In December 2013, attackers stole 40 million credit card numbers from Target by first compromising an HVAC vendor's credentials, then moving laterally through Target's network for weeks before touching a single point-of-sale terminal. That progression -- initial access, lateral movement, and final action on objective -- is a kill chain, and it's the reason security teams stopped treating breaches as single events and started treating them as sequences with interruptible steps. A cyber kill chain is a model that breaks an attack into ordered stages, from reconnaissance through data exfiltration, so defenders can identify where in that sequence they have visibility and where they don't. Lockheed Martin published the original seven-stage version in 2011. Since then, MITRE ATT&CK and unified kill chain models have extended it for cloud and software supply chain attacks, but the core idea hasn't changed: break one link, stop the attack.
What is a cyber kill chain?
A cyber kill chain is a staged model of how an attack unfolds, originally defined by Lockheed Martin in a 2011 paper as seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Each stage represents a decision point where the attacker must succeed to progress, which means it's also a decision point where a defender can detect or block them. The model borrowed its name and structure from military targeting doctrine, where breaking any single link in the chain defeats the entire operation. In practice, security teams use it to map existing detection and prevention tools against each stage, then find the stages with no coverage -- for example, an organization might have strong email gateway filtering at the delivery stage but zero visibility into command-and-control traffic once a host is compromised.
What are the seven stages of the Lockheed Martin kill chain?
The seven stages are reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Reconnaissance is the attacker researching a target, such as scraping employee names from LinkedIn or enumerating exposed subdomains with a tool like Amass. Weaponization pairs an exploit with a payload, for instance a malicious macro embedded in an Excel file. Delivery gets that payload to the target, commonly through phishing email, which accounted for the initial access vector in 41% of breaches analyzed in Verizon's 2024 Data Breach Investigations Report. Exploitation triggers the vulnerability, installation plants persistent malware like a web shell or backdoor, C2 establishes a remote channel back to the attacker's infrastructure, and actions on objectives is the actual goal -- data theft, ransomware deployment, or destruction. The 2020 SolarWinds compromise moved through all seven stages over roughly nine months before Sunburst malware reached its final objective inside customer networks.
How is the cyber kill chain different from MITRE ATT&CK?
The cyber kill chain describes a linear sequence of attack phases, while MITRE ATT&CK catalogs specific, non-linear techniques attackers use within those phases. Lockheed Martin's model has seven fixed stages and assumes attacks move roughly in order. MITRE ATT&CK, first released in 2013 and now covering 14 tactics and over 600 techniques as of the 2024 Enterprise matrix, documents granular behaviors like T1566.001 (spearphishing attachment) or T1055 (process injection) without forcing them into a strict sequence, because real intrusions loop back, skip steps, or run stages in parallel. A security team investigating an incident might use the kill chain to brief executives on "where in the attack lifecycle we caught this," then use ATT&CK to map the exact technique IDs observed for detection engineering. The two models are complementary rather than competing: one gives you the narrative, the other gives you the forensic detail.
Why doesn't the traditional kill chain work well for software supply chain attacks?
The traditional kill chain assumes a single perimeter and a human attacker executing each stage, but software supply chain attacks compromise a dependency once and let thousands of downstream builds deliver the payload automatically. In the 2021 Codecov incident, attackers modified a Bash uploader script through a Docker image misconfiguration, and that single change silently exfiltrated credentials from every CI pipeline that ran the script for roughly two months, with no phishing email or individual exploitation stage against each victim. Similarly, the 2024 XZ Utils backdoor (CVE-2024-3094) was inserted by a contributor with two years of legitimate commit history, collapsing "weaponization" and "delivery" into routine open-source maintenance. Unified kill chain extensions and supply chain-specific models now add stages like "build compromise" and "distribution," but the practical shift for defenders is that detection has to happen at the artifact and dependency level -- in the SBOM, the build pipeline, the package registry -- not just at the network edge.
How do you use the kill chain model to prioritize defenses?
You use the kill chain to map your existing controls against each stage and invest in the stages with the biggest detection gaps, because stopping an attack early is exponentially cheaper than remediating it after actions on objectives. IBM's 2024 Cost of a Data Breach Report put the average breach lifecycle at 258 days from initial compromise to containment, and breaches contained in under 200 days cost organizations $1.03 million less on average than longer ones. A practical exercise: list your current tools (EDR, WAF, SIEM, SBOM scanner, CI/CD gate) in a grid against the seven stages, mark which stages each tool covers, and look for columns with nothing in them. Most organizations find heavy coverage at delivery and exploitation (email security, vulnerability scanning) and almost nothing at installation or C2 inside cloud workloads and CI runners -- exactly where a compromised open-source package or leaked build credential would surface first.
How Safeguard Helps
Safeguard maps kill-chain thinking directly onto the software supply chain, where the earliest links -- source code, dependencies, and build pipelines -- are the ones most security tools ignore. Our reachability analysis tells you whether a vulnerable function in a dependency is actually called by your code, cutting through the noise so your team investigates the CVEs that sit on a real attack path instead of every CVE in a manifest. Griffin AI correlates findings across your SBOM, source repos, and runtime context to flag which weaknesses chain together into an exploitable path, similar to how a kill chain analysis links stages into a full attack. Safeguard generates and ingests SBOMs across your build pipeline so you have an accurate inventory the moment a new component enters your supply chain -- the "reconnaissance" stage attackers exploit when they target under-monitored dependencies. When a fix is available, Safeguard opens an auto-fix pull request so the vulnerable link gets patched before it becomes the next Codecov or XZ Utils.