Installation

During the installation phase, the attacker has two aims: to establish persistence and/or a foothold in the targeted system. In the castle example, persistence can be seen as a way of holding the tunnel open. The attackers may put in support beams and reinforce the tunnel walls, or may seek to open the tunnel up so that bigger and better equipment can be conveyed to the inside of the walls. Similarly, they may use this phase to better camouflage the tunnel. Upon establishing a foothold inside the castle, they might move troops and equipment through the tunnel and hide them among the local population for a later assault.

Establishing a foothold can have different meanings, depending on who is asked. It is often assumed that establishing a foothold is the same as establishing persistence of the exploit. This is not necessarily true: once an attacker has tools inside the wall, the initial exploit can be detected, closed, and patched by the defenders without affecting the attacker at all. Going back to the castle example, with a small band of attackers inside, what is preventing them from opening the gates from the inside? The original exploit is not always required after the initial break-in.

The principal aim of the incident management team during this phase is to reduce the time taken to identify, contain, and eradicate the breach, and to remediate any after-effects. Estimates of the time between exploitation and discovery vary, but three months is considered a conservative figure. This is plenty of time for an adversary to accomplish the remaining phases of the kill chain. In fact, it may even be enough for the adversary to loop back through the phases, finding new vulnerabilities from within the network and exploiting those too.
