Attack Lifecycle

An attack lifecycle is the sequence of phases that cybercriminals typically follow when conducting a cyberattack, from initial planning through execution to post-attack activities.

This framework helps cybersecurity professionals understand how attacks unfold and where defensive measures can be most effective.

The typical attack lifecycle includes several key stages: reconnaissance, where attackers gather information about their target; initial access, involving the breach of perimeter defenses; establishment of persistence to maintain access; privilege escalation to gain higher-level permissions; lateral movement through the network; data collection and exfiltration; and finally, covering tracks to avoid detection. Some models also include weaponization and delivery phases.

Understanding the attack lifecycle enables organizations to implement layered security strategies that address each phase. For example, threat intelligence can counter reconnaissance, endpoint protection can prevent initial access, and user behavior analytics can detect lateral movement. By mapping defensive controls to each lifecycle stage, security teams can identify gaps in their protection and prioritize investments. This approach, often called "defense in depth," recognizes that no single security measure is foolproof, but multiple controls across the attack lifecycle can significantly reduce the likelihood of successful breaches.