Cyber Kill Chain vs MITRE ATT&CK: A Defender's Guide
Ask two defenders to explain an intrusion and you will often hear two different vocabularies. One describes stages — reconnaissance, delivery, command and control. The other reels off technique IDs — T1059, T1003, T1021. Both are describing the same attack. They are just using two different models: the Cyber Kill Chain and the MITRE ATT&CK framework.
These models are frequently presented as competitors. They are not. They answer different questions, at different altitudes, and a capable blue team uses both. This guide explains how each works, how they differ, and how defenders combine them to turn raw attacker behaviour into detections, response playbooks, and measurable coverage. (For the offensive counterpart — how penetration testers use ATT&CK in engagements — see our companion post, MITRE ATT&CK for Pentesters.)
Why these frameworks still matter for cyber defence
Attackers reuse tactics, techniques, and procedures (TTPs) far more than they invent new ones. That predictability is a defender’s advantage — but only if you have a structured way to capture it. The Cyber Kill Chain and MITRE ATT&CK give security teams a shared structure to:
- Recognise attack patterns and anticipate an adversary’s next move.
- Improve detection by mapping alerts and telemetry to known behaviours.
- Strengthen incident response with a common language across the SOC, IR, and threat-intel functions.
- Measure control coverage by comparing what you can detect against what real adversaries actually do.
Without a model, findings and alerts stay disconnected. With one, they form a picture a defender can reason about and act on.
The Cyber Kill Chain: seven stages of an intrusion
Introduced by Lockheed Martin in 2011, the Cyber Kill Chain adapts a military targeting model to cyber intrusions. It breaks an attack into seven sequential phases:
- Reconnaissance – gathering intelligence on the target.
- Weaponisation – pairing an exploit with a deliverable payload.
- Delivery – transmitting the payload to the victim.
- Exploitation – triggering the vulnerability to gain a foothold.
- Installation – establishing persistence on the system.
- Command & Control (C2) – opening a channel to operate the compromised host.
- Actions on Objectives – achieving the goal, such as data theft or disruption.
Its strength is clarity. By framing an attack as a chain, it makes the case for defence in depth: break any single link and you disrupt the whole operation. The trade-off is that real intrusions are rarely so tidy — attackers loop back, skip stages, and operate several at once. The kill chain is a strategic map, not a field manual.
MITRE ATT&CK: a living map of attacker behaviour
Born from MITRE’s Fort Meade Experiment (FMX) in 2013, the MITRE ATT&CK framework catalogues real-world adversary behaviour across platforms — Windows, macOS, Linux, cloud, mobile, and more. It is structured in three layers:
- Tactics — the why: an attacker’s immediate objective (e.g., persistence, credential access, exfiltration).
- Techniques (and sub-techniques) — the how: the method used to achieve a tactic, such as OS Credential Dumping (T1003) or Remote Services (T1021).
- Procedures — the specific way a given actor implements a technique in the wild.
ATT&CK is actively maintained, and the matrix it describes keeps growing. The current release, ATT&CK v19 (April 2026), covers 15 tactics, 222 techniques, and 475 sub-techniques for Enterprise. The headline change in v19 is one defenders should note: the long-standing Defense Evasion tactic was split into two — Stealth (TA0005) and Defense Impairment (TA0112). The distinction matters operationally, because hiding activity (Stealth) and degrading a security control (Defense Impairment) call for different detections and different responses. If your detection coverage was mapped against the old single tactic, v19 is a prompt to revisit it.
Cyber Kill Chain vs MITRE ATT&CK: how they differ — and work together
This is the question most defenders actually ask, so let us answer it directly. The two models are not interchangeable, and neither replaces the other.
| | Cyber Kill Chain | MITRE ATT&CK |
|---|---|---|
| Shape | Linear, seven sequential stages | Non-linear matrix of tactics and techniques |
| Altitude | Strategic — the stage of an intrusion | Tactical — the specific behaviour used |
| Granularity | Coarse (7 phases) | Fine (15 tactics, hundreds of techniques) |
| Best for | Framing a campaign, executive communication, defence-in-depth strategy | Detection engineering, threat hunting, coverage measurement, adversary emulation |
| Maintenance | Fixed model (2011) | Continuously updated (v19, 2026) |
The practical reading: the Kill Chain tells you which stage an attacker has reached, while ATT&CK tells you exactly what they did to get there and what they are likely to do next. A phishing email maps to the Kill Chain’s Delivery phase — and to specific ATT&CK techniques like Phishing and User Execution once you need to write a detection for it.
That is why the two are complementary rather than competing. Many teams use the Kill Chain to brief leadership and structure their defence-in-depth strategy, then drop into ATT&CK to engineer the detections for each stage. The Unified Kill Chain, published by Paul Pols, formalises exactly this marriage — extending the linear stages and mapping them onto ATT&CK’s behavioural detail. You do not have to adopt it formally to benefit from the idea: use the chain for the narrative, use ATT&CK for the evidence.
Putting both models to work on defence
Frameworks only earn their keep when they change what your blue team does day to day. A few concrete applications:
- Detection engineering. Map every detection rule to an ATT&CK technique. The gaps in that map are your blind spots — techniques real adversaries use that you currently cannot see.
- Coverage measurement. Build an ATT&CK Navigator heatmap of what your stack detects, then overlay the techniques associated with threat actors that target your sector. Where the two diverge is your prioritised backlog.
- Threat hunting. Use the Kill Chain to decide where in an intrusion to hunt, and ATT&CK to decide which behaviours to hunt for.
- Pairing offence with defence. When a penetration test or red-team engagement reports its activity in ATT&CK terms, your blue team can replay those exact techniques against its detections — closing the loop between attack and defence.
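The detection-engineering and coverage-measurement steps above, and the Kill Chain versus ATT&CK distinction from the previous section, can be carried out in a few dozen lines. The following is an added example and not BSG's code or a MITRE tool: the rule names, the hypothetical actor's technique list and the tactic-to-Kill-Chain mapping are constructed for illustration, the technique and tactic IDs are real ATT&CK Enterprise IDs, and the output dict follows the ATT&CK Navigator layer JSON shape (`techniqueID`, `score`, `color`, `comment`), which you should check against the Navigator release you load it into. It also handles the case the text leaves implicit: a rule tagged only with a parent technique (here T1021) counts as partial, not full, coverage of the actor's sub-technique.

```python
"""Coverage-gap analysis: deployed detection rules vs. an actor's ATT&CK techniques.

Added example, not BSG's code. Rule names, the actor's technique list and the
tactic-to-Kill-Chain mapping are constructed. Technique/tactic IDs are real
ATT&CK Enterprise IDs. The layer dict follows the ATT&CK Navigator layer shape
(techniqueID / score / color / comment); verify it against your Navigator build.
"""
import json

# Constructed: rules already deployed, each tagged with the technique it targets.
# "remote_service_logon_anomaly" is tagged only with the parent T1021, which is
# the ambiguous case a coverage map has to handle explicitly.
DETECTION_RULES = {
    "proc_powershell_encoded_cmd": {"T1059.001"},
    "lsass_access_from_untrusted_proc": {"T1003.001"},
    "remote_service_logon_anomaly": {"T1021"},
    "office_spawns_shell": {"T1204.002"},
}

# Constructed: techniques attributed to a hypothetical actor targeting the sector.
ACTOR_TECHNIQUES = {
    "T1566.001", "T1204.002", "T1059.001", "T1003.001",
    "T1021.002", "T1071.001", "T1041",
}

# Technique -> tactic. In practice pull this from the ATT&CK STIX data; a
# hand-entered subset is enough here.
TECHNIQUE_TACTIC = {
    "T1566.001": "TA0001",  # Initial Access
    "T1204.002": "TA0002",  # Execution
    "T1059.001": "TA0002",  # Execution
    "T1003.001": "TA0006",  # Credential Access
    "T1021.002": "TA0008",  # Lateral Movement
    "T1071.001": "TA0011",  # Command and Control
    "T1041": "TA0010",      # Exfiltration
}

# Tactic -> Kill Chain stage (constructed, many-to-one). Lockheed's seven stages
# fold all post-compromise behaviour into Actions on Objectives, which is why
# tactics such as Credential Access and Lateral Movement default there below.
TACTIC_KILLCHAIN = {
    "TA0043": "Reconnaissance", "TA0042": "Weaponisation",
    "TA0001": "Delivery", "TA0002": "Exploitation",
    "TA0003": "Installation", "TA0011": "Command & Control",
}


def covered_techniques(rules):
    """Union of every technique ID any rule is tagged with."""
    return set().union(*rules.values())


def coverage_score(technique, covered):
    """2 = a rule targets this exact ID, 1 = only the parent technique, 0 = nothing."""
    if technique in covered:
        return 2
    parent = technique.split(".")[0]
    if parent != technique and parent in covered:
        return 1
    return 0


def coverage_gaps(actor, rules):
    """Actor techniques with no rule at all (score 0): the blind spots."""
    covered = covered_techniques(rules)
    return {t for t in actor if coverage_score(t, covered) == 0}


def kill_chain_stage(technique):
    """Kill Chain stage for a technique via its tactic; unmapped tactics fall to the last stage."""
    tactic = TECHNIQUE_TACTIC.get(technique)
    return TACTIC_KILLCHAIN.get(tactic, "Actions on Objectives")


def gaps_by_stage(actor, rules):
    """Group blind spots by Kill Chain stage: where in the intrusion to hunt first."""
    grouped = {}
    for t in sorted(coverage_gaps(actor, rules)):
        grouped.setdefault(kill_chain_stage(t), []).append(t)
    return grouped


def navigator_layer(actor, rules, name="coverage-vs-actor"):
    """Build an ATT&CK Navigator layer colouring each actor technique by coverage score."""
    covered = covered_techniques(rules)
    colour = {0: "#d62728", 1: "#ff7f0e", 2: "#2ca02c"}
    label = {0: "gap: no rule", 1: "partial: parent-level rule only", 2: "covered"}
    techniques = []
    for t in sorted(actor):
        s = coverage_score(t, covered)
        techniques.append({"techniqueID": t, "score": s,
                           "color": colour[s], "comment": label[s]})
    # "versions.layer" is an assumption; set it to match your Navigator build.
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"}, "techniques": techniques}


if __name__ == "__main__":
    print(json.dumps(gaps_by_stage(ACTOR_TECHNIQUES, DETECTION_RULES), indent=2))
    print(json.dumps(navigator_layer(ACTOR_TECHNIQUES, DETECTION_RULES), indent=2))
```

Running it reports three blind spots against this constructed actor (T1566.001 at Delivery, T1071.001 at Command & Control, T1041 at Actions on Objectives) and one partial (T1021.002, caught only by the parent-level rule); the layer JSON can be loaded into Navigator to get the heatmap the text describes. Keeping the parent-only case as a distinct score stops a single broad rule from painting an entire technique family green.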
ATT&CK also has a defensive sibling worth knowing: MITRE D3FEND, an ontology of defensive countermeasures that maps directly onto ATT&CK techniques. We cover it in detail in our MITRE D3FEND guide — together, ATT&CK (what attackers do) and D3FEND (what defenders can do about it) make a complete planning pair.
The role of threat intelligence sharing
Neither model is much use in isolation. Their real power emerges when organisations describe threats in the same language and share what they see. ATT&CK has become that common language, enabling teams to:
- Exchange threat intelligence without translation loss, using shared technique IDs.
- Collaborate across sectors via platforms such as MISP and MITRE CTI.
- Attribute activity by matching observed techniques to known intrusion sets.
- Respond faster, because an alert tagged with an ATT&CK technique already carries context.
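Exchanging intelligence by technique ID and matching observed techniques to known intrusion sets both come down to reading the same STIX objects MITRE CTI publishes. The block below is an added example, not BSG's or MITRE's code: `SAMPLE_BUNDLE` is a constructed, trimmed bundle in the object shape MITRE CTI uses (`attack-pattern`, `intrusion-set`, `uses` relationships, `mitre-attack` external references), the set names and object IDs are placeholders, and the technique lists are invented. It honours the `revoked` and `x_mitre_deprecated` flags that the real data carries, so a withdrawn relationship does not inflate an actor's profile, and it ranks sets by Jaccard overlap with what you observed.

```python
"""Per-actor technique sets from a STIX bundle, ranked against observed techniques.

Added example, not BSG's or MITRE's code. SAMPLE_BUNDLE is constructed: the
object shape matches MITRE CTI (attack-pattern, intrusion-set, "uses"
relationships, mitre-attack external_references), but the set names, object
IDs and technique lists are placeholders invented for this example.
"""
import json


def _ap(stix_id, name, tid):
    """Constructed attack-pattern object carrying a mitre-attack external reference."""
    return {"type": "attack-pattern", "id": stix_id, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}


def _uses(src, tgt, revoked=False):
    """Constructed 'uses' relationship; MITRE CTI marks withdrawn ones with revoked=true."""
    rel = {"type": "relationship", "relationship_type": "uses",
           "source_ref": src, "target_ref": tgt}
    if revoked:
        rel["revoked"] = True
    return rel


SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--placeholder",
    "objects": [
        _ap("attack-pattern--ap-1003", "OS Credential Dumping", "T1003"),
        _ap("attack-pattern--ap-1021", "Remote Services", "T1021"),
        _ap("attack-pattern--ap-1059", "Command and Scripting Interpreter", "T1059"),
        _ap("attack-pattern--ap-1566", "Phishing", "T1566"),
        _ap("attack-pattern--ap-1071", "Application Layer Protocol", "T1071"),
        {"type": "intrusion-set", "id": "intrusion-set--set-a", "name": "Example Set A"},
        {"type": "intrusion-set", "id": "intrusion-set--set-b", "name": "Example Set B"},
        _uses("intrusion-set--set-a", "attack-pattern--ap-1003"),
        _uses("intrusion-set--set-a", "attack-pattern--ap-1021"),
        _uses("intrusion-set--set-a", "attack-pattern--ap-1059"),
        _uses("intrusion-set--set-a", "attack-pattern--ap-1566"),
        _uses("intrusion-set--set-a", "attack-pattern--ap-1071", revoked=True),
        _uses("intrusion-set--set-b", "attack-pattern--ap-1059"),
        _uses("intrusion-set--set-b", "attack-pattern--ap-1566"),
        _uses("intrusion-set--set-b", "attack-pattern--ap-1071"),
    ],
})


def _live(obj):
    """Skip objects MITRE CTI has withdrawn (revoked or x_mitre_deprecated)."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def load_bundle(text):
    return json.loads(text)


def technique_ids(bundle):
    """attack-pattern STIX id -> ATT&CK technique ID, using mitre-attack references only."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or not _live(obj):
            continue
        for ref in obj.get("external_references", []):
            ext = ref.get("external_id", "")
            if ref.get("source_name") == "mitre-attack" and ext.startswith("T"):
                out[obj["id"]] = ext
    return out


def intrusion_set_techniques(bundle):
    """Intrusion-set name -> set of technique IDs it is recorded as using."""
    ids = technique_ids(bundle)
    names = {o["id"]: o["name"] for o in bundle["objects"]
             if o.get("type") == "intrusion-set" and _live(o)}
    result = {name: set() for name in names.values()}
    for rel in bundle["objects"]:
        if (rel.get("type") != "relationship"
                or rel.get("relationship_type") != "uses" or not _live(rel)):
            continue
        src, tgt = rel.get("source_ref"), rel.get("target_ref")
        if src in names and tgt in ids:
            result[names[src]].add(ids[tgt])
    return result


def rank_intrusion_sets(observed, sets):
    """Jaccard overlap between observed techniques and each set, best first.

    Overlap is a lead for attribution, not proof: widely shared techniques such
    as T1059 or T1566 will match many sets, so weight the rarer ones by hand."""
    ranked = []
    for name, techs in sets.items():
        union = observed | techs
        score = len(observed & techs) / len(union) if union else 0.0
        ranked.append((name, round(score, 3), sorted(observed & techs)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    sets = intrusion_set_techniques(load_bundle(SAMPLE_BUNDLE))
    for row in rank_intrusion_sets({"T1003", "T1021", "T1059"}, sets):
        print(row)
```

With the constructed data, Example Set A scores 0.75 (three of four techniques matched, the revoked T1071 link ignored) and Example Set B scores 0.2 on the single shared T1059. The same functions run unchanged over the real `enterprise-attack.json` bundle from MITRE CTI; only the filtering on `revoked` and `x_mitre_deprecated` and the `mitre-attack` source name matter for correctness there.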
For regulated and high-value organisations, this shared vocabulary is increasingly the baseline expectation, not a nice-to-have.
BSG's continuous security services map monitoring and detection to MITRE ATT&CK — so you can see, in one heatmap, which adversary techniques you'd catch and which would slip past.
Frequently Asked Questions
What is the difference between the Cyber Kill Chain and MITRE ATT&CK?
The Cyber Kill Chain is a linear, seven-stage model of how an intrusion progresses — it tells you which stage an attacker has reached. MITRE ATT&CK is a detailed, non-linear matrix of adversary tactics and techniques — it tells you exactly what an attacker did and is likely to do next. They operate at different altitudes and are most powerful used together: the Kill Chain for strategy and communication, ATT&CK for detection and hunting.
Is the Cyber Kill Chain still relevant in 2026?
Yes, but with a caveat. Its linear model does not capture how modern, non-linear intrusions actually unfold, so most mature teams pair it with — or graduate to — MITRE ATT&CK (or the Unified Kill Chain) for operational detection work. The Kill Chain remains a clear, useful way to frame defence-in-depth and brief non-technical stakeholders.
How many tactics does MITRE ATT&CK have now?
As of ATT&CK v19 (April 2026), Enterprise ATT&CK has 15 tactics, 222 techniques, and 475 sub-techniques. The tactic count rose from 14 to 15 when the Defense Evasion tactic was split into Stealth (TA0005) and Defense Impairment (TA0112).
Should a defender use one framework or both?
Both. Use the Cyber Kill Chain to structure your overall defence strategy and communicate it, and use MITRE ATT&CK to engineer detections, run threat hunts, and measure coverage. They answer different questions, and the combination is stronger than either alone.
Conclusion
The Cyber Kill Chain and MITRE ATT&CK are not competing standards to choose between — they are complementary lenses on the same problem. The Kill Chain gives you the strategic shape of an intrusion; ATT&CK gives you the behavioural detail to detect and respond to it. Defenders who use both — and who keep their ATT&CK mapping current with releases like v19 — turn a pile of disconnected alerts into a coherent, measurable defence.
If you want help mapping your detection and response capability to real-world attacker behaviour, that is exactly the kind of work BSG does.