What is Diamond Model?
The Diamond Model of Intrusion Analysis represents every intrusion event as a relationship between four core features: Adversary, Capability, Infrastructure, and Victim, connected in a diamond shape to facilitate threat intelligence analysis and attribution.
How Diamond Model Works
Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, the Diamond Model provides a structured schema for analyzing intrusions. The four vertices are: Adversary (actor identity, motivation, intent), Capability (tools, techniques, malware), Infrastructure (IPs, domains, servers), and Victim (target organization, systems, data).
The model's power comes from pivoting between vertices. Identify a piece of malware (Capability), pivot to find all infrastructure it communicated with, then pivot from that infrastructure to identify other victims targeted by the same attacker, and build an attribution picture of the Adversary. This systematic pivoting is the core of threat intelligence analysis.
The Diamond Model complements ATT&CK (which describes techniques) by providing the analytical structure for connecting technical artifacts to adversary campaigns and tracking actor behavior across multiple incidents.
Diamond Model in SOC Operations
You use Diamond Model thinking when pivoting through threat intelligence during investigation. Starting from a detected IOC, you explore other vertices: what is the adversary's likely motivation given the victim profile? What other capabilities has this adversary used? What other infrastructure is linked? This structured approach produces richer intelligence than isolated indicator analysis and helps connect individual incidents to larger campaigns.
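The Capability-to-Infrastructure-to-Victim pivot chain described above, as an added example that is not part of the original page or of SOCSimulator: each intrusion event is stored as its four vertices, and a pivot from one known IOC walks the linked infrastructure, victims and adversary candidates. All events, hashes, domains and actor names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four Diamond Model vertices."""
    adversary: str       # actor label, or "unknown" before attribution
    capability: str      # tool or malware identifier (constructed label here)
    infrastructure: str  # C2 domain or IP (reserved .test / TEST-NET values)
    victim: str          # targeted organisation


# Constructed sample events (not real indicators); one row per observed intrusion.
EVENTS = [
    DiamondEvent("unknown", "mal-A", "c2.example-bad.test", "acme-corp"),
    DiamondEvent("unknown", "mal-A", "203.0.113.7", "acme-corp"),
    DiamondEvent("GROUP-X", "mal-B", "203.0.113.7", "globex-inc"),
    DiamondEvent("GROUP-X", "mal-C", "c2.example-bad.test", "initech"),
    DiamondEvent("GROUP-Y", "mal-D", "198.51.100.9", "umbrella-co"),
]


def pivot(events, vertex, value, to_vertex):
    """Pivot: every value of `to_vertex` seen in events where `vertex` == `value`."""
    return {getattr(e, to_vertex) for e in events if getattr(e, vertex) == value}


def investigate_capability(events, malware_id):
    """Start from one Capability IOC, pivot to Infrastructure, then to Victims
    and Adversaries linked through that infrastructure."""
    infra = pivot(events, "capability", malware_id, "infrastructure")
    victims, adversaries = set(), defaultdict(int)
    for node in infra:
        victims |= pivot(events, "infrastructure", node, "victim")
        for adv in pivot(events, "infrastructure", node, "adversary"):
            if adv != "unknown":
                adversaries[adv] += 1  # number of infrastructure links supporting attribution
    return {"infrastructure": infra, "victims": victims, "adversaries": dict(adversaries)}


if __name__ == "__main__":
    # Analyst detected the sample "mal-A" on acme-corp and wants the wider campaign.
    print(investigate_capability(EVENTS, "mal-A"))
```

Running the pivot from "mal-A" links both of its C2 nodes to GROUP-X and surfaces two further victims that the isolated IOC alone would not have shown.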
Practice Diamond Model in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating diamond model scenarios with zero consequences — free forever.