The Attacker Mindset & Kill Chain
Attacks are not magic — they are a process, and processes can be modeled, measured, and interrupted.
01 Thinking in adversary, not in checklist
Defenders who only work from compliance checklists tend to lose to attackers who work from goals. An adversary does not care that you patched the server the audit asked about; they care about a path — any path — from where they are to what they want. The attacker mindset is simply the discipline of reasoning about a system the way its designer did not: asking not "does this feature work?" but "what else can this feature be made to do?"
That reframing is the whole game. A password-reset flow is a login bypass waiting to be misused. A file uploader is a way to plant code. A helpful error message is free reconnaissance. None of this requires villainy — it requires curiosity plus a refusal to assume the happy path is the only path.
Crucially, thinking like an attacker is a thinking exercise. You practice it on systems you are authorized to test, in your head, in a lab, or in a bug-bounty scope — never on machines you have no permission to touch. The rest of this module is about the frameworks that turn that mindset into something rigorous and repeatable.
02 The Lockheed Martin Cyber Kill Chain
In 2011, analysts at Lockheed Martin published the Cyber Kill Chain, borrowing a military metaphor: a targeted intrusion is a sequence of stages, and breaking any one link breaks the chain. The seven stages are:
- Reconnaissance — researching the target and its people.
- Weaponization — pairing an exploit with a deliverable payload.
- Delivery — getting that payload to the victim (email, web, USB).
- Exploitation — triggering the code to run.
- Installation — establishing a foothold that survives reboots.
- Command & Control (C2) — opening a channel back to the operator.
- Actions on Objectives — the actual goal: theft, encryption, sabotage.
The model's real value is defensive. Each stage is an opportunity to detect and disrupt, and earlier is cheaper. Blocking a phishing email at Delivery costs you nothing; discovering the adversary at Actions on Objectives means the damage is already done.
The Kill Chain has fair critiques — it is malware- and perimeter-centric, and it undersells insider threats and credential abuse where no "payload" is delivered. That gap is exactly what MITRE ATT&CK fills.
03 MITRE ATT&CK: the adversary's playbook, catalogued
Where the Kill Chain gives you a coarse timeline, MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) gives you a rich, empirically-grounded matrix of how real intrusions actually unfold. First released publicly in 2015, it is now the lingua franca of threat detection.
ATT&CK is organized as tactics (the adversary's goal — the "why") and techniques (the "how"). The Enterprise matrix has 14 tactics, read roughly left to right:
- Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Under each tactic sit dozens of techniques and sub-techniques, each with a stable ID (for example, T1566 is Phishing). Because the taxonomy is shared, a detection engineer, a threat-intel analyst, and a red teamer can all point at the same cell and mean the same thing.
There are companion matrices for Mobile and for Industrial Control Systems (ICS), reflecting that the same adversarial logic applies far beyond office laptops.
04 Red team vs. pentest vs. bug bounty vs. crime
All four use overlapping techniques. What separates them is authorization, scope, and intent — and those differences are the entire line between a security professional and a felon.
| Activity | Goal | Scope | Authorization |
|---|---|---|---|
| Penetration test | Find and report as many vulnerabilities as possible in a defined target | Explicit, usually narrow, time-boxed | Written contract + rules of engagement |
| Red team | Emulate a specific adversary to test detection and response, not just find bugs | Broad, objective-based (e.g. "reach the payroll database") | Contract, often with only a few "trusted agents" aware |
| Bug bounty | Crowdsourced vulnerability discovery, paid per valid finding | Defined by a public program policy and safe-harbor terms | Standing authorization within the published scope |
| Criminal intrusion | Personal gain, disruption, or espionage | None | None — this is the crime |
A red team also differs from a pentest in what it measures: a pentest asks "what is vulnerable?"; a red team asks "would we even notice, and how fast could we respond?" The blue team defends, and when the two work together in a tight feedback loop it is called purple teaming.
05 Rules of engagement, and the law that binds them
Legitimate offensive work begins with paperwork, not payloads. Before a single packet is sent, professionals agree on rules of engagement (RoE): which IP ranges and domains are in scope, which are explicitly off-limits, what times testing may run, which techniques are prohibited (denial-of-service and social engineering are often carved out), and who to call if something breaks or if a real breach is discovered mid-test.
The written authorization — signed by someone who actually owns the systems — is the load-bearing document. Physical red teamers famously carry a "get-out-of-jail letter" naming the client contact, precisely because being caught is a success condition, and they need to prove they were hired.
The law is still being defined. In Van Buren v. United States (2021), the Supreme Court narrowed the CFAA's "exceeds authorized access" clause, ruling that misusing data you are otherwise permitted to access is not automatically a federal crime. That mattered enormously for researchers, but the core prohibition — accessing systems you have no right to — stands firmly. When you find a flaw in the wild, the ethical path is coordinated disclosure: report it privately, give the owner reasonable time to fix it, and never exploit it for gain.
⌘ Field Glossary
- Cyber Kill Chain
- Lockheed Martin's 2011 seven-stage model of a targeted intrusion, from Reconnaissance to Actions on Objectives, used to plan disruption at each stage.
- MITRE ATT&CK
- A publicly maintained knowledge base of real adversary tactics and techniques, organized as a matrix with stable IDs, used as a shared language across offense and defense.
- Tactic vs. technique
- In ATT&CK, a tactic is the adversary's goal (the why, e.g. Persistence) and a technique is the specific method used to achieve it (the how, e.g. a scheduled task).
- Rules of engagement (RoE)
- The agreed constraints on an authorized security test: scope, timing, prohibited techniques, and emergency contacts.
- Purple teaming
- A collaborative exercise where the offensive red team and defensive blue team share findings in real time to improve detection and response together.
- CFAA
- The U.S. Computer Fraud and Abuse Act (1986), the primary federal statute criminalizing unauthorized access to computer systems.
- Coordinated disclosure
- Responsibly reporting a discovered vulnerability privately to the owner and allowing time to remediate before any public detail is released.
Knowledge Check
Field Assessment
01 Why do defenders value catching an adversary early in the Cyber Kill Chain?
02 What primarily distinguishes an authorized penetration test from a criminal intrusion?
03 In MITRE ATT&CK, what is the relationship between a tactic and a technique?