The Cyber Kill Chain Is Not Dead. MITRE ATT&CK Is Its Higher-Resolution Successor.

The Cyber Kill Chain mapped onto MITRE ATT&CK tactics
Why senior detection engineers don’t dismiss the kill chain — and what dismissing it actually reveals about the practitioner.

It is fashionable in 2026 to dismiss the Lockheed Martin Cyber Kill Chain as outdated. The argument runs something like this: “It was written in 2011, the threat landscape has moved on, MITRE ATT&CK is the modern framework, the kill chain is for old-timers.”

The argument is wrong. More importantly, the people making it are revealing how recently they arrived in the field.

The Cyber Kill Chain has not been replaced. It has been abstracted away. MITRE ATT&CK is the same story told at a higher resolution.

I make this point because the dismissal is corrosive. It teaches junior practitioners that frameworks expire, when in fact what changes is the resolution at which the practitioner is operating. Both views are correct. They serve different audiences and answer different questions.

The seven-stage view

Lockheed Martin published the Cyber Kill Chain in 2011 as a model of how an external adversary moves from intent to impact. Seven stages:

Reconnaissance — gathering information about the target
Weaponization — preparing the payload, infrastructure, capability
Delivery — getting that payload into the target environment
Exploitation — running the payload; gaining a foothold
Installation — establishing persistence
Command and Control — establishing communication back to the operator
Actions on Objectives — doing whatever the adversary came to do

It is a clean, executive-readable model. A board member can absorb it in two minutes. A program lead can use it to organize defensive investment by stage. A risk register can be structured around it. That is what the kill chain was designed to do, and at that level of abstraction, it still does it well.

The fourteen-tactic view

MITRE ATT&CK, first published in 2013 and refined continuously since, takes the same conceptual progression and unfolds it into operational granularity:

Reconnaissance · Resource Development · Initial Access · Execution · Persistence · Privilege Escalation · Defense Evasion · Credential Access · Discovery · Lateral Movement · Collection · Command and Control · Exfiltration · Impact

Each tactic decomposes into techniques, sub-techniques, and procedures (TTPs) — many hundreds of them. ATT&CK is built for the practitioner who is mapping detection coverage, simulating adversary behaviour, and engineering controls. At that level of resolution, the kill chain’s seven stages are too coarse to be useful. You cannot write a Sigma rule against “Exploitation”; you need T1190 (Exploit Public-Facing Application) or T1204 (User Execution).

Mapping of the seven Lockheed Kill Chain stages to the fourteen MITRE ATT&CK tactics, with Actions on Objectives highlighted as the damage-bearing stage

The mapping is straightforward

Each kill chain stage corresponds to one or more MITRE tactics. The mapping is approximate — practitioners draw the boundaries differently depending on the case — but the conceptual progression is the same:

— Kill Chain Reconnaissance → MITRE Reconnaissance
— Kill Chain Weaponization → MITRE Resource Development
— Kill Chain Delivery → MITRE Initial Access
— Kill Chain Exploitation → MITRE Execution
— Kill Chain Installation → MITRE Persistence, with Privilege Escalation, Defense Evasion, and Credential Access as supporting tactics
— Kill Chain Command and Control → MITRE Command and Control
— Kill Chain Actions on Objectives → MITRE Discovery, Lateral Movement, Collection, Exfiltration, and Impact

Notice what happens at the bottom. Kill chain Actions on Objectives expands into FIVE distinct MITRE tactics. That is not the kill chain failing. That is MITRE giving the practitioner the resolution required to actually defend against modern post-exploitation behaviour. The kill chain still describes the same destination — the adversary doing what they came to do — but ATT&CK gives you the granularity to see WHICH part of the post-exploitation sequence you have detection for and which part you don’t.
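The roll-up this mapping allows, sketched in Python as an added example (not code from the article): tactic-level rule coverage is aggregated into one row per kill chain stage, with the uncovered tactics listed as gaps. The rule inventory is constructed, and the Sigma-style tag spelling and the function names are assumptions.

```python
# Stage -> tactic mapping as the article gives it (approximate by its own account).
KILL_CHAIN = [
    ("Reconnaissance", ["reconnaissance"]),
    ("Weaponization", ["resource-development"]),
    ("Delivery", ["initial-access"]),
    ("Exploitation", ["execution"]),
    ("Installation", ["persistence", "privilege-escalation",
                      "defense-evasion", "credential-access"]),
    ("Command and Control", ["command-and-control"]),
    ("Actions on Objectives", ["discovery", "lateral-movement", "collection",
                               "exfiltration", "impact"]),
]
ALL_TACTICS = {t for _, tactics in KILL_CHAIN for t in tactics}

def rule_tactics(rule):
    """Tactic names from Sigma-style tags; technique tags (attack.t1059.001) are skipped."""
    found = set()
    for tag in rule.get("tags", []):
        namespace, _, value = tag.lower().partition(".")
        value = value.replace("_", "-")  # accept both underscore and hyphen spellings
        if namespace == "attack" and value in ALL_TACTICS:
            found.add(value)
    return found

def stage_coverage(rules):
    """Roll tactic-level rule coverage up to one row per kill chain stage."""
    covered = set().union(*(rule_tactics(r) for r in rules))
    report = []
    for stage, tactics in KILL_CHAIN:
        have = [t for t in tactics if t in covered]
        gaps = [t for t in tactics if t not in covered]
        report.append({"stage": stage, "covered": have, "gaps": gaps,
                       "ratio": len(have) / len(tactics)})
    return report

def earliest_covered_stage(rules):
    """First stage in kill chain order with at least one detection, else None."""
    return next((row["stage"] for row in stage_coverage(rules) if row["covered"]), None)

# Constructed rule inventory (titles and tags are illustrative, not from the article).
RULES = [
    {"title": "Encoded PowerShell command line", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "New Windows service installed", "tags": ["attack.persistence", "attack.t1543.003"]},
    {"title": "LSASS memory read", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Data sent over C2 channel", "tags": ["attack.exfiltration", "attack.t1041"]},
]

if __name__ == "__main__":
    for row in stage_coverage(RULES):
        print(f'{row["stage"]:<22} {row["ratio"]:>4.0%}  gaps: {", ".join(row["gaps"]) or "none"}')
```

With this inventory, Actions on Objectives shows coverage for one of its five tactics, which is the kind of gap the seven-stage view alone would hide.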

Why the abstraction matters

The two frameworks serve different audiences and different decisions.

The kill chain answers boardroom-level questions: “Where in the attack progression are we currently strongest? Where are we weakest? What investment moves us forward?” These are questions a CISO asks an executive sponsor, and the answer needs to fit on a five-stage diagram on a slide.

ATT&CK answers detection-engineering questions: “What percentage of T1059.001 (PowerShell) is covered by our SIEM? Where do our controls fail against T1078 (Valid Accounts)? What MITRE techniques does this red-team campaign exercise?” These are questions an analyst, a detection engineer, or a purple team asks, and the answer requires the resolution that MITRE provides.

What the dismissal actually reveals

When a practitioner says “the kill chain is outdated; we use MITRE now,” they are usually betraying one of three things:

— They have not yet operated at the executive abstraction level, so they don’t see the value of a five-stage framework.
— They have absorbed a vendor narrative that positioned MITRE as a replacement to drive product positioning.
— They mistake fashion for currency, and recency for rigor.

None of these are damning. All of them are signals that the practitioner is on the way to senior, not yet there. The senior detection engineer holds both frameworks in mind simultaneously and uses each at the right moment.

Closing

The kill chain is not dead. ATT&CK has not replaced it. Most importantly, the kill-chain stage at which an attack is detected is also the foundation for a SOC maturity metric model. The kill chain and ATT&CK are not competitors; treating them as such reveals more about the speaker than about the frameworks.

Senior practitioners zoom between the two depending on the question being asked.