Key insight

The kill chain describes a typical intrusion as an ordered series of stages, and breaking it at any single stage stops the whole thing, which is why defenses belong at multiple stages, not just the first one. AI agents compress this multi-stage chain dramatically, sometimes into a single moment, because one convincing piece of content can deliver the foothold and the damaging action at once.

A chain is simply a series of connected links, and if any single link breaks, the whole chain falls apart, no matter how strong every other link happens to be. The kill chain borrows that exact idea to describe a typical computer intrusion as an ordered series of stages, rather than one single event, and this article walks through what those stages are and why the metaphor matters so much for defense.

1 · Why a chain, and not just one event

An intrusion is rarely one dramatic moment. It is usually a sequence: research, then entry, then expansion, then finally the action that was the entire point of the intrusion. Describing it as a chain of separate stages, instead of one single event, matters enormously for defense, because it means there are multiple separate opportunities to stop it, not just one.

2 · The typical stages, one at a time

Five sequential stages of a typical intrusion connected as links in a chain Five boxes labelled reconnaissance, initial access, persistence, expansion, and action on objective are connected in sequence by arrows, illustrating the ordered, chain-like structure of a typical intrusion. Reconnaissance Initial access Persistence Expansion Action on objective
Figure 1. Five links in a row. An attacker needs every single one; a defender only needs to break one.

3 · Why breaking any one link stops the whole chain

The single most useful fact about the entire chain is that defenders do not need to stop every stage. Breaking the chain at any one link stops the whole intrusion from completing, exactly the way removing one link from a physical chain leaves two separate, useless pieces instead of one working chain. This is why security teams deliberately place independent defenses at multiple different stages, rather than betting everything on stopping an attacker only at the very first step.

4 · A worked example: a phishing intrusion, stage by stage

An attacker researches a company's public employee directory, reconnaissance. They send a convincing phishing email to one employee, gaining initial access when it is clicked. They quietly install a small program that lets them reconnect later even if the employee changes their password, persistence. They move from that employee's laptop toward a shared file server, expansion. And finally they copy sensitive files off that server, action on objective. A defense that only exists at the phishing email stage misses every other opportunity; a defense at the persistence or expansion stage can still stop the chain even after the phishing email already succeeded.

5 · Why AI agents compress the chain dramatically

An AI agent, software that decides on its own which tools to call based on instructions written in ordinary language, compresses this whole multi-stage chain dramatically, sometimes down to a single stage. One cleverly worded piece of content can simultaneously deliver the initial foothold and the final damaging action in the very same moment, because the agent reads the content and acts on it in one continuous step, skipping several stages a human-driven intrusion would normally need days or weeks to work through one at a time.

6 · Applying the kill chain on purpose

7 · A simple test you can run this week

Try this before an incident forces the question

1. Pick one system, or one AI agent, that matters to you.
2. List a defense you currently have at each of the five stages.
3. Note any stage with no real defense at all.
4. Add one for the stage that worried you most.

8 · Glossary — every short-form term, spelled out

Kill chain
An ordered series of stages a typical intrusion moves through, from research to final damaging action.
Reconnaissance
Researching a target from the outside before ever attempting to get in.
Persistence
A way back into a compromised system that survives even after the original entry point is closed.
AI agent
Software that decides, on its own, which tools to call and which actions to take, based on instructions written in ordinary language.
Key takeaways

The kill chain describes an intrusion as ordered stages, not one single event.
Breaking any one link stops the whole chain, so defenses belong at multiple stages, not just the first.
Persistence and expansion are stages worth catching even after initial access already succeeded.
AI agents can compress the whole chain into a single moment, so do not assume an attacker needs several separate steps.

References

  1. Lockheed Martin, Cyber Kill Chain framework, Lockheed Martin Corporation. lockheedmartin.com
  2. MITRE ATT&CK, Tactics overview, The MITRE Corporation. attack.mitre.org