Step 1: Weaponization

What Weaponization Entails

With target intelligence in hand, attackers build or acquire their tools. This means pairing an exploit (a mechanism that takes advantage of a specific vulnerability) with a payload such as a Remote Access Trojan, ransomware, or keylogger, and packaging the pair into a carrier that the victim will open. Common weapons include malicious Office documents carrying VBA macros, PDFs with embedded JavaScript or auto-run actions, and exploits for unpatched software, including zero-days. This phase happens on attacker-controlled infrastructure rather than on the target's network, so defenders get no direct telemetry from it. Organizations counter it indirectly: consuming threat intelligence on known attacker tooling, mapping that tooling to frameworks like MITRE ATT&CK so detections for the later phases are ready, and hardening systems against the file types and vulnerabilities that are most commonly weaponized.

How Weaponization is Performed

Attackers design a malicious piece of software, typically a worm, remote access trojan, rootkit, or ransomware, around one or several vulnerabilities. The vulnerability might be a memory-safety flaw such as a buffer overflow, an injection point such as a web form whose input reaches a SQL query, or a zero-day in software the target has not patched. The exploit is then wrapped in a carrier that fits the chosen delivery method, most often an Office document with an embedded macro or a PDF with embedded JavaScript, so that a single open or click runs the payload.

How to Defend Against Weaponization

Weaponization is a preliminary stage of the cyber kill chain that does not touch the defender's hosts, so there is nothing to observe directly. What the defender can do is shape what the attacker has to work with and prepare for the phases that follow. Limiting information disclosure during reconnaissance (exposed software versions, employee details, internal hostnames) makes it harder to tailor an exploit to the environment. Patching and disabling Office macros and PDF JavaScript where they are not needed removes the most commonly weaponized carriers. Finally, consuming threat intelligence on known tooling (file hashes, YARA rules, ATT&CK software entries) lets the weapon be recognized at delivery or exploitation, which is the first point where it becomes visible.
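The two carriers named above, macro-bearing Office documents and PDFs with JavaScript or auto-run actions, can be triaged statically before they ever reach a user. The following is an added example, not code from the original page: a standard-library Python script that opens an OOXML file as the ZIP container it is and looks for a VBA project part, and scans a PDF for the name objects that make it execute something on open. The sample documents are constructed inline for the demonstration and are not real attacker files; the indicator names and the `triage_document` function are this example's own.

```python
"""Static triage of commonly weaponized documents: OOXML files carrying a VBA
project, and PDFs carrying JavaScript or an auto-run action. Stdlib only."""
import io
import re
import zipfile

# OOXML (docx/xlsx/pptx) is a ZIP. The VBA project is a binary part, and
# macro-enabled files also declare its content type in [Content_Types].xml.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

# PDF name objects that trigger execution or carry a dropped file.
PDF_INDICATORS = {
    "pdf_javascript": re.compile(rb"/(JavaScript|JS)\b"),
    "pdf_open_action": re.compile(rb"/(OpenAction|AA)\b"),
    "pdf_launch": re.compile(rb"/Launch\b"),
    "pdf_embedded_file": re.compile(rb"/EmbeddedFile\b"),
}


def triage_ooxml(data: bytes) -> list[str]:
    """Return indicator names found in an OOXML container (empty if clean)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if any(VBA_PART.match(n) for n in names):
            findings.append("ooxml_vba_project")
        # A macro-enabled document renamed to .docx still declares the VBA
        # content type, so check the manifest as well as the part name.
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            findings.append("ooxml_vba_content_type")
    return findings


def triage_pdf(data: bytes) -> list[str]:
    """Return indicator names found in a PDF by scanning its raw objects."""
    if not data.startswith(b"%PDF-"):
        return []
    return [name for name, rx in PDF_INDICATORS.items() if rx.search(data)]


def triage_document(data: bytes) -> dict:
    """Identify the carrier type by magic bytes and run the matching checks."""
    if data.startswith(b"PK\x03\x04"):
        kind, findings = "ooxml", triage_ooxml(data)
    elif data.startswith(b"%PDF-"):
        kind, findings = "pdf", triage_pdf(data)
    else:
        kind, findings = "unknown", []
    return {"type": kind, "indicators": findings, "suspicious": bool(findings)}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed OOXML container for the demo, not a real Office document."""
    ct = (b'<?xml version="1.0"?>'
          b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          b'<Override PartName="/word/document.xml" ContentType="application/vnd.'
          b'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        ct += b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
    ct += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by padding; stands in for a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


# Constructed PDF samples: one plain, one with an OpenAction that runs JavaScript.
SAMPLE_PDF_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SAMPLE_PDF_WEAPONIZED = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('payload')) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in [("clean docx", build_sample_docx(False)),
                        ("macro docx", build_sample_docx(True)),
                        ("clean pdf", SAMPLE_PDF_BENIGN),
                        ("weaponized pdf", SAMPLE_PDF_WEAPONIZED)]:
        print(f"{label:15s} -> {triage_document(blob)}")
```

The PDF check is deliberately a raw byte scan rather than a parser: weaponized PDFs routinely hide names inside compressed object streams or hex-escape them (`/J#61vaScript`), so a hit here is a strong signal while a miss is not proof of safety. Treat the output as a triage filter that decides what goes to a sandbox, not as a verdict.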