Lockheed Martin's 7-phase intrusion model. 28 representative techniques across the chain, each cross-linked to MITRE ATT&CK where applicable.
Pairs naturally with the Diamond Model: the kill chain answers where in the intrusion timeline; the diamond answers who and against what.
During reconnaissance, the attacker harvests information about the target: people, technology, infrastructure, partner networks, certificates, exposed services. Most of this is passive (OSINT) and indistinguishable from legitimate research.
Attacker goal: build a profile rich enough to pick the right initial-access vector.
Defender goal: reduce attack surface and detect targeted scanning that crosses into active recon.
LinkedIn / GitHub harvesting to identify high-value users, sysadmins, IR responders.
crt.sh / Censys / Shodan to enumerate exposed services and forgotten hosts.
Confirmed name patterns from data brokers, breach corpora, hunter.io-style services.
Lookalike domain registration, IDN homograph staging, MX setup.