What is the Kill Chain?

The Cyber Kill Chain is a framework developed by Lockheed Martin that describes seven sequential stages of a targeted cyberattack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

How the Kill Chain Works

The model was adapted from military targeting doctrine to describe how APT actors conduct campaigns. Each stage must be completed for the attack to succeed, which means defenders have multiple opportunities to detect and disrupt it.

Reconnaissance: the attacker gathers target information (OSINT, scanning).
Weaponization: a delivery mechanism is created (exploit, macro document).
Delivery: the weapon reaches the target (phishing email, compromised website).
Exploitation: the vulnerability is triggered.
Installation: malware establishes persistence.
Command and Control (C2): the attacker establishes a communication channel.
Actions on Objectives: the attacker achieves their goal (data theft, ransomware, sabotage).

The earlier in the chain a defender detects and disrupts, the lower the impact. Blocking at Delivery (catching the phishing email) is far better than detecting at Actions on Objectives (noticing ransomware during encryption). Defense-in-depth and proactive controls at each stage are superior to purely reactive detection.

Kill Chain in SOC Operations

Kill Chain thinking helps you contextualize where in an attack you are seeing activity. Detecting C2 beaconing means the attacker has already completed Reconnaissance through Installation. You must immediately scope for lateral movement and data access, not just block the C2. Detecting a phishing delivery attempt means you can prevent the entire attack by blocking delivery and warning the targeted user.
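The following Python script is an added example, not code from this page or from SOCSimulator. It ties the ordered seven-stage list above to the SOC point just made: a simple beaconing detector runs over constructed firewall connection records (timestamps, the 10.0.0.x and 203.0.113.x/198.51.100.x addresses, the 10 % jitter threshold and the minimum of four connections are all assumptions chosen for the example), and each hit is placed at the Command and Control stage. From the stage position the script derives which stages the attacker must already have completed and the scoping actions that follow, rather than stopping at "block the C2".

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The seven stages, in the order the page lists them.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]


def stages_completed_before(stage):
    """Stages the attacker must already have finished if activity is seen at `stage`."""
    return KILL_CHAIN[:KILL_CHAIN.index(stage)]


def stages_remaining_after(stage):
    """Stages still ahead of the attacker, i.e. where a defender can still disrupt."""
    return KILL_CHAIN[KILL_CHAIN.index(stage) + 1:]


# Constructed firewall log lines for this example (not real traffic):
# "<ISO timestamp> <src ip> <dst ip>:<port> <action>"
# 10.0.0.5 connects every ~5 minutes (beacon-like); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9:443 allow
2024-05-01T10:05:01 10.0.0.5 203.0.113.9:443 allow
2024-05-01T10:10:00 10.0.0.5 203.0.113.9:443 allow
2024-05-01T10:14:59 10.0.0.5 203.0.113.9:443 allow
2024-05-01T10:20:00 10.0.0.5 203.0.113.9:443 allow
2024-05-01T10:00:12 10.0.0.7 198.51.100.4:443 allow
2024-05-01T10:00:40 10.0.0.7 198.51.100.4:443 allow
2024-05-01T10:03:05 10.0.0.7 198.51.100.4:443 allow
2024-05-01T10:31:50 10.0.0.7 198.51.100.4:443 allow
"""


def parse_log(text):
    """Group connection timestamps by (src, dst:port) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _action = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=4, max_jitter_ratio=0.1):
    """Flag pairs whose inter-connection gaps are nearly constant (beacon-like).

    jitter ratio = population std-dev of the gaps / mean gap. A human browsing
    session produces large, irregular gaps; a scheduled check-in does not.
    Thresholds are example assumptions, not tuned production values.
    """
    beacons = []
    for (src, dst), times in flows.items():
        times = sorted(times)
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append({"src": src, "dst": dst,
                            "period_s": round(avg), "connections": len(times)})
    return beacons


def triage_beacon(beacon):
    """Place a beacon finding on the kill chain and derive the scoping actions."""
    stage = "Command and Control"
    return {
        "stage": stage,
        "already_completed": stages_completed_before(stage),
        "remaining": stages_remaining_after(stage),
        "host": beacon["src"],
        "actions": [
            f"block C2 destination {beacon['dst']}",
            f"scope {beacon['src']} for persistence (Installation already happened)",
            f"hunt for lateral movement and data access from {beacon['src']}",
        ],
    }


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        finding = triage_beacon(b)
        print(f"{b['src']} -> {b['dst']} every ~{b['period_s']}s: stage {finding['stage']}")
        print("  already completed:", ", ".join(finding["already_completed"]))
        for action in finding["actions"]:
            print("  -", action)
```

Run as a script, the 10.0.0.5 flow is reported as a ~300 s beacon at the Command and Control stage with Reconnaissance through Installation marked as already completed, while the irregular 10.0.0.7 traffic is not flagged. The same `stages_completed_before` / `stages_remaining_after` helpers apply to any other detection once it is mapped to a stage: a blocked phishing email sits at Delivery, so everything after it is still preventable.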

Practice Kill Chain in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating kill chain scenarios with zero consequences — free forever.
