Cyber Kill Chain®

Proactively detect persistent threats.

The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. Register to view our on-demand webcast on applying intelligence to your cyber defense strategy.


The Cyber Kill Chain®

The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.

Stopping adversaries at any stage breaks the chain of attack! Adversaries must progress through every phase to succeed, which puts the odds in the defender’s favor. Every intrusion is a chance to learn more about our adversaries and turn their persistence to our advantage.



1: Reconnaissance

Detecting reconnaissance as it happens can be very difficult, but when defenders discover recon – even well after the fact – it can reveal the intent of the adversaries.



2: Weaponization

This is an essential phase for defenders to understand. Though they cannot detect weaponization as it happens, they can infer it by analyzing malware artifacts. Detections built on weaponizer artifacts are often the most durable and resilient defenses.



3: Delivery

This is the first and most important opportunity for defenders to block the operation. A key measure of effectiveness is the fraction of intrusion attempts that are blocked at the delivery stage.



4: Exploitation

Traditional hardening measures add resiliency here, but custom capabilities are necessary to stop zero-day exploits at this stage.



5: Installation

Use endpoint instrumentation to detect and log installation activity. Analyze the installation phase during malware analysis to create new endpoint mitigations.



6: Command & Control

The defender’s last best chance to block the operation is to block the C2 channel. If adversaries can’t issue commands, defenders can prevent impact.



7: Actions on Objectives

The longer an adversary has CKC7 access, the greater the impact. Defenders must detect this stage as quickly as possible, using forensic evidence, including network packet captures, for damage assessment.
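As an added example (not part of this page or of the Cyber Kill Chain® materials), the following Python tally scores a set of intrusion attempts against the seven phases above: it reports how far each attempt progressed, where it was stopped, and the fraction blocked at the delivery stage that the page names as a key measure of effectiveness. The record shape and the sample cases are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# The seven phases in kill-chain order, as named on this page.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
PHASE_INDEX = {name: i for i, name in enumerate(PHASES)}


@dataclass(frozen=True)
class Intrusion:
    """One intrusion attempt (record shape is an assumption of this example)."""
    case_id: str
    last_phase: str  # furthest phase for which defenders found evidence
    blocked: bool    # True if the attempt was stopped at last_phase


def phase_funnel(intrusions):
    """Per phase: (attempts that reached it, attempts stopped there).
    Reaching phase N implies every earlier phase was traversed too."""
    reached, stopped = Counter(), Counter()
    for i in intrusions:
        if i.last_phase not in PHASE_INDEX:
            raise ValueError(f"{i.case_id}: unknown phase {i.last_phase!r}")
        for phase in PHASES[: PHASE_INDEX[i.last_phase] + 1]:
            reached[phase] += 1
        if i.blocked:
            stopped[i.last_phase] += 1
    return {p: (reached[p], stopped[p]) for p in PHASES}


def delivery_block_fraction(intrusions):
    """Key measure from the page: share of attempts reaching Delivery that were stopped there."""
    reached, stopped = phase_funnel(intrusions)["Delivery"]
    return stopped / reached if reached else 0.0


def chain_completed(intrusions):
    """Case ids that were never blocked and reached Actions on Objectives (CKC7)."""
    return [i.case_id for i in intrusions
            if not i.blocked and i.last_phase == PHASES[-1]]


# Constructed sample records, not real incident data.
SAMPLE = [
    Intrusion("case-1", "Delivery", True),
    Intrusion("case-2", "Delivery", True),
    Intrusion("case-3", "Exploitation", True),
    Intrusion("case-4", "Command & Control", True),
    Intrusion("case-5", "Actions on Objectives", False),
]
```

Every phase earlier than the one where an attempt was stopped counts as a missed detection opportunity, so the funnel also shows which earlier phases deserve new detections.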


Gaining the advantage.

Guide: Download the analyst’s guide to understanding and applying the Cyber Kill Chain® analytic framework to network defense.


Change how your team handles incidents.

White Paper: Examine seven ways to apply the Cyber Kill Chain® with a threat intelligence platform.