Every intrusion tells a story — one with characters, tools, staging grounds, and targets. The challenge for security teams is reading that story quickly enough to act on it. The Diamond Model of intrusion analysis gives analysts a structured vocabulary for doing exactly that. First published as a research paper through the Defense Technical Information Center in 2013, the framework has become a cornerstone of cybersecurity frameworks education and a staple of certifications including CompTIA Security+ (SY0-701), CySA+ (CS0-003), and EC-Council CEH. This guide walks through the model's four core components, its deeper theoretical foundations, and how practitioners apply it to real incidents — including extensions no competitor covers.
The Diamond Model of intrusion analysis is a formal framework that describes every cyber intrusion event as four interconnected features — adversary, capability, infrastructure, and victim — arranged in a diamond shape to enable structured, relationship-driven threat intelligence analysis. It was introduced by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in their original 2013 research paper (PDF).
The core premise is straightforward. Rather than treating intrusions as isolated alerts, the Diamond Model forces analysts to ask four questions about every event. Who is the adversary? What capabilities did they use? What infrastructure supported the operation? And who or what was the victim? The relationships between these four features — not just the features themselves — are where the analytical power lives.
This relational approach sets the Diamond Model apart from sequential frameworks like the cyber kill chain. Where the kill chain describes attack phases in order, the Diamond Model captures the web of connections within each phase. Both perspectives matter, which is why most mature security teams use them together.
The Diamond Model appears in CompTIA CySA+ certification prep and Security+ curricula, making it essential knowledge for analysts at every career stage.
Every Diamond Model event revolves around four features, each occupying a vertex of the diamond.
The four features connect through six edges, and these relationships are what make the Diamond Model analytically powerful. The adversary-infrastructure edge reveals which resources an actor controls. The capability-victim edge shows how specific tools affect specific targets. The infrastructure-victim edge exposes delivery mechanisms.
Each edge is bidirectional, enabling analysts to pivot from any known feature to discover unknowns. If you know the infrastructure (a C2 domain), you can traverse the infrastructure-adversary edge to identify who operates it, or the infrastructure-capability edge to find what tools communicate with it. This pivoting technique transforms isolated indicators of compromise into connected intelligence.
Figure: The Diamond Model's four features (adversary, capability, infrastructure, victim) connected by six bidirectional edges form the basis of structured intrusion analysis.
Most introductory guides stop at the four features. The Diamond Model's deeper theoretical foundations — axioms, meta-features, and activity threading — are what make it a rigorous analytical framework rather than a simple diagram.
The original paper establishes seven formal axioms that govern how the model works.
Axiom 7 is especially important for practitioners. Infrastructure reuse is one of the most reliable ways to link seemingly unrelated events to the same adversary or campaign.
Beyond the four core features, the Diamond Model defines meta-features that add contextual depth.
The socio-political axis captures the relationship between adversary and victim, describing motivations such as nation-state espionage, financially motivated crime, or hacktivism. This axis helps analysts understand why an advanced persistent threat targets specific organizations.
The technology axis connects capability and infrastructure, describing how technical tools interact with supporting resources — protocol types, encryption methods, and communication channels.
Additional meta-features include timestamp, phase (mapping to kill chain stages), result (success or failure), direction, methodology, and resources. Together, these turn each diamond event into a rich analytical record.
Table: Diamond Model meta-features extend core analysis with contextual dimensions.
Individual diamond events rarely occur in isolation. Activity threading connects related events chronologically, using kill chain phases to order them into a coherent narrative. A single thread might trace initial access through lateral movement to data exfiltration — each step represented as its own diamond event, linked by shared features.
Activity groups take this further by clustering multiple activity threads that share adversary, capability, or infrastructure features. When several threads point to the same C2 infrastructure or use the same custom backdoor, analysts can group them into a campaign attributed to a single adversary. This scales the Diamond Model from single-event analysis to campaign-level intelligence.
The Diamond Model does not replace other frameworks. It complements them. Understanding where each framework excels helps analysts choose the right lens for the problem at hand.
Table: Comparing the three major threat intelligence frameworks.
MITRE ATT&CK v18 now includes 216 techniques, 475 sub-techniques, and 172 tracked groups, making it the most granular framework. But granularity alone does not reveal relationships. The Diamond Model's adversary feature maps to ATT&CK groups, and its capability feature maps to ATT&CK techniques — creating a natural integration point.
Consider a spear-phishing campaign targeting a financial institution. The kill chain sequences the phases: reconocimiento, weaponization, delivery, exploitation, installation, command and control, actions on objectives. The Modelo Diamante maps the relational structure within each phase: the adversary (nation-state group), capability (custom loader), infrastructure (compromised WordPress sites), and victim (bank's treasury department). ATT&CK provides the granular technique IDs - T1566.001 for spear-phishing attachment, T1059.001 for PowerShell execution, T1071.001 for web-protocol C2.
Together, the three frameworks give analysts a complete picture: what happened (ATT&CK), in what order (kill chain), and who was connected to what (Diamond Model).
The Diamond Model's real value emerges in structured incident analysis. Here is a six-step workflow that turns a single indicator into a comprehensive threat picture.
Table: Step-by-step Diamond Model analysis workflow.
Pivoting is the analytical engine of the Diamond Model. Start with your strongest indicator and traverse edges systematically. If you have a domain (infrastructure), check passive DNS for IP history, then check those IPs for other domains. Cross-reference domains against threat hunting feeds. Each pivot populates new features and often reveals additional events for threading.
The key discipline is documentation. Every pivot should be recorded so the analysis is reproducible and can be shared with other analysts during incident response.
The Cisco Talos ToyMaker initial access broker analysis demonstrates both the basic Diamond Model and its extended Relationship Layer.
This case exemplifies why the traditional four-feature model needed extension. ToyMaker and Cactus are distinct adversaries with separate capabilities, but the handoff between them — the relationship — is what makes the campaign dangerous. The Cisco Talos extended Diamond Model methodology adds this fifth Relationship Layer to capture ransomware as a service dynamics.
The SolarWinds breach remains one of the most cited Diamond Model case studies, analyzed in a peer-reviewed paper on ResearchGate.
The Diamond Model's relational approach proved more suitable than the linear kill chain for this case, where multiple victim categories and a complex supply chain required mapping connections rather than sequences.
Table: Diamond Model applied to real-world intrusions.
According to the IBM X-Force 2026 Threat Intelligence Index, active ransomware groups surged 49% in 2025 (109 distinct groups, up from 73 in 2024), with 54–58 groups active per month in early 2026. This ecosystem fragmentation makes the Diamond Model's activity threading essential for distinguishing and tracking proliferating groups.
Several platforms support Diamond Model workflows. ThreatConnect — co-founded by Diamond Model co-author Andy Pendergast — natively incorporates the framework. MISP and OpenCTI provide open-source alternatives with entity relationship modeling. Custom spreadsheet and diagramming templates remain common in smaller teams. Integration with STIX/TAXII standards enables automated threat intelligence sharing using Diamond Model structures.
Table: Diamond Model strengths and limitations for threat intelligence teams.
Sources disagree on whether the Diamond Model's simplicity is a strength or limitation. ThreatConnect views it as enabling rapid analysis. Others argue it oversimplifies intrusions. The practitioner consensus resolves this by combining the Diamond Model with MITRE ATT&CK for TTP depth — preserving relational clarity while adding granular behavioral detail. This combined approach strengthens threat detection workflows across the SOC.
The Diamond Model is not static. Several developments over the next 12–24 months will shape how organizations apply it.
The most significant evolution is the Cisco Talos Relationship Layer, published in May 2025. By adding relationship types like "purchased from," "handover from," and "leaked from," this extension addresses the growing complexity of ransomware as a service ecosystems where multiple adversaries collaborate across a single campaign. Expect additional threat intelligence vendors to adopt similar extensions as multi-actor operations become the norm.
AI-augmented threat intelligence is accelerating Diamond Model workflows. Automated entity correlation, pivoting, and activity threading across large datasets reduce the manual burden on analysts. According to the CyberProof 2026 Global Threat Intelligence Report, AI is now integrated into 80% of ransomware campaigns — meaning defenders need AI-assisted analysis tools to keep pace.
The "silent residency" trend identified in the Picus Red Report 2026 — a 38% drop in ransomware encryption paired with an 80% surge in evasion techniques — increases the importance of relational pivoting. When adversaries optimize for long-term stealth rather than immediate disruption, the Diamond Model's capability-infrastructure correlations become essential for detection.
Platform consolidation is also driving adoption. According to Recorded Future, 81% of security professionals plan to consolidate threat intelligence vendors in 2026. Structured frameworks like the Diamond Model provide a common analytical vocabulary across unified platforms, making consolidation more effective.
Organizations should prioritize investing in Diamond Model training alongside MITRE ATT&CK, adopting platforms that support relational threat analysis, and building activity threading into their standard SOC operations playbooks.
Threat intelligence has evolved far beyond static IOC feeds. Today's practitioners combine structured frameworks with behavioral analytics, AI-driven detection, and automated correlation to keep pace with adversaries who share infrastructure and collaborate across organizational boundaries.
The Diamond Model remains foundational because its relational approach mirrors how modern attacks actually work — through connections between actors, tools, infrastructure, and targets. As network detection and response platforms observe attacker behaviors across hybrid environments, the same relational principles the Diamond Model codifies are what separate real threats from noise.
Vectra AI's Attack Signal Intelligence approach aligns with the Diamond Model's philosophy of relational, behavior-driven analysis. By correlating attacker behaviors across the modern network — spanning cloud, identity, SaaS, and on-premises environments — Vectra AI operationalizes the same relational principles the Diamond Model codifies. Connecting adversary actions, capabilities, and infrastructure delivers signal, not noise, to the analysts who need it most.
The Diamond Model of intrusion analysis provides a structured, relationship-driven approach to understanding cyber intrusions that complements sequential and behavioral frameworks. Its four core features, seven axioms, and activity threading capabilities give analysts at every level — from certification candidates to senior threat intelligence practitioners — a rigorous methodology for turning isolated indicators into connected intelligence.
As threat landscapes grow more complex, with ransomware ecosystems fragmenting into dozens of collaborating groups and adversaries prioritizing stealth over disruption, the Diamond Model's relational analysis becomes more valuable, not less. The 2025 Cisco Talos Relationship Layer extension proves the framework continues to evolve with the threat landscape.
Start by applying the six-step workflow to your next incident. Populate what you know, pivot through the edges, and let the relationships guide you to what you do not yet know. For organizations looking to operationalize these principles at scale, explore how Vectra AI's platform delivers the same relational, behavior-driven analysis through Attack Signal Intelligence.
The Diamond Model is a cybersecurity framework created by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in 2013. It models every intrusion event as four interconnected features — adversary, capability, infrastructure, and victim — arranged in a diamond shape. The model enables structured, relationship-driven threat analysis by focusing on how these features connect through six bidirectional edges. Unlike sequential frameworks, the Diamond Model captures the relational structure of an intrusion, allowing analysts to pivot from known indicators to discover unknown features. It is published through the Defense Technical Information Center and remains one of the most widely taught frameworks in cybersecurity education.
The four components are adversary (the threat actor or group), capability (the tools, techniques, and malware used), infrastructure (the resources like C2 servers, domains, and email addresses that support the operation), and victim (the targeted organization, system, person, or dataset). These features connect via six edges that enable analytical pivoting. For example, knowing a C2 domain (infrastructure) lets an analyst discover what malware communicates with it (capability) and who operates it (adversary). The four features are the minimum required to describe any intrusion event, though meta-features add contextual depth.
The cyber kill chain describes the sequential phases of an attack — from reconnaissance through actions on objectives — providing a temporal view. The Diamond Model maps the relational connections between an adversary, their capabilities, infrastructure, and victim within each phase. Where the kill chain answers "what happened in what order," the Diamond Model answers "who connected to what and how." They are complementary frameworks. Activity threading in the Diamond Model actually uses kill chain phases to order individual diamond events chronologically, creating a natural integration point between the two.
MITRE ATT&CK catalogs specific adversary tactics, techniques, and procedures with granular behavioral detail. The Diamond Model maps the relational structure of an intrusion at a higher level. ATT&CK techniques map directly to the Diamond Model's capability feature, and ATT&CK threat groups map to the adversary feature. Most practitioners use both together — the Diamond Model provides the relational scaffold, while ATT&CK fills in the behavioral specifics. For example, a Diamond Model analysis might identify that an adversary used PowerShell-based tools, and ATT&CK narrows that to specific technique T1059.001 with corresponding detection strategies.
The seven axioms are the formal theoretical foundation of the framework. They establish that every intrusion event involves an adversary using a capability over infrastructure against a victim (Axiom 1), that events follow an ordered sequence (Axiom 2), that capabilities and infrastructure have directionality (Axiom 3), and that a fully described event populates all four features (Axiom 4). Axioms 5 through 7 address adversary personas, capability completeness, and infrastructure reuse. Axiom 7 — that infrastructure is shared and reused — is arguably the most practically valuable, as it enables analysts to link seemingly unrelated intrusions through shared C2 servers or domains.
The Diamond Model is covered in CompTIA Security+ (SY0-701, Domain 4.2), CompTIA CySA+ (CS0-003), and EC-Council CEH. It also appears in TryHackMe SOC Level 1 training rooms and LinkedIn Learning certification prep courses. Sergio Caltagirone, one of the original authors, offers a dedicated Diamond Model course through the Threat Intelligence Academy. For analysts preparing for certification exams, understanding the four core components, their relationships, and how the Diamond Model compares to the kill chain and ATT&CK are the most commonly tested areas.
ThreatConnect — co-founded by Diamond Model co-author Andy Pendergast — natively incorporates the framework into its threat intelligence platform. MISP (Malware Information Sharing Platform) and OpenCTI provide open-source alternatives with entity relationship modeling capabilities. Many teams also use custom spreadsheet templates or diagramming tools like draw.io for smaller-scale analysis. Integration with STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) standards enables automated sharing of Diamond Model-structured intelligence across organizations and platforms.