Core Concept

The Cyber Kill Chain

The Kill Chain is a framework for understanding how attacks unfold in seven phases -- from initial reconnaissance to the final destructive action. Breaking any link in the chain stops the attack. Each phase is explored below, along with how IRON CHIMNEY maps onto it.

Lockheed Martin model · IRON CHIMNEY mapped · 7 phases
What the Kill Chain model tells you

The Kill Chain is a mental model, not a law of physics. Real attacks do not always follow a strict sequential path -- phases can overlap, repeat, or be skipped. An attacker who already has credentials (from a previous breach) may enter at installation rather than starting at reconnaissance.

Where the model is most useful: it forces defenders to think about where in the chain they can intervene. Most organizations invest heavily in detection and response (phases 5-7) but have weak controls at delivery and exploitation (phases 3-4). Blocking a phishing email at delivery is cheaper than hunting for lateral movement three weeks after initial access.

The Kill Chain is also linear where MITRE ATT&CK is not. ATT&CK maps the same techniques to multiple phases and is more granular. For most conversations and briefings, the Kill Chain gives a clearer narrative arc; ATT&CK gives the technical precision. Use both.

Defender leverage points
Each phase offers different detection and disruption opportunities

Highest leverage -- early phases: Disrupting reconnaissance (honeypots, limited public footprint) or weaponization (threat intel feeds, malware detection in email sandboxing) stops an attack before it reaches the network. These controls are hard to measure because you do not see the attacks you deflected.

Most practical -- delivery and exploitation: Email security gateways, phishing training, EDR signatures, and patching address delivery and exploitation. These are measurable and most organizations have controls here.

Last line of defense -- installation through actions: If the attacker reaches installation (C2 beacon, persistence), you are in incident response. Detection at this phase requires good behavioral monitoring (SIEM rules, EDR telemetry) and fast response. Every hour of dwell time increases the blast radius.
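The behavioral monitoring described above can be made concrete with a small detector. The following is an added example, not code from the original page: it reads constructed outbound-connection log lines, groups them by source/destination pair, and flags pairs whose check-in cadence is too regular to be human-driven, which is the signature of a C2 beacon (Kill Chain phase 6). The log format, the thresholds `MIN_CONNECTIONS` and `MAX_JITTER`, and the sample addresses are all assumptions made for this example; a real SIEM rule would tune them against baseline traffic.

```python
"""Kill Chain phase 6 (command and control) behavioral detection over
constructed connection logs. Added example, not from the original page."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Lockheed Martin Kill Chain phases, in order (reported 1-indexed below).
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed sample log, one connection per line: "<timestamp> <src> <dst> <bytes>".
# 10.1.1.5 checks in with 203.0.113.9 every ~5 minutes (beacon-like cadence);
# 10.1.1.7's traffic to 198.51.100.20 is irregular (ordinary user activity).
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.1.1.5 203.0.113.9 412
2024-03-01T10:05:01 10.1.1.5 203.0.113.9 410
2024-03-01T10:10:00 10.1.1.5 203.0.113.9 415
2024-03-01T10:14:59 10.1.1.5 203.0.113.9 409
2024-03-01T10:20:00 10.1.1.5 203.0.113.9 411
2024-03-01T10:25:01 10.1.1.5 203.0.113.9 413
2024-03-01T10:02:13 10.1.1.7 198.51.100.20 5120
2024-03-01T10:17:44 10.1.1.7 198.51.100.20 7031
2024-03-01T10:18:02 10.1.1.7 198.51.100.20 620
2024-03-01T10:41:30 10.1.1.7 198.51.100.20 8820
"""

# Detection thresholds: assumed values chosen for this example, not from the page.
MIN_CONNECTIONS = 5   # fewer check-ins than this is not enough evidence of cadence
MAX_JITTER = 0.10     # max coefficient of variation of inter-connection intervals


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def beacon_jitter(timestamps):
    """Return (interval_count, coefficient of variation) of the gaps between check-ins.
    A low coefficient of variation means a near-constant interval, i.e. a beacon."""
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return len(intervals), float("inf")
    avg = mean(intervals)
    return len(intervals), (pstdev(intervals) / avg if avg else float("inf"))


def find_beacons(text):
    """Flag (src, dst) pairs whose cadence is regular enough to look like C2 beaconing."""
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        _n, cv = beacon_jitter(stamps)
        if cv <= MAX_JITTER:
            first, last = min(stamps), max(stamps)
            findings.append({
                "src": src,
                "dst": dst,
                "phase": "command_and_control",
                "phase_index": KILL_CHAIN.index("command_and_control") + 1,
                "connections": len(stamps),
                "jitter": round(cv, 4),
                # dwell time observed so far: how long the beacon has been active
                "dwell_seconds": int((last - first).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: Kill Chain phase {f['phase_index']}/7 "
              f"({f['phase']}), {f['connections']} check-ins, "
              f"jitter {f['jitter']}, dwell so far {f['dwell_seconds']}s")
```

On the sample data only the 10.1.1.5 pair is flagged: its six check-ins are 299 to 301 seconds apart, so the jitter is well under the threshold, while 10.1.1.7 has too few connections and widely varying gaps. The `dwell_seconds` field is the point of the paragraph above: the longer this number grows before anyone looks at the alert, the larger the blast radius.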
