Key Takeaways
- The red team kill chain breaks an attack into 7 stages: recon, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
- Blocking any single stage stops the whole attack, which is why defenders treat the kill chain as a map of chances to intervene, not just a description of how attackers work.
- MITRE ATT&CK adds the technical detail the kill chain leaves out, listing the exact techniques attackers use inside each stage.
- A red team report only reflects your environment on the day it was written. New code, new cloud accounts, and new integrations open gaps the report never covered.
In July 2025, attackers slipped into Allianz Life’s third-party CRM through a social engineering trick and walked out with data on 1.4 million customers. A few weeks later, a flaw in a connected CRM exposed 4.4 million records at TransUnion. Neither company got hit because a hacker found some rare zero-day. They got hit because nobody tested the path the attacker actually took.
That path has a name in offensive security circles: the kill chain. Red teams use it to plan attacks, and defenders use the same map to figure out where to break the chain before it reaches something that matters.
What the Red Team Kill Chain Actually Is
Lockheed Martin built the Cyber Kill Chain in 2011, borrowing a military term for the sequence of steps needed to hit a target. The idea holds up over a decade later: a cyberattack rarely happens in one move. It happens in stages, and each stage depends on the one before it.
Red teams borrow this same structure to plan engagements. Instead of a single test, they walk through each stage the way a real attacker would, checking whether your defenses catch them at any point along the way.
Here’s the part that matters most for your security program. If a defender disrupts even one stage, the whole attack falls apart. That’s the entire logic behind the model. You don’t need to stop every possible attack technique. You need enough friction at enough stages that the attacker gives up, gets caught, or runs out of time.
The 7 Stages of the Kill Chain, Walked Through
Each stage below covers what the attacker is doing and what a defender should be watching for at that exact moment.
The 7 Stages of the Red Team Kill Chain
Every intrusion moves through the same sequence. Stop the attacker at any single link, and the whole chain fails.
Reconnaissance
Scraping LinkedIn, scanning open ports, mapping what software you run — 20–30% of an engagement happens here.
Attacker prepWeaponization
Malware is paired with a delivery method — a rigged PDF or Office file — built entirely off your network.
Attacker prepDelivery
The payload reaches its target — most often phishing, but also USB drops or a weaker vendor’s system.
First contactExploitation
A click, an open file, or a triggered flaw — this is the moment the attacker gets a foothold.
FootholdInstallation
A backdoor goes in so access survives even if the original entry point is discovered and closed.
PersistenceCommand & Control
The compromised system phones home over a channel built to stay under the radar.
Covert channelActions on Objectives
Data theft, ransomware encryption, or a lateral move toward a higher-value target.
End goal1. Reconnaissance
The attacker researches the target before touching anything. This might mean scraping LinkedIn for employee names and titles, scanning for open ports, or looking up what software your company runs. None of this touches your network directly, so it’s easy to miss. Red teams often spend 20 to 30% of an engagement here, because good recon makes every later stage easier.
2. Weaponization
The attacker builds the actual payload, usually a piece of malware paired with a delivery method like a malicious PDF or a rigged Office file. This step happens entirely on the attacker’s side, away from your visibility.
3. Delivery
The payload reaches the target. Phishing emails are the most common route, but delivery can also happen through infected USB drives, compromised websites, or a vendor’s system with weaker defenses.
4. Exploitation
The payload runs. A user clicks the link, opens the file, or the vulnerability triggers on its own. This is the moment the attacker gets a foothold inside your network.
5. Installation
The attacker installs a backdoor or additional malware to make sure they can get back in even if the original entry point gets discovered and closed.
6. Command and Control (C2)
The compromised system phones home to the attacker’s infrastructure over a channel built to avoid detection. From here, the attacker can send instructions and pull data out slowly, staying under the radar.
7. Actions on Objectives
The attacker does whatever they came to do: steal data, encrypt files for ransom, or move laterally toward a higher value target like a domain controller.
A quick note on how strict this order really is. Some critics point out that modern attacks don’t always follow these steps in a straight line, and they’re right. Attackers skip stages, double back, or run several at once. The Unified Kill Chain, a newer model built on both the Cyber Kill Chain and MITRE ATT&CK, was created partly to address that gap. Still, the 7 stage version remains the clearest starting point for understanding how an attack unfolds and where you have a chance to stop it.
How MITRE ATT&CK Fits Into the Picture
The kill chain tells you the story of an attack in broad strokes. MITRE ATT&CK tells you the technical detail underneath each chapter.
How the Kill Chain and MITRE ATT&CK Work Together
The kill chain tells the story of an attack. ATT&CK names the exact technique underneath each chapter — here’s stage 4, Exploitation, mapped both ways.
“Exploitation happened”
The broad-strokes narrative — useful for briefing leadership without drowning them in jargon.
The exact technique
The technical detail your detection engineers need to actually write rules and close gaps.
A working detection
Analysts and threat hunters reproduce the exact steps and test their coverage against it.
Most mature programs use both — kill chain for the executive story, ATT&CK technique IDs for the SOC to reproduce and test.
Where the kill chain says “exploitation happened,” ATT&CK names the exact technique: was it a phishing attachment, a public facing app vulnerability, or valid stolen credentials? That level of detail is what your detection engineering team actually needs to write rules and close gaps.
Most mature security programs use both frameworks together, not one instead of the other:
- Kill chain gives you the narrative arc, which is useful for explaining an incident to leadership without drowning them in jargon.
- ATT&CK gives you the technique IDs, which your SOC analysts and threat hunters use to build and test detections.
A well written red team report often opens with a kill chain style executive summary, then backs it up with ATT&CK technique references in the technical findings. That combination lets a CISO understand the story and lets an analyst reproduce the exact steps.
Why a Once a Year Kill Chain Test Isn’t Enough
Here’s the problem nobody likes to say out loud: a red team report is a snapshot. It proves your defenses worked on the exact day the test ran. Everything you ship after that, new code, new cloud services, new SaaS integrations, sits untested until the next scheduled engagement.
Think about how fast most environments actually change. A team that ships weekly generates 52 rounds of untested change every year against one annual test. That gap is where the two breaches mentioned earlier actually happened. It’s also where most breaches happen in general, according to security teams who track this closely.
This is the exact reason adversary emulation mapped to MITRE ATT&CK has picked up so much traction. Instead of waiting for a scheduled window, autonomous red teaming tools pick up on signals in your environment, like a new deployment or a segmentation change, and test whether that specific change opened a door. That’s a narrower, faster question than a full pentest asks, and you get the answer in hours instead of months.
None of this replaces human red teamers. Creativity, social engineering, and business context still take a person in the loop. But automation is very good at the repeatable layer: running the same known techniques against your environment on a schedule that matches how often things actually change, not how often your budget allows for a consultant.
The kill chain doesn’t wait for
your next scheduled test
Running all 7 stages manually against every new deployment isn’t realistic for most teams. The Infrastructure Security Teammate closes that gap — discovering, benchmarking, and emulating attacks continuously, not once a year.
Meet the Infrastructure TeammateContinuous asset discovery
Finds new assets across cloud, on-prem, SaaS and workloads through agentless scanning — not a quarterly review.
Config benchmarking
Checks against CIS Benchmarks (L1 & L2), DISA STIGs and NCP, flagging drift the moment it appears.
ATT&CK-mapped emulation
Runs adversary emulation against real techniques, not generic scans.
T1566 · T1078Contextual risk scoring
Every finding maps to an ATT&CK technique with CVSS + exploitability + asset criticality — so priority is obvious.
You still get the human-led red team testing for the creative, business-context-heavy work. The Digital Security Teammate handles the part that used to fall through the cracks between engagements: the continuous, repeatable testing that catches a misconfiguration the week it appears instead of the year it gets discovered.
FAQs
What are the 7 stages of the cyber kill chain?
Is autonomous red teaming the same as a traditional pentest?
How is MITRE ATT&CK different from the cyber kill chain?
How often should red teaming happen instead of once a year?
The Bottom Line
The kill chain isn’t just theory for a slide deck. It’s a working map of every point where a defender gets a chance to stop an attack before it turns into a headline. Understanding each stage tells you where your defenses are strong and where they’re still catching up.
An annual report tells you how that map looked on one specific day. Closing the gap between tests, whether through better processes or tools that watch your environment continuously, is what keeps that map accurate the other 364 days of the year.