The Kroll Intrusion Lifecycle, developed by Kroll forensics experts, provides a single framework to help organisations understand and anticipate different types of cyber threats.
In this blog post, we provide a brief overview of the lifecycle and how it enables organisations to enhance their security approach.
A visual timeline for better decision making
Across the thousands of cyber incidents investigated by our team every year, we are constantly working to identify established patterns of threat actor activity and discover new ones. While observing attack patterns, we discovered that threat actors like repeatability. This means that certain actors can be predictable not only in how they attack but also in the tools and tactics they use once they gain access.
Our unique vantage point has allowed us to discern clear and distinct stages relating to the common progress of attacker behaviour, processes and intrusion steps. In response, we have distilled the knowledge and experience from our thousands of investigations and developed a standardised approach to quantify the behavioural elements of the lifecycle from the beginning to the end.
Each intrusion threat stage specified
The Kroll Intrusion Lifecycle specifies each stage of the intrusion threat sequence in simple terms, presented in a visual, step-by-step behavioural model, which covers six key stages from external victim scouting to mission execution.
The framework functions as both an overview and a visual timeline to enable greater insight and support better informed security decision-making. It was also designed to allow for overlay and cross-compatibility with existing frameworks, such as MITRE ATT&CK®.
The lifecycle model explains and visually illustrates adversarial actions, regardless of whether the attacker is a lone wolf, an organised crime group or a nation-state-sponsored advanced persistent threat (APT) group. In a similar way, it applies to all types of attacker missions, from a business email compromise, to a network intrusion resulting in ransomware, to an insider threat.