In plain English
The kill chain maps how an attack unfolds step by step: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. Understanding this model helps defenders identify which phase a detected attack is in and which controls would have broken the chain earlier.
Full definition
Attacks do not happen in a single moment. They unfold in stages, and defenders who understand that sequence can intervene before an attacker reaches their objective.
The kill chain model maps those stages: (identifying the target), weaponisation (building or buying an exploit), delivery (sending a , for example), exploitation (gaining initial access), installation (planting or a backdoor), (establishing a communication channel back to the attacker), and then actions on objectives, which might be data theft, deployment, or something else entirely. Each stage is a potential intervention point. A well-configured email gateway stops delivery. breaks exploitation even when credentials are stolen. limits what an attacker can reach once they are past the perimeter.
When a security team detects an alert, the kill chain tells them which stage they are looking at. An attacker who has reached command and control but has not yet exfiltrated data is a very different situation from one who is still at reconnaissance. The response is different. The urgency is different. Penetration testers use the same model to plan their engagements, working through each phase to identify where a client's defences break down and which controls would have stopped the attacker earlier.
