CODE418
Blog

July 13, 2026

The Diamond Model: structuring how you reason about an intrusion

FrameworksCTI

From a loose indicator to methodical analysis

Every CTI analyst piles up indicators — an IP here, a hash there, a suspicious domain. The challenge isn't collecting: it's turning those fragments into understanding. Who is behind it? With what tools? Against whom? The Diamond Model is the framework that gives structure to how you reason about intrusions.

The four vertices of every event

At the center of the model is the event — the atomic unit of an intrusion. Every event connects four irreducible elements:

  • Adversary — who carries out the action.
  • Capability — the tools and techniques used (malware, exploits, TTPs).
  • Infrastructure — what the adversary uses to operate (domains, IPs, C2 servers).
  • Victim — the target (a person, an organization, an asset).

The four link together like the vertices of a diamond. No intrusion exists without all four — and that completeness is exactly what makes the model a "grammar" for analysis.

What changes the analysis: pivoting

The model's power is in pivoting: from any vertex, you discover the others.

  • From infrastructure (a C2 domain), you pivot to other victims resolving to it.
  • From a capability (a malware sample), you pivot to the adversary who built it and to other campaigns that reuse it.

Each indicator stops being an isolated data point and becomes a starting point to expand what you know about the threat.

Meta-features: context and confidence

Every event carries meta-features that add context — timestamp, phase, result, direction, methodology and resources — and, crucially, a confidence level. Serious intrusion analysis distinguishes fact from hypothesis, and records that difference.

Diamond, Kill Chain and ATT&CK: layers that add up

The Diamond Model doesn't replace other frameworks — it connects them:

  • The Diamond answers who, against whom and with what (the relational layer).
  • The Cyber Kill Chain answers in which phase (the sequential layer).
  • MITRE ATT&CK answers how, at the observable-technique level.

Together, they describe an intrusion end to end — from the isolated fragment to the whole campaign.

Attribution, responsibly

The model is a powerful tool for attribution, but attributing is a high-consequence conclusion. Use confidence levels, back every claim with evidence, and resist the urge to "close" the diamond without a basis. A good analyst knows the difference between likely and proven.

From foundation to practice

The Diamond Model is simple to draw and deep to operate. Mastering its axioms, pivoting and integration with other frameworks is what separates citing the model from using it in a real investigation.

To walk that path, we wrote the e-book Diamond Model — Intrusion Analysis: atomic structure, axioms, pivoting and attribution, from foundations to application.

🔷 Download it for free: Diamond Model — Intrusion Analysis

We use analytics cookies to understand how the site is used. You decide — nothing is tracked without your consent. Cookie Policy