Pyramid of Pain
What is Pyramid of Pain?
A model by David Bianco that ranks indicators of compromise by how painful it is for adversaries when defenders detect or block them.
The Pyramid of Pain, introduced by David Bianco in 2013, ranks indicators of compromise (IoCs) from trivial to costly for adversaries to change. From bottom to top: hash values (trivial), IP addresses (easy), domain names (simple), network and host artifacts (annoying), tools (challenging), and TTPs — tactics, techniques, and procedures (tough). Detecting low-pyramid indicators provides short-lived value because attackers rotate them quickly, while detecting tools and TTPs forces them to redesign their operations. The model is widely used to evaluate detection programs, prioritise behavioural analytics over signature-only approaches, and explain to leadership why investing in TTP-based detection (Sigma rules, EDR behaviour) yields more sustainable defence than blocking individual IPs or hashes.
● Examples
- 01: Writing a Sigma rule for kerberoasting behaviour rather than relying solely on hashes of past samples.
- 02: Tracking an adversary's reuse of a custom in-memory loader (tool) across multiple campaigns.
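The first example above, worked through as an added illustration that is not part of the original glossary entry: a hash match (bottom of the pyramid) is compared with a behavioural kerberoasting check (top of the pyramid) over constructed Windows telemetry. The event field names follow the Windows Security 4769 fields as Sigma names them; the hash values, account names and the exact filter logic are assumptions made for the example, not a published rule.

```python
"""Contrast a bottom-of-pyramid detection (file hash) with a top-of-pyramid
TTP detection (Kerberoasting behaviour) over constructed sample telemetry."""

# Constructed sample telemetry (not real data). Event 4769 fields use the
# names Sigma's Windows taxonomy uses; hashes are labelled placeholders.
EVENTS = [
    # Legitimate AES (0x12) service-ticket request
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000"},
    # Kerberoasting pattern: RC4 (0x17) ticket requested for a user-account SPN
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},
    # RC4 request for a machine account: legacy noise, filtered out below
    {"EventID": 4769, "TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "WS02$",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},
    # File-creation telemetry: the original sample and a recompiled copy
    {"EventID": 11, "Image": "C:\\Users\\bob\\tool.exe", "sha256": "SHA256_PLACEHOLDER_ORIGINAL"},
    {"EventID": 11, "Image": "C:\\Users\\bob\\tool2.exe", "sha256": "SHA256_PLACEHOLDER_REBUILT"},
]

# Hash of a sample seen in a past incident; the adversary has since rebuilt the tool
KNOWN_BAD_HASHES = {"SHA256_PLACEHOLDER_ORIGINAL"}


def hash_detection(event):
    """Bottom of the pyramid: fires only on the exact sample already catalogued."""
    return event.get("sha256") in KNOWN_BAD_HASHES


def kerberoasting_detection(event):
    """Top of the pyramid: RC4 service-ticket request for a non-machine account.
    Mirrors the selection / filter structure of a Sigma rule (assumed logic)."""
    selection = (
        event.get("EventID") == 4769
        and event.get("TicketEncryptionType") == "0x17"
        and event.get("TicketOptions") == "0x40810000"
    )
    noise = (
        event.get("ServiceName", "").endswith("$")          # machine accounts
        or event.get("ServiceName", "").lower() == "krbtgt"  # TGT traffic
    )
    return selection and not noise


def evaluate(events):
    """Return (hash_hits, ttp_hits) so coverage per pyramid tier can be compared."""
    hash_hits = [e for e in events if hash_detection(e)]
    ttp_hits = [e for e in events if kerberoasting_detection(e)]
    return hash_hits, ttp_hits


if __name__ == "__main__":
    h, t = evaluate(EVENTS)
    print(f"hash detections: {len(h)} (the rebuilt tool is missed)")
    print(f"TTP detections: {len(t)} -> {[e['TargetUserName'] for e in t]}")
```

Rotating the hash costs the adversary a recompile, while evading the behavioural check means giving up RC4 ticket requests altogether, which is the asymmetry the pyramid describes.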
● Frequently asked questions
What is Pyramid of Pain?
A model by David Bianco that ranks indicators of compromise by how painful it is for adversaries when defenders detect or block them. It belongs to the Defense & Operations category of cybersecurity.
● Related terms
- Indicator of Compromise (IoC) (defense-ops): An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
- Tactics, Techniques and Procedures (TTPs) (defense-ops): A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
- MITRE ATT&CK (compliance): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Threat Hunting (defense-ops): Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- Sigma Rule (defense-ops): A vendor-neutral, YAML-based detection signature for log events that can be converted into queries for SIEM, EDR, or XDR back-ends.
- Cyber Threat Intelligence (CTI) (defense-ops): Evidence-based knowledge about adversaries, their motivations, and methods, used to inform defensive decisions and prioritise controls.