What is a 'kill chain' model, and how does it guide incident response actions?



Explanation:
A kill chain is a framework that maps an intrusion into sequential stages. This helps incident responders: by recognizing where an attacker is within that sequence, they can tailor actions to disrupt progress and minimize impact. The classic stages include reconnaissance, initial access, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. In practice, defenders use it to guide detection and containment: signals at early stages like reconnaissance or delivery can trigger preventive or monitoring measures, while stopping initial access or intercepting command-and-control communications can prevent the attacker from completing their goals. The model also provides a clear structure for evidence collection and post-incident analysis, showing how attacker activity progressed and where defenses failed.

