Diamond Model of Intrusion Analysis
What is the Diamond Model of Intrusion Analysis?
An intrusion analysis framework that ties every malicious event to four linked vertices: adversary, capability, infrastructure, and victim.
The Diamond Model of Intrusion Analysis, introduced by Caltagirone, Pendergast, and Betz in 2013, represents each malicious event as a diamond connecting four core features: Adversary, Capability (tooling, malware, TTPs), Infrastructure (IPs, domains, C2), and Victim. Meta-features such as timestamp, phase, result, direction, methodology, and resources enrich each event. Analysts pivot across vertices to enumerate related activity — for example, from a domain to other domains the same adversary registered, or from a capability hash to other victims it has touched. The model complements MITRE ATT&CK and the Cyber Kill Chain by making relationships explicit, and is widely used in threat intelligence platforms, intrusion-analysis reports, and structured pivoting workflows.
● Examples
- Pivoting from a malware sample (capability) to a registered domain (infrastructure) to map a wider campaign.
- Linking multiple incidents to the same Adversary cluster based on shared TTPs and victimology.
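As an added illustration of the pivots described above (example code, not from the original page or from the model's authors), a minimal Python event store where each record is one diamond with its four core features and a few meta-features; all actor names, hashes and domains are constructed placeholders.

```python
from dataclasses import dataclass

# Added example, not from the original page. All values are constructed placeholders.
@dataclass(frozen=True)
class DiamondEvent:
    adversary: str       # core feature: who ("unknown" if not yet attributed)
    capability: str      # core feature: malware hash, tool or TTP
    infrastructure: str  # core feature: domain, IP or C2 endpoint
    victim: str          # core feature: targeted organisation or asset
    timestamp: str       # meta-feature: when (ISO date, sorts lexically)
    phase: str           # meta-feature: kill-chain phase
    result: str          # meta-feature: success / failure / unknown

# Constructed sample events for fictional intrusion sets ACTOR-X and ACTOR-Y.
EVENTS = [
    DiamondEvent("ACTOR-X", "sha256:hashA", "phish.example.test", "victim-A", "2024-03-01", "delivery", "success"),
    DiamondEvent("ACTOR-X", "sha256:hashA", "c2.example.test", "victim-A", "2024-03-02", "command-and-control", "success"),
    DiamondEvent("ACTOR-X", "sha256:hashB", "c2.example.test", "victim-B", "2024-03-05", "command-and-control", "success"),
    DiamondEvent("ACTOR-Y", "sha256:hashA", "other.example.test", "victim-C", "2024-02-10", "delivery", "failure"),
    DiamondEvent("unknown", "sha256:hashC", "c2.example.test", "victim-D", "2024-03-09", "exploitation", "unknown"),
]

def pivot(events, vertex, value, to_vertex):
    """One pivot step: events where `vertex` == value, projected onto `to_vertex`."""
    return {getattr(e, to_vertex) for e in events if getattr(e, vertex) == value}

def related_infrastructure(events, infra):
    """Domain -> adversaries that used it -> their other infrastructure.
    Unattributed events cannot be pivoted through the adversary vertex."""
    actors = pivot(events, "infrastructure", infra, "adversary") - {"unknown"}
    related = set()
    for actor in actors:
        related |= pivot(events, "adversary", actor, "infrastructure")
    return related - {infra}

def attribution_leads(events, event):
    """Known adversaries sharing an unattributed event's infrastructure or
    capability. Leads to investigate, not proof: tooling and C2 get shared or resold."""
    leads = pivot(events, "infrastructure", event.infrastructure, "adversary")
    leads |= pivot(events, "capability", event.capability, "adversary")
    return leads - {"unknown"}

def activity_thread(events, adversary, victim):
    """Phases of one adversary's events against one victim, in time order."""
    thread = [e for e in events if e.adversary == adversary and e.victim == victim]
    return [e.phase for e in sorted(thread, key=lambda e: e.timestamp)]
```

`pivot(EVENTS, "capability", "sha256:hashA", "victim")` is the hash-to-victims pivot from the text, and `related_infrastructure` is the domain-to-sibling-domains pivot; `attribution_leads` shows why a shared vertex only suggests a link that still needs corroboration.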
● Frequently asked questions
What is the Diamond Model of Intrusion Analysis?
An intrusion analysis framework that ties every malicious event to four linked vertices: adversary, capability, infrastructure, and victim. It belongs to the Defense & Operations category of cybersecurity.
● Related terms
- Cyber Kill Chain (defense-ops, № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Cyber Threat Intelligence (CTI) (defense-ops, № 266): Evidence-based knowledge about adversaries, their motivations, and methods, used to inform defensive decisions and prioritize controls.
- Tactics, Techniques and Procedures (TTPs) (defense-ops, № 1131): A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
- Indicator of Compromise (IoC) (defense-ops, № 527): An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
- APT Group (defense-ops, № 057): A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
● See also
- VERIS Framework (№ 1201)