Cyber Kill Chain
The cyber kill chain is a framework that breaks an intrusion into sequential stages so defenders can understand, detect, and disrupt attacker activity at multiple points.
What Is the Cyber Kill Chain?
Originally popularized by Lockheed Martin, the cyber kill chain describes how an attack progresses from reconnaissance to actions on objectives. It gives defenders a structured way to map coverage, identify gaps, and understand where a control or detection can interrupt an intrusion.
Typical Kill Chain Stages
- Reconnaissance: Gathering information about the target
- Weaponization: Preparing tools, payloads, or infrastructure
- Delivery: Sending the payload through email, web, or other channels
- Exploitation: Triggering the vulnerability or weakness
- Installation: Establishing persistence or malware execution
- Command and Control: Communicating with compromised assets
- Actions on Objectives: Theft, disruption, exfiltration, or impact
Why It Matters
The kill chain helps teams think in sequences instead of isolated events. Even when an early-stage control fails, there may still be later opportunities to detect, contain, or stop the attack.
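As an added example (not part of the original page and not FourCore code), the sketch below maps control outcomes onto the seven stages to show coverage gaps and the earliest stage at which a chain would be detected or blocked. The control names, the sample results, and the "untested" label are constructed assumptions; each row is assumed to be one control's outcome for the emulated step at that stage.

```python
# Stages in the order the page lists them.
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Outcome strength: a block beats a detection, which beats a miss.
RANK = {"missed": 0, "detected": 1, "blocked": 2}

# Constructed sample results: (stage, control, outcome). Hypothetical names.
RESULTS = [
    ("Delivery", "mail-gateway", "missed"),
    ("Delivery", "web-proxy", "missed"),
    ("Exploitation", "edr", "missed"),
    ("Installation", "edr", "detected"),
    ("Command and Control", "dns-filter", "blocked"),
    ("Command and Control", "ids", "missed"),
    ("Actions on Objectives", "dlp", "detected"),
]

def stage_coverage(results):
    """Strongest outcome any control achieved per stage ('untested' if none)."""
    best = {stage: "untested" for stage in STAGES}
    for stage, _control, outcome in results:
        if stage not in best or outcome not in RANK:
            raise ValueError(f"unknown stage or outcome: {stage!r}, {outcome!r}")
        if best[stage] == "untested" or RANK[outcome] > RANK[best[stage]]:
            best[stage] = outcome
    return best

def gaps(coverage):
    """Stages where nothing detected or blocked the activity, in chain order."""
    return [s for s in STAGES if coverage[s] in ("missed", "untested")]

def first_interruption(coverage, at_least="blocked"):
    """Earliest stage whose outcome is at least `at_least`, or None."""
    for stage in STAGES:
        if RANK.get(coverage[stage], -1) >= RANK[at_least]:
            return stage
    return None

if __name__ == "__main__":
    cov = stage_coverage(RESULTS)
    for stage in STAGES:
        print(f"{stage:<24}{cov[stage]}")
    print("Gaps:", ", ".join(gaps(cov)))
    print("First detection:", first_interruption(cov, "detected"))
    print("First block:", first_interruption(cov, "blocked"))
```

With this sample, every delivery and exploitation control misses, yet the chain is still detected at Installation and blocked at Command and Control.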
How FourCore ATTACK Relates
FourCore ATTACK helps teams emulate multiple stages of an attack chain and measure where controls detect, block, or miss the activity across the intrusion lifecycle.