The Diamond Model of Intrusion Analysis is the threat intelligence framework that structures every malicious event around four connected vertices: adversary, capability, infrastructure and victim. Sergio Caltagirone, Andrew Pendergast and Christopher Betz formalized it in 2013, and it has since become one of the three analytical lenses that a CTI team routinely cross references. Its distinctive contribution is not describing an intrusion, but enabling pivoting: starting from a known vertex (a command and control domain, for example) to discover the other three and the relationships between events.
The essentials
- The Diamond Model describes each intrusion with four vertices: adversary, capability, infrastructure and victim.
- Every event adds six meta-features: timestamp, phase, result, direction, methodology and resources.
- Its distinctive value is pivoting: starting from a known vertex to discover the others and chain events together.
- It complements the Cyber Kill Chain (sequential phases) and the Pyramid of Pain (the cost of each indicator).
- Findings are translated into MITRE ATT&CK techniques and feed threat hunting hypotheses.
What the Diamond Model of Intrusion Analysis is
The atomic unit of the model is the event: a specific activity in which an adversary uses a capability over some infrastructure against a victim. Each event is drawn as a diamond with those four vertices at its corners. Chaining events by phase produces an activity thread, and grouping threads that share vertices reconstructs a campaign. Compared with a flat feed of indicators, the diamond preserves the relationships, which is exactly what you need in order to attribute and anticipate.
The model rests on two axes that cross the diamond. The socio-political axis joins the adversary with the victim and captures the why: motivation, intent and the persistent relationship between the attacker and the target. The technological axis joins the capability with the infrastructure and captures the how: which tool leans on which network resources. This framework fits into the analysis stage of the threat intelligence lifecycle, where processed data becomes evaluated intelligence.
The four vertices of the Diamond Model
Each vertex is a category of evidence that the analyst fills in and enriches as the investigation advances.
| Vertex | What it represents | Evidence examples |
|---|---|---|
| Adversary | The operator and, when different, the client who benefits | Group alias (APT29), country, motivation, recurring TTPs |
| Capability | The adversary's tools and techniques | Malware, exploits for a CVE, scripts, valid credentials |
| Infrastructure | The network resources used to deliver the capability and control the target | C2 domains, IP addresses, TLS certificates, staging servers |
| Victim | The targeted person, asset or network | Organization, sector, compromised host, mailbox, account |
A central principle of the model is that there is always an adversary, even when unknown. An empty vertex does not invalidate the event: it flags a knowledge gap and points to where the pivoting should go next. That is the difference between an isolated indicator and a piece of intelligence with context, a nuance that also appears when distinguishing IOC from IOA.
The meta-features of each event
Beyond the four vertices, each event is annotated with six meta-features that supply the temporal and analytical context:
- Timestamp: when the event was observed, essential for ordering activity threads and calculating the useful life of an infrastructure.
- Phase: at which moment of the attack it occurs. Here the model leans on a sequential framework such as the Cyber Kill Chain, since an isolated event rarely achieves the objective on its own.
- Result: success, failure or unknown, often mapped to the impact on confidentiality, integrity or availability.
- Direction: the sense in which the event moves through the diamond (for example infrastructure toward victim, or victim toward infrastructure), useful above all in network detection.
- Methodology: the general class of activity, such as spear phishing, port scanning or DNS exfiltration.
- Resources: what the adversary needs to sustain the event, from software and knowledge to funding, access or facilities.
These annotations turn the diamond from a static drawing into a queryable structure, which is what lets you correlate hundreds of events without losing the thread.
Diamond Model versus Cyber Kill Chain and Pyramid of Pain
The three frameworks are not in competition: they answer different questions, and a CTI analyst cross references them in every investigation.
| Framework | Question it answers | Main axis | Typical use |
|---|---|---|---|
| Diamond Model | Who, with what, from where and against whom? | Relationship and pivoting | Attribution and infrastructure discovery |
| Cyber Kill Chain | Which phase of the attack are we in? | Temporal sequence | Placing detections and breaking the chain |
| Pyramid of Pain | How much does it cost the adversary to change this indicator? | Economic cost | Prioritizing which indicators to turn into detection |
The Cyber Kill Chain supplies precisely the phase meta-feature: it places each event of the diamond within a sequence of reconnaissance, delivery, exploitation, installation, command and control and actions on objectives. David Bianco's Pyramid of Pain, by contrast, orders indicators by how much it costs the adversary to replace them: a hash is trivial to change, an IP or a domain are easy, but their tactics, techniques and procedures (TTPs) are painful to redesign. That is why the ultimate goal is to push detection toward the apex, toward behavior.
The Diamond Model occupies the layer of pivoting and attribution. While the Kill Chain tells you at which point of the intrusion you are, and the Pyramid of Pain tells you which indicators are worth turning into a rule, the diamond tells you how the events connect to one another and how to jump from a known vertex to the unknown ones.
Practical example: an intrusion mapped across the four vertices
Take the SolarWinds supply chain campaign (SUNBURST, 2020) to see pivoting in action. The realistic starting point for a defender is not the adversary, but the capability detected inside their own network.
- Capability: a trojanized DLL,
SolarWinds.Orion.Core.BusinessLayer.dll, signed with a legitimate SolarWinds certificate and inserted into an official Orion update. The backdoor stayed dormant for between 12 and 14 days before activating. - Infrastructure: pivoting from the capability, analysis of the binary reveals an initial beacon toward
avsvmcloud[.]com, which used a domain generation algorithm (DGA) to encode victim data in the subdomain. Passive DNS and shared certificates allow related second stage infrastructure to be discovered. - Adversary: the overlap of TTPs with prior activity and the reuse of infrastructure lead to attributing the campaign to UNC2452, later linked to APT29 (the Russian foreign intelligence service, SVR). Attribution is always expressed with a level of confidence, never as certainty.
- Victim: around 18,000 customers downloaded the compromised update, but only a small subset (US federal agencies, technology firms and security companies) was selected for hands on second stage activity through the TEARDROP loader and Cobalt Strike beacons.
The path illustrates the power of the model: starting from a single artifact (the DLL), you pivot to the infrastructure, from there to the adversary and, by cross referencing telemetry, you narrow down which victims moved from infected to genuinely exploited.
From the vertices to MITRE ATT&CK and threat hunting
The diamond organizes the evidence, but to communicate and act on it teams translate it into the common language of MITRE ATT&CK. Each observed capability and infrastructure is mapped to concrete techniques:
| Observation in the diamond | ATT&CK technique |
|---|---|
| Trojanized Orion update | T1195.002 Compromise Software Supply Chain |
| DLL signed with a valid certificate | T1553.002 Code Signing |
| Beacon to avsvmcloud[.]com over DNS | T1071.004 Application Layer Protocol: DNS |
| Subdomains generated by DGA | T1568.002 Dynamic Resolution: DGA |
This mapping closes the loop back to defense. The TTPs at the top of the Pyramid of Pain become threat hunting hypotheses: if an adversary uses DNS exfiltration, the hunter looks for anomalous volumes of queries toward recently registered domains, instead of waiting for a known hash to appear. The identified capabilities feed YARA rules to locate the malware across the estate, and Sigma rules to detect it in the SIEM. On the offensive side, the same diamond serves to design realistic scenarios in a Red Team exercise, replicating the TTPs of a specific adversary to validate detection in a controlled way.
Frequently asked questions
What are the four vertices of the Diamond Model?
Adversary, capability, infrastructure and victim. The adversary is the one who attacks, the capability is their tools and techniques, the infrastructure is the network resources they use and the victim is the target. Every intrusion event connects those four elements, and it is always assumed that there is an adversary even if it is unknown for now.
How does the Diamond Model differ from the Cyber Kill Chain?
The Cyber Kill Chain describes the intrusion as a sequence of phases over time, from reconnaissance to actions on objectives. The Diamond Model describes the relationships between the actors and resources of each event and enables pivoting between vertices. They are complementary: the kill chain phase is, in fact, one of the meta-features of each diamond event.
What is pivoting in the Diamond Model?
Pivoting is the process of starting from a known vertex to discover the others. For example, from a malware sample (capability) you can reach the C2 server (infrastructure) through analysis, and from that server, with passive DNS, to other related domains and victims. It is the main analytical advantage of the model and the basis of attribution.
How does the Diamond Model relate to MITRE ATT&CK?
The diamond structures the evidence and ATT&CK gives it a common vocabulary. The capabilities and infrastructure observed at the vertices are mapped to concrete ATT&CK techniques (for example T1071.004 for C2 over DNS), which lets you measure detection coverage and communicate the TTPs without ambiguity across the CTI, SOC and Red Team teams.
Is the Diamond Model useful for attribution?
Yes, it is one of its main applications. By crossing the socio-political axis (adversary and victim) with the reuse of infrastructure and of TTPs between events, the analyst builds an attribution hypothesis. That said, serious attribution is always expressed with confidence levels and avoids claiming certainties from partial evidence.
Related resources
- Threat intelligence lifecycle: the 6 stages of CTI
- What the Cyber Kill Chain is: phases of a cyberattack
- IOC versus IOA: indicators of compromise and of attack
- What MITRE ATT&CK is: tactics and techniques
- What threat hunting is: methodology and practice
The Diamond Model with Secra
At Secra we integrate the Diamond Model into our threat intelligence service: we map each intrusion across its four vertices, pivot on infrastructure and capabilities to discover related campaigns, and translate the findings into MITRE ATT&CK techniques and actionable detection rules for your SOC.
Discover our threat intelligence service and turn every intrusion into intelligence that reduces risk.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

