# Diamond Model of Intrusion Analysis
## Definition
The Diamond Model of Intrusion Analysis is a structured analytic framework developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in 2013. It organizes every intrusion event around four core vertices arranged in a diamond shape: Adversary, Capability, Infrastructure, and Victim. The model asserts that every intrusion event, by definition, involves all four vertices connected by fixed relationships. No intrusion happens without an adversary using a capability delivered through infrastructure against a victim.
What distinguishes the Diamond Model from other attack frameworks is its focus on relationships rather than phases or techniques. The framework treats an intrusion as a set of connected facts. Any fact you know about one vertex can be leveraged to discover facts about the others. This pivot-based reasoning is the operational engine of the model and the reason it remains one of the most analytically powerful tools available to intelligence analysts, incident responders, and threat hunters.
The Diamond Model does not replace MITRE ATT&CK or the Cyber Kill Chain. It complements them by providing a relationship-centric lens that the other frameworks do not offer. Where ATT&CK catalogs what adversaries do and the Kill Chain describes the phases they move through, the Diamond Model captures who is doing it, to whom, with what, and using which channels.
## How It Works
### The Four Vertices
The Adversary vertex represents the entity responsible for the intrusion. This may range from a fully attributed nation-state actor (APT29, Lazarus Group) to a loosely described cluster (a financially motivated threat group targeting healthcare in the Eastern United States) to a complete unknown. Attribution confidence lives here. The adversary vertex captures not just the name of the actor but everything known about their intent, motivation, and organizational context.
The Victim vertex represents the entity being targeted. Victims are not always singular. An intrusion may have a direct victim (the compromised organization) and an indirect victim (the customer data that was the actual target). The victim vertex captures industry, geography, size, and any characteristic that explains why this entity was targeted by this adversary. Victim profiling across multiple intrusions is how analysts identify adversary targeting patterns.
The Capability vertex represents every tool, technique, or weapon the adversary uses to conduct the intrusion. This includes custom malware families, commodity off-the-shelf tools (Cobalt Strike, Metasploit), exploits for specific CVEs, phishing lures, valid credential abuse, and living-off-the-land binaries (LOLBins). The capability vertex is where the technical depth of an intrusion lives. A single adversary may have a wide capability portfolio, and the same capability may appear across intrusions by multiple actors.
The Infrastructure vertex represents the resources the adversary uses to deliver capabilities to the victim and maintain operational control. This includes IP addresses, domains, email accounts, social media profiles, cloud storage buckets used for staging, and command and control (C2) servers. Infrastructure is often the most visible element of an intrusion because it leaves network-layer evidence: DNS queries, netflow records, firewall logs, and proxy logs all capture infrastructure activity even when the adversary's identity remains unknown.
### The Relationships
The Diamond Model defines fixed relationships between its vertices. The Adversary uses the Capability. The Adversary controls or leverages the Infrastructure. The Infrastructure delivers the Capability to the Victim. These relationships are not arbitrary. They reflect the operational reality of every intrusion, and they are the mechanism by which analysts pivot between vertices.
If you know an IP address (Infrastructure), you can look it up in threat intelligence feeds to identify the hosting provider, registration details, and any associated malware families (Capability). Those malware families may be associated with known threat groups (Adversary). Other organizations in your ISAC network that have seen traffic to that IP may represent other Victims. That is four pivots from a single IOC to a partial picture of an entire campaign.
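The pivot described above can be made mechanical once events are recorded with all four vertices. The following is an added example, not code from the Diamond Model paper or from this page: it stores a handful of constructed events (every adversary, malware family, IP address and victim name is invented) and walks from one known Infrastructure value to every other vertex value reachable through events that share a value. The `UNKNOWN` placeholder is an assumption worth copying in practice: an unattributed adversary must never be used as a pivot value, or every unattributed event would be linked to every other.

```python
from dataclasses import dataclass
from typing import Iterable

VERTICES = ("adversary", "capability", "infrastructure", "victim")
UNKNOWN = "unknown"  # attribution placeholder: never pivot through it


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four core vertices plus two meta-features."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    timestamp: str = ""  # meta-feature: when the event occurred (ISO 8601)
    phase: str = ""      # meta-feature: Kill Chain / ATT&CK stage


# Constructed, illustrative events; none of these names or addresses are real.
EVENTS = [
    DiamondEvent(UNKNOWN, "loader-family-x", "198.51.100.7", "hospital-a",
                 "2024-03-01T09:12:00Z", "delivery"),
    DiamondEvent("group-red", "loader-family-x", "203.0.113.10", "clinic-b",
                 "2024-02-20T14:00:00Z", "delivery"),
    DiamondEvent("group-red", "rat-family-y", "198.51.100.7", "lab-c",
                 "2024-03-03T11:45:00Z", "c2"),
    DiamondEvent("group-blue", "commodity-tool-z", "192.0.2.44", "retailer-d",
                 "2024-01-15T08:30:00Z", "c2"),
]


def pivot(events: Iterable[DiamondEvent], vertex: str, value: str,
          max_hops: int = 4) -> dict:
    """Breadth-first pivot from one known vertex value.

    Each hop takes every not-yet-used event that shares a value with the
    current frontier, records it in the trail, and adds all of its vertex
    values (except UNKNOWN) as newly known facts.  Returns
    {"facts": {vertex: set(values)}, "trail": [(hop, event), ...]} so the
    analyst can see both what was learned and which event supplied it.
    """
    if vertex not in VERTICES:
        raise ValueError(f"unknown vertex {vertex!r}")
    known = {v: set() for v in VERTICES}
    known[vertex].add(value)
    frontier = {(vertex, value)}
    trail = []
    seen = set()
    for hop in range(1, max_hops + 1):
        new_facts = set()
        for ev in events:
            if ev in seen:
                continue
            if not any((v, getattr(ev, v)) in frontier for v in VERTICES):
                continue
            seen.add(ev)
            trail.append((hop, ev))
            for v in VERTICES:
                val = getattr(ev, v)
                if val == UNKNOWN or val in known[v]:
                    continue
                known[v].add(val)
                new_facts.add((v, val))
        if not new_facts:
            break  # nothing new reachable: the pivot has converged
        frontier = new_facts
    return {"facts": known, "trail": trail}


if __name__ == "__main__":
    result = pivot(EVENTS, "infrastructure", "198.51.100.7")
    for name in VERTICES:
        print(f"{name:15s} {sorted(result['facts'][name])}")
    for hop, ev in result["trail"]:
        print(f"hop {hop}: {ev.timestamp} {ev.phase} {ev.infrastructure} -> {ev.victim}")
```

Starting from the single IP, hop 1 yields two capabilities, one named adversary and two victims; hop 2 follows the adversary and the loader family to a second IP and a third victim; hop 3 finds nothing new and the walk stops, leaving the unrelated `group-blue` event untouched. The trail is the audit record that distinguishes a defensible cluster from a guess.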
### Meta-Features
Beyond the four core vertices, the Diamond Model defines meta-features that annotate events with additional context. Timestamp captures when the event occurred and enables temporal analysis across a campaign. Phase links the event to a stage in the intrusion lifecycle (using Kill Chain or ATT&CK as the phase taxonomy). Result records the outcome of the event from the adversary's perspective (success, partial success, failure). Direction describes whether the event was host-based or network-based and the direction of the communication. Methodology describes the general attack category. Resources captures what the adversary needed (time, money, infrastructure, skill) to execute the event.
### Activity Threads and Activity Groups
A single diamond event represents one moment in one intrusion. The Diamond Model scales upward through two aggregation constructs. An activity thread links a series of diamond events from a single intrusion into a chronological chain that describes how the attack unfolded. An activity group clusters multiple intrusions, potentially against different victims, that share enough vertices to suggest a common adversary. If five separate intrusions against five separate organizations all involved the same malware family delivered through domains registered with the same obscure registrar, the Diamond Model provides the analytic structure to recognize them as a single adversary's campaign even before attribution is possible.
## Why It Matters
The Diamond Model matters because it provides a disciplined answer to one of the hardest questions in threat intelligence: given one piece of evidence, what else can I learn?
Most security teams encounter intrusions through a single artifact: a malicious IP blocked by the firewall, a suspicious domain in a phishing email, a malware hash submitted for sandbox analysis. Without a framework for reasoning about what that artifact implies about the broader intrusion, the response is limited to blocking the one artifact and waiting for the next. The Diamond Model expands the analytical aperture. It gives the analyst a map of what they do not yet know and a set of legitimate inference paths to close those gaps.
For attribution specifically, the Diamond Model provides a rigorous structure for reasoning under uncertainty. True attribution, tying an intrusion to a specific government or organization, is difficult and often impossible. But the Diamond Model enables a weaker and still operationally valuable form of attribution: clustering. If intrusion A and intrusion B share infrastructure, and intrusion B and intrusion C share capability, then A, B, and C are likely the work of the same actor even if no one knows that actor's name. Cluster attribution enables targeted defensive action (hunting for the shared capability across your entire environment) without requiring a definitive geopolitical conclusion.
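The activity-grouping construct from the "Activity Threads and Activity Groups" section and the A/B/C clustering argument above are the same operation: connected components over intrusions that share a Capability or Infrastructure value. The following added example (not from the paper or this page) implements it with a union-find over constructed intrusions A to E; all names and values are invented. It also applies the caveat from the Capability section that the same commodity tool appears across many actors: values listed in `COMMODITY` (an assumed, hand-maintained list) are not allowed to link intrusions, so D and E, which share only a commodity tool, stay separate.

```python
from collections import defaultdict

# Constructed intrusions: each maps a vertex name to the set of values observed.
INTRUSIONS = {
    "A": {"capability": {"loader-x"}, "infrastructure": {"198.51.100.7"},
          "victim": {"hospital-a"}},
    "B": {"capability": {"loader-x", "rat-y"},
          "infrastructure": {"198.51.100.7", "evil.example"},
          "victim": {"clinic-b"}},
    "C": {"capability": {"rat-y"}, "infrastructure": {"203.0.113.10"},
          "victim": {"lab-c"}},
    "D": {"capability": {"cobalt-strike"}, "infrastructure": {"192.0.2.44"},
          "victim": {"retailer-d"}},
    "E": {"capability": {"cobalt-strike"}, "infrastructure": {"192.0.2.99"},
          "victim": {"bank-e"}},
}

# Vertex values too widely shared to indicate a common adversary (assumed list).
COMMODITY = {"capability": {"cobalt-strike", "metasploit"}}

# Only these vertices may link intrusions; shared victims say nothing about the actor.
LINKING_VERTICES = ("capability", "infrastructure")


def activity_groups(intrusions: dict, linking=LINKING_VERTICES,
                    commodity=COMMODITY):
    """Cluster intrusions that transitively share a non-commodity linking value.

    Returns (groups, links): groups is a sorted list of sorted tuples of
    intrusion names, links is the evidence list of
    (intrusion, intrusion, vertex, shared_value) that produced each merge.
    """
    parent = {name: name for name in intrusions}

    def find(x):
        # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    # Index every (vertex, value) to the intrusions in which it was observed.
    index = defaultdict(list)
    for name, vertices in intrusions.items():
        for vtx in linking:
            for value in sorted(vertices.get(vtx, ())):
                if value in commodity.get(vtx, ()):
                    continue  # commodity tooling: not evidence of a shared actor
                index[(vtx, value)].append(name)

    links = []
    for (vtx, value), names in index.items():
        first = names[0]
        for other in names[1:]:
            parent[find(other)] = find(first)
            links.append((first, other, vtx, value))

    groups = defaultdict(set)
    for name in intrusions:
        groups[find(name)].add(name)
    return sorted(tuple(sorted(g)) for g in groups.values()), links


if __name__ == "__main__":
    groups, links = activity_groups(INTRUSIONS)
    print("activity groups:", groups)
    for a, b, vtx, value in links:
        print(f"  {a} <-> {b} via shared {vtx} {value!r}")
```

The evidence list is the part worth keeping in a report: each merge is justified by a named shared value, which is what lets a reviewer challenge a cluster without re-running the analysis. Passing `commodity={}` shows the failure mode the list guards against: D and E collapse into one group on the strength of a tool that many actors use.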
## Technical Details
### Pivoting in Practice
The most powerful operational use of the Diamond Model is analytical pivoting. Starting from a known indicator, the analyst identifies what other vertices it implies and then uses intelligence tools to fill in the blanks.
From an Infrastructure indicator (a domain): query WHOIS history to find associated registrant email addresses and registration patterns. Query passive DNS to identify other domains registered by the same entity or resolving to the same IP space. Query malware sandboxes (VirusTotal, Any.run, Joe Sandbox) for samples that beacon to the domain, revealing the Capability vertex. Cross-reference the domain against known threat actor infrastructure databases (MISP, OpenCTI, vendor threat intelligence feeds) to identify potential Adversary attribution.
From a Capability indicator (a malware hash): identify the malware family through sandbox analysis and AV classification. Review published threat intelligence reports describing the family's use in prior campaigns (linking to historical Adversary, Infrastructure, and Victim data). Identify unique behavioral signatures (mutex names, file paths, registry keys, network protocols) that could be used to hunt for other instances of the same capability in your environment.
From a Victim profile: given a confirmed intrusion against a specific type of organization, reason about what adversaries have demonstrated interest in that victim profile and what capabilities those adversaries typically use. This drives proactive hypothesis development (connecting the Diamond Model directly to threat hunting workflows).
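The Capability-indicator paragraph above ends with the step that turns intelligence into defensive action: taking a family's behavioral signatures (mutex names, file paths, registry keys) and hunting for them in your own telemetry, which populates the Victim vertex with hosts you did not know were affected. The following is an added example, not code from this page or any vendor product: the malware family, its signatures, the host names and the EDR-style record fields (`host`, `event`, `name`, `path`, `key`) are all constructed assumptions, and the telemetry is a few newline-delimited JSON lines embedded inline, including one malformed line to show that a bad record must not abort the hunt.

```python
import json
from collections import defaultdict

# Capability vertex: behavioural signatures of a constructed malware family,
# stored lowercase so comparison is case-insensitive (Windows paths and keys are).
CAPABILITY_SIGNATURES = {
    "family": "rat-family-y",
    "mutex": {r"global\ryx-7731"},
    "file_path": {r"c:\users\public\libraries\svchost32.exe"},
    "registry_key": {r"hkcu\software\microsoft\windows\currentversion\run\svchost32"},
}

# Maps an assumed EDR event type to (signature type, record field holding the value).
FIELD_FOR_EVENT = {
    "mutex_create": ("mutex", "name"),
    "file_write": ("file_path", "path"),
    "registry_set": ("registry_key", "key"),
}

# Constructed endpoint telemetry, one JSON record per line; hosts are invented.
TELEMETRY = r"""
{"host": "ws-014", "event": "mutex_create", "name": "Global\\ryx-7731"}
{"host": "ws-014", "event": "file_write", "path": "C:\\Users\\Public\\Libraries\\svchost32.exe"}
{"host": "ws-022", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"}
{"host": "ws-031", "event": "file_write", "path": "C:\\Windows\\System32\\svchost.exe"}
{"host": "ws-031", "event": "mutex_create", "name": "Global\\WindowsUpdateLock"}
this line is not JSON and must not abort the hunt
"""


def hunt(telemetry: str, signatures: dict) -> dict:
    """Scan newline-delimited JSON telemetry for a capability's signatures.

    Returns {host: {signature_type: [matched values]}}: every host present is a
    candidate Victim vertex, and the matched values are the evidence that links
    it to the Capability vertex.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in telemetry.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it, keep hunting
        mapping = FIELD_FOR_EVENT.get(rec.get("event"))
        if mapping is None:
            continue  # event type carries none of the signature kinds we hunt
        sig_type, field = mapping
        value = str(rec.get(field, "")).lower()
        if value in signatures.get(sig_type, set()):
            hits[rec["host"]][sig_type].append(value)
    return {host: dict(types) for host, types in hits.items()}


def confidence(host_hits: dict) -> str:
    """Two or more independent signature types on one host is a far stronger
    link to the capability than a lone file path or mutex name."""
    return "high" if len(host_hits) >= 2 else "low"


if __name__ == "__main__":
    for host, types in hunt(TELEMETRY, CAPABILITY_SIGNATURES).items():
        print(f"{host}: {confidence(types)} confidence, matched {sorted(types)}")
```

On the constructed data, `ws-014` matches on two signature types and `ws-022` on one, while `ws-031`, whose legitimate `svchost.exe` path and benign mutex resemble the signatures only superficially, produces no hit. Exact matching after normalization is deliberate: looser substring matching on a path like `svchost32.exe` would be the point at which this hunt starts flagging legitimate activity.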
### Diamond Model vs. Kill Chain vs. ATT&CK
The three frameworks address different analytic needs and are most powerful in combination. The Cyber Kill Chain (Lockheed Martin, 2011) is a linear, phase-based model describing the stages an attacker must traverse to complete an intrusion. It is excellent for communicating attack narratives to non-technical stakeholders and for reasoning about where in the kill chain a defender can most efficiently intervene. Its weakness is that it assumes linear progression and does not capture the relationship between attacker resources and victim characteristics.
MITRE ATT&CK is a technique-level taxonomy mapping adversary behaviors to specific, observable actions with evidence-based data source recommendations for detection. It is excellent for detection engineering, gap analysis, and red team planning. Its weakness is that it is not designed for reasoning about the relationships between attacker, tool, infrastructure, and victim as an integrated system.
The Diamond Model is a relationship framework. It is excellent for pivoting from known indicators to unknown context and for clustering intrusions into campaigns and adversary profiles. Its weakness is that it does not prescribe defensive responses or provide technique-level detection guidance.
Used together: Kill Chain describes the phase of the intrusion, ATT&CK identifies the specific technique used in that phase, and the Diamond Model situates the technique within the broader context of the adversary, their infrastructure, and the victim's exposure. Each framework answers a different question. No single framework answers all three.
### WannaCry as a Diamond Model Example
The 2017 WannaCry ransomware attack illustrates all four vertices at scale. The Adversary vertex: Lazarus Group, attributed to the Democratic People's Republic of Korea (DPRK), motivated by financial gain and potentially geopolitical disruption. The Capability vertex: EternalBlue (NSA-developed exploit for MS17-010 leaked by Shadow Brokers), DoublePulsar backdoor implant, and the WannaCry ransomware payload itself. The Infrastructure vertex: command and control domains (the "kill switch" domains accidentally discovered by Marcus Hutchins), Bitcoin wallets used for ransom collection, and the SMB broadcast propagation mechanism (using victim infrastructure as a delivery vector to adjacent systems). The Victim vertex: over 200,000 systems across 150 countries, concentrated in organizations running unpatched Windows 7 and Windows Server 2003, including the UK National Health Service, Telefonica, FedEx, and Renault.
The Diamond Model reveals the structural logic of the attack: a nation-state adversary used a leaked government capability combined with a commodity ransomware payload, delivered through unauthenticated SMB exposure, to achieve maximum spread across unpatched legacy systems globally. That structural analysis informs both the immediate response (patch MS17-010, block SMB externally) and the longer-term intelligence picture (Lazarus Group capability evolution, DPRK use of financially motivated cyberattacks to offset sanctions).
## CDA Perspective
Within the Planetary Defense Model, the Diamond Model of Intrusion Analysis is a foundational tool of the TID domain. TID's Predictive Defense Intelligence (PDI) methodology depends on the ability to reason about adversary behavior before attacks materialize. The Diamond Model is the analytic engine that makes proactive reasoning possible: given what we know about adversaries who target organizations like ours, what capabilities and infrastructure are they likely to use, and what victim characteristics make us a probable target?
CDA incorporates Diamond Model reasoning into adversary profiling work within the TID campaign. When CDA analysts build threat profiles for a client's sector, they structure those profiles as Diamond Model vertex descriptions: who are the relevant adversary groups, what capabilities do they deploy, what infrastructure patterns have they historically used, and what victim characteristics correlate with their targeting decisions. That profiling directly drives threat hunting hypothesis development (linking back to the PDM TID domain's proactive posture) and informs detection coverage gap analysis.
The Diamond Model also maps to the Orbital Alliance Framework (OAF), CDA's cross-domain protocol for supply chain and third-party risk. Third-party intrusions are Diamond events where the Victim vertex includes both the direct target (a supplier) and an indirect target (your organization). Applying the Diamond Model to supply chain risk means reasoning about your suppliers as potential victim profiles for adversaries you care about.
## Key Takeaways
- The Diamond Model's four vertices (Adversary, Capability, Infrastructure, Victim) are always present in every intrusion. Understanding the known vertices gives analysts a map of what remains unknown and paths to discover it.
- Pivoting is the core operational technique. A single indicator, reasoned through the Diamond Model, can reveal campaign scope, adversary patterns, and defensive priorities that would otherwise remain invisible.
- Activity threading and activity grouping transform individual incident analysis into campaign intelligence. Recognizing that five separate intrusions share a common adversary requires the structural logic the Diamond Model provides.
- The Diamond Model, Kill Chain, and ATT&CK are complementary. Kill Chain provides the narrative arc, ATT&CK provides technique-level detection guidance, and the Diamond Model provides the relationship context that ties them together.
- Cluster attribution is operationally valuable even without definitive attribution. Recognizing that a series of intrusions share infrastructure or capability enables targeted hunting and defensive action without requiring a geopolitical conclusion that may never be possible.
## Sources
- Caltagirone, S., Pendergast, A., Betz, C. "The Diamond Model of Intrusion Analysis." Center for Cyber Intelligence Analysis and Threat Research, July 2013. https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
- MITRE ATT&CK. "ATT&CK for Enterprise." https://attack.mitre.org/
- Hutchins, E., Cloppert, M., Amin, R. "Intelligence-Driven Computer Network Defense." Lockheed Martin, 2011.
- MISP Project. "Open Source Threat Intelligence Platform." https://www.misp-project.org/
- OpenCTI. "Open Cyber Threat Intelligence Platform." https://www.opencti.io/
- Microsoft Security Response Center. "MS17-010 Security Update." https://msrc.microsoft.com/
- Symantec Threat Intelligence. "WannaCry: Ransomware attacks show strong links to Lazarus group." May 2017.
- NIST SP 800-150. "Guide to Cyber Threat Information Sharing." https://csrc.nist.gov/publications/detail/sp/800-150/final