Cyber Kill Chain — Phases and Defensive Controls

Break the chain at any phase and the attack fails. Defenders only need to win once.
flowchart LR
    Break["BREAK THE CHAIN — stop the attack at any phase below"]:::breakNode
    P1["1. Reconnaissance<br/>attack surface mgmt<br/>domain monitoring"]:::p1
    P2["2. Weaponization<br/>threat intel<br/>sandboxing"]:::p2
    P3["3. Delivery<br/>email security<br/>URL filtering"]:::p3
    P4["4. Exploitation<br/>patching, EDR<br/>app allowlisting"]:::p4
    P5["5. Installation<br/>EDR, file integrity<br/>persistence detection"]:::p5
    P6["6. Command and Control<br/>egress and DNS filtering<br/>network detection"]:::p6
    P7["7. Actions on Objectives<br/>DLP, segmentation<br/>anomaly detection"]:::p7

    Break -.-> P1
    P1 --> P2 --> P3 --> P4 --> P5 --> P6 --> P7
    Break -.-> P4
    Break -.-> P7

    classDef breakNode fill:#fff3e0,stroke:#ffa000,stroke-width:3px,color:#6d4c00,font-size:15px
    classDef p1 fill:#1565c0,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:15px
    classDef p2 fill:#3f6fb5,stroke:#0d3a73,stroke-width:2px,color:#ffffff,font-size:15px
    classDef p3 fill:#6a72a5,stroke:#3a2a5a,stroke-width:2px,color:#ffffff,font-size:15px
    classDef p4 fill:#995f7f,stroke:#5a2a3a,stroke-width:2px,color:#ffffff,font-size:15px
    classDef p5 fill:#bf5563,stroke:#7a2030,stroke-width:2px,color:#ffffff,font-size:15px
    classDef p6 fill:#d84a4a,stroke:#8a1a1a,stroke-width:2px,color:#ffffff,font-size:15px
    classDef p7 fill:#e53935,stroke:#8a1010,stroke-width:2px,color:#ffffff,font-size:15px
    linkStyle default stroke:#90a4ae,stroke-width:2px,font-size:14px
Legend: early phases (cheaper to stop), late phases (higher impact).
