
The Diamond Model of Intrusion Analysis, Explained

The Diamond Model connects every intrusion across four features — adversary, capability, infrastructure and victim — enabling powerful pivoting. Learn how to use it.

The Diamond Model of Intrusion Analysis is a framework for analyzing and tracking cyber intrusions by mapping the relationships between four core features: adversary, capability, infrastructure and victim. Introduced in 2013, it gives analysts a structured way to think about who is attacking, how, using what, and against whom — and, crucially, to pivot from one known element to discover the others.

It's one of the three foundational models of intrusion analysis, alongside the Cyber Kill Chain and MITRE ATT&CK, and it excels at attribution and investigation.

The four features (the diamond)

Every malicious event can be described by four vertices, which form the diamond shape:

  • Adversary — the threat actor behind the attack: the person, group or organization with intent. See types of threat actors.
  • Capability — the tools and techniques the adversary uses: malware, exploits, and their TTPs.
  • Infrastructure — the physical and logical resources used to deliver capability and maintain control: C2 servers, domains, IP addresses, email accounts.
  • Victim — the target of the attack: an organization, person, system or data.

The model connects these with two axes: the social-political axis (between adversary and victim, capturing motivation and intent) and the technical axis (between capability and infrastructure, capturing the how).

The core idea: pivoting

The Diamond Model's real power is the central axiom: the four features are connected, so if you know one or two, you can pivot to discover the others. This mirrors how real investigations work:

  • From a piece of infrastructure (a C2 domain), you can pivot to find related domains, the capability communicating with it, and other victims contacting it.
  • From a capability (a malware sample), you can identify the infrastructure it talks to and potentially the adversary known to use it.
  • From a victim's logs, you can extract the capability and infrastructure used against them.

Each pivot enriches the picture and often reveals previously unknown elements of the campaign — turning a single data point into a fuller understanding of the threat.

A worked example

Suppose an analyst finds a suspicious domain (infrastructure) in their logs. Pivoting on that domain via passive DNS reveals five sibling domains registered the same day. Examining the malware (capability) beaconing to them shows a distinctive technique that a particular APT (adversary) is known to use. Checking which other organizations contacted those domains reveals additional victims in the same industry. From one indicator, the analyst has reconstructed much of the campaign — that's the Diamond Model in action.

Meta-features and activity threads

The full model adds meta-features to each event — such as timestamp, phase (which Kill Chain stage), result, and confidence — and chains related events into activity threads that show how an intrusion progressed over time. This lets analysts group individual events into coherent campaigns and track an adversary's operations across multiple intrusions.
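As an added illustration, not code from the original article, the Python sketch below replays the pivoting sequence of the worked example over a constructed, fictional data set and then chains the same events into simplified activity threads keyed by victim. Every domain, sample name, victim name and the "APT-EXAMPLE" label is invented; the passive-DNS table is a stand-in for a real lookup service, and the dataclass and function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four vertices plus a few meta-features.
    A vertex that the analyst has not yet established is None."""
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]
    timestamp: str        # meta-feature: ISO date of the event
    phase: str            # meta-feature: Kill Chain stage
    confidence: float = 1.0

# Constructed passive-DNS table: domain -> registration date (fictional).
PASSIVE_DNS = {
    "update-cdn.example": "2024-03-01",
    "assets-cdn.example": "2024-03-01",
    "static-cdn.example": "2024-03-01",
    "shop.example": "2023-11-12",
}

# Constructed event log: what has been observed so far (fictional).
EVENTS = [
    DiamondEvent(None, "beacon.dll", "update-cdn.example", "acme-corp",
                 "2024-03-04", "command-and-control", 0.9),
    DiamondEvent(None, "beacon.dll", "assets-cdn.example", "globex-inc",
                 "2024-03-06", "command-and-control", 0.8),
    DiamondEvent("APT-EXAMPLE", "beacon.dll", "static-cdn.example", "initech",
                 "2024-03-09", "command-and-control", 0.6),
    DiamondEvent(None, "phish.docm", "update-cdn.example", "acme-corp",
                 "2024-03-03", "delivery", 0.9),
    DiamondEvent(None, "cryptominer", "shop.example", "wayne-ent",
                 "2024-02-20", "actions-on-objectives", 0.7),
]

def sibling_domains(domain, pdns=PASSIVE_DNS):
    """Infrastructure -> infrastructure pivot: domains registered on the same day."""
    day = pdns.get(domain)
    if day is None:
        return set()
    return {d for d, registered in pdns.items() if registered == day and d != domain}

def pivot(events, vertex, value):
    """Generic pivot: every event whose given vertex carries the given value."""
    return [e for e in events if getattr(e, vertex) == value]

def investigate_domain(domain, events=EVENTS, pdns=PASSIVE_DNS):
    """Start from one infrastructure indicator and fill in the other vertices."""
    infra = {domain} | sibling_domains(domain, pdns)
    related = [e for e in events if e.infrastructure in infra]
    # infrastructure -> capability: what is talking to these domains?
    capabilities = {e.capability for e in related if e.capability}
    # capability -> adversary: is that capability attributed anywhere in the log?
    adversaries = {e.adversary for e in events
                   if e.capability in capabilities and e.adversary}
    # infrastructure -> victim: who else contacted these domains?
    victims = {e.victim for e in related if e.victim}
    return {"infrastructure": infra, "capability": capabilities,
            "adversary": adversaries, "victim": victims}

def activity_threads(events):
    """Chain events into per-victim threads ordered by timestamp.
    Simplification: the model threads by adversary-victim pair, but here the
    adversary vertex is mostly unknown, so the victim alone keys the thread."""
    threads = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.timestamp):
        threads[e.victim].append((e.timestamp, e.phase, e.capability, e.infrastructure))
    return dict(threads)

if __name__ == "__main__":
    for vertex, values in investigate_domain("update-cdn.example").items():
        print(f"{vertex:15} {sorted(values)}")
    for victim, thread in activity_threads(EVENTS).items():
        print(victim, [phase for _, phase, _, _ in thread])
```

Starting from the single domain, the pivot yields three sibling domains, two capabilities, one attributed adversary and three victims; the unrelated "shop.example" event stays outside the diamond because its registration date does not match. The thread for "acme-corp" orders the delivery event before the command-and-control event, which is the Kill Chain progression the phase meta-feature is meant to expose.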

Diamond Model vs Kill Chain vs ATT&CK

The three models complement each other:

  • The Cyber Kill Chain describes the linear progression of an attack through stages.
  • MITRE ATT&CK catalogs the specific techniques within those stages.
  • The Diamond Model structures the relationships between the players and resources, powering attribution and pivoting.

In practice, analysts often combine them: use ATT&CK to describe the capability, the Kill Chain to place an event in the attack's timeline, and the Diamond Model to connect adversary, infrastructure and victims for investigation.

Practical tips for using the Diamond Model

The Diamond Model is most valuable when it becomes a working habit rather than a diagram you admire once. A few practical tips help analysts get real mileage from it during investigations:

  • Start from whatever you have. You rarely begin an investigation knowing all four vertices. Maybe you only have a suspicious domain (infrastructure) or an odd process (capability). The model's power is that any starting point lets you pivot toward the others — so begin with your single data point and expand.
  • Pivot deliberately and record as you go. Each pivot (infrastructure → related infrastructure → capability → adversary) should be documented, so you build a defensible chain of reasoning rather than a hunch.
  • Use it to drive collection. The empty vertices tell you exactly what to look for next. If you know the capability and infrastructure but not the victims, your next question is "who else is contacting this infrastructure?"
  • Attach confidence to every assertion. Especially on the adversary vertex, be explicit about how certain you are. Attribution is hard, and false-flag operations exist; the model helps you reason, not leap to conclusions.
  • Combine it with other models. Use the meta-feature for "phase" to place each event on the Cyber Kill Chain, and describe the capability's behavior with ATT&CK techniques. The Diamond Model structures the relationships; the others add timeline and technique detail.
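The tips above describe a working procedure: begin from the one vertex you have, record each pivot, let the empty vertices drive collection, and attach a confidence to every assertion. As an added example that is not part of the original article, the small Python class below turns that procedure into a pivot journal for a single diamond; the class name, the question table and the confidence values are this example's own assumptions, and the indicator values are constructed.

```python
VERTICES = ("adversary", "capability", "infrastructure", "victim")

# The collection question each empty vertex raises (wording is this example's).
NEXT_QUESTION = {
    "adversary": "which actor is known to use this capability and infrastructure?",
    "capability": "what malware or technique is communicating with this infrastructure?",
    "infrastructure": "which domains, addresses or accounts does this capability use?",
    "victim": "who else is contacting this infrastructure?",
}

class Investigation:
    """One diamond under construction: vertex -> (value, confidence) plus a journal."""

    def __init__(self, **known):
        # Start from whatever you have; unknown vertices are simply absent.
        self.diamond = {v: known[v] for v in VERTICES if v in known}
        self.journal = []

    def pivot(self, source, target, method, value, confidence):
        """Assert `value` for `target`, derived from `source` via `method`, and log it."""
        if source not in self.diamond:
            raise ValueError(f"cannot pivot from unknown vertex {source!r}")
        if target not in VERTICES:
            raise ValueError(f"unknown vertex {target!r}")
        existing = self.diamond.get(target)
        # Keep the better-supported assertion; never silently downgrade one.
        if existing is None or confidence > existing[1]:
            self.diamond[target] = (value, confidence)
        self.journal.append({"from": source, "to": target, "method": method,
                             "value": value, "confidence": confidence})
        return self.diamond[target]

    def gaps(self):
        """Empty vertices and the collection question each one poses."""
        return {v: NEXT_QUESTION[v] for v in VERTICES if v not in self.diamond}

    def weak(self, threshold=0.5):
        """Vertices asserted below the confidence threshold, e.g. a tentative attribution."""
        return [v for v, (_, conf) in self.diamond.items() if conf < threshold]

if __name__ == "__main__":
    inv = Investigation(infrastructure=("update-cdn.example", 0.95))   # constructed
    print(inv.gaps())
    inv.pivot("infrastructure", "capability", "beaconing sample", "beacon.dll", 0.9)
    inv.pivot("infrastructure", "victim", "netflow lookup", "globex-inc", 0.8)
    inv.pivot("capability", "adversary", "technique overlap", "APT-EXAMPLE", 0.4)
    print(inv.diamond, inv.weak(), sep="\n")
```

Each call to `pivot` both updates the diamond and appends a journal entry, so the chain of reasoning from the first indicator to the tentative attribution can be reviewed later; `weak()` keeps the low-confidence adversary vertex visible rather than letting it pass as a conclusion.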

Teams that internalize the model find that it quietly changes how they think: every alert becomes a partial diamond waiting to be completed, and every completed diamond enriches their understanding of the campaigns and adversaries they face. Over many investigations, linking events into activity threads reveals the larger shape of an adversary's operations — the same infrastructure reused, the same capabilities refined, the same victims targeted again. That accumulated, structured knowledge is precisely what turns reactive incident response into proactive, intelligence-led defense. The model is simple enough to sketch on a whiteboard yet rich enough to anchor an entire investigation methodology.

Quick recap:

  • The Diamond Model analyzes intrusions across four connected features: adversary, capability, infrastructure and victim.
  • Its core axiom is pivoting — knowing one feature lets you discover the others, which powers investigation and attribution.
  • Meta-features and activity threads chain individual events into coherent campaigns over time.
  • It complements the Cyber Kill Chain (timeline) and MITRE ATT&CK (techniques) — use all three together for the richest picture.

The bottom line

The Diamond Model maps every intrusion across adversary, capability, infrastructure and victim, and its central insight — that these are connected, so you can pivot from one to find the rest — makes it a powerful engine for investigation and attribution. Used alongside the Kill Chain and ATT&CK, it turns scattered indicators into coherent campaign understanding. To feed your analysis with fresh infrastructure, capability and adversary reporting, our live threat intelligence feed aggregates research from dozens of authoritative sources, ranked by priority.

Frequently asked questions

What is the Diamond Model of Intrusion Analysis?

The Diamond Model is a framework for analyzing cyber intrusions by mapping the relationships between four features: adversary, capability, infrastructure and victim. It helps analysts understand and track attacks and pivot from one known element to discover others.

What are the four features of the Diamond Model?

The four features are the adversary (the threat actor), the capability (tools and techniques used), the infrastructure (servers, domains and resources used to deliver and control attacks), and the victim (the target).

What is pivoting in the Diamond Model?

Pivoting is the practice of using a known feature to discover others, based on the model's core axiom that all four features are connected. For example, from a malicious domain you can pivot to related infrastructure, the malware using it, and other victims contacting it.

How does the Diamond Model compare to the Cyber Kill Chain and MITRE ATT&CK?

The Cyber Kill Chain describes the linear stages of an attack, MITRE ATT&CK catalogs the specific techniques within those stages, and the Diamond Model structures the relationships between the players and resources. They are complementary and often used together.