← All frameworks
International GLOBAL · reference · Global

UKC

Unified Kill Chain

18 controls · 3 domains
Start assessment in platform →

About this framework

The Unified Kill Chain is a threat model that describes the end-to-end phases of a cyber attack, unifying and extending earlier models (such as Lockheed Martin's Cyber Kill Chain) with MITRE ATT&CK. It lays out 18 ordered attack phases grouped into three broad stages — gaining an initial foothold ("In"), establishing presence and moving through the target environment ("Through"), and acting on objectives such as exfiltration or impact ("Out"). By stitching these phases together, it gives defenders a narrative of how an intrusion progresses from reconnaissance to objective, making it easier to reason about where controls and detections break the chain.

Who needs this

Threat-intelligence analysts, incident responders, detection engineers, and security architects who want to map attacker progression across a full intrusion and identify where in the chain their defenses intervene. Useful alongside MITRE ATT&CK for threat-informed defense and attack-path analysis.

See how UKC connects to the rest → the Security Universe

Control domains

IN · In — Initial Foothold 8
UKC-1
Reconnaissance
Researching, identifying and selecting targets using active or passive reconnaissance.
UKC-2
Weaponization
Preparing the infrastructure and tooling (e.g. malware, payloads) used to conduct the attack.
UKC-3
Delivery
Transmitting the weaponized object to the target environment.
UKC-4
Social Engineering
Manipulating people into performing actions that assist the attacker (e.g. phishing, pretexting).
UKC-5
Exploitation
Triggering a vulnerability or weakness to execute attacker-controlled code or actions.
UKC-6
Persistence
Maintaining access to systems across restarts, credential changes and other interruptions.
UKC-7
Defense Evasion
Avoiding detection and bypassing security controls throughout the intrusion.
UKC-8
Command & Control
Establishing communication with compromised systems to remotely control them.
THR · Through — Network Propagation 6
UKC-9
Pivoting
Tunnelling through a compromised system to reach otherwise unreachable systems.
UKC-10
Discovery
Acquiring knowledge of the internal environment, systems, accounts and data.
UKC-11
Privilege Escalation
Obtaining higher-level permissions on systems or within the domain.
UKC-12
Execution
Running attacker-controlled code on local or remote systems within the environment.
UKC-13
Credential Access
Stealing account names, passwords, keys and other credentials.
UKC-14
Lateral Movement
Moving through the environment by using legitimate access and compromised credentials.
OUT · Out — Action on Objectives 4
UKC-15
Collection
Gathering data of interest from the target environment in preparation for exfiltration.
UKC-16
Exfiltration
Stealing data by transferring it out of the target environment.
UKC-17
Impact
Manipulating, interrupting or destroying systems and data (e.g. ransomware, sabotage).
UKC-18
Objectives
Achieving the strategic goal that motivated the attack (the attacker's end objective).

Ready to assess against UKC?

Start free trial →