gouravnagar-infosec/ai-kill-chain — explained in plain English
Analysis updated 2026-05-18
Reference AI-specific attack stages when building SOC detection rules
Compare this kill chain view against MITRE ATLAS and the OWASP LLM Top 10
Study worked case studies of AI supply chain and prompt injection attacks
| gouravnagar-infosec/ai-kill-chain | 28998306/magicalcanvas | aaaa-zhen/siri-glsl | |
|---|---|---|---|
| Stars | 36 | 36 | 36 |
| Language | — | TypeScript | HTML |
| Setup difficulty | easy | moderate | easy |
| Complexity | 1/5 | 3/5 | 2/5 |
| Audience | researcher | general | designer |
Figures from each repo's GitHub metadata at analysis time.
It is a documentation framework, not software, no installation involved.
This repository is a written framework, not a piece of software. It is a defender focused update to the Lockheed Martin Cyber Kill Chain, the seven stage model that security teams have used since 2011 to describe how a network intrusion unfolds. The author, Gourav Nagar, argues that the original model does not cover modern attacks against large language models and AI agents, and proposes an extended version that adds new stages and sub techniques for those cases. The framework makes three additions to the original seven stages. It adds a new pre attack stage called Stage 0, Model Supply Chain Compromise, which describes adversary activity against the AI supply chain itself, such as poisoned training datasets or tampered pre trained models published to public registries. It adds AI specific sub techniques inside each of the original seven stages, each tagged with an EKC identifier so SOC playbooks and detection rules can reference them. And it splits the final stage, Actions on Objectives, into three peer sub stages: classical data exfiltration, model extraction, and agentic pivot. The README explains why the original model needs an update. Attacks now have a pre network stage that a kill chain starting at Reconnaissance has nowhere to place. Large language models cannot reliably separate instructions from content, so Delivery and Exploitation collapse into indirect prompt injection. Model weights, fine tuning data, and system prompts are themselves targets, which means the term data exfiltration is too narrow. And AI agents with tool access can pivot through legitimate permissions instead of using classical lateral movement techniques. The document positions itself relative to other industry references. It is not meant to replace MITRE ATLAS or the OWASP LLM Top 10. ATLAS, in its current version, is a matrix with sixteen tactics and over eighty techniques. OWASP gives a list of risk categories for application builders. The author argues that neither is shaped like a kill chain, and that defenders who already think in stage by stage disruption logic need a kill chain shaped view of the same threat surface. The table of contents shows what else is inside: a stage by stage specification, a section relating the framework to ATLAS, OWASP, and the NIST AI Risk Management Framework, worked case studies, detection and mitigation guidance, an originality statement, citation instructions, and references. License is CC BY 4.0. The full README is longer than what was shown.
A written framework that extends the classic Cyber Kill Chain model to cover attacks against large language models and AI agents.
Setup difficulty is rated easy, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.