Breaking down the cyberattack lifecycle: Overview

Nicholas Koken
May 7, 2024

Considering the number of headlines involving successful cyberattacks on organizations big and small, one might think that attacks could happen overnight. The reality is that cyberattacks result from weeks to months’ worth of work and generally follow a prescriptive process known as the cyberattack lifecycle or kill chain.

In this blog series, we’re tackling each aspect of the cyberattack lifecycle to give you insights into how to best defend your organization. First, here’s an overview of the cyberattack lifecycle and what it means to an organization.

Background

Throughout my years in the US Army, NSA, and now MXDR, I have been on the front lines of some of the most sophisticated cyberattacks in recent years. Across the large variety of attacks I witnessed, all possessed a near-identical pattern. This blog post will unpack the cyberattack lifecycle, utilizing insights from my experiences to explain each phase. Throughout the series that follows, we'll delve into the strategies that drive cyber threats, how they are executed, and the importance of understanding these dynamics for robust cybersecurity defense.

Breaking down the cyberattack lifecycle

There are eight stages involved in a typical cyberattack.

1. Reconnaissance

Before an attacker begins, they need to understand their target. This stage involves research and investigation of an organization, identifying its valuables, environments, and potential vulnerabilities.

2. Weaponization

Next, the attacker develops the means by which they will attack the organization. Commonly, this might involve pairing malware, such as a remote access trojan (RAT) or another infection, with a downloadable PDF or a macro-enabled Microsoft Office document.

3. Delivery

Now, the attacker determines the best way to sneak their weapon into the environment. Business email compromise (BEC), phishing, social engineering, and others are all prominent methods today’s attackers use.

4. Exploitation

This is the turning point of the cyberattack lifecycle when preparation turns to action. A successful delivery enables the bad actor to build off the intelligence gathered to this point to exploit vulnerabilities and make their way to sensitive systems.

5. Installation

Attackers leverage their headway within an environment to deploy the weapon. From here, attackers will also seek out any backdoors they can use to establish persistence.

6. Command & control

At this point, the attacker is successfully within the environment, having delivered their payload and engaged the weapon. They usually take advantage of their position within the network to remotely clean up their tracks while having access to other systems within the network.

7. Actions on objective

At this stage, the bad actor completes their objective, exfiltrating or deleting data and potentially affecting other systems down the chain.

8. Monetization

Now that the attacker has completed their objective, they seek out ways to capitalize and profit off their findings, whether that be holding data for ransom or selling it to the highest bidder.

Learn more

The cyberattack chain and the threat it represents pose great risk to organizations of all sizes. Read the next installment of our series as we dive into each stage, its strategies, and the techniques you can employ to defend against them and protect your business.
