
What is the Cyber Kill Chain?

What is the Cyber Kill Chain in cyber security?

The Cyber Kill Chain is a concept introduced by Lockheed Martin that represents the stages or steps involved in a cyberattack. It serves as a framework for understanding and analyzing the different phases of an attack, from the initial reconnaissance to achieving the attacker’s objective.

What are the key steps or stages in the Cyber Kill Chain framework?

The Cyber Kill Chain typically consists of the following stages:

1. Reconnaissance: Gathering information about the target.

2. Weaponization: Creating or obtaining a malicious payload.

3. Delivery: Transmitting the payload to the target.

4. Exploitation: Taking advantage of vulnerabilities to execute the payload.

5. Installation: Installing the attack vector on the victim’s system.

6. Command & Control (C2): Establishing communication with the compromised system.

7. Actions on Objectives: Achieving the attacker’s ultimate goal.

How does the Cyber Kill Chain model help organizations understand cyber-attacks?

The Cyber Kill Chain model helps organizations by providing a structured framework to:

  • Visualize and understand the stages of an attack.
  • Identify and focus on critical points in the attack process.
  • Develop strategies and defenses to detect and mitigate threats at each stage.
  • Enhance incident response capabilities by recognizing where in the chain an attack can be disrupted or prevented.

What is the first stage of the Cyber Kill Chain?

The first stage of the Cyber Kill Chain is “Reconnaissance.” This stage involves the attacker gathering information about the target, such as identifying potential vulnerabilities, key personnel, network configurations, and security measures in place. This phase can include passive techniques like open-source intelligence (OSINT) gathering or active scanning and probing of the target’s system.

What is "Weaponization" in the context of the Cyber Kill Chain?

“Weaponization” is the stage where the attacker creates or obtains a malicious payload, such as malware or a weaponized document. The payload is prepared to exploit specific vulnerabilities, which could have been discovered during the Reconnaissance stage, and achieve the attacker’s objectives when delivered to the target.

What is the significance of the "Delivery" stage in the Cyber Kill Chain?

The “Delivery” stage is where the attacker transmits a malicious payload to the target. This can occur through various means, including phishing emails, infected attachments, or compromised websites. Successful delivery is crucial for the attack to progress to the next stages.

How does "Exploitation" fit into the Cyber Kill Chain, and what does it involve?

“Exploitation” involves taking advantage of vulnerabilities identified during reconnaissance to execute the malicious payload delivered in the previous stage. This could include exploiting software vulnerabilities, weak configurations, or human errors to gain control over the target system.

How does "Command and Control" function in the Cyber Kill Chain, and why is it important?

“Command and Control” (C2) is the stage where the attacker establishes communication with the compromised system or network. This communication allows the attacker to maintain control, deliver commands, and receive data from the compromised systems. It is a critical stage as it enables ongoing interaction and control over the target.

What is the "Actions on Objective" stage, and why is it the final step in the Cyber Kill Chain?

The “Actions on Objective” stage is the final step in the Cyber Kill Chain, representing the attacker’s ultimate goal, which could include data theft, system disruption, or other malicious activities. It signifies the completion of the attack’s primary objective.

How can security solutions and strategies be applied to detect and prevent cyberattacks at various stages of the Cyber Kill Chain?

Organizations can apply security solutions and strategies to detect and prevent cyberattacks at various stages of the Cyber Kill Chain:


Reconnaissance

Network monitoring can be used to detect suspicious activity such as unauthorized network scans. Users can also undergo security awareness training to be mindful about what they post online.

Weaponization and Delivery

Use email filtering and web filtering solutions to block malicious content and mitigate potential phishing attempts.


Exploitation

Run regular vulnerability scans or penetration tests to identify vulnerabilities within the system that need to be patched. Intrusion Detection Systems or Intrusion Prevention Systems can also be used to detect and block exploitation attempts.

Command and Control

Utilize network monitoring and behavior analysis to identify unusual communication patterns. Firewall or DNS filtering can also be used to block unwanted connections.

Actions on Objective

Implement data loss prevention (DLP) and encryption to protect valuable assets.

Besides proactive defense strategies that prevent attackers from gaining an initial foothold in the system, security teams should also be sufficiently prepared with incident response strategies to deal with the later stages of the Cyber Kill Chain.
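The network-monitoring defenses listed above for Reconnaissance (unauthorized scans) and Command and Control (unusual communication patterns) can be expressed as detection logic that tags each finding with its kill chain stage. The Python below is an added example, not Darktrace's code or method; the flow-record layout, the thresholds, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (epoch_s, src, dst, dst_port); RFC 5737 documentation IPs.
FLOWS = (
    # 203.0.113.7 touches 12 different ports on one host within 12 seconds
    [(1000 + i, "203.0.113.7", "192.0.2.10", 20 + i) for i in range(12)]
    # 192.0.2.10 calls out to one address roughly every 60 seconds
    + [(2000 + 60 * i + j, "192.0.2.10", "198.51.100.5", 443)
       for i, j in enumerate([0, 1, 0, -1, 0, 1, 0, 0])]
    # ordinary, irregular client traffic
    + [(t, "192.0.2.20", "198.51.100.80", 443) for t in (2010, 2013, 2400, 2405, 3900)]
)

def detect_scans(flows, window=60, min_ports=10):
    """Reconnaissance: one source reaching many distinct ports on a host in a short window."""
    seen = defaultdict(list)
    for ts, src, dst, port in sorted(flows):      # sorted, so each list is in time order
        seen[(src, dst)].append((ts, port))
    hits = []
    for pair, events in seen.items():
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits.append(pair)
                break
    return hits

def detect_beacons(flows, min_conns=6, max_jitter=0.1):
    """Command and Control: repeated connections at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        times[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, _), ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # A low coefficient of variation (stdev / mean) means machine-like regularity.
        if len(ts) >= min_conns and mean(gaps) > 0 \
                and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append((src, dst))
    return hits

def kill_chain_findings(flows):
    """Tag each detection with the kill chain stage it belongs to."""
    return ([("Reconnaissance", s, d) for s, d in detect_scans(flows)]
            + [("Command and Control", s, d) for s, d in detect_beacons(flows)])

if __name__ == "__main__":
    for stage, src, dst in kill_chain_findings(FLOWS):
        print(f"{stage}: {src} -> {dst}")
```

In the constructed data the scanned host later appears as the source of the regular outbound connections, which is the kind of stage-to-stage correlation the framework is meant to surface.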
