Field Notes · Kill Chain Dynamics
How attackers move.
Every ribbon below is a path observed in a real cloud incident — an attacker
crossing from one MITRE tactic to the next. The widest ribbons are the routes
most travelled.
Each ribbon traces a tactic-to-tactic transition observed in the attack chain of a real incident.
Ribbon width = number of incidents making that move.
The Sankey layout requires a strict left-to-right order, so backward transitions
(where attackers revisit an earlier kill-chain stage) are shown in the "Revisits & loops" list below rather than on the diagram.
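The counting rule described above, written out as an added example (not code from the original page or its project): each incident adds at most one to a given tactic-to-tactic transition, and transitions are split into forward moves and revisits by stage order. The stage order, the incident names and chains, and the choice to ignore consecutive steps within the same tactic are all assumptions made for illustration.

```python
from collections import Counter

# Assumed left-to-right stage order. The page does not publish its ordering;
# this one puts Discovery before Privilege Escalation so that the page's own
# "discovery after privilege escalation" case counts as a revisit.
STAGE_ORDER = [
    "Initial Access", "Execution", "Discovery", "Privilege Escalation",
    "Persistence", "Credential Access", "Lateral Movement",
    "Collection", "Exfiltration", "Impact",
]
RANK = {tactic: i for i, tactic in enumerate(STAGE_ORDER)}

# Constructed sample chains, not data from the page's corpus.
INCIDENTS = {
    "inc-A": ["Initial Access", "Discovery", "Privilege Escalation",
              "Discovery", "Exfiltration"],
    "inc-B": ["Initial Access", "Discovery", "Privilege Escalation",
              "Exfiltration", "Persistence"],
    "inc-C": ["Initial Access", "Execution", "Discovery", "Discovery",
              "Privilege Escalation", "Discovery", "Privilege Escalation"],
}

def transition_counts(incidents, rank=RANK):
    """Return (forward, backward) Counters keyed by (src, dst).

    Width is the number of incidents making the move, so a transition
    repeated inside one chain is counted once for that incident.
    """
    forward, backward = Counter(), Counter()
    for chain in incidents.values():
        unknown = [t for t in chain if t not in rank]
        if unknown:
            raise ValueError(f"tactic not in stage order: {unknown}")
        # Set de-duplicates per incident; same-tactic steps are not moves.
        moves = {(a, b) for a, b in zip(chain, chain[1:]) if a != b}
        for src, dst in moves:
            (forward if rank[src] < rank[dst] else backward)[(src, dst)] += 1
    return forward, backward

def top(counter, n=10):
    """The n widest transitions, ties broken by name for stable output."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    fwd, back = transition_counts(INCIDENTS)
    for title, counts in (("Forward", fwd), ("Revisits & loops", back)):
        print(title)
        for (src, dst), n in top(counts):
            print(f"  {src} -> {dst}: {n}")
```
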
Chapter Three
Where attackers go next
The ten most common forward tactic transitions in the corpus —
what attackers do as they move through the kill chain.
Chapter Four
Revisits & loops
The ten most common backward transitions — where attackers circled
back to an earlier kill-chain stage: re-running discovery after privilege
escalation, planting persistence after exfiltration, and similar revisits.