Updated on November 21, 2025
The Diamond Model of Intrusion Analysis is a formal scientific framework used by security professionals. It was developed by security analysts Sergio Caltagirone, Andrew Pendergast, and Christopher Betz. The framework provides a structured methodology for analyzing cybersecurity incidents and synthesizing threat intelligence.
The model conceptualizes any security event as a relationship between four core features. These features are the Adversary, Capability, Infrastructure, and Victim. When mapped out, these points form a metaphorical diamond shape.
By focusing on these relationships, the model enables analysts to move beyond simple event detection. It helps IT professionals understand the context, TTPs, and full scope of a cyber intrusion.
Definition and Core Concepts
The Diamond Model is a foundational model used in Cyber Threat Intelligence (CTI). It is used during incident response to analyze individual intrusions and to characterize complex threat actors.
Its core principle is that for any malicious event to occur, all four features of the diamond must be present and linked.
Foundational Concepts
Event
This is the primary unit of analysis in the Diamond Model. An event is a specific activity observed during an intrusion.
Adversary
The adversary represents the human element of the attack. This is the attacker, group, or organization responsible for the intrusion. Analyzing the adversary focuses on their motivation and intent.
Capability
Capability refers to the tools and techniques used by the adversary. This includes software and TTPs (Tactics, Techniques, and Procedures) used to execute the attack. Examples include custom malware or specific zero-day exploits.
Infrastructure
This feature covers the physical and logical resources the adversary uses. They use these resources to host, deliver, or manage the attack. Examples include Command and Control (C2) servers, botnets, and malicious domains.
Victim
The victim is the target of the intrusion. This feature focuses on the human victim, such as a user or employee. It also includes the target asset, like a system, application, or data.
How It Works: The Four Features and Their Relationships
The model requires analysts to define each feature clearly. They must also analyze the relationship between them, represented by the lines connecting the vertices of the diamond.
Adversary-Capability
This relationship describes the set of tools the adversary possesses. Analyzing this helps define the actor’s sophistication level.
Capability-Infrastructure
This line connects the tools to the systems used to deliver them. An example is a specific C2 server hosting a piece of malware.
Infrastructure-Victim
This represents the connection channel used to deliver the attack to the victim. A common example is a malicious email server used to send a phishing lure to an employee.
Victim-Adversary
This is often called a Meta-Feature. It represents the ultimate connection defined by the motivation and intent of the attack. Analyzing this link helps explain why a specific victim was targeted.
Applying the Model
An analyst starts by filling in the four features for a single event. They can then pivot from any known feature to find other events that share it, mapping multiple related events into a single comprehensive “diamond.”
This process reveals the complete operational profile of the adversary. This pivoting allows analysts to predict future actions based on an actor’s past behavior.
Key Features and Components
The Diamond Model includes elements beyond the four core vertices. These additional components add depth and predictive power to the analysis.
Meta-Features
Meta-Features are additional contextual details. They include the Timestamp, which records the start and end of the event. They also include Phase, which maps the event to stages of the attack lifecycle like the Cyber Kill Chain.
Prediction
The model is highly predictive in nature. If an analyst knows three of the four core features, they can often predict the fourth. For example, knowing the Adversary, Capability, and Victim helps predict the likely Infrastructure they will use.
Hypothesis Generation
The framework forces analysts to generate and test hypotheses. They must hypothesize about the threat actor’s identity, methods, and intent. This moves analysis away from simple indicator tracking toward a deeper understanding.
Use Cases and Applications
The Diamond Model is a standard for advanced security analysis. It has several practical applications in modern cybersecurity operations.
Incident Response
Responders use the model to quickly map the elements of a live intrusion. It helps them identify new IOCs (Indicators of Compromise). This allows teams to stop the attack chain effectively.
Threat Actor Tracking
Analysts use the model to build complex profiles for Advanced Persistent Threat (APT) groups. They do this by correlating multiple individual events into large diamonds. These profiles become reusable assets for future investigations.
Defensive Prioritization
The model helps identify “pivot points” in the adversary’s operations. These are areas where defensive intervention will have the greatest impact. Taking down a key piece of infrastructure is a prime example.
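The pivoting, prediction, actor correlation and pivot-point steps described under Applying the Model, Prediction, Threat Actor Tracking and Defensive Prioritization, carried through on constructed data. This is an added Python example, not code from this page or from the model's authors. The event values (ACTOR-A, loader.v1, c2-02.example, victim-acme and so on) are constructed placeholders, and the union-find clustering and frequency ranking are one simple way to implement the pivots, not an algorithm the Diamond Model prescribes.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One Diamond Model event: the four core features plus two meta-features.
    adversary is Optional because it is often unknown when the event is first seen."""
    event_id: str
    adversary: Optional[str]
    capability: str
    infrastructure: str
    victim: str
    timestamp: str   # meta-feature: when the event was observed
    phase: str       # meta-feature: attack-lifecycle stage (e.g. a Kill Chain step)


# Constructed sample events with placeholder values (not real indicators).
EVENTS = [
    Event("E1", "ACTOR-A", "loader.v1", "c2-01.example", "victim-acme",    "2025-01-03", "delivery"),
    Event("E2", "ACTOR-A", "loader.v1", "c2-02.example", "victim-acme",    "2025-01-04", "c2"),
    Event("E3", "ACTOR-A", "loader.v1", "c2-02.example", "victim-acme",    "2025-01-09", "c2"),
    Event("E4", None,      "loader.v1", "c2-02.example", "victim-globex",  "2025-02-10", "delivery"),
    Event("E5", None,      "rat.v3",    "c2-02.example", "victim-globex",  "2025-02-11", "c2"),
    Event("E6", "ACTOR-B", "rat.v9",    "c2-09.example", "victim-initech", "2025-02-12", "delivery"),
]


def pivot(events: List[Event], feature: str, value: str) -> List[str]:
    """One pivot step: every event sharing the given feature value, in time order."""
    hits = [e for e in events if getattr(e, feature) == value]
    return [e.event_id for e in sorted(hits, key=lambda e: e.timestamp)]


def activity_clusters(events: List[Event], on=("capability", "infrastructure")) -> List[List[str]]:
    """Repeated pivoting: events that share a capability or an infrastructure node are
    merged (union-find) into one larger 'diamond' describing a single actor's activity."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen: Dict[Tuple[str, str], str] = {}
    for e in events:
        for f in on:
            key = (f, getattr(e, f))
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id

    groups = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e.event_id)
    return sorted(sorted(g) for g in groups.values())


def predict_feature(events: List[Event], known: Dict[str, str], target: str) -> List[Tuple[str, int]]:
    """Hypothesis generation: given some known features, rank candidate values for the
    unknown one by how often past events with the same known features exhibited it."""
    matches = [e for e in events if all(getattr(e, k) == v for k, v in known.items())]
    counts = Counter(getattr(e, target) for e in matches if getattr(e, target) is not None)
    return counts.most_common()


def pivot_points(events: List[Event], feature: str = "infrastructure") -> List[Tuple[str, int]]:
    """Defensive prioritization: rank nodes by the number of events that depend on them;
    a node shared across many events is where intervention has the greatest impact."""
    return Counter(getattr(e, feature) for e in events).most_common()


if __name__ == "__main__":
    print("pivot on c2-02.example:", pivot(EVENTS, "infrastructure", "c2-02.example"))
    print("activity clusters:", activity_clusters(EVENTS))
    print("likely infrastructure for ACTOR-A/loader.v1/victim-acme:",
          predict_feature(EVENTS, {"adversary": "ACTOR-A", "capability": "loader.v1",
                                   "victim": "victim-acme"}, "infrastructure"))
    print("attribution hypothesis for loader.v1 via c2-02.example:",
          predict_feature(EVENTS, {"capability": "loader.v1",
                                   "infrastructure": "c2-02.example"}, "adversary"))
    print("highest-impact infrastructure:", pivot_points(EVENTS))
```

Events E4 and E5 have no known adversary, yet a pivot on the shared C2 node and the shared loader places them in the same cluster as ACTOR-A's activity and produces ACTOR-A as the attribution hypothesis; the ranking of c2-02.example as the node four events depend on is the "pivot point" the Defensive Prioritization paragraph describes.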
Executive Reporting
The framework provides a clear and structured way to communicate security incidents. It explains the who, what, where, and why to non-technical stakeholders. This clarity is essential for decision-making during a crisis.
Advantages and Trade-Offs
Implementing the Diamond Model brings significant benefits to an organization. However, there are challenges to consider before adoption.
Advantages
The model provides a rigorous and scientifically based methodology for forensic analysis. It enhances the quality of threat intelligence by forcing analysts to focus on relationships and context. It is also highly effective for prediction and attribution.
Trade-Offs
The primary trade-off is the skill required to use it. It requires significant training to implement effectively. Analysts must synthesize information from multiple disparate sources. It is also best suited for complex targeted intrusions rather than automated high-volume threats.
Key Terms Appendix
- IOC (Indicator of Compromise): A piece of forensic data that indicates a system may have been compromised.
- TTP (Tactics, Techniques, and Procedures): Attacker methodologies.
- Adversary: The human attacker.
- Capability: The tools and techniques used by the attacker.
- Infrastructure: The resources used to conduct the attack (e.g., C2 servers).
- Cyber Kill Chain: A phased model of an intrusion event.