Every cyberattack follows a path. The attacker has to get in, establish a foothold, move through the environment and ultimately reach their objective. That path isn’t random. It follows a recognizable sequence of stages, and the cyber kill chain gives security teams a framework for understanding exactly what that sequence looks like and where it can be broken.
For MSPs and IT teams protecting complex, distributed environments, the kill chain is more than a theoretical model. It’s a practical lens for mapping security controls against real attack progression and identifying where gaps in coverage leave organizations exposed. Tools like Datto EDR, Kaseya SIEM and Kaseya MDR are built to interrupt attackers at multiple stages of that chain, before damage reaches the stages that are hardest to recover from.
What is the cyber kill chain?
The cyber kill chain is a framework that maps the stages of a cyberattack from initial reconnaissance through to the attacker achieving their final objective. It was developed by Lockheed Martin in 2011, adapted from the military concept of a “kill chain,” which breaks an enemy engagement into identifiable steps that can each be targeted and disrupted.
In cybersecurity, the model serves the same purpose. By understanding the sequence an attacker must follow, security teams can identify control points at each stage where the attack can be detected, slowed or stopped entirely. An attacker who is blocked at stage two never reaches stage five. An attacker who is detected at stage four can be contained before they reach stage seven.
The framework was originally designed with advanced persistent threats (APTs) in mind: sophisticated, long-running attacks carried out by well-resourced adversaries who plan carefully before acting. It remains most directly applicable to those threat types, though its logic applies broadly to how security teams think about layered defenses across any structured attack.
The 7 steps of the cyber kill chain
Lockheed Martin’s original model defines seven sequential steps. Every step represents a point where defenders can intervene.
Step 1: Reconnaissance
Before launching an attack, the attacker gathers information about the target. This includes identifying publicly available data about the organization’s infrastructure, employee email addresses, job listings that reveal technology in use, social media profiles and any externally facing systems that could serve as entry points.
Reconnaissance can be passive, using open-source intelligence (OSINT) without touching the target’s systems directly, or active, involving scanning for open ports, identifying software versions and probing for vulnerabilities. The more information an attacker collects here, the more precise and convincing the attack becomes downstream.
Defensive focus: monitoring for external scanning activity, limiting publicly available technical information and controlling what employee-facing systems are exposed to the internet.
Step 2: Weaponization
The attacker uses what they learned in reconnaissance to build or assemble their attack payload. This typically involves creating malicious files designed to exploit a specific vulnerability identified in the target’s environment. A phishing document embedded with a macro that delivers a remote access trojan, a weaponized PDF exploiting a reader vulnerability or a dropper that installs ransomware on execution are all examples of weaponization.
Defenders rarely have visibility into this stage directly, since it happens entirely on attacker-controlled infrastructure. The focus here is on reducing the attack surface that reconnaissance exposed: patching known vulnerabilities quickly removes the weapons the attacker was planning to use.
Step 3: Delivery
The attacker delivers the weaponized payload to the target. Email is the most common delivery mechanism, through phishing campaigns carrying malicious attachments or links. Other delivery methods include compromised websites that serve drive-by downloads, malicious USB drives, compromised third-party software updates (supply chain attacks) and exploitation of internet-facing services.
Defensive focus: email filtering, web filtering, DNS protection and user security awareness training all operate at the delivery stage. Blocking delivery before the payload reaches a device is the highest-leverage defensive action available, because it prevents all subsequent stages from occurring.
Step 4: Exploitation
Once the payload reaches the target, it executes and exploits a vulnerability to gain initial access. This might be a software vulnerability in an unpatched application, a browser exploit triggered by visiting a malicious page or a macro executing in an Office document after the user clicks “Enable Content.”
This is where the attacker transitions from outside the environment to inside it. Exploitation is the stage that endpoint detection tools are specifically designed to catch: behavioral analysis identifies the abnormal process activity that follows successful exploitation, even when the vulnerability itself wasn’t known in advance.
Step 5: Installation
With initial access established, the attacker installs persistent malware or a backdoor to maintain their presence even if the original entry point is closed. Common persistence mechanisms include creating registry run keys, installing scheduled tasks, adding startup entries or deploying a remote access trojan that beacons to attacker-controlled command and control infrastructure.
The goal is to survive a reboot, a password change or a patch that closes the original vulnerability. Without persistent installation, the attacker loses access the moment the session ends. EDR tools with continuous endpoint telemetry are well suited to detecting the registry modifications, new scheduled tasks and unusual process creation that characterize this stage.
Step 6: Command and control (C2)
The installed malware establishes a communication channel back to attacker-controlled infrastructure. Through this channel, the attacker can issue commands, receive data, deploy additional tools and direct the next phases of the attack remotely. C2 traffic is often disguised as legitimate web traffic, routed through popular cloud services, or encrypted to avoid detection.
This stage represents a critical detection opportunity. C2 communication has to cross the network boundary, which means network monitoring tools and DNS filtering can catch it. An endpoint that has been compromised but whose C2 channel is blocked can’t be directed further. Isolating it at this point contains the incident before lateral movement begins.
Step 7: Actions on objectives
In the final stage, the attacker executes their goal. For financially motivated attackers, this typically means ransomware deployment and encryption, data exfiltration for extortion or sale, or financial fraud. Nation-state actors may pursue espionage, destruction of critical systems or long-term persistent access for future use.
This is the most damaging and most costly stage to recover from. Attacks that reach actions on objectives require full incident response: forensic investigation, system rebuilding, potential regulatory notification and reputation management. The primary purpose of everything that precedes this stage in a defensive strategy is to ensure the attacker never gets here.
Cyber kill chain example: A ransomware attack
Walking the seven steps through a real-world threat type illustrates how the model works in practice:
- Reconnaissance: The attacker identifies a mid-sized manufacturing company using a job listing that references a specific version of ERP software with a known vulnerability. They also scrape LinkedIn for employee names and email formats.
- Weaponization: Using the employee data, they craft a phishing email impersonating a vendor, attaching a document that exploits the ERP vulnerability and drops a remote access trojan on execution.
- Delivery: The phishing email is sent to an accounts payable employee. It passes email filters because the sender domain is a convincing lookalike and the attachment isn’t flagged as a known malicious hash.
- Exploitation: The employee opens the attachment. The document macro executes, exploiting the vulnerability and running a PowerShell command that downloads the trojan from an attacker-controlled server.
- Installation: The trojan installs itself as a scheduled task, configured to persist across reboots. It begins beaconing to C2 infrastructure every few minutes over HTTPS.
- Command and control: The attacker confirms access, deploys credential-dumping tools, and spends several days moving laterally through the environment, mapping file shares and backup systems before acting.
- Actions on objectives: The attacker deploys ransomware across the network simultaneously from multiple compromised endpoints. File encryption begins across dozens of systems before any alert fires.
Breaking this chain at step three (email filtering catching the phishing delivery), step four (EDR detecting the PowerShell execution), or step six (DNS filtering blocking the C2 beacon) would each have prevented the final outcome. The further along the chain the attacker gets before detection, the more expensive and complex the response becomes.
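To make the "where could this chain have been broken" question concrete, here is an added example (not code from the original article and not Kaseya or Datto code) that runs simple detection logic over constructed endpoint and network telemetry mirroring the walkthrough above. The log format, hostnames and domain names are invented for the demonstration; the ATT&CK technique IDs are real. It tags each finding with the kill chain step it evidences (Office spawning PowerShell for exploitation, a scheduled task for installation, fixed-cadence HTTPS connections for C2 beaconing, a burst of renames to one extension for encryption) and reports the earliest step at which a defender had a detection opportunity.

```python
"""Tag endpoint and network telemetry with the kill chain stage it evidences.

Added example, not Kaseya/Datto code. The log format, hostnames and domains are
constructed for this demonstration; the ATT&CK technique IDs are real.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

STAGE_NAMES = {4: "Exploitation", 5: "Installation",
               6: "Command and control", 7: "Actions on objectives"}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry mirroring the ransomware walkthrough (not real logs).
SAMPLE_LOGS = """\
2024-05-01T09:02:11Z host=WS-AP01 type=process parent=WINWORD.EXE image=powershell.exe cmd="powershell.exe -w hidden -c <download from attacker server>"
2024-05-01T09:02:14Z host=WS-AP01 type=process parent=powershell.exe image=schtasks.exe cmd="schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\upd.exe"
2024-05-01T09:05:00Z host=WS-AP01 type=network dst=files.lookalike-vendor.example port=443
2024-05-01T09:10:01Z host=WS-AP01 type=network dst=files.lookalike-vendor.example port=443
2024-05-01T09:14:59Z host=WS-AP01 type=network dst=files.lookalike-vendor.example port=443
2024-05-01T09:20:00Z host=WS-AP01 type=network dst=files.lookalike-vendor.example port=443
2024-05-01T09:21:37Z host=WS-AP01 type=network dst=cdn.example.com port=443
2024-05-03T02:14:05Z host=FS01 type=file action=rename src=Q2-forecast.xlsx dst=Q2-forecast.xlsx.locked
2024-05-03T02:14:05Z host=FS01 type=file action=rename src=payroll.csv dst=payroll.csv.locked
2024-05-03T02:14:06Z host=FS01 type=file action=rename src=contracts.docx dst=contracts.docx.locked
"""


def parse_line(line):
    """Split an ISO timestamp plus key=value pairs (quoted values allowed) into a dict."""
    ts, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_beacon(times, max_jitter=0.05):
    """True when the gaps between connections are nearly constant (periodic beaconing)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(gaps) >= 3 and pstdev(gaps) / mean(gaps) <= max_jitter


def finding(ts, host, stage, technique, evidence):
    return {"ts": ts, "host": host, "stage": stage, "stage_name": STAGE_NAMES[stage],
            "technique": technique, "evidence": evidence}


def tag_events(log_text):
    """Return kill chain findings for the telemetry, ordered by time of first evidence."""
    findings, conns, renames = [], defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["type"] == "process":
            # Step 4: an Office application spawning PowerShell (macro running a downloader).
            if e.get("parent", "").upper() in OFFICE_APPS and e["image"].lower() == "powershell.exe":
                findings.append(finding(e["ts"], e["host"], 4, "T1204.002",
                                        f"{e['parent']} spawned {e['image']}"))
            # Step 5: scheduled task creation used as a persistence mechanism.
            if e["image"].lower() == "schtasks.exe" and "/create" in e.get("cmd", "").lower():
                findings.append(finding(e["ts"], e["host"], 5, "T1053.005", e["cmd"]))
        elif e["type"] == "network":
            conns[(e["host"], e["dst"])].append(e["ts"])
        elif e["type"] == "file" and e.get("action") == "rename":
            renames[(e["host"], e["dst"].rsplit(".", 1)[-1])].append(e["ts"])
    # Step 6: one host contacting one external name at a fixed cadence.
    for (host, dst), times in conns.items():
        times.sort()
        if is_beacon(times):
            findings.append(finding(times[0], host, 6, "T1071.001",
                                    f"{len(times)} periodic connections to {dst}"))
    # Step 7: a burst of renames to a single new extension on one host (encryption).
    for (host, ext), times in renames.items():
        times.sort()
        if len(times) >= 3 and (times[-1] - times[0]).total_seconds() <= 60:
            findings.append(finding(times[0], host, 7, "T1486",
                                    f"{len(times)} files renamed to .{ext} within 60s"))
    return sorted(findings, key=lambda f: (f["ts"], f["stage"]))


def earliest_stage(findings):
    """The lowest step with a detection: where this chain could first have been broken."""
    return min((f["stage"] for f in findings), default=None)


if __name__ == "__main__":
    results = tag_events(SAMPLE_LOGS)
    for f in results:
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['host']:<7} step {f['stage']} "
              f"{f['stage_name']:<22} {f['technique']:<10} {f['evidence']}")
    print("first breakable step:", earliest_stage(results))
```

The single connection to cdn.example.com is never flagged, which is the point of the cadence test: C2 detection keys on regularity over time rather than on any one request, so the beacon rule needs several samples before it fires, while the process-lineage rule fires on the first event. In this sample the earliest detection opportunity is step 4, two days before the encryption burst on the file server.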
Cyber kill chain vs. MITRE ATT&CK: What’s the difference?
Both frameworks map attacker behavior, but they operate at different levels of detail and serve different purposes.
The cyber kill chain is a high-level sequential model. It describes the broad phases of an attack in order, making it useful for strategic planning, understanding attack progression and communicating with non-technical stakeholders. Its seven steps give security teams a shared vocabulary for discussing where in an attack lifecycle a threat was detected or where defenses failed.
MITRE ATT&CK is a granular, continuously updated knowledge base of attacker tactics, techniques and procedures (TTPs). Rather than seven sequential phases, it catalogs hundreds of specific techniques organized by tactic, drawn from observed real-world attacks. It isn’t sequential: an attacker might use techniques from multiple MITRE tactics simultaneously or in different orders depending on what they encounter.
The two frameworks complement each other. The kill chain provides the structural view of an attack’s progression. MITRE ATT&CK provides the technical detail of exactly how each stage of that progression is executed. Security operations teams often use the kill chain for incident communication and strategic defense planning while using MITRE ATT&CK for detection engineering, alert mapping and evaluating tool coverage.
Datto EDR maps its detections to the MITRE ATT&CK framework, which means alerts arrive with the context of what tactic and technique is being used. This connects the technical detail of MITRE to the kill chain stage it represents, giving analysts both the specific technique being observed and its place in the broader attack sequence.
Limitations of the cyber kill chain
The kill chain model has real utility, but it also has meaningful limitations that security teams need to understand.
It assumes a linear attack
The original model describes a sequential progression from stage one to stage seven. Real attacks frequently skip stages, execute multiple stages simultaneously or revisit earlier stages. An attacker with existing access to credentials from a previous breach might skip reconnaissance and delivery entirely.
It focuses on perimeter-based threats
The model was designed in an era of on-premises networks with clear boundaries. Insider threats, cloud-native attacks, compromised third-party access and supply chain attacks don’t map cleanly onto the traditional kill chain structure.
It doesn’t account for the speed of modern attacks
The 2026 Unit 42 Global Incident Response Report found that the fastest attacks now reach data exfiltration within 72 minutes of initial access. The kill chain model implies defenders have time to detect and respond at each stage. Against fast-moving automated attacks, that window is often narrower than the model suggests.
It can create a false sense of completeness
An organization that has deployed controls at all seven kill chain stages may still have significant gaps if those controls don’t address the specific techniques attackers use at each stage. MITRE ATT&CK is a better tool for evaluating technique-level coverage.
How can the cyber kill chain improve security?
Despite its limitations, the kill chain remains a practical framework for structured defense planning. Here’s how to apply it:
- Map your controls to each stage: For each of the seven stages, identify what tools and processes you have in place to detect or prevent attacker activity. The gaps that appear when you do this exercise reveal where investment is needed.
- Prioritize early-stage disruption: The earlier in the kill chain you stop an attack, the less damage it causes and the simpler the remediation. Controls at delivery (email filtering, DNS protection) and exploitation (patching, EDR behavioral detection) provide the highest return because they prevent all downstream stages.
- Use kill chain thinking in incident review: After any security incident, walk through the kill chain steps and identify at which step the attacker was detected, how far they progressed before containment and what controls, if present, would have caught the attack earlier. This produces specific, actionable improvements rather than generic “strengthen security” conclusions.
- Don’t rely on the kill chain alone: Complement it with MITRE ATT&CK for technique-level detection coverage assessment and with threat intelligence that reflects the specific TTPs of adversaries targeting your sector.
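The mapping exercise in the first point, the technique-level caveat from the limitations section and the incident-review walk-through can all be done with a short script. The following is an added example, not code from the original article or from Kaseya. The control inventory is constructed for a hypothetical client, the ATT&CK technique IDs are real, and their assignment to kill chain steps follows the ransomware walkthrough on this page (an assumption of this example, since ATT&CK itself is not organized by kill chain stage).

```python
"""Map security controls to kill chain steps and ATT&CK techniques to find gaps.

Added example, not Kaseya code. The inventory is constructed; the ATT&CK IDs are real,
and their assignment to steps follows this page's ransomware walkthrough (an assumption).
"""
from dataclasses import dataclass

KILL_CHAIN = {1: "Reconnaissance", 2: "Weaponization", 3: "Delivery", 4: "Exploitation",
              5: "Installation", 6: "Command and control", 7: "Actions on objectives"}

# Techniques the walkthrough's attacker used at each step.
EXPECTED = {
    1: {"T1593", "T1589"},               # open-website search, victim identity gathering
    2: {"T1587.001"},                    # develop malware capability
    3: {"T1566.001"},                    # spearphishing attachment
    4: {"T1204.002", "T1059.001"},       # malicious file execution, PowerShell
    5: {"T1053.005"},                    # scheduled task persistence
    6: {"T1071.001", "T1003", "T1021"},  # web-protocol C2, credential dumping, lateral movement
    7: {"T1486"},                        # data encrypted for impact
}


@dataclass(frozen=True)
class Control:
    name: str
    stages: frozenset     # kill chain steps the control is meant to cover
    techniques: frozenset  # ATT&CK techniques it actually detects or prevents


# Constructed inventory for a hypothetical MSP client (not a real deployment).
INVENTORY = [
    Control("Email gateway", frozenset({3}), frozenset({"T1566.001"})),
    Control("EDR agent", frozenset({4, 5, 6}),
            frozenset({"T1204.002", "T1059.001", "T1053.005", "T1071.001"})),
    Control("DNS filtering", frozenset({6}), frozenset({"T1071.001"})),
    Control("Offline backups", frozenset({7}), frozenset()),  # recovery only, detects nothing
]


def coverage_report(inventory, expected=EXPECTED):
    """Per step: which controls claim it, and which expected techniques no control handles."""
    handled = frozenset().union(*(c.techniques for c in inventory))
    report = {}
    for stage, techniques in expected.items():
        report[stage] = {"stage": KILL_CHAIN[stage],
                         "controls": [c.name for c in inventory if stage in c.stages],
                         "uncovered": sorted(techniques - handled)}
    return report


def gaps(report):
    """Steps with no control at all, and steps whose controls miss expected techniques."""
    return {"no_control": [s for s, r in report.items() if not r["controls"]],
            "partial": [s for s, r in report.items() if r["controls"] and r["uncovered"]]}


def priorities(report, from_stage=3):
    """Gaps ordered earliest step first, from delivery onward where defenders hold controls."""
    g = gaps(report)
    return sorted(s for s in g["no_control"] + g["partial"] if s >= from_stage)


def incident_review(report, detected_at):
    """For an attack first detected at step `detected_at`, split the earlier steps into those
    where a control existed but did not fire (tune it) and those with no control (a gap)."""
    earlier = [s for s in report if s < detected_at]
    return {"tune": [s for s in earlier if report[s]["controls"]],
            "gap": [s for s in earlier if not report[s]["controls"]]}


if __name__ == "__main__":
    rep = coverage_report(INVENTORY)
    for s, r in rep.items():
        print(f"step {s} {r['stage']:<22} controls={r['controls'] or '-'} uncovered={r['uncovered'] or '-'}")
    print("gaps:", gaps(rep))
    print("fix first:", priorities(rep))
    print("review (detected at step 7):", incident_review(rep, 7))
```

Step 6 is the case the "false sense of completeness" limitation warns about: two controls claim it, yet neither addresses the credential dumping and lateral movement the walkthrough's attacker performed there, so the step looks covered on a stage-level map and is not. Step 7 shows the related trap of counting a recovery control as coverage. Steps 1 and 2 report as uncovered for almost any organization, which is why the priority list starts at delivery.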
How Kaseya disrupts the kill chain
Kaseya’s security platform is designed to give MSPs and lean IT teams the capability to detect and interrupt attacks at multiple kill chain stages simultaneously, without requiring a large in-house security team to make it work.
Datto EDR operates at the exploitation, installation and command and control stages. Behavioral monitoring detects abnormal process execution, persistence mechanisms and C2 beaconing, with 65+ automated response actions to isolate, terminate and quarantine before lateral movement begins. Detections are mapped to MITRE ATT&CK, giving analysts immediate context about which technique is in use and where it sits in the attack sequence.
Kaseya SIEM provides cross-surface visibility that spans the entire kill chain, correlating telemetry from 60+ data sources across endpoints, network, identity and cloud. Events that look unrelated in isolation (a failed login, an unusual process launch, anomalous outbound traffic) become a connected kill chain pattern in a single correlated incident. Four hundred days of log retention supports the forensic reconstruction needed to determine dwell time and full scope.
Kaseya MDR adds the analyst layer that turns detection into active defense. U.S.-based security analysts monitor your environment around the clock, investigate confirmed threats and execute containment before attacks progress to later stages, without requiring you to staff a 24/7 SOC to make it work.
Together, these capabilities cover the kill chain from endpoint to cloud, giving MSPs and IT teams the visibility and response depth to stop attacks well before they reach actions on objectives.