In the past, we thought of cyber-attacks in terms of recon, port scanning, enumeration, vulnerability identification and exploitation, and we had various approaches to frustrate attackers at every phase. As the cat-and-mouse game of security continued, this morphed into an endpoint compromise-focused process involving initial access, exploitation, persistence, command and control, and lateral movement inside a complex internal network. But with the remote working and SaaS revolution, the way organizations work has changed radically - so what does the cyber kill chain look like now? This talk will consider what a new SaaS cyber kill chain looks like for modern organizations that are SaaS native without an internal network and the surprising number of attacks that are possible without touching company-owned infrastructure. We'll consider topics like how the initial access stage is changing due to the availability of new beachheads, what lateral movement looks like in a world with no internal infrastructure, and how persistence methods have changed and are resilient to common containment measures such as password resets and secure device wipes. Finally, we'll consider how the open-source SaaS attacks matrix can be used by red and blue teams to help navigate this new world.