Skip to content

Explain the Lockheed Martin Cyber Kill Chain and how a blue team uses it.

Short answer

The Cyber Kill Chain models an intrusion as seven sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Defenders map detections and controls to each stage; because the stages are sequential, breaking any single link — blocking the phishing email, killing C2 — disrupts the whole attack. It pushes you to detect early rather than only at the final breach.

The Cyber Kill Chain, from Lockheed Martin, gives the blue team a shared vocabulary for where in an intrusion they are detecting and where they could intervene. Interviewers use it to see whether you think about attacks as a process with many interruption points, not a single moment of "getting hacked."

The seven stages

  1. Reconnaissance — the attacker researches the target (OSINT, scanning, employee lists).
  2. Weaponization — they pair an exploit with a payload, e.g. a malicious macro in a document.
  3. Delivery — they transmit it: phishing email, watering-hole site, USB.
  4. Exploitation — the payload executes by abusing a vulnerability or tricking a user.
  5. Installation — malware establishes persistence on the host.
  6. Command and Control (C2) — the implant calls back to the attacker for instructions.
  7. Actions on Objectives — the attacker achieves their goal: data theft, encryption, sabotage.

How defenders use it

Map a control and a detection to each link: email filtering and user training disrupt delivery; patching and exploit mitigations disrupt exploitation; EDR and application allow-listing catch installation; DNS and egress filtering break C2. Because the stages are sequential, breaking any one link stops the attacker from reaching their objective — and the earlier you break it, the cheaper the response.

Why this matters

The kill chain is intentionally simple, which is its strength and its critique: it is linear and very malware/perimeter-focused, so many teams pair it with MITRE ATT&CK for granular techniques. A strong answer recites the stages, explains "defense in depth = a chance to break the chain at every stage," and acknowledges the model's limits.

Likely follow-ups

  • Why is detecting at the delivery or exploitation stage better than at actions on objectives?
  • What are the main criticisms of the kill chain compared to MITRE ATT&CK?
  • Where would an EDR most likely catch an attacker in this chain?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.