The Offensive Lifecycle — Planning to Objective

6-8 hours · Module 1 · Free
What you already know

You know the Cyber Kill Chain's seven stages and ATT&CK's fourteen-tactic matrix. You've mapped alerts to both frameworks during triage. This section presents the offensive lifecycle from the attacker's operational perspective: not a classification system for categorizing what already happened, but the decision sequence the attacker follows in real time. The Kill Chain tells you what the attacker did. The lifecycle tells you why they did it in that order and what they'll do next.

Scenario

An incident responder finds a Cobalt Strike beacon on a workstation. It has been active for 72 hours. The responder isolates the endpoint. The next morning, a second beacon appears on a different workstation. The attacker had already moved laterally before containment. The responder treated the beacon as the problem. The attacker treated it as one step in a lifecycle that continued after the first endpoint was lost. The gap between these two perspectives is the gap between technique-level response and campaign-level response.

Why existing frameworks are not enough

The Lockheed Martin Cyber Kill Chain, published in 2011, describes seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives. The model was a significant advance when it was introduced. It gave defenders a shared vocabulary for describing how intrusions progress. But it was designed around a specific attack pattern: an external adversary delivering malware to a target network via a staged payload. The Kill Chain assumes a linear progression where each stage must succeed before the next begins.

Modern campaigns rarely follow that pattern. Cloud-native attacks skip the Delivery and Exploitation stages entirely by compromising an identity through credential phishing and operating through legitimate APIs. Supply chain attacks like SolarWinds compromise a trusted vendor and arrive as a legitimate software update, bypassing the weaponization-delivery-exploitation sequence. Insider threats start at a post-compromise position with no initial access event at all. The Kill Chain's linear model doesn't accommodate these paths.

ATT&CK solved part of this problem by replacing the Kill Chain's seven linear stages with fourteen tactics and hundreds of techniques. ATT&CK is not a lifecycle model. It is a classification system. It tells you that an attacker used T1566.001 (Spearphishing Attachment) for Initial Access and T1003.001 (LSASS Memory) for Credential Access, but it does not explain the decision that connected those two techniques. It doesn't capture why the attacker chose LSASS dumping over Kerberoasting, or why they attempted lateral movement to the domain controller before moving to the file server.

Paul Pols addressed this with the Unified Kill Chain in 2017, organizing 18 phases into three strategic cycles: In (gaining access), Through (expanding access), and Out (completing objectives). The UKC's key insight is that attacks are iterative. An attacker who fails at one phase loops back to an earlier phase rather than abandoning the campaign. The UKC also makes the distinction between initial foothold and network propagation explicit, filling the Kill Chain's most significant blind spot.

This course builds on the UKC's iterative model but frames each phase from the attacker's operational decision perspective. The question is not "what phase is this?" but "what decision did the attacker make, and what constrained that decision?"

The six phases of the offensive lifecycle

The offensive lifecycle organizes attacker operations into six decision phases. Each phase produces a specific output that the next phase consumes. The phases are not rigid stages. They overlap, repeat, and branch. But the decision logic flows in one direction: from objective to execution.

[Figure 1.1: six phase boxes in sequence: Phase 1 Target Selection, Phase 2 Reconnaissance, Phase 3 Infrastructure Build, Phase 4 Initial Access, Phase 5 Post-Exploitation (M5-M8), Phase 6 Objective Execution. Telemetry availability by phase: no telemetry, passive signals, external signals, first telemetry, full telemetry, damage control. Decision chain: Target → Intel → Infrastructure → Foothold → Position → Objective achieved. Iteration: failure at any phase loops back to an earlier phase. Phase 5 is the highest-value detection window: most telemetry, most attacker exposure, most time to respond.]

Figure 1.1 — The offensive lifecycle as a decision chain. Each phase produces an output the next phase consumes. Iteration loops (dashed) show how attackers adapt when a phase fails.

Phase 1: Target selection

The attacker decides who to attack. You have no telemetry for this phase. A ransomware crew selects targets based on estimated revenue: the ransom payment is sized to what the victim can afford. An espionage operator selects targets based on intelligence requirements. An access broker selects targets based on exploitable attack surface and resale value. The selection criteria predict campaign characteristics. An organization targeted for ransomware will see fast operations compressed into days. An organization targeted for espionage will see patient operations stretched across months. Section 1.2 covers target selection in depth.

Phase 2: Reconnaissance

The attacker builds intelligence about your environment. Most reconnaissance is passive and produces no telemetry you can detect: OSINT collection, LinkedIn profiling, DNS enumeration, technology fingerprinting from publicly visible headers and certificates. Active reconnaissance (port scanning, directory brute-forcing, credential spraying against exposed login pages) generates telemetry, but it is difficult to distinguish from the background scanning noise that every internet-facing service receives. The defensive value of understanding reconnaissance is not in detecting it directly. It is in understanding what the attacker now knows about you. If your LinkedIn profiles reveal your security stack, the attacker knows what to evade. Sections 1.5 and 1.6 cover passive and active reconnaissance.

Phase 3: Infrastructure build

Before the first phishing email is sent, the attacker builds the operational infrastructure: C2 servers, redirectors, phishing domains, payload hosting, exfiltration channels. Domain registration, certificate provisioning, and redirector testing can take days to weeks. This is the pre-attack detection window. Certificate transparency logs show new certificates issued for typosquatting domains. Passive DNS services show domain-to-IP mappings for recently registered domains resolving to cloud hosting ranges. Organizations that monitor these external signals can detect campaigns before the first email arrives. Module 2 covers infrastructure in depth.
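A small triage routine for the certificate-transparency signal described above, added here as example code (not part of the course material). It assumes a defender-owned domain and a constructed batch of certificate subject names such as a CT-log monitor would deliver, and flags names that look like brand impersonation or typosquats.

```python
from difflib import SequenceMatcher

# Example code added here, not from the course. Assumptions: the defender's
# own domain, and a constructed batch of subject names as a CT-log monitor
# might deliver them after new certificates are issued.
OWN_DOMAINS = {"examplecorp.com"}
CT_BATCH = [
    "login.examplecorp.com",            # our own subdomain: benign
    "examplecorp-sso.com",              # brand embedded in a new domain
    "exampIecorp.com",                  # capital I standing in for lowercase l
    "examplec0rp.net",                  # digit zero for o, plus TLD swap
    "examplecrop.com",                  # transposition
    "examplecorp.com.login-portal.net", # our domain as a subdomain label
    "mail.unrelated-site.org",          # background noise
]


def normalize(label):
    """Fold common look-alike characters before lowercasing (I->l, 0->o, 1->l)."""
    return label.translate(str.maketrans("I01", "lol")).lower()


def registrable(name):
    """Last two labels; assumption: multi-label public suffixes are not handled."""
    return ".".join(name.lstrip("*.").split(".")[-2:])


def triage(name, own_domains=OWN_DOMAINS):
    """Reasons a newly issued certificate name resembles one of our domains."""
    reg = registrable(name)
    if reg.lower() in own_domains:
        return []
    norm_sld = normalize(reg.split(".")[0])
    reasons = []
    for own in own_domains:
        brand = own.split(".")[0]
        if norm_sld == brand:
            reasons.append(f"look-alike of {own}: {reg}")
        elif brand in norm_sld:
            reasons.append(f"brand embedded in {reg}")
        elif SequenceMatcher(None, norm_sld, brand).ratio() >= 0.8:
            reasons.append(f"near-match to {brand}: {reg}")
        if own in name.lower() and not name.lower().endswith("." + own):
            reasons.append(f"{own} used as a subdomain label of {reg}")
    return reasons


def scan(batch):
    """Map each flagged name to its reasons; unflagged names are dropped."""
    return {n: r for n in batch if (r := triage(n))}
```

Flagged names are candidates for pre-attack monitoring, not proof of a campaign; a human still checks who registered the domain and whether it resolves to hosting the organization does not use.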

Phase 4: Initial access

The attacker makes first contact with your environment. This is your first definitive internal telemetry. The access method reveals information about the attacker: AiTM phishing against a well-defended M365 tenant indicates a sophisticated operator who did thorough reconnaissance. Password spraying against an exposed VPN concentrator indicates an opportunistic one. What ATT&CK doesn't capture is the decision process behind the technique selection. The attacker chose this method because reconnaissance showed it was the path of least resistance given the target's defenses. Module 4 covers initial access.

Phase 5: Post-exploitation

Everything between initial access and objective execution. Discovery, persistence, privilege escalation, credential harvesting, lateral movement, defense evasion. In ATT&CK terms, this spans eight tactics. In operational terms, it is one continuous problem: the attacker is navigating your environment toward their objective.

This is the highest-value detection window. The attacker produces the most telemetry during post-exploitation because every action touches your infrastructure: process creation events from discovery commands, authentication logs from credential operations, network connections from lateral movement, registry modifications from persistence installation. It is also the phase where defenders have the most time to respond. M-Trends 2026 reports a global median dwell time of 14 days, and the majority of that time is spent in post-exploitation as the attacker discovers the environment, harvests credentials, moves laterally, and positions for objective execution.

Post-exploitation is also where the attacker is most careful. They know this phase generates the most evidence. Sophisticated operators space out their actions, operate during business hours to blend with legitimate activity, use living-off-the-land techniques to avoid dropping files, and clear evidence after each step. The operational security decisions the attacker makes during Phase 5 are covered in Section 1.4 and Module 8. Modules 5 through 8 cover post-exploitation techniques in detail.

Phase 6: Objective execution

The attacker achieves their goal: ransomware deployment, data exfiltration, espionage collection, or destructive operations. Detection at this phase limits damage but does not prevent it. Different objectives produce different telemetry profiles. Ransomware is fast, loud, and unmistakable. Data exfiltration can be quiet, particularly when the attacker uses legitimate cloud storage services as the exfiltration channel. Espionage is often invisible until a separate investigation uncovers it months later. Module 9 covers objective execution.

How to read an incident through the lifecycle

When you investigate an incident, annotating each attacker action with its lifecycle phase transforms a chronological timeline into a decision map. You can see where the attacker made choices, where they adapted, and which phases your detection covered.

Analyst Decision

Exercise: Take a completed investigation timeline from your environment or a published incident report (Mandiant M-Trends case studies, Microsoft DART blog, CrowdStrike case studies). Annotate each attacker action with its lifecycle phase (1 through 6). Calculate the dwell time: first attacker action to first detection. Identify which phases your detection covered and which it missed.

What to look for: Most events will cluster in Phase 5. Count how many Phase 5 activities (discovery, credential access, lateral movement, persistence, evasion) appear in the timeline. If the timeline jumps from Phase 4 directly to Phase 6 with few Phase 5 entries, it means either the attacker operated very quickly or the investigation missed post-exploitation activity.

Iteration check: Look for any point where the attacker failed and tried a different approach. A locked account followed by a different access vector days later. A blocked lateral movement attempt followed by credential harvesting using a different technique. Each iteration is a loop in the lifecycle. If you find iterations, the attacker is specifically targeting your organization, not scanning opportunistically.

The lifecycle is iterative, not linear

Real campaigns loop. The attacker attempts initial access and fails, so they return to reconnaissance. They move laterally and encounter a locked system, so they go back to credential operations. They begin objective execution and trigger an alert, so they retreat to a persistence mechanism and wait days before trying again.

Timeline
Day 1  08:14 UTC   Phase 4   Spearphishing email delivered to finance team
Day 1  08:22 UTC   Phase 4   User clicks link, AiTM proxy captures session token
Day 1  08:24 UTC   Phase 5   Attacker authenticates to M365 using stolen token
Day 1  08:31 UTC   Phase 5   Mailbox search: "wire transfer" "bank details" "payment"
Day 1  09:15 UTC   Phase 5   Inbox rule created: move emails from IT-Security to RSS Feeds
Day 1  14:40 UTC   Phase 5   OAuth app consent grant: Mail.ReadWrite, Files.Read.All
Day 2  02:10 UTC   Phase 5   Credential spray against on-prem AD from compromised account
Day 2  02:14 UTC   Phase 5   FAILED — account locked after 5 attempts
Day 2  02:14 UTC   [LOOP]    Attacker returns to Phase 2 (reconnaissance)
Day 3  11:00 UTC   Phase 2   LinkedIn research: IT admin names, VPN vendor identified
Day 3  16:30 UTC   Phase 4   Voice phishing call to help desk, password reset for admin
Day 3  16:45 UTC   Phase 5   Admin account authenticated, MFA bypass via social engineering
Day 4  01:20 UTC   Phase 5   Lateral movement to file server via RDP
Day 4  03:45 UTC   Phase 6   Data staging: 3.2 GB compressed to C:\Windows\Temp\
Day 4  04:10 UTC   Phase 6   Exfiltration via HTTPS to cloud storage endpoint

The iteration at Day 2 is the pattern that matters for defenders. The credential spray failed, so the attacker looped back to reconnaissance and found a different path. A SOC that treats the locked account as a resolved event misses the loop. The account lockout on Day 2 and the voice phishing call on Day 3 are the same campaign. Retrospective alert correlation (Section 0.1) connects them.
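The analyst exercise above (annotate, compute dwell time, count Phase 5 events, find iterations) applied to the timeline above, as example code added here rather than course material. The timeline is re-typed as constructed input in a simple "Day N  HH:MM UTC   Phase N   description" layout; the detection point is an assumption (the exfiltration event), since the page does not state when this intrusion was detected.

```python
import re
from datetime import timedelta

# Constructed input: the page's annotated timeline, re-typed. One line per
# event: "Day N  HH:MM UTC   Phase N | [LOOP]   description".
TIMELINE = r"""
Day 1  08:14 UTC   Phase 4   Spearphishing email delivered to finance team
Day 1  08:24 UTC   Phase 5   Attacker authenticates to M365 using stolen token
Day 1  09:15 UTC   Phase 5   Inbox rule created: move emails from IT-Security to RSS Feeds
Day 2  02:10 UTC   Phase 5   Credential spray against on-prem AD from compromised account
Day 2  02:14 UTC   Phase 5   FAILED - account locked after 5 attempts
Day 2  02:14 UTC   [LOOP]    Attacker returns to Phase 2 (reconnaissance)
Day 3  11:00 UTC   Phase 2   LinkedIn research: IT admin names, VPN vendor identified
Day 3  16:30 UTC   Phase 4   Voice phishing call to help desk, password reset for admin
Day 4  01:20 UTC   Phase 5   Lateral movement to file server via RDP
Day 4  03:45 UTC   Phase 6   Data staging: 3.2 GB compressed to C:\Windows\Temp\
Day 4  04:10 UTC   Phase 6   Exfiltration via HTTPS to cloud storage endpoint
"""

LINE = re.compile(r"Day (\d+)\s+(\d\d):(\d\d) UTC\s+(?:Phase (\d)|\[LOOP\])\s+(.*)")


def parse(text):
    """Return (offset_from_day1, phase_or_None, description) per event."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            day, hh, mm, phase, desc = m.groups()
            t = timedelta(days=int(day) - 1, hours=int(hh), minutes=int(mm))
            events.append((t, int(phase) if phase else None, desc.strip()))
    return events


def summarize(events, detected_at):
    """Dwell time, Phase 5 event count, phases with no evidence, and
    iteration loops (phase number dropping between consecutive events)."""
    phased = [e for e in events if e[1] is not None]
    loops = [(p0, p1, d0) for (_, p0, d0), (_, p1, _) in zip(phased, phased[1:]) if p1 < p0]
    return {
        "dwell": detected_at - events[0][0],
        "phase5_events": sum(1 for _, p, _ in phased if p == 5),
        "phases_without_evidence": sorted({1, 2, 3, 4, 5, 6} - {p for _, p, _ in phased}),
        "loops": loops,
    }


# Assumed detection point (constructed): the exfiltration on Day 4 04:10.
SUMMARY = summarize(parse(TIMELINE), timedelta(days=3, hours=4, minutes=10))
```

Phases 1 and 3 show up as having no evidence, which matches the telemetry availability in Figure 1.1, and the single loop is the Day 2 lockout that the text calls out.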

M-Trends 2026 documented that the median handoff time between initial access brokers and secondary operators collapsed from over 8 hours in 2022 to 22 seconds in 2025. Initial access partners now pre-stage the secondary group's malware during the initial infection. This compression means the transition from Phase 4 to Phase 5 happens almost instantaneously in brokered operations. By the time you detect the initial access, post-exploitation has already begun.

Dwell time and the detection window

The time the attacker spends in your environment before detection determines how much damage they can do. Global median dwell time was 14 days in M-Trends 2026, up slightly from 11 days in the prior year, driven by long-running espionage intrusions. Ransomware dwell times have compressed in the opposite direction: Sophos reports a median of 5 days from initial access to ransomware deployment in 2025, down from 9 days in 2022. Some ransomware affiliates deploy within 24 hours of initial access. CrowdStrike measured a median eCrime breakout time (time to first lateral movement) of 62 minutes, with the fastest observed at 2 minutes and 7 seconds.

The implication for defenders: Phase 5 is where you have the most telemetry and the most time. But "the most time" is shrinking. If ransomware operators are deploying within 5 days and your SOC takes 14 days to detect, the attacker finishes before you start.

The beacon is the problem

Incident responders find a C2 beacon and isolate the endpoint. Investigation closed. The beacon was one foothold in a campaign that already established persistence on three other systems. The responder treated a Phase 5 artifact as the entire attack. The attacker treated endpoint loss as a setback, activated a backup persistence mechanism, and continued the campaign from a different host. Containment that addresses one lifecycle phase without assessing the others addresses a symptom.

Offensive Operations Principle

Attackers operate in a decision chain where each phase produces the input for the next. The lifecycle is iterative: failure at any phase loops back to an earlier one rather than ending the campaign. Containment that addresses one phase without assessing the full lifecycle addresses a symptom. The beacon is not the attack. The lifecycle is the attack.

Next
Section 1.2: Target Selection and Objective Mapping. You've seen the full lifecycle and how phases connect through a decision chain. Section 1.2 zooms into Phase 1: how attackers choose targets, how the objective (financial, intelligence, disruption, access brokerage) determines every downstream decision, and what the selection criteria reveal about the campaign you're about to face.