When we want to understand complex behaviour, we almost automatically try to create a structure. We break down processes, organise steps and try to recognise patterns. Cyber attacks are no exception: whether it's recreating attacks in pentesting/red teaming or investigating past attacks in IT forensics – structure is what makes events comprehensible and brings order to an initially confusing environment.
The Cyber Kill Chain offers a proven framework for this. The model describes attacks not as isolated individual events or unpredictable chaos, but as a coherent process with clear phases that can be analysed, simulated and interrupted. It thus creates a common basis for thinking across different security-related disciplines.
The Cyber Kill Chain was developed in 2011 by the US defence contractor Lockheed Martin. The term is derived from the military "kill chain", which describes the steps of an attack from target identification to destruction. Translated into the digital world, the model describes how every successful cyber attack must go through a defined chain of seven consecutive phases.
To make the model and its abstract stages more tangible, each of the seven phases is described below and supplemented with examples and technical details from practice.

In the reconnaissance phase, the attacker gathers information about the target in order to prepare the attack in a targeted manner (known as "targeting"). The aim is to identify potential vulnerabilities, structures and points of attack.

Once vulnerabilities or targets have been identified, the attacker prepares the actual attack tools or customises their tools during the weaponisation phase. The aim is to convert the information obtained previously into a concrete attack method that works technically and is as inconspicuous as possible.

In the delivery phase, the attacker brings their prepared attack tool to the target. The decisive factor here is the choice of a transmission path that appears as credible as possible and circumvents existing protection mechanisms.

The exploitation phase is characterised, among other things, by short-lived, security-critical activity. The aim of this phase is to gain access to the target system, for example by actively exploiting a vulnerability and circumventing security mechanisms.

A single access is rarely enough for professional attackers. The goal is to gain permanent, or at least repeatable, access and to establish a foothold in the target system. After successful exploitation, the attacker therefore installs components in the installation phase to ensure persistence.

In the command-and-control (C2) phase, the attacker establishes an external communication channel to the compromised target. Commands are received and data is exfiltrated via this channel.

In the final phase, the attacker pursues their actual objectives. These can vary depending on their motivation or be combined with each other. The effects of this phase are immediately apparent to those affected.
While the Cyber Kill Chain is an excellent introductory model, it reaches its limits in modern security architectures.
The model suggests a strictly linear process. In reality, especially in the case of complex attacks (advanced persistent threats), attackers often jump back and forth between phases or skip steps. In addition, the Cyber Kill Chain focuses heavily on defence at the network perimeter and less on the scenario in which an attacker is already moving within the internal network ("assume breach" mentality).
The MITRE ATT&CK framework has therefore established itself as the de facto standard for operational security teams. Unlike the linear kill chain, it is a comprehensive knowledge base in the form of a matrix that describes tactics and techniques in detail, based on real-world attack observations. It is less of a "checklist" and more of a "periodic table" of attack techniques. Accordingly, the detailed description of the techniques and tactics allows targeted measures for prevention, detection and hardening to be derived at the operational level. Security controls can thus be assigned to specific attack techniques and systematically reviewed.
A hybrid approach is the Unified Kill Chain (UKC). It extends the classic model to 18 steps and recognises that attacks often occur in loops: an attacker breaks in ("In"), spreads ("Through") and then exfiltrates data ("Out").
Conclusion
Despite the limitations of the model, the Cyber Kill Chain (according to Lockheed Martin) is an effective tool for management to develop structured security strategies, make informed budget decisions and explain cyber attacks in a comprehensible manner. The model illustrates why investments in email security (phase 3), endpoint detection and response (phases 4 and 5) and network monitoring (phase 6) are equally necessary and should be considered as a coordinated overall concept.
For technical teams, it provides a strategic framework that is operationalised and deepened by more detailed models such as MITRE ATT&CK. While the Cyber Kill Chain answers the "why" and "where", operational models provide the "how".
Whether it's strategic security planning, realistic attack simulations (pentesting), or the structured investigation of security incidents as part of incident response and forensic investigations – we support you in understanding, testing, and effectively detecting attacks along the entire Kill Chain.

