Get fresh insights, pro tips, and thought starters–only the best of posts for you.
The Diamond Model of Intrusion Analysis is a cybersecurity framework for analyzing malicious cyber activity by examining the relationships between four core features: the adversary, capability, infrastructure, and victim. Introduced by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, the model provides a structured approach for organizing and analyzing intrusion events.
Instead of treating an intrusion as a single event, the Diamond Model represents individual malicious activity events through four interconnected features. Related events can then be linked into activity threads, helping analysts organize evidence, explore relationships, and support threat hunting and incident response.
Each malicious activity event is represented as a diamond with four connected features.
| Element | Description |
| Adversary | The actor associated with the intrusion, including the operator conducting the activity and, where applicable, the customer directing or benefiting from it. |
| Capability | The adversary’s resources or means of affecting the victim, such as malware, exploits, tools, or techniques. |
| Infrastructure | The physical or logical resources used to deliver a capability or support adversary operations, such as domains, IP addresses, servers, accounts, or communication services. |
| Victim | The targeted person or organization and the associated assets against which the capability is directed. |
By examining the relationships among these features, analysts can characterize intrusion events and assess whether they may be connected to other malicious activity.
Security analysts use the Diamond Model to organize observations about malicious activity and correlate potentially related intrusion events.
Common use cases include:
Cybersecurity teams can use the Diamond Model alongside frameworks such as MITRE ATT&CK and the Cyber Kill Chain, since each provides a different perspective on adversary behavior and intrusion analysis.
Intrusion investigations often involve multiple systems, infrastructure components, capabilities, victims, and related events. The Diamond Model provides a structured method for documenting and analyzing these relationships.
Key benefits include:
While Hexnode UEM is an endpoint management platform rather than a dedicated intrusion analysis tool, it provides supported device management capabilities that can assist organizations during security investigations.
With Hexnode, administrators can:
These endpoint management capabilities can complement incident response processes by helping administrators retrieve supported device information and apply available management actions during investigations.
No. Incident responders, DFIR analysts, SOC personnel, and other security practitioners can apply the framework when analyzing intrusion activity.
No. The Diamond Model structures relationships among adversaries, capabilities, infrastructure, and victims, while MITRE ATT&CK organizes knowledge about adversary tactics and techniques.