July 13, 2026
The Diamond Model: structuring how you reason about an intrusion
From a loose indicator to methodical analysis
Every CTI analyst piles up indicators — an IP here, a hash there, a suspicious domain. The challenge isn't collecting: it's turning those fragments into understanding. Who is behind it? With what tools? Against whom? The Diamond Model is the framework that gives structure to how you reason about intrusions.
The four vertices of every event
At the center of the model is the event — the atomic unit of an intrusion. Every event connects four irreducible elements:
- Adversary — who carries out the action.
- Capability — the tools and techniques used (malware, exploits, TTPs).
- Infrastructure — what the adversary uses to operate (domains, IPs, C2 servers).
- Victim — the target (a person, an organization, an asset).
The four link together like the vertices of a diamond. No intrusion exists without all four — and that completeness is exactly what makes the model a "grammar" for analysis.
What changes the analysis: pivoting
The model's power is in pivoting: from any vertex, you discover the others.
- From infrastructure (a C2 domain), you pivot to other victims resolving to it.
- From a capability (a malware sample), you pivot to the adversary who built it and to other campaigns that reuse it.
Each indicator stops being an isolated data point and becomes a starting point to expand what you know about the threat.
Meta-features: context and confidence
Every event carries meta-features that add context — timestamp, phase, result, direction, methodology and resources — and, crucially, a confidence level. Serious intrusion analysis distinguishes fact from hypothesis, and records that difference.
Diamond, Kill Chain and ATT&CK: layers that add up
The Diamond Model doesn't replace other frameworks — it connects them:
- The Diamond answers who, against whom and with what (the relational layer).
- The Cyber Kill Chain answers in which phase (the sequential layer).
- MITRE ATT&CK answers how, at the observable-technique level.
Together, they describe an intrusion end to end — from the isolated fragment to the whole campaign.
Attribution, responsibly
The model is a powerful tool for attribution, but attributing is a high-consequence conclusion. Use confidence levels, back every claim with evidence, and resist the urge to "close" the diamond without a basis. A good analyst knows the difference between likely and proven.
From foundation to practice
The Diamond Model is simple to draw and deep to operate. Mastering its axioms, pivoting and integration with other frameworks is what separates citing the model from using it in a real investigation.
To walk that path, we wrote the e-book Diamond Model — Intrusion Analysis: atomic structure, axioms, pivoting and attribution, from foundations to application.
🔷 Download it for free: Diamond Model — Intrusion Analysis