Cyber Kill Chain®

Proactively detect persistent threats.

The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. Register to view our on-demand webcast on applying intelligence to your cyber defense strategy.


The Cyber Kill Chain®

The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what adversaries must complete in order to achieve their objective.

Stopping adversaries at any stage breaks the chain of attack! Adversaries must completely progress through all phases for success – this puts the odds in the defender’s favor. Every intrusion is a chance to understand more about our adversaries and use their persistence to our advantage. The video below steps through a hypothetical attack to illustrate how network defenders can use this proven analytic framework to gain the advantage:


1: Reconnaissance

Detecting reconnaissance as it happens can be very difficult, but when defenders discover recon – even well after the fact – it can reveal the intent of the adversaries.


2: Weaponization

This is an essential phase for defenders to understand. Though they cannot detect weaponization as it happens, they can infer it by analyzing malware artifacts. Detections against weaponizer artifacts are often the most durable and resilient defenses.


3: Delivery

This is the first and most important opportunity for defenders to block the operation. A key measure of effectiveness is the fraction of intrusion attempts that are blocked at the delivery stage.


4: Exploitation

Here traditional hardening measures add resiliency, but custom capabilities are necessary to stop zero-day exploits at this stage. 


5: Installation

Use endpoint instrumentation to detect and log installation activity. Analyze the installation phase during malware analysis to create new endpoint mitigations.


6: Command & Control

This is the defender’s last best chance to block the operation, by blocking the C2 channel. If adversaries can’t issue commands, defenders can prevent impact.


7: Actions on Objectives

The longer an adversary has CKC7 access, the greater the impact. Defenders must detect this stage as quickly as possible, using forensic evidence, including network packet captures, for damage assessment.



Leidos Cyber Inc. is a leading provider of cyber security products and services, and was acquired by Leidos through the merger of Lockheed Martin IS&GS and Leidos on August 16th, 2016. Leidos Cyber's products and services leverage heritage Lockheed Martin IS&GS intellectual property and processes, including services provided using Lockheed Martin's Cyber Kill Chain® framework and Intelligence Driven Defense® methodology. (Cyber Kill Chain® and Intelligence Driven Defense® are registered trademarks of Lockheed Martin).

Gaining the advantage.

Guide: Download the analyst’s guide to understanding and applying the Cyber Kill Chain® analytic framework to network defense.


Change how your team handles incidents.

White Paper: Examine seven ways to apply the Cyber Kill Chain® with a threat intelligence platform.