this?" ATT&CK answers: "What specific technique is being used, how is it detected, and which threat actors use it?" Both questions need answers in a mature threat-informed defense program.
Use the Kill Chain for executive communication. Its seven-phase narrative provides a structure that non-technical audiences can follow, making it effective for board briefings, incident communication, and security program framing.
Use ATT&CK for technical execution. Write detection rules against specific ATT&CK techniques. Build red team scenarios from ATT&CK technique catalogs. Measure detection coverage using the ATT&CK Navigator. Prioritize gap closure based on technique prevalence across threat actor profiles relevant to your sector.
Neither framework is sufficient alone. The Kill Chain's high-level abstraction misses the technique-level specificity needed for detection engineering. ATT&CK's comprehensiveness is a barrier to executive communication. A program that uses only one framework is leaving value on the table.
The Diamond Model is a third complementary lens. Kill Chain provides phase narrative, ATT&CK provides technique specifics, and the Diamond Model provides the relationship context (who is using these techniques, against whom, via what infrastructure) that ties intrusion analysis into campaign intelligence.
ATT&CK is a living framework. New techniques are added as adversary behavior evolves, and existing ones are revoked, deprecated, or split into sub-techniques, so detection content tagged with an old ID can silently stop mapping to anything. Detection coverage that was comprehensive a year ago may have gaps today. Coverage assessment, including re-mapping content against the current ATT&CK version, should be a recurring program activity, not a one-time project.
Sources
- Hutchins, E., Cloppert, M., Amin, R. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains." Lockheed Martin, 2011. https://lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
- MITRE Corporation. "ATT&CK for Enterprise." https://attack.mitre.org/
- MITRE Corporation. "ATT&CK Navigator." https://mitre-attack.github.io/attack-navigator/
- MITRE Corporation. "ATT&CK for ICS." https://attack.mitre.org/matrices/ics/
- CISA. "Best Practices for MITRE ATT&CK Mapping." https://www.cisa.gov/
- Strom, B., et al. "MITRE ATT&CK: Design and Philosophy." MITRE Technical Report, 2018 (revised March 2020). https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf
- Sigma Project. "Generic Signature Format for SIEM Systems." https://github.com/SigmaHQ/sigma
- NIST SP 800-53r5. "Security and Privacy Controls for Information Systems and Organizations." https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final