Security operationsPlanning and scopingIntermediate25 min read

What Is Kill chain? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A kill chain is a way to think about how a cyberattack happens, one step at a time. It breaks the attack into stages like planning, breaking in, and doing damage. By knowing these stages, security teams can spot and stop an attack early. It helps you understand what attackers do and how to defend against them.

Commonly Confused With

Kill chainvsDiamond Model of Intrusion Analysis

The Diamond Model is a framework that focuses on four core features of any cyber intrusion: adversary, capability, infrastructure, and victim. Unlike the kill chain, which is a linear sequence of phases, the Diamond Model is a matrix that shows relationships between these elements. It is used more for intelligence analysis and attribution, while the kill chain is used for operational defense and incident response.

If you want to know how an attack unfolded step by step, use the kill chain. If you want to map who attacked, what tool they used, and what infrastructure they relied on, use the Diamond Model.

Kill chainvsMITRE ATT&CK Framework

MITRE ATT&CK is a comprehensive knowledge base of adversary tactics and techniques, organized in a matrix. It goes much deeper than the kill chain's seven phases, ATT&CK has 14 tactics (like Persistence, Privilege Escalation, Defense Evasion) and hundreds of techniques. While the kill chain gives you the big picture of an attack from start to finish, ATT&CK gives you the detailed playbook of every possible move an attacker might make. They complement each other: the kill chain provides the narrative, and ATT&CK provides the specific techniques used at each step.

The kill chain says 'Installation,' and ATT&CK lists all the ways an attacker can install malware, including registry run keys, scheduled tasks, and services.

Kill chainvsAttack Lifecycle

The attack lifecycle is a broader, often vendor-specific model that may include more than seven phases, such as pre-attack, attack, and post-attack phases. It may also include recovery and lessons learned. The kill chain is more focused on the attacker's actions leading up to and including the breach. The lifecycle is sometimes used for planning overall security strategy, while the kill chain is more tactical for day-to-day detection.

An attack lifecycle might start with 'Motivation' and end with 'Covering Tracks,' which are not in the kill chain. The kill chain starts with Reconnaissance and ends with Actions on Objectives.

Must Know for Exams

The kill chain concept appears in multiple IT certification exams, most notably CompTIA Security+, CompTIA CySA+, CISSP, and CEH. In Security+ (SY0-601 and SY0-701), the kill chain is covered under domain 1.0 (Attacks, Threats, and Vulnerabilities) and domain 4.0 (Security Operations). You may be asked to identify the phase of an attack based on a description. For example, a question might describe an attacker scanning an organization's network for open ports, and you must recognize that this is Reconnaissance. Another question might describe a user clicking a link in a phishing email that downloads malware, you would identify Delivery and Exploitation phases.

In CySA+, the kill chain is integrated into threat hunting and incident response. You might be given a log file and asked to determine which kill chain phase an event represents, or to propose a detection strategy for a specific phase. The exam often presents scenarios where you must recommend controls to break the chain. For instance, if an attacker has established C2 communication, you might recommend network segmentation or endpoint isolation.

In CISSP, the kill chain appears in the domain of Security Operations (Domain 7). Questions may be more conceptual, asking you to compare the kill chain to other models like the Diamond Model or MITRE ATT&CK. You may also see questions about how the kill chain informs incident response processes, for example, containment strategies should aim to break the chain as early as possible.

For CEH (Certified Ethical Hacker), the kill chain is part of the ethical hacking methodology. You might be asked to sequence the phases or identify tools used at each phase. Questions often test your ability to think like an attacker, a CEH question might ask, 'After successful exploitation, what is the next phase in the kill chain?' The answer is Installation.

Across all exams, common question types include multiple-choice identification, scenario-based analysis, and ordering of phases. Some exams include performance-based questions where you drag phases into the correct order. To prepare, memorize the seven phases in order and be able to give a one-sentence description of each. Practice applying them to real-world stories like the SolarWinds attack or a ransomware incident. Knowing the kill chain will help you answer not just direct questions but also broader questions about defense-in-depth and layered security.

Simple Meaning

Imagine you are a security guard protecting a large office building. A thief wants to steal a valuable painting from a locked room on the top floor. The thief does not just appear in the room, they go through a series of steps. First, they watch the building to see when guards change shifts. Then they figure out which door has a weak lock. Next, they sneak past the front desk by pretending to be a delivery person. Once inside, they find the staircase, pick the lock on the office door, grab the painting, and escape through a window. Each step is a stage in their plan.

A kill chain in cybersecurity works the same way. It is a model that breaks a cyberattack into clear stages, from the very first idea in the attacker’s mind to the final moment when they achieve their goal, like stealing data or locking up a computer system. The most common model is called the Cyber Kill Chain, created by Lockheed Martin. It has seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

In simple terms, the kill chain gives defenders a checklist of where an attack might be happening. If you can stop the attacker at any stage, you prevent the whole attack. For example, if you block a malicious email before someone opens it, you stop the Delivery stage. If you detect strange software running on a computer, you might catch the Installation stage. The idea is to break the chain before the attacker can complete their mission. This is why understanding the kill chain is so powerful, it turns a confusing mess of hacking techniques into a clear, manageable process. You do not have to be a genius to see that stopping the thief at the front door is easier than catching them after they have already stolen the painting.

Full Technical Definition

The term 'kill chain' originates from military doctrine, describing the structure of an attack. In cybersecurity, the most widely adopted model is the Lockheed Martin Cyber Kill Chain, which outlines the sequential phases a threat actor must complete to successfully execute a cyber operation. The seven phases are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Each phase represents a specific type of activity that an adversary must perform, and each provides an opportunity for defenders to detect, disrupt, or mitigate the attack.

Reconnaissance is the phase where the attacker gathers information about the target. This can include scanning network ranges, identifying open ports, collecting email addresses from public sources, or analyzing social media profiles. Tools like Nmap, Shodan, or passive DNS queries are commonly used. Weaponization involves creating a malicious payload, often by pairing an exploit with a delivery mechanism, such as embedding a remote access trojan (RAT) into a PDF document or crafting a malicious macro in an Office file. Delivery is the method used to transmit the weaponized payload to the target, such as through phishing emails, USB drops, or drive-by downloads from compromised websites.

Exploitation occurs when the weaponized payload is triggered, taking advantage of a vulnerability to execute code on the target system. This may involve exploiting a software bug, using default credentials, or leveraging social engineering to trick a user into running a script. Installation follows, where the attacker establishes a persistent foothold, often by installing a backdoor, a service, or a scheduled task that survives reboots. Command and Control (C2) is the phase where the compromised system communicates with an external server controlled by the attacker, allowing them to send commands and receive data. Finally, Actions on Objectives is the end goal, data exfiltration, ransomware deployment, privilege escalation, or lateral movement to other systems.

In practice, the kill chain is not always linear. Advanced persistent threats (APTs) may loop back through phases, and modern attacks often use multiple kill chains simultaneously. Security operations centers (SOCs) use the kill chain to correlate alerts, prioritize incidents, and guide response actions. For example, a detection at the Delivery phase (e.g., a flagged phishing email) might trigger a block at the email gateway, while detection at the C2 phase (e.g., unusual outbound traffic) might prompt network segmentation. Frameworks like MITRE ATT&CK complement the kill chain by providing a more granular taxonomy of tactics and techniques. Understanding the kill chain is essential for IT professionals because it provides a structured way to think about defense, you cannot stop what you cannot see, and the kill chain helps you see where to look.

Real-Life Example

Think about a home security system. You want to protect your house from a burglar. The burglar does not just appear inside your living room. They go through a predictable series of actions. First, they drive through your neighborhood to see which houses have dogs or security cameras. That is reconnaissance. Then they decide to use a crowbar to force open a window, that is weaponization, preparing their tool. Next, they walk up to your back door and try the handle, that is delivery, making contact with your house. If the door is unlocked, they enter easily, that is exploitation, taking advantage of a weakness. Once inside, they might hide in a closet until they know you are gone, that is installation, establishing a hidden presence. Then they might use a cell phone to call a partner to ask where the valuables are, that is command and control. Finally, they grab your laptop and jewelry and leave, that is actions on objectives.

Now map this to the cyber kill chain. The attacker scouts your company’s network by scanning for open ports (reconnaissance). They create a malicious Word document with a macro (weaponization). They email it to an employee (delivery). The employee opens the document, and the macro runs, installing malware (exploitation and installation). The malware phones home to a server the attacker controls (command and control). The attacker then steals customer data (actions on objectives). By understanding this chain, you can add defenses at each step: a firewall blocks reconnaissance scans, email filters block the malicious document, endpoint detection prevents the macro from running, and network monitoring detects the unusual outbound connection. Just like a home security system with cameras, locks, and motion sensors, the kill chain helps you layer defenses so that even if one barrier fails, another stops the attack.

Why This Term Matters

In the real world of IT, attacks are constant and evolving. Security teams deal with hundreds of alerts every day, many of which are false alarms. Without a clear framework like the kill chain, it is easy to get lost in the noise and miss the real threats. The kill chain gives every team member a shared language and a mental model for thinking about attacks. When a SOC analyst sees a suspicious email, they can say, 'This looks like a Delivery event in the kill chain,' and the response team knows immediately what to do, quarantine the email, check if anyone clicked, and scan for related indicators.

For IT professionals, the kill chain is not just theory. It drives practical decisions. When you design a network, you think about how to break the chain. For example, you place firewalls at the perimeter to block reconnaissance scans, you use email security gateways to stop malicious attachments at delivery, you enforce application whitelisting to prevent exploitation and installation, and you restrict outbound traffic to detect command and control channels. The kill chain also helps with incident response. If a breach happens, the team maps the attack back through the chain to understand how it started, what went wrong, and how to prevent it next time.

the kill chain is foundational for many security frameworks and certifications. CompTIA Security+, CISSP, and other exams expect you to know the phases and how they apply to defense. Employers look for candidates who can articulate the kill chain because it shows you understand the big picture of cybersecurity. It is not enough to know how to configure a firewall, you need to know why you are configuring it. The kill chain gives you that 'why.' Without it, security becomes a collection of random tools. With it, you have a strategy.

How It Appears in Exam Questions

On certification exams, the kill chain is tested in several distinct question formats. The most straightforward is the identification question. You are given a short scenario and asked to select which kill chain phase is being described. For example: 'An attacker uses a spear-phishing email to deliver a malicious attachment to an employee. Which phase of the Cyber Kill Chain does this represent?' The answer is Delivery. Another variation might describe the attacker after the malware is installed and is communicating with an external server. That would be Command and Control.

A second common pattern is the order-of-operations question. You might be asked to arrange the kill chain phases in the correct sequence. This often appears as a drag-and-drop question in the CompTIA Security+ exam. You are given seven boxes labeled Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. You must place them in the correct order. Remembering the mnemonic 'Really Weird Dogs Eat Ice Cream Always' (for Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions) can help.

Scenario-based questions test deeper understanding. For instance: 'A company has deployed an email filter that blocks attachments with macros. Which phase of the kill chain does this control primarily target?' The answer is Delivery. Another scenario might ask: 'During an incident response, an analyst discovers that an attacker has been sending commands to a compromised server for three weeks. Which phase should the analyst focus on containing?' That would be Command and Control.

Troubleshooting-style questions may ask you to interpret logs. A sample log entry shows a connection from an internal IP to a known malicious IP on port 443, occurring at regular intervals. The question: 'Which kill chain phase does this activity represent?' The answer is Command and Control because the system is beaconing out.

Some exams, like CISSP, may ask comparative questions: 'How does the Cyber Kill Chain differ from the Diamond Model of intrusion analysis?' You would need to know that the Kill Chain is phase-based and linear, while the Diamond Model focuses on four core features (adversary, capability, infrastructure, victim).

In all cases, the key is to read the scenario carefully and map the action described to the most specific phase. Phases can overlap, for example, exploitation and installation often happen in the same action. But exam questions usually have one clear answer. Focus on the verb in the scenario: scanning = Reconnaissance, sending = Delivery, running code = Exploitation, persisting = Installation, calling home = C2, exfiltrating = Actions.

Practise Kill chain Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the IT security analyst for a mid-sized company called GreenLeaf Technologies. One morning, you receive an alert from your email security gateway. It flagged an email sent to the finance department from an external address claiming to be a vendor. The email contains an attached invoice.docx file. Your job is to analyze this using the kill chain model.

First, consider Reconnaissance. The attacker likely researched GreenLeaf's vendors and found out that they use a specific accounting software. They may have even visited the company website to find the finance team's email addresses. This phase happened before the email was sent. Next is Weaponization. The attacker took a legitimate invoice template and embedded a malicious macro into it. The macro, when enabled, will download a remote access tool. This step happened on the attacker's computer before the email was composed.

The Delivery phase is the email itself. It was sent and delivered to the finance team's inboxes. One employee, Bob, opens the attachment and ignores the security warning about macros. He clicks 'Enable Content.' That triggers the Exploitation phase, the macro runs and exploits a vulnerability in Microsoft Office to execute code. Immediately after, the Installation phase begins. The code installs a backdoor program that configures itself to start every time Bob logs in.

Now the attacker has a foothold. The malware contacts a remote server on the internet, that is Command and Control. The attacker can now send commands to Bob's computer. Finally, in the Actions on Objectives phase, the attacker searches for financial records, compresses them, and uploads them to a cloud storage account they control.

As the analyst, you notice the email alert early. You block the email from reaching anyone else, quarantine Bob's computer, and check for outbound connections to suspicious IPs. By understanding the kill chain, you realize that you caught the attack at Delivery and Exploitation. You prevented further spread, but Bob's machine is compromised. Your incident response plan now focuses on wiping Bob's computer and restoring from a clean backup. This scenario shows how the kill chain helps you act fast and systematically.

Common Mistakes

Confusing Reconnaissance with Scanning specifically. Learners think every Recon phase only involves active scanning, but it can include passive information gathering like social media research.

Reconnaissance includes both passive and active methods. The exam expects you to recognize passive methods (like looking at LinkedIn profiles) as part of Reconnaissance as well.

Remember that Reconnaissance is any information gathering before the attack. It can be passive (checking websites) or active (port scanning).

Thinking that Exploitation and Installation are always separate steps that happen at different times. In many attacks, they occur in the same action, for example, a drive-by download automatically installs malware without user interaction.

While the kill chain lists them sequentially, real-world attacks often combine them. For exam questions, treat them as separate phases but know they can happen simultaneously.

For exams, learn the definitions separately. Exploitation is the trigger that runs code. Installation is the persistence mechanism. Even if they happen together, the question will likely ask about one specific action.

Believing the kill chain is always a linear, one-direction process. Learners assume an attacker never goes backward. In reality, attackers may repeat phases, especially during lateral movement.

The model is a simplification. Advanced attacks loop back to earlier phases after gaining initial access. For example, after installation, the attacker may perform new reconnaissance on internal systems.

Understand that the kill chain is a guideline, not a rigid law. For exam purposes, assume the linear order, but know that in practice, attackers may cycle through phases multiple times.

Mistaking the Actions on Objectives phase for only data theft. Learners think it always means exfiltration. However, it can also include destroying data, deploying ransomware, or using the compromised system to attack others.

The final phase is whatever the attacker's goal is. It could be encryption for ransom, deletion for sabotage, or pivoting to another system. The exam may test this variety.

Remember that Actions on Objectives equals the attacker's end goal. That goal varies. In questions, look for clues like 'encrypts all files' or 'steals credit card numbers' to identify this phase.

Thinking that the kill chain only applies to external attacks. Learners forget that insider threats also follow a kill chain, the insider may perform reconnaissance on internal systems, escalate privileges, and exfiltrate data.

The model applies to any attacker, internal or external. The phases are the same, though the starting point may be different (e.g., already inside the network).

When studying, remember that the kill chain is attacker-agnostic. It works for insiders, outsiders, nation-states, and script kiddies. Apply the same logic to all threat actors.

Exam Trap — Don't Get Fooled

{"trap":"A question describes an attacker who sends a phishing email with a link to a fake login page. The user enters credentials, and the attacker uses those credentials to log in to the real system. The question asks: 'Which kill chain phase is the attacker in when they log in to the system?'

Many learners choose Exploitation, because the attacker is using stolen credentials to access the system.","why_learners_choose_it":"They see 'log in' and 'access' and think that exploitation means gaining unauthorized access. They confuse the technical exploit of a vulnerability with the use of legitimate credentials."

,"how_to_avoid_it":"Exploitation requires a vulnerability, a flaw in software, configuration, or human behavior that allows code execution or privilege escalation. Using stolen credentials to authenticate is not exploitation; it is simply logging in. In this scenario, the attacker already has the credentials.

The kill chain phase is Actions on Objectives, because the attacker is using the access to achieve their goal (e.g., stealing data). The phishing email was the Delivery phase, and the credential harvesting was part of the attack chain, but the login itself is the objective.

Remember: exploitation = breaking something, actions = using the access."

Step-by-Step Breakdown

1

Reconnaissance

The attacker gathers information about the target. This includes scanning for open ports, identifying software versions, collecting email addresses from public sources, and studying social media profiles. The goal is to find weaknesses to exploit. Defenders can disrupt this phase by limiting publicly available information and using firewalls to block scans.

2

Weaponization

The attacker creates a malicious payload. This often involves pairing an exploit with a delivery mechanism, such as embedding malware in a PDF or Office document, or crafting a malicious link. The payload is designed to be triggered by the target. Defenders have limited visibility into this phase because it happens on the attacker's systems.

3

Delivery

The attacker transmits the weaponized payload to the target. Common delivery methods include phishing emails, USB drops, compromised websites, or direct network attacks. Defenders can block this phase with email filters, web proxies, and user awareness training.

4

Exploitation

The weaponized payload is triggered, exploiting a vulnerability to execute code on the target system. This could be a software bug, a misconfiguration, or a user action like enabling a macro. Defenders can prevent exploitation by patching vulnerabilities, using application whitelisting, and educating users.

5

Installation

The attacker establishes a persistent foothold by installing malware, backdoors, or other mechanisms that ensure continued access. Common methods include adding entries to the Windows registry, creating scheduled tasks, or installing services. Defenders can detect installation by monitoring for new processes, registry changes, and unexpected files.

6

Command and Control (C2)

The compromised system establishes communication with an external server controlled by the attacker. This allows the attacker to send commands and receive data. C2 traffic often uses encrypted channels to evade detection. Defenders can detect C2 by monitoring outbound connections, analyzing network traffic for beaconing patterns, and using threat intelligence feeds.

7

Actions on Objectives

The attacker achieves their goal. This may involve data exfiltration, ransomware deployment, privilege escalation, lateral movement to other systems, or destruction of data. Defenders can disrupt this phase by implementing data loss prevention (DLP), network segmentation, and strict access controls.

Practical Mini-Lesson

The kill chain is not just a theoretical model, it drives real-world security operations. As a security professional, you will use it daily in your SOC, during incident response, and when designing security architectures. The first thing to understand is that the kill chain helps you prioritize your defenses. You do not have to protect everything equally; you focus on breaking the chain at the earliest possible phase. For example, if you can block most attacks at Delivery (via email filtering), you save resources that would otherwise be spent on detecting malware after it is already installed. This is why security awareness training is so important, a user who does not click a phishing link breaks the chain at Delivery.

In practice, security tools are mapped to the kill chain. Your endpoint detection and response (EDR) solution might alert you at the Installation or C2 phases. Your network-based intrusion detection system (NIDS) might catch reconnaissance scans or C2 traffic. Your SIEM (Security Information and Event Management) correlates events across phases to give you the full story. When an incident occurs, your response team will use the kill chain to reconstruct the attack timeline. They will ask: How did the attacker get in? That is Exploitation. How did they stay in? That is Installation. How did they communicate? That is C2. What did they take? That is Actions on Objectives.

One common mistake in practice is over-reliance on the kill chain as a rigid checklist. Real attacks are messy. For instance, a ransomware attack might skip some phases or combine them. WannaCry used a worm that automatically delivered, exploited, installed, and acted on objectives in a single burst, the kill chain collapsed into seconds. In such cases, you still use the model to understand the attack, but you adjust your response accordingly. Another practical challenge is that many organizations do not have visibility into all phases. You might have great email filters but no visibility into outbound C2 traffic. The kill chain helps you identify those gaps.

To apply the kill chain in your job, start by mapping your current security tools to each phase. If you have no tool monitoring the Reconnaissance phase, that is a gap. Consider adding a vulnerability scanner or honeypots to detect early probing. If your users are not trained, your Delivery phase is weak. Implement phishing simulations. If you have no EDR, your Installation and C2 phases are blind spots. Advocate for endpoint monitoring. The kill chain is your roadmap for building a defense-in-depth strategy. It turns security from a guessing game into a structured discipline.

Memory Tip

Remember the seven phases with the mnemonic 'Really Weird Dogs Eat Ice Cream All the Time', Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives. Focus on C2 being the 'phone home' phase.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

Is the kill chain only for advanced persistent threats (APTs)?

No, the kill chain applies to any cyberattack, from a simple phishing scam to a nation-state intrusion. It describes the general process an attacker follows, regardless of skill level. However, simple attacks may skip or combine phases.

How is the kill chain different from the MITRE ATT&CK framework?

The kill chain is a high-level model with seven phases. MITRE ATT&CK is a detailed matrix with 14 tactics and hundreds of specific techniques. Think of the kill chain as the main plot points and ATT&CK as the script with every line of dialogue.

Can the kill chain be used to defend against insider threats?

Yes, because an insider also goes through phases like reconnaissance (learning the network), exploitation (using legitimate access to gain more permissions), and actions on objectives (stealing data). The model helps identify insider activity at each stage.

What is the most important phase to block in the kill chain?

Blocking the Delivery phase is often the most effective because it prevents the attacker from reaching the internal network. However, you need defenses at every phase because no single control is foolproof. Defense in depth is the goal.

Do all attacks follow the kill chain order strictly?

Not always. The kill chain is a model, not a law. Attacks may loop, skip phases, or combine them. For example, a waterhole attack combines Delivery and Exploitation in one step. But the model still helps you understand the attack logic.

How do I remember the 7 phases for an exam?

Use the mnemonic 'Really Weird Dogs Eat Ice Cream All the Time', for Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions. Practice listing them in order until it becomes automatic.

Summary

The kill chain is a foundational concept in cybersecurity that every IT professional should understand. It breaks a cyberattack into seven clear, sequential phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. This model gives defenders a shared language and a structured approach to detecting, analyzing, and stopping attacks. By knowing each phase, you can implement targeted controls, from firewalls that block reconnaissance scans to email filters that block malicious attachments, from endpoint detection that catches malware installation to network monitoring that spots command and control traffic.

For certification exams, the kill chain appears in CompTIA Security+, CySA+, CISSP, CEH, and others. You will face identification questions, ordering questions, and scenario-based analysis. Memorize the seven phases in order and practice applying them to real-world stories like phishing attacks and ransomware outbreaks. The kill chain is not just exam material, it is a practical tool you will use every day in security operations. It helps you prioritize threats, guide incident response, and communicate clearly with your team.

The key takeaway is that the kill chain turns the chaos of cyberattacks into a manageable process. You do not need to be a security expert to benefit from it. By thinking in terms of the chain, you can answer questions like 'What just happened?' and 'What do I do next?' with confidence. Keep the mnemonic in mind, study the phases, and remember that breaking the chain at any point stops the attack. This is the core of defense-in-depth, and it is exactly what your certifications, and your future job, will demand.