Cloud Breach Kill Chains

Real attacks. Real post-mortems. Step-by-step attack progression mapped to MITRE ATT&CK Cloud - so you can understand exactly what happened, and break the kill chain next time.

MITRE ATT&CK Cloud Mapped Full Attack Chain Per Incident Official Post-Mortems Sourced

Want to practice these techniques? Try the cloud security CTF challenges - many cover the same attack patterns (SSRF, IAM exploitation, token abuse). Unfamiliar with terms like IMDSv2, OIDC, or Golden SAML? See the cloud security glossary. For the recurring patterns across all of these chains, read Lessons From 13 Cloud Breaches, or the 2025 Cloud Breach Year in Review for the incidents that defined this past year. For broader context on threat actors and trends, browse the cloud threat research directory or the cloud security overview. The 1994 Mitnick/Novell entry below has a personal backstory - CSOH founder Shawn Nunley was Mitnick's target; see also the Kevin Mitnick - In Memoriam tribute.

Close-up of a laptop displaying cybersecurity text, emphasizing digital security themes
Photo by cottonbro studio on Pexels
Wide shot of a control room with operators working in front of large display screens
Photo by SpaceX on Pexels
Cloud breach kill chain Six stages of a typical cloud breach from initial access through impact, mapped to MITRE ATT&CK Cloud. Cloud breach kill chain - mapped to MITRE ATT&CK Cloud Initial Access Phishing, leaked key, SSRF, infostealer Execution & Persistence Run code, plant role, backdoor IAM Privilege Escalation AssumeRole abuse, policy mischief Defense Evasion Disable CloudTrail, delete logs Lateral Movement Pivot accounts, cross-tenant Exfiltration & Impact S3 dump, ransom, data destruction
Every breach below is annotated against this chain - read the cards in any order, but expect to see these stages chained together.
Cloud breach root-cause distribution Approximate share of major cloud breaches by primary root cause. Identity and configuration failures dominate; zero-days are a sliver. Where major cloud breaches actually start (approximate share) 0% 10% 20% 30% 40% Misconfiguration35% Stolen credentials30% Over-privileged IAM15% SSRF / insecure API8% Supply chain7% Insider risk5% Provider zero-day<1% Composite estimate - most real breaches chain 2-3 of these together. The kill-chains below show how.
Two takeaways: provider zero-days are vanishingly rare, and identity-adjacent failures (credentials + IAM + misconfig) account for ~80% of major incidents.

These kill chains span from 1990s social engineering through the 2025 cloud-identity era - the newest full write-up is Salesloft Drift (UNC6395), August 2025. Fast-moving 2026 incidents are tracked first in the news feed, with the recurring root causes distilled in breach lessons and the 2025 year in review; the most instructive graduate into full kill chains here.

Real cloud breaches chain three to six tactics together. Detection content should target the chains, not isolated techniques. - the lesson under every kill chain on this page