The Pyramid of Pain, Explained
The Pyramid of Pain is a simple model with a profound lesson: detect attackers by their behavior, not their disposable artifacts. Learn all six levels and how to use it.
The Pyramid of Pain is a simple but profound model in threat detection, created by security researcher David Bianco. It ranks the types of indicators you can detect by how much pain it causes an attacker when you deny them that indicator. The higher up the pyramid you operate, the more you disrupt the adversary — and the longer your detections stay effective.
The core lesson is one of the most important ideas in modern defense: blocking an attacker's disposable artifacts (like file hashes) barely inconveniences them, while detecting their fundamental behaviors forces them to rethink their entire operation.
The six levels of the pyramid
From the bottom (trivial for attackers to change) to the top (very painful), the levels are:
1. Hash values — trivial
At the base sit file hashes (MD5, SHA-256). They precisely identify a specific file, but they're worthless the moment an attacker changes a single byte — recompiling malware produces a completely new hash. Blocking a hash stops one file and nothing more.
2. IP addresses — easy
Blocking malicious IPs is useful, but attackers rotate them constantly using cloud hosting, proxies and anonymizers. Denying an IP is a minor inconvenience.
3. Domain names — simple
Domains are slightly more painful to change than IPs because they must be registered and configured, but they're still cheap and fast to replace, especially with automated domain-generation algorithms.
4. Network & host artifacts — annoying
Now we move up into behavior. These are the distinctive traces a tool leaves — a specific user-agent string, a registry key it creates, a particular URI pattern in its C2 traffic. To evade detection here, attackers must modify their tools, which takes real effort. This is where you start causing genuine annoyance.
5. Tools — challenging
Detecting the actual tools an adversary uses — a specific malware family, a particular framework or utility — is painful for them, because finding or building a replacement that does the job is costly and time-consuming. Deny their tools and you force them to retool.
6. TTPs — tough!
At the apex sit tactics, techniques and procedures — how the adversary operates. Detecting at this level targets behavior itself: how they phish, escalate privileges, move laterally and exfiltrate. To evade detection here, an attacker must fundamentally change the way they operate — relearn, retrain and rebuild their approach. That's the maximum pain you can impose.
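The six levels become concrete when you watch one detection per level survive, or not survive, the cheap changes the article describes. The following Python script is an added example, not part of the original article or of David Bianco's work. It builds a single constructed telemetry event (placeholder hash, TEST-NET addresses, an invented domain and user-agent, an Office-spawns-PowerShell process chain) and one toy rule for each of the hash, IP, domain, artifact and TTP levels. It then applies the adversary's cheapest moves in order (recompile, rotate infrastructure, retool) and reports which rules still fire after each one.

```python
"""Added example: brittle vs durable detections across the Pyramid of Pain.

Every value below is constructed sample data, not a real indicator. The
rules are deliberately tiny; the point is which of them keep matching
once the adversary makes the cheap changes the article describes.
"""
import re
from copy import deepcopy

# --- Constructed event: a phishing document spawning an encoded PowerShell
#     stage that then polls a C2 server over HTTP. ----------------------------
BASELINE_EVENT = {
    "sha256": "a" * 64,                       # placeholder hash of the dropper
    "dst_ip": "203.0.113.10",                 # TEST-NET-3 documentation range
    "dst_domain": "update.example",           # constructed domain
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "uri": "/api/v1/poll?id=1234",            # constructed C2 URI pattern
    "parent_process": "WINWORD.EXE",
    "process": "powershell.exe",
    "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",  # payload is a dummy
}

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
ENCODED_FLAG = re.compile(r"(?i)\s-(enc|encodedcommand)\b")
IMPLANT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


# --- One toy rule per pyramid level (tools level omitted: it needs a file
#     classifier rather than a field comparison). ------------------------------
def rule_hash(e):      # level 1: exact file hash
    return e["sha256"] == "a" * 64

def rule_ip(e):        # level 2: known C2 address
    return e["dst_ip"] == "203.0.113.10"

def rule_domain(e):    # level 3: known C2 domain
    return e["dst_domain"] == "update.example"

def rule_artifact(e):  # level 4: trace the tool leaves (hard-coded UA + URI shape)
    return e["user_agent"] == IMPLANT_UA and e["uri"].startswith("/api/v1/poll?id=")

def rule_ttp(e):       # level 6: behaviour, independent of any specific tool
    return (e["parent_process"].upper() in OFFICE_APPS
            and e["process"].lower() == "powershell.exe"
            and bool(ENCODED_FLAG.search(e["cmdline"])))

RULES = {"hash": rule_hash, "ip": rule_ip, "domain": rule_domain,
         "artifact": rule_artifact, "ttp": rule_ttp}


def evaluate(event):
    """Return the set of rule names that fire on this event."""
    return {name for name, rule in RULES.items() if rule(event)}


# --- The adversary's cheap changes, cheapest first. ---------------------------
def recompile(event):
    """Change one byte and rebuild: only the hash moves."""
    new = deepcopy(event)
    new["sha256"] = "b" * 64
    return new

def rotate_infrastructure(event):
    """Fresh VPS and a newly registered domain (both constructed values)."""
    new = deepcopy(event)
    new["dst_ip"] = "198.51.100.7"
    new["dst_domain"] = "cdn-static.example"
    return new

def retool(event):
    """Real effort: modify the implant so its UA and URI pattern change."""
    new = deepcopy(event)
    new["user_agent"] = "curl/8.0.1"
    new["uri"] = "/static/js/app.js"
    return new


if __name__ == "__main__":
    event = BASELINE_EVENT
    print("baseline          :", sorted(evaluate(event)))
    event = recompile(event)
    print("after recompile   :", sorted(evaluate(event)))
    event = rotate_infrastructure(event)
    print("after rotation    :", sorted(evaluate(event)))
    event = retool(event)
    print("after retooling   :", sorted(evaluate(event)))
```

Running it shows the hash rule dying at the first step, IP and domain at the second, and the artifact rule only after the attacker has actually modified their implant. The TTP rule, which never looks at a hash, an address or a string the tool emits, is still firing at the end: the only way around it is to stop delivering encoded PowerShell from an Office document, which is the retrain-and-rebuild cost the article calls "tough".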
The big lesson
The pyramid teaches a strategic truth about detection economics. Most security programs spend the bulk of their effort at the bottom — collecting and blocking hashes, IPs and domains — because those indicators are abundant and easy to consume. But that's exactly where it's cheapest for attackers to adapt. Every hash you block, they evade by recompiling; every IP you block, they swap in minutes.
Investing in detection higher up the pyramid — at the artifact, tool and especially TTP levels — yields detections that are far more durable and that genuinely disrupt adversaries. This is the rationale behind behavior-based detection (indicators of attack), the MITRE ATT&CK framework, and proactive threat hunting.
How to apply the Pyramid of Pain
- Keep doing the basics. Still block known hashes, IPs and domains — they're cheap wins and catch low-effort threats.
- But climb the pyramid. Deliberately invest in detecting tools and TTPs, not just artifacts.
- Map detections to ATT&CK. This anchors your work at the TTP level and reveals coverage gaps.
- Measure where you operate. If most of your detections live at the bottom of the pyramid, you're imposing little cost on real adversaries.
- Hunt for behaviors. Use TTP-level hypotheses to find attackers who've evaded your indicator-based defenses.
A maturity perspective: where does your program operate?
One of the most useful exercises a security team can do is to honestly assess where on the pyramid their detection program actually lives. Most programs, if they look closely, discover that the overwhelming majority of their detections sit in the bottom two layers — hashes and IP addresses — because those are the indicators that feeds deliver in bulk and that tools ingest automatically.
That's not wrong; it's just incomplete. Picture two organizations facing the same skilled adversary:
- Organization A relies entirely on blocking known hashes, IPs and domains. The attacker recompiles their malware (new hash), spins up fresh infrastructure (new IPs and domains), and walks straight past every control — a few minutes of effort defeats the entire defense.
- Organization B also blocks those indicators, but additionally detects the attacker's behaviors: the way they escalate privileges, move laterally and exfiltrate data. To evade Organization B, the attacker must redesign their entire methodology — relearning techniques and retraining operators. Most will simply move on to an easier target.
This thought experiment captures the strategic value of climbing the pyramid. It doesn't mean abandoning the lower levels — those cheap, automated blocks still stop a great deal of low-effort, opportunistic activity. It means deliberately investing in detection capability higher up: building behavioral analytics, mapping coverage to ATT&CK, and running TTP-level threat hunts.
A practical way to apply this is to periodically categorize your detections by pyramid level and look at the distribution. If nearly everything sits at the bottom, you have a clear, actionable roadmap: start translating the techniques used by the adversaries who target your sector into behavioral detections. Over time, you shift the center of gravity of your program upward — and with it, the amount of genuine pain you impose on the people trying to break in. That shift, more than any single tool, is what separates programs that frustrate real adversaries from those that merely inconvenience them.
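Categorizing detections by pyramid level is easy to automate once each rule carries either an atomic indicator value or a small amount of metadata. The following Python script is an added example, not code from the original article. It assumes a rule inventory exported as dictionaries with a `kind` field (`ioc`, `tool` or `behavior`); atomic IOCs are assigned to the hash, IP, domain or artifact level purely by the shape of their value, and behavioral rules carry the ATT&CK technique ID they cover. The sample ruleset is constructed; the two technique IDs are real ATT&CK identifiers (T1566 Phishing, T1021 Remote Services) used only as labels.

```python
"""Added example: measure where a detection program sits on the Pyramid of Pain.

Input format (an assumption for this example): each rule is a dict with a
"kind" of "ioc" (with a "value"), "tool", or "behavior" (with a "technique").
"""
import re
from collections import Counter

# Bottom to top; list index + 1 is the level's pain rank (1 = hash, 6 = TTP).
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify(rule):
    """Return the pyramid level of one detection rule."""
    kind = rule.get("kind")
    if kind == "ioc":
        value = rule["value"]
        if HEX_HASH.match(value):
            return "hash"
        if IPV4.match(value):
            return "ip"
        if DOMAIN.match(value):
            return "domain"
        return "artifact"          # user-agent, URI pattern, registry key, mutex ...
    if kind == "tool":
        return "tool"
    if kind == "behavior":
        return "ttp"
    raise ValueError(f"unknown rule kind: {kind!r}")


def distribution(rules):
    """Count of rules per level, every level present even when zero."""
    counts = Counter(classify(r) for r in rules)
    return {level: counts.get(level, 0) for level in LEVELS}


def pain_score(rules):
    """Mean pain rank (1..6): the program's centre of gravity on the pyramid."""
    ranks = [LEVELS.index(classify(r)) + 1 for r in rules]
    return sum(ranks) / len(ranks)


def share_at_or_above(rules, level):
    """Fraction of rules at `level` or higher, e.g. the behavioural share."""
    floor = LEVELS.index(level)
    above = sum(1 for r in rules if LEVELS.index(classify(r)) >= floor)
    return above / len(rules)


def attack_coverage(rules):
    """Sorted, de-duplicated ATT&CK technique IDs covered by behavioural rules."""
    return sorted({r["technique"] for r in rules if r.get("kind") == "behavior"})


# --- Constructed sample inventory: heavy at the bottom, as most programs are. --
SAMPLE_RULES = (
    [{"name": f"hash-{i}", "kind": "ioc", "value": format(i, "064x")} for i in range(6)]
    + [{"name": f"ip-{i}", "kind": "ioc", "value": f"203.0.113.{i}"} for i in range(4)]
    + [
        {"name": "c2-domain", "kind": "ioc", "value": "update.example"},
        {"name": "staging-domain", "kind": "ioc", "value": "cdn-static.example"},
        {"name": "implant-ua", "kind": "ioc",
         "value": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
        {"name": "run-key-persistence", "kind": "ioc",
         "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
        {"name": "cred-dump-tool", "kind": "tool", "value": "example-credential-dumper"},
        {"name": "office-spawns-powershell", "kind": "behavior", "technique": "T1566"},
        {"name": "admin-share-lateral-movement", "kind": "behavior", "technique": "T1021"},
    ]
)

if __name__ == "__main__":
    dist = distribution(SAMPLE_RULES)
    total = len(SAMPLE_RULES)
    for level in reversed(LEVELS):            # print apex first, like the pyramid
        print(f"{level:>9}: {dist[level]:3d}  ({100 * dist[level] / total:5.1f}%)")
    print(f"pain score (1-6)      : {pain_score(SAMPLE_RULES):.2f}")
    print(f"artifact level or above: {share_at_or_above(SAMPLE_RULES, 'artifact'):.0%}")
    print(f"ATT&CK techniques      : {', '.join(attack_coverage(SAMPLE_RULES))}")
```

Run the script periodically against your real inventory and track the pain score and the behavioral share over time; the sample set scores about 2.6, i.e. a program whose center of gravity sits between the IP and domain levels. The ATT&CK list doubles as the coverage view the article recommends: techniques used by adversaries targeting your sector that are absent from it are the roadmap for the next behavioral detections to build.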
The bottom line
The Pyramid of Pain shows that not all indicators are equal: denying hashes and IPs barely slows attackers, while detecting their tools and TTPs forces them to fundamentally change how they operate. The strategic goal is to climb the pyramid — building durable, behavior-based detection that imposes real cost on adversaries. To fuel both your indicator feeds and your TTP-level hunts, our live threat intelligence feed aggregates breaking research from dozens of authoritative sources, ranked by priority.
Frequently asked questions
What is the Pyramid of Pain?
The Pyramid of Pain is a model by David Bianco that ranks indicators by how much it hurts an attacker when you deny them. From bottom to top: hash values, IP addresses, domain names, network/host artifacts, tools, and TTPs. The higher you detect, the more you disrupt the adversary.
Why are TTPs at the top of the Pyramid of Pain?
Because TTPs describe how an adversary fundamentally operates. To evade detection at this level, attackers must relearn and rebuild their entire approach, which is extremely costly — unlike changing a file hash or IP address, which takes minutes.
What is the main lesson of the Pyramid of Pain?
That detecting attackers by their disposable artifacts (hashes, IPs, domains) barely slows them down, while detecting their behaviors (tools and TTPs) imposes real cost and produces far more durable detections. Programs should invest in climbing the pyramid.
Should I stop using hash and IP indicators?
No — they're cheap, easy wins that catch low-effort threats and support retroactive hunting. The point is not to abandon them but to also invest higher up the pyramid in tool- and TTP-based detection, which is far harder for attackers to evade.