Cyber Kill Chain

A cyber kill chain is a staged model that describes how an attack or intrusion progresses from early activity to later impact. In plain language, it breaks a campaign into ordered phases so defenders can decide where to prevent, detect, or interrupt it.

Why It Matters

Kill-chain thinking matters because security teams need frameworks that make complex attacks easier to reason about. Staged models can help teams organize detections, understand which controls matter at which point, and explain incidents more clearly after the fact.

It also matters because a campaign does not need to reach its final objective to be dangerous. The earlier a team can recognize and interrupt the progression, the less opportunity the attacker has to expand the incident.

Phase focus             Defensive goal
Early activity          Prevent or detect quickly
Mid-stage movement      Contain and limit spread
Later-stage impact      Protect critical assets

Defensive Use of a Kill Chain

Defensive question                     Example outcome
Where did we detect the activity?      Identify visibility gaps in earlier stages
Where could we have interrupted it?    Improve controls at higher-leverage points
Which stage caused the most risk?      Focus follow-up on the most damaging progression

Where It Appears in Real Systems or Security Workflow

Kill chains appear in Threat Intelligence, Detection Engineering, Threat Hunting, post-incident analysis, and adversary-simulation exercises. Teams connect them to Attack Path, Attack Graph, Credential Theft, Lateral Movement, and Attack Campaign.

Security teams use the model to ask where defenses are strongest, where visibility is weak, and which stages would most reduce impact if interrupted earlier.

Practical Example

A team reviewing a phishing-driven incident maps the sequence from the deceptive email to credential theft, use of the stolen credentials to gain broader access, and attempted internal spread. Laid out stage by stage, the incident shows where email filtering, identity controls, and internal detections each did or did not interrupt the progression, and which earlier stages passed without any alert at all.
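The following script is an added example, not code from the original page; it implements the review described above and the three defensive questions in the table earlier on this page. It takes a constructed incident record (the events, timestamps, control names and stage names are all assumptions made up for illustration, and the four stage names simply follow the phishing sequence described in the paragraph), maps each event to a stage, and reports where the first alert or block happened, which earlier stages had only passive logging or nothing at all, and how far the attacker got.

```python
"""Map incident events onto kill-chain stages and find where defenses
interrupted (or failed to interrupt) the progression.
Added example with a constructed incident; not real telemetry."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered stages following the phishing incident described on the page.
# The names are assumptions for this example, not a standard vocabulary.
STAGES = ["delivery", "credential_theft", "access_expansion", "internal_spread"]

# Strength of what a control did at a stage, strongest last.
OUTCOME_RANK = {"missed": 0, "logged_only": 1, "alerted": 2, "blocked": 3}


@dataclass(frozen=True)
class Event:
    ts: str       # ISO-8601 timestamp (same format for all events, so strings sort)
    stage: str    # one of STAGES
    control: str  # control or telemetry source that observed the activity
    outcome: str  # one of OUTCOME_RANK keys
    detail: str


# Constructed incident record: the mail is delivered, the user is phished,
# the attacker uses the credentials, and then tries to spread internally.
INCIDENT: List[Event] = [
    Event("2026-04-20T08:02Z", "delivery", "email_gateway", "logged_only",
          "Mail with credential-harvesting link delivered; link not flagged"),
    Event("2026-04-20T08:15Z", "credential_theft", "web_proxy", "logged_only",
          "User browsed to look-alike login page; proxy logged, did not block"),
    Event("2026-04-20T09:40Z", "access_expansion", "identity_provider", "logged_only",
          "Sign-in from unfamiliar location with phished credentials succeeded"),
    Event("2026-04-20T10:05Z", "access_expansion", "identity_provider", "alerted",
          "Impossible-travel alert raised on the same account"),
    Event("2026-04-20T10:30Z", "internal_spread", "edr", "blocked",
          "Remote execution attempt against a file server blocked by EDR"),
]


def _check(events: List[Event]) -> None:
    """Reject events that use a stage or outcome outside the model."""
    for e in events:
        if e.stage not in STAGES:
            raise ValueError(f"unknown stage {e.stage!r}")
        if e.outcome not in OUTCOME_RANK:
            raise ValueError(f"unknown outcome {e.outcome!r}")


def stage_summary(events: List[Event]) -> Dict[str, str]:
    """Strongest defensive outcome seen at each stage ('missed' if no event)."""
    _check(events)
    best = {s: "missed" for s in STAGES}
    for e in events:
        if OUTCOME_RANK[e.outcome] > OUTCOME_RANK[best[e.stage]]:
            best[e.stage] = e.outcome
    return best


def first_interruption(events: List[Event]) -> Optional[Event]:
    """Earliest event, by time, where a control alerted or blocked."""
    _check(events)
    acted = [e for e in events if OUTCOME_RANK[e.outcome] >= OUTCOME_RANK["alerted"]]
    return min(acted, key=lambda e: e.ts) if acted else None


def visibility_gaps(events: List[Event]) -> List[str]:
    """Stages earlier than the first interruption where nothing alerted or
    blocked: the candidates for 'where could we have interrupted it?'."""
    hit = first_interruption(events)
    summary = stage_summary(events)
    limit = len(STAGES) if hit is None else STAGES.index(hit.stage)
    return [s for s in STAGES[:limit]
            if OUTCOME_RANK[summary[s]] < OUTCOME_RANK["alerted"]]


def furthest_stage(events: List[Event]) -> Optional[str]:
    """Latest stage the attacker reached, i.e. how far the progression got."""
    _check(events)
    reached = [STAGES.index(e.stage) for e in events]
    return STAGES[max(reached)] if reached else None


def review(events: List[Event]) -> Dict[str, object]:
    """Answer the page's three review questions for one incident."""
    hit = first_interruption(events)
    return {
        "detected_at_stage": hit.stage if hit else None,
        "detected_by": hit.control if hit else None,
        "earlier_stages_without_detection": visibility_gaps(events),
        "furthest_stage_reached": furthest_stage(events),
        "stage_summary": stage_summary(events),
    }


if __name__ == "__main__":
    for key, value in review(INCIDENT).items():
        print(f"{key}: {value}")
```

For the constructed incident the first interruption is the identity provider's alert at the access-expansion stage, so delivery and credential theft are reported as stages that passed with logging but no alert; those two stages are where the team would look first for a higher-leverage control. Ranking outcomes rather than just counting events is deliberate: a stage with ten log lines and no alert is still a visibility gap.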

Common Misunderstandings and Close Contrasts

A kill chain is not the same as one Attack Path. Attack paths focus on routes through the environment. A kill chain focuses on stages in the broader progression of an attack or campaign.

It is also different from a complete incident timeline. A timeline records what happened in one case. A kill-chain model provides a more general staged framework for reasoning about attack progression.

Knowledge Check

  1. Why do defenders use kill-chain models? To reason about attack progression and identify where prevention, detection, or containment can interrupt it.
  2. How is a kill chain different from an incident timeline? A timeline records one event sequence; a kill chain is a general staged model.
Revised on Friday, April 24, 2026