Threat Intelligence
Diamond Model
threat intelligence
intrusion analysis

Diamond Model in cybersecurity: CTI intrusion analysis

What the Diamond Model of Intrusion Analysis is: the four vertices and how it relates to the Cyber Kill Chain and MITRE ATT&CK.

SecraJuly 6, 202610 min read

The Diamond Model of Intrusion Analysis is the threat intelligence framework that structures every malicious event around four connected vertices: adversary, capability, infrastructure and victim. Sergio Caltagirone, Andrew Pendergast and Christopher Betz formalized it in 2013, and it has since become one of the three analytical lenses that a CTI team routinely cross references. Its distinctive contribution is not describing an intrusion, but enabling pivoting: starting from a known vertex (a command and control domain, for example) to discover the other three and the relationships between events.

The essentials

  • The Diamond Model describes each intrusion with four vertices: adversary, capability, infrastructure and victim.
  • Every event adds six meta-features: timestamp, phase, result, direction, methodology and resources.
  • Its distinctive value is pivoting: starting from a known vertex to discover the others and chain events together.
  • It complements the Cyber Kill Chain (sequential phases) and the Pyramid of Pain (the cost of each indicator).
  • Findings are translated into MITRE ATT&CK techniques and feed threat hunting hypotheses.

What the Diamond Model of Intrusion Analysis is

The atomic unit of the model is the event: a specific activity in which an adversary uses a capability over some infrastructure against a victim. Each event is drawn as a diamond with those four vertices at its corners. Chaining events by phase produces an activity thread, and grouping threads that share vertices reconstructs a campaign. Compared with a flat feed of indicators, the diamond preserves the relationships, which is exactly what you need in order to attribute and anticipate.

The model rests on two axes that cross the diamond. The socio-political axis joins the adversary with the victim and captures the why: motivation, intent and the persistent relationship between the attacker and the target. The technological axis joins the capability with the infrastructure and captures the how: which tool leans on which network resources. This framework fits into the analysis stage of the threat intelligence lifecycle, where processed data becomes evaluated intelligence.

The four vertices of the Diamond Model

Each vertex is a category of evidence that the analyst fills in and enriches as the investigation advances.

VertexWhat it representsEvidence examples
AdversaryThe operator and, when different, the client who benefitsGroup alias (APT29), country, motivation, recurring TTPs
CapabilityThe adversary's tools and techniquesMalware, exploits for a CVE, scripts, valid credentials
InfrastructureThe network resources used to deliver the capability and control the targetC2 domains, IP addresses, TLS certificates, staging servers
VictimThe targeted person, asset or networkOrganization, sector, compromised host, mailbox, account

A central principle of the model is that there is always an adversary, even when unknown. An empty vertex does not invalidate the event: it flags a knowledge gap and points to where the pivoting should go next. That is the difference between an isolated indicator and a piece of intelligence with context, a nuance that also appears when distinguishing IOC from IOA.

The meta-features of each event

Beyond the four vertices, each event is annotated with six meta-features that supply the temporal and analytical context:

  • Timestamp: when the event was observed, essential for ordering activity threads and calculating the useful life of an infrastructure.
  • Phase: at which moment of the attack it occurs. Here the model leans on a sequential framework such as the Cyber Kill Chain, since an isolated event rarely achieves the objective on its own.
  • Result: success, failure or unknown, often mapped to the impact on confidentiality, integrity or availability.
  • Direction: the sense in which the event moves through the diamond (for example infrastructure toward victim, or victim toward infrastructure), useful above all in network detection.
  • Methodology: the general class of activity, such as spear phishing, port scanning or DNS exfiltration.
  • Resources: what the adversary needs to sustain the event, from software and knowledge to funding, access or facilities.

These annotations turn the diamond from a static drawing into a queryable structure, which is what lets you correlate hundreds of events without losing the thread.

Diamond Model versus Cyber Kill Chain and Pyramid of Pain

The three frameworks are not in competition: they answer different questions, and a CTI analyst cross references them in every investigation.

FrameworkQuestion it answersMain axisTypical use
Diamond ModelWho, with what, from where and against whom?Relationship and pivotingAttribution and infrastructure discovery
Cyber Kill ChainWhich phase of the attack are we in?Temporal sequencePlacing detections and breaking the chain
Pyramid of PainHow much does it cost the adversary to change this indicator?Economic costPrioritizing which indicators to turn into detection

The Cyber Kill Chain supplies precisely the phase meta-feature: it places each event of the diamond within a sequence of reconnaissance, delivery, exploitation, installation, command and control and actions on objectives. David Bianco's Pyramid of Pain, by contrast, orders indicators by how much it costs the adversary to replace them: a hash is trivial to change, an IP or a domain are easy, but their tactics, techniques and procedures (TTPs) are painful to redesign. That is why the ultimate goal is to push detection toward the apex, toward behavior.

The Diamond Model occupies the layer of pivoting and attribution. While the Kill Chain tells you at which point of the intrusion you are, and the Pyramid of Pain tells you which indicators are worth turning into a rule, the diamond tells you how the events connect to one another and how to jump from a known vertex to the unknown ones.

Practical example: an intrusion mapped across the four vertices

Take the SolarWinds supply chain campaign (SUNBURST, 2020) to see pivoting in action. The realistic starting point for a defender is not the adversary, but the capability detected inside their own network.

  • Capability: a trojanized DLL, SolarWinds.Orion.Core.BusinessLayer.dll, signed with a legitimate SolarWinds certificate and inserted into an official Orion update. The backdoor stayed dormant for between 12 and 14 days before activating.
  • Infrastructure: pivoting from the capability, analysis of the binary reveals an initial beacon toward avsvmcloud[.]com, which used a domain generation algorithm (DGA) to encode victim data in the subdomain. Passive DNS and shared certificates allow related second stage infrastructure to be discovered.
  • Adversary: the overlap of TTPs with prior activity and the reuse of infrastructure lead to attributing the campaign to UNC2452, later linked to APT29 (the Russian foreign intelligence service, SVR). Attribution is always expressed with a level of confidence, never as certainty.
  • Victim: around 18,000 customers downloaded the compromised update, but only a small subset (US federal agencies, technology firms and security companies) was selected for hands on second stage activity through the TEARDROP loader and Cobalt Strike beacons.

The path illustrates the power of the model: starting from a single artifact (the DLL), you pivot to the infrastructure, from there to the adversary and, by cross referencing telemetry, you narrow down which victims moved from infected to genuinely exploited.

From the vertices to MITRE ATT&CK and threat hunting

The diamond organizes the evidence, but to communicate and act on it teams translate it into the common language of MITRE ATT&CK. Each observed capability and infrastructure is mapped to concrete techniques:

Observation in the diamondATT&CK technique
Trojanized Orion updateT1195.002 Compromise Software Supply Chain
DLL signed with a valid certificateT1553.002 Code Signing
Beacon to avsvmcloud[.]com over DNST1071.004 Application Layer Protocol: DNS
Subdomains generated by DGAT1568.002 Dynamic Resolution: DGA

This mapping closes the loop back to defense. The TTPs at the top of the Pyramid of Pain become threat hunting hypotheses: if an adversary uses DNS exfiltration, the hunter looks for anomalous volumes of queries toward recently registered domains, instead of waiting for a known hash to appear. The identified capabilities feed YARA rules to locate the malware across the estate, and Sigma rules to detect it in the SIEM. On the offensive side, the same diamond serves to design realistic scenarios in a Red Team exercise, replicating the TTPs of a specific adversary to validate detection in a controlled way.

Frequently asked questions

What are the four vertices of the Diamond Model?

Adversary, capability, infrastructure and victim. The adversary is the one who attacks, the capability is their tools and techniques, the infrastructure is the network resources they use and the victim is the target. Every intrusion event connects those four elements, and it is always assumed that there is an adversary even if it is unknown for now.

How does the Diamond Model differ from the Cyber Kill Chain?

The Cyber Kill Chain describes the intrusion as a sequence of phases over time, from reconnaissance to actions on objectives. The Diamond Model describes the relationships between the actors and resources of each event and enables pivoting between vertices. They are complementary: the kill chain phase is, in fact, one of the meta-features of each diamond event.

What is pivoting in the Diamond Model?

Pivoting is the process of starting from a known vertex to discover the others. For example, from a malware sample (capability) you can reach the C2 server (infrastructure) through analysis, and from that server, with passive DNS, to other related domains and victims. It is the main analytical advantage of the model and the basis of attribution.

How does the Diamond Model relate to MITRE ATT&CK?

The diamond structures the evidence and ATT&CK gives it a common vocabulary. The capabilities and infrastructure observed at the vertices are mapped to concrete ATT&CK techniques (for example T1071.004 for C2 over DNS), which lets you measure detection coverage and communicate the TTPs without ambiguity across the CTI, SOC and Red Team teams.

Is the Diamond Model useful for attribution?

Yes, it is one of its main applications. By crossing the socio-political axis (adversary and victim) with the reuse of infrastructure and of TTPs between events, the analyst builds an attribution hypothesis. That said, serious attribution is always expressed with confidence levels and avoids claiming certainties from partial evidence.

The Diamond Model with Secra

At Secra we integrate the Diamond Model into our threat intelligence service: we map each intrusion across its four vertices, pivot on infrastructure and capabilities to discover related campaigns, and translate the findings into MITRE ATT&CK techniques and actionable detection rules for your SOC.

Discover our threat intelligence service and turn every intrusion into intelligence that reduces risk.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article