Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

Operationalizing Mandiant's Attack Lifecycle, the Kill Chain, Mitre's ATT&CK, and the Diamond Model with Practical Examples

  • What: Guide on operationalizing cybersecurity frameworks
  • Impact: Helps security professionals align attack lifecycle models with real-world operations

When I was first getting started in cybersecurity, MITRE's ATT&CK had only just launched and wasn't widely known. I'd always thought the Diamond Model and Kill Chain were academic ways of thinking about attacks, not frameworks you could actually align operations to. That changed over time. Working with mentors like Brandon Poole, being part of organizations with strong threat intelligence programs, earning the GCTI, and reading Intelligence-Driven Incident Response [1] all shifted my understanding. I work with each framework actively now, nearly every day.

Something that really made them click for me was getting a visual understanding of how they fit together. I'm a very visual person, and once I could see the relationships mapped out, the operational value became obvious. So I thought I'd write a guide showing how you can apply them in practice. I'm going to assume you're familiar with the basics of each framework individually. I'll cover them briefly as a refresher before getting into the real focus: how to layer the Diamond Model with ATT&CK and the Kill Chain into something you can actually use.

The Targeted Attack Lifecycle

Mandiant's Targeted Attack Lifecycle [2] grew out of the same lineage as Lockheed Martin's Kill Chain, but it better reflects how intrusions actually unfold. The key difference is the loop. After an attacker establishes a foothold, the cycle of escalating privileges, internal reconnaissance, lateral movement, and maintaining presence repeats until the adversary completes their mission or gets caught.

That loop matches what I see in real investigations. When an alert fires, my first question is always "where am I in this cycle?" The answer isn't always obvious, but it narrows what to look for next, and I keep working through the loop, following the evidence until I can confirm or rule out a true positive. It's the framework I reach for during an active investigation.
For looking at an intrusion retroactively, start to finish, I actually prefer the classic Kill Chain, which is where we'll go next.

[Figure: Targeted Attack Lifecycle. Eight phases of the Mandiant Targeted Attack Lifecycle: six phases along a horizontal arrow, two in an iterative loop above. Example activities per phase, as labelled in the diagram:]
  • Initial recon: OSINT gathering, Network recon, Remote access ID, Social engineering
  • Initial compromise: Internet-based attack, Service provider abuse, Insider threat
  • Establish foothold: Backdoors, Remote access subversion
  • Escalate privileges (loop): Credential harvesting, Password cracking, Pass-the-Hash attack
  • Internal recon (loop): Critical system ID, System enumeration, Account enumeration
  • Move laterally (loop): Command and control, Remote command execution, Remote administration
  • Maintain presence (loop): Account abuse, Remote access subversion
  • Complete mission: Data staging, Data exfiltration, Data modification, Data destruction
Adapted from Mandiant, Targeted Attack Lifecycle, M-Trends Annual Threat Report.

The Kill Chain & MITRE ATT&CK

The Kill Chain and ATT&CK cover a lot of the same ground. ATT&CK's tactics map roughly to Kill Chain phases, and both describe the progression of an intrusion from initial access through to the adversary's end goal. Where they differ is in granularity and in how each can be used. Let's get a little more granular in both.

[Figure: Cyber Kill Chain × MITRE ATT&CK Tactics. Seven phases of the Lockheed Martin Cyber Kill Chain mapped to MITRE ATT&CK Enterprise tactics: Reconnaissance to TA0043; Weaponization to TA0042 Resource Development; Delivery to TA0001 Initial Access; Exploitation to TA0002 Execution, TA0004 Privilege Escalation and TA0005 Defense Evasion; Installation to TA0003 Persistence and TA0005 Defense Evasion; Command and Control to TA0011; Actions on Objectives to TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0010 Exfiltration and TA0040 Impact.]
Cyber Kill Chain phase, worked intrusion example, and the MITRE ATT&CK tactics it maps to:
  1. Reconnaissance: Harvest employee names, roles, and emails from LinkedIn. ATT&CK: TA0043 Reconnaissance
  2. Weaponization: Pair Cobalt Strike beacon with macro-enabled document. ATT&CK: TA0042 Resource Development
  3. Delivery: Spearphish email targeting HR with weaponized resume. ATT&CK: TA0001 Initial Access
  4. Exploitation: CVE-2024-21412 (Windows SmartScreen bypass via URL). ATT&CK: TA0002 Execution, TA0004 Privilege Escalation, TA0005 Defense Evasion
  5. Installation: DLL sideloading persists beacon through signed binary. ATT&CK: TA0003 Persistence, TA0005 Defense Evasion
  6. Command & Control: HTTPS C2 beaconing over Cloudflare-fronted domain. ATT&CK: TA0011 Command and Control
  7. Actions on Objectives: Exfiltrate sensitive documents through DNS tunneling. ATT&CK: TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0010 Exfiltration, TA0040 Impact
Adapted from Hutchins, Cloppert & Amin, Intelligence-Driven Computer Network Defense (2011) · MITRE ATT&CK® Enterprise v16.

The Kill Chain

Where the Attack Lifecycle is my go-to during an acti...
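The phase-to-tactic table above is easy to read once, but the operational question from the earlier section ("where am I in this cycle, and what should I look for next?") is what you actually want answered when alerts arrive tagged with ATT&CK tactic IDs. The following is an added example, not code from the article or its author: a small triage helper that takes ATT&CK-tagged alerts, places them on the Kill Chain using the mapping from the table (including TA0005 sitting under two phases), reports the furthest phase reached and the earlier phases with no evidence yet, and flags whether the Attack Lifecycle's loop stages have been seen. The loop and mission tactic sets and the sample alerts are assumptions constructed for this example; the article does not give that mapping.

```python
"""Triage helper: place ATT&CK-tagged alerts on the Kill Chain and the
Targeted Attack Lifecycle loop. Added example, not from the article."""
from collections import defaultdict

# Kill Chain phases in order, each with the ATT&CK Enterprise tactics the
# article's table maps to it. TA0005 appears under both phases 4 and 5.
KILL_CHAIN = [
    ("Reconnaissance", {"TA0043"}),
    ("Weaponization", {"TA0042"}),
    ("Delivery", {"TA0001"}),
    ("Exploitation", {"TA0002", "TA0004", "TA0005"}),
    ("Installation", {"TA0003", "TA0005"}),
    ("Command and Control", {"TA0011"}),
    ("Actions on Objectives",
     {"TA0006", "TA0007", "TA0008", "TA0009", "TA0010", "TA0040"}),
]

# Assumed mapping of the Attack Lifecycle's repeating loop onto tactics.
# This is an assumption made for the example, not a mapping from the article.
LOOP_TACTICS = {"TA0004": "Escalate privileges", "TA0007": "Internal recon",
                "TA0008": "Move laterally", "TA0003": "Maintain presence"}
MISSION_TACTICS = {"TA0009", "TA0010", "TA0040"}  # "Complete mission" (assumed)


def phases_for(tactic):
    """Return the Kill Chain phase names a tactic ID maps to ([] if unknown)."""
    return [name for name, tactics in KILL_CHAIN if tactic in tactics]


def triage(alerts):
    """alerts: iterable of (host, tactic_id) pairs.

    Returns a summary of where the intrusion sits on the Kill Chain, which
    earlier phases still lack evidence (the gaps to hunt for next), and
    whether any of the lifecycle's loop stages have been observed.
    """
    evidence = defaultdict(list)  # phase name -> hosts with evidence
    unknown = []                  # tactic IDs we could not place
    loop_hits, mission = [], False
    for host, tactic in alerts:
        matched = phases_for(tactic)
        if not matched:
            unknown.append(tactic)  # surface bad tags instead of dropping them
            continue
        for phase in matched:
            evidence[phase].append(host)
        if tactic in LOOP_TACTICS:
            loop_hits.append(LOOP_TACTICS[tactic])
        if tactic in MISSION_TACTICS:
            mission = True

    order = [name for name, _ in KILL_CHAIN]
    seen = [p for p in order if p in evidence]
    furthest = seen[-1] if seen else None
    # Phases before the furthest one with no evidence: where to look next.
    gaps = ([p for p in order[:order.index(furthest)] if p not in evidence]
            if furthest else [])
    return {
        "furthest_phase": furthest,
        "gaps": gaps,
        "loop_active": bool(loop_hits),
        "loop_stages": sorted(set(loop_hits)),
        "mission_observed": mission,
        "hosts": {p: sorted(set(h)) for p, h in evidence.items()},
        "unknown_tactics": unknown,
    }


# Constructed sample alerts (not real telemetry): (host, ATT&CK tactic ID).
SAMPLE_ALERTS = [
    ("ws-hr-07", "TA0001"),  # phishing email delivered
    ("ws-hr-07", "TA0002"),  # macro executed
    ("ws-hr-07", "TA0011"),  # beaconing observed
    ("ws-hr-07", "TA0007"),  # directory enumeration
    ("fs-01", "TA0008"),     # lateral movement onto a file server
    ("fs-01", "TA9999"),     # malformed tactic ID from a misconfigured rule
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

On the constructed alerts the furthest phase is Actions on Objectives, the gaps are Reconnaissance, Weaponization and Installation (no persistence evidence yet, which is worth checking before concluding the beacon is gone), two loop stages are active, and the malformed tactic ID is reported rather than silently discarded.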
