Category: Threat Modeling

Kill Chain

Also known as: Cyber Kill Chain, Cyberattack Chain, Cyber Security Kill Chain

Simply put

A kill chain is a model that describes the sequential stages an attacker typically follows to carry out an attack, from initial target identification through to the final objective. In cybersecurity, the model is used to help defenders understand, detect, and interrupt attacks at various points before they succeed. By mapping attacker behavior to distinct phases, security teams can identify where controls may be applied to break the chain.

Formal definition

Originally a military concept identifying the structured phases of an attack (target identification, force dispatch, decision, and engagement), the kill chain was adapted into cybersecurity as a framework for modeling and countering intrusion activity. The Cyber Kill Chain, developed as part of an Intelligence Driven Defense model, describes the stages a threat actor progresses through during a cyberattack, typically spanning reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. In application security and supply chain contexts, the framework is used to structure threat modeling exercises and defensive controls by identifying which phase of an attack a given control addresses. The model is most useful for characterizing multi-stage, targeted intrusions; it may not fully represent attack patterns that do not follow a linear progression, and applying it requires contextual knowledge of the specific threat actors and environments involved.

Why it matters

Understanding the sequential stages of an attack gives security teams the ability to intervene before an attacker reaches their final objective. Rather than treating a breach as a single event, the kill chain model frames an intrusion as a series of dependent steps, each of which represents an opportunity to detect, delay, or stop the attack. This shift in perspective encourages defenders to build layered controls that address multiple phases rather than relying on any single prevention mechanism at the perimeter.

In application security and software supply chain contexts, the kill chain helps practitioners recognize that compromising a target typically requires an attacker to complete several intermediate steps, such as identifying a vulnerable dependency, weaponizing it, delivering a malicious payload, and establishing persistence. Each of those steps may leave observable signals or can be disrupted by targeted controls. For example, supply chain attacks such as the SolarWinds incident demonstrated how adversaries progress through distinct phases, including access to a build environment, trojanization of software, and staged command-and-control activity, before achieving their objectives against downstream targets.

Without a structured model like the kill chain, security programs may focus disproportionately on endpoint detection or perimeter controls while leaving earlier or later phases unaddressed. Mapping existing controls to kill chain phases can reveal gaps in defensive coverage and help prioritize where additional investment or tooling is needed.

Who it's relevant to

Security Architects and Threat Modelers
Security architects and threat modelers use the kill chain to structure threat modeling exercises, ensuring that defensive controls are evaluated across the full progression of a potential attack rather than only at initial entry points. Mapping proposed controls to specific kill chain phases helps identify gaps in coverage and supports more rigorous architectural decision-making.
Application Security Engineers
Application security engineers apply the kill chain framework to understand how vulnerabilities in application code or dependencies fit into a broader attack sequence. Recognizing that exploitation of a single vulnerability is typically one phase in a longer chain helps practitioners prioritize remediation based on how much attacker progress a given flaw enables.
Software Supply Chain Security Teams
Teams responsible for software supply chain security use the kill chain to reason about how adversaries might compromise build pipelines, package repositories, or third-party dependencies as intermediate steps toward a downstream target. The framework supports analysis of where integrity controls, monitoring, and access restrictions can interrupt an attacker's progression through the supply chain.
Security Operations and Incident Responders
Security operations analysts and incident responders use the kill chain model to classify observed attacker activity by phase, which helps prioritize response actions and assess how far an intrusion has progressed. Correlating indicators of compromise with specific phases supports more informed decisions about containment and remediation scope.
Risk and Compliance Professionals
Risk and compliance professionals may use the kill chain as a communication tool to explain to stakeholders how layered defenses reduce the likelihood of a successful attack by requiring an adversary to complete multiple phases without interruption. The model provides a structured basis for discussing where controls exist and where residual risk remains.

Inside Kill Chain

Reconnaissance
The initial phase in which an attacker gathers information about the target, including identifying publicly exposed assets, technologies in use, personnel, and potential entry points. This phase is largely passive and may be difficult to detect.
Weaponization
The phase in which the attacker prepares an exploit or malicious payload, such as coupling a vulnerability exploit with a backdoor or dropper, in anticipation of delivery. This occurs entirely within the attacker's environment and is not visible to defenders.
Delivery
The mechanism by which the weaponized payload is transmitted to the target, such as through phishing email, a malicious web link, a compromised dependency, or a vulnerable API endpoint.
Exploitation
The phase in which the attacker's payload triggers a vulnerability in the target environment, executing code or gaining unauthorized access. This is a key point at which runtime controls and input validation can interrupt the chain.
Installation
The phase in which malware or a persistent mechanism is installed on the compromised system, allowing the attacker to maintain access beyond the initial exploitation event.
Command and Control (C2)
The establishment of a communication channel between the compromised system and attacker-controlled infrastructure, enabling the attacker to issue instructions and exfiltrate data.
Actions on Objectives
The final phase in which the attacker achieves their intended goal, which may include data exfiltration, privilege escalation, lateral movement, destruction of data, or disruption of services.

Common questions

Answers to the questions practitioners most commonly ask about Kill Chain.

Does disrupting one stage of the kill chain stop an attack entirely?
Not necessarily. Disrupting a single stage can delay or complicate an attack, but a determined adversary may adapt, find alternative paths, or have already completed earlier stages before the disruption occurs. The kill chain model is most effective as a layered defense framework where multiple stages are addressed simultaneously, rather than as a sequential checklist where stopping one step guarantees overall protection.
Does the kill chain model apply equally well to all types of attacks?
No. The kill chain model was originally designed around external, targeted intrusion scenarios. It maps less cleanly to insider threats, supply chain compromises, purely opportunistic attacks, or incidents that begin at advanced stages due to stolen credentials or pre-existing access. Practitioners should treat the model as a useful heuristic rather than a universal framework, and supplement it with other models when addressing attack categories that fall outside its original scope.
How can a team use the kill chain model to prioritize defensive investments?
Teams can map their existing controls to each kill chain stage and identify gaps where adversary activity would go undetected or unimpeded. Stages with weak or absent coverage represent higher-priority investment areas. This mapping exercise also helps teams evaluate whether their defenses are concentrated at a single stage, which increases risk if that stage is bypassed, or distributed across multiple stages, which improves overall resilience.
How does the kill chain model support threat intelligence analysis?
Threat intelligence teams use kill chain stage classifications to contextualize indicators of compromise and adversary behaviors. By tagging intelligence with the stage at which an observed technique appears, analysts can assess how far an adversary may have progressed in an intrusion, identify which stages lack visibility in their telemetry, and prioritize detection rule development for stages where adversary activity is known but currently unmonitored.
What is the relationship between the kill chain model and frameworks like MITRE ATT&CK?
The kill chain model provides a high-level sequential structure describing the broad phases of an intrusion. MITRE ATT&CK extends this concept with a more granular, empirically sourced catalog of specific adversary tactics, techniques, and procedures observed in real-world incidents. In practice, many teams use the kill chain as a conceptual organizing layer and ATT&CK as the operational reference for detection engineering, red team planning, and threat modeling at the technique level.
How should incident responders use the kill chain model during an active investigation?
Incident responders can use kill chain stage reasoning to reconstruct attacker timelines and identify evidence gaps. By determining which stage an observed indicator corresponds to, responders can hypothesize what earlier stages may have already occurred and what later stages may be imminent, guiding collection priorities. This approach also helps responders avoid a common scoping error of treating the detected event as the starting point of the incident rather than recognizing it as a mid-intrusion signal.
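The control-mapping exercise described in the questions above (and in "Why it matters" and "Best practices"), as an added worked example that is not code from the original page: it maps a constructed control inventory to the seven phases, reports the phases where adversary activity would go undetected or unimpeded, measures how concentrated the defenses are on a single stage, and, for responders, lists the phases likely already completed or imminent given the phase an indicator maps to. The phase identifiers and the sample inventory are assumptions.

```python
# Added example for this page (not from the original glossary entry): map a
# control inventory to kill chain phases and report coverage gaps. The
# inventory below is constructed sample data; phases follow the seven stages above.
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed inventory: the phases each control addresses and whether it
# detects activity, prevents it, or both.
SAMPLE_CONTROLS = [
    {"name": "input validation + WAF", "phases": ["exploitation"], "kinds": {"prevent"}},
    {"name": "dependency integrity/provenance checks", "phases": ["delivery"], "kinds": {"prevent"}},
    {"name": "EDR on build agents", "phases": ["exploitation", "installation"], "kinds": {"detect"}},
    {"name": "egress allow-list proxy", "phases": ["command_and_control"], "kinds": {"prevent", "detect"}},
]

def coverage_by_phase(controls):
    """Map every phase to the set of control kinds covering it (empty if none)."""
    cov = {p: set() for p in PHASES}
    for c in controls:
        for p in c["phases"]:
            if p not in cov:
                raise ValueError(f"unknown phase {p!r} in control {c['name']!r}")
            cov[p] |= c["kinds"]
    return cov

def gaps(controls):
    """Phases, in chain order, where activity would go undetected or unimpeded."""
    cov = coverage_by_phase(controls)
    return {
        "undetected": [p for p in PHASES if "detect" not in cov[p]],
        "unimpeded": [p for p in PHASES if "prevent" not in cov[p]],
    }

def concentration(controls):
    """Fraction of control-to-phase mappings on the single most-covered phase;
    a value near 1.0 means the defense hinges on one stage holding."""
    counts = {p: 0 for p in PHASES}
    for c in controls:
        for p in c["phases"]:
            counts[p] += 1
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0

def stage_context(observed_phase):
    """For an indicator mapped to one phase, list phases likely already completed
    and phases that may be imminent, to guide responder collection scope."""
    i = PHASES.index(observed_phase)
    return {"likely_completed": PHASES[:i], "possibly_imminent": PHASES[i + 1:]}
```

With the sample inventory, reconnaissance, weaponization and actions on objectives have neither detection nor prevention, and delivery is prevented but not detected, which is exactly the kind of gap the mapping is meant to surface.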

Common misconceptions

Disrupting one phase of the kill chain is sufficient to stop an attacker.
While interrupting any phase can slow or stop a specific attack attempt, a determined attacker may adapt their approach and attempt alternate delivery or exploitation methods. Defense-in-depth across multiple phases is typically more effective than relying on a single control at one phase.
The kill chain model applies uniformly to all attack types, including insider threats and software supply chain attacks.
The kill chain model was originally designed around external, intrusion-based attacks. Insider threats and software supply chain compromises may bypass early phases entirely, meaning the model may not map cleanly to all threat scenarios without adaptation.
Static analysis and code-level controls can detect and prevent all kill chain phases.
Static analysis tools operate at the code level and can identify certain vulnerability classes relevant to exploitation, but phases such as reconnaissance, weaponization, command and control, and actions on objectives require runtime monitoring, network controls, or deployment-context visibility to detect or disrupt.

Best practices

Map your application's security controls to specific kill chain phases to identify coverage gaps, particularly around delivery and exploitation, where application-layer defenses are most applicable.
Implement monitoring and alerting at multiple phases rather than relying solely on perimeter or pre-deployment controls, since some phases such as command and control are only detectable at runtime.
Use threat modeling to assess which kill chain phases represent the highest risk for your specific application and supply chain, and prioritize controls accordingly rather than applying a generic checklist.
Treat reconnaissance mitigation seriously by reducing unnecessary exposure of technology stack details, API structures, and internal asset information in public-facing interfaces and error messages.
Incorporate software supply chain controls, such as dependency integrity verification and provenance checks, to address delivery-phase risks that may arrive through third-party components rather than direct attacker interaction.
Review and test incident response plans against each kill chain phase so that responders know which signals indicate which phase of an active attack and can act to interrupt progression before objectives are reached.