Quantum machine learning (QML) systems exhibit hybrid attack surfaces—both classical and quantum-specific—yet existing studies analyze threats in isolation under unrealistic assumptions, yielding fragmented defenses. To address this, we propose the first unified kill-chain model for QML security, adapting the MITRE ATLAS framework to QML for the first time. Our model systematically characterizes multi-stage adversarial pathways across physical, algorithmic, and data layers, explicitly modeling inter-stage dependencies. Through comprehensive literature analysis and threat modeling, we map concrete attack vectors—including side-channel leakage, circuit-level backdoors, and model extraction—to each stage, establishing a fine-grained taxonomy and uncovering critical coupling mechanisms between stages. The resulting model enables rigorous reasoning about realistic threat scenarios and provides a structured theoretical foundation and scalable analytical paradigm for defense-in-depth in QML systems. (149 words)

Quantum Machine Learning (QML) systems inherit vulnerabilities from classical machine learning while introducing new attack surfaces rooted in the physical and algorithmic layers of quantum computing. Despite a growing body of research on individual attack vectors - ranging from adversarial poisoning and evasion to circuit-level backdoors, side-channel leakage, and model extraction - these threats are often analyzed in isolation, with unrealistic assumptions about attacker capabilities and system environments. This fragmentation hampers the development of effective, holistic defense strategies. In this work, we argue that QML security requires more structured modeling of the attack surface, capturing not only individual techniques but also their relationships, prerequisites, and potential impact across the QML pipeline. We propose adapting kill chain models, widely used in classical IT and cybersecurity, to the quantum machine learning context. Such models allow for structured reasoning about attacker objectives, capabilities, and possible multi-stage attack paths - spanning reconnaissance, initial access, manipulation, persistence, and exfiltration. Based on extensive literature analysis, we present a detailed taxonomy of QML attack vectors mapped to corresponding stages in a quantum-aware kill chain framework that is inspired by the MITRE ATLAS for classical machine learning. We highlight interdependencies between physical-level threats (like side-channel leakage and crosstalk faults), data and algorithm manipulation (such as poisoning or circuit backdoors), and privacy attacks (including model extraction and training data inference). This work provides a foundation for more realistic threat modeling and proactive security-in-depth design in the emerging field of quantum machine learning.