In the cyber kill chain, which stage directly follows exploitation?

Exploitation opens the door by abusing a vulnerability to run code on the target. Immediately after, installation is the stage where the attacker drops malware, installs backdoors or other tools, and sets up persistence so they have a stable foothold. This is necessary to maintain access beyond the initial exploit and to enable ongoing control, data exfiltration, or further tool use. By installing components, the attacker ensures the malware runs automatically, can survive reboots, and can communicate with the attacker's infrastructure through a command-and-control channel. After installation, the attacker moves to establish C2 and then carry out the intended objective. Stages earlier than exploitation are about getting the exploit to the target, while stages after installation handle control and goal achievement.