
Threat Intelligence: The Diamond Model of Intrusion Analysis

1. The Core Philosophy: Four Facets of an Event


The model describes every intrusion event as a diamond with four interconnected vertices, built on one axiom: for every intrusion event, an adversary takes a step towards a goal by using a capability over some infrastructure against a victim. If any one of the four is absent there is no event to analyse; in practice, several of them start out as “Unknown” and the investigation fills them in.


Figure 1: The Diamond Model

Adversary (Who?)

The threat actor or organization behind the event. Early in an investigation this vertex is usually “Unknown”. A goal of CTI is to populate it and, with sufficient evidence, attribute the activity to a known group (e.g., APT28 or Scattered Spider). Attribution is a judgement made at a stated confidence level; a single shared indicator is rarely enough on its own.

Capability (How?)

The tools, malware, or techniques the adversary uses. This could be a specific exploit (including a zero-day), a custom ransomware payload, or “Living off the Land” tradecraft built on tooling already present on the victim (WMI, for example) or on legitimate administrative utilities the adversary brings along, such as PsExec.

Infrastructure (Where?)

The physical and logical structures the adversary uses to deliver capabilities and to control the attack: Command and Control (C2) IP addresses, phishing domain names, or compromised legitimate servers used as staging or pivot points.

Victim (Against Whom?)

The target of the adversary. This vertex is highly granular: it represents not just the corporate entity but the specific employee who received the spear-phishing email, the specific host or IP address, or the specific database whose contents are being exfiltrated.

2. The Heart of the Model: The Art of Pivoting


The true power of the Diamond Model does not lie in defining the vertices, but in exploiting the edges (the relationships connecting them). The model formalizes the most critical mental activity of a DFIR analyst: Pivoting.

Pivoting is the analytical process of using one known data point to discover a new, unknown data point along the edges of the diamond.

  1. Pivot Capability → Infrastructure: During a ransomware investigation, you reverse-engineer a suspicious executable (Capability). Dynamic analysis reveals that it beacons out to 198.51.100.42 (Infrastructure).
  2. Pivot Infrastructure → Adversary: You query the discovered IP address in your Threat Intelligence Platform (TIP). The intelligence feed correlates this IP, at a stated confidence, with infrastructure previously attributed to the Akira ransomware group (Adversary). This is a hypothesis to test, not a conclusion: C2 addresses on shared or bulletproof hosting are reused by unrelated actors.
  3. Pivot Adversary → Capability: Working from the Akira hypothesis, you consult their CTI profile and learn that Akira makes heavy use of rclone for data exfiltration (Capability). You immediately query your SIEM for rclone execution on the Victim network; a hit strengthens the attribution, and a miss is itself useful evidence.

Every IOC you uncover is a vertex on some diamond. The model forces the analyst to keep asking: “Given this artifact, which other vertices can I logically infer?” Each answer carries a confidence level, and that confidence should be recorded alongside the pivot, because later analysts will build on it.

3. Meta-Features: Adding Operational Context


To build a complete narrative, the base model is enriched with “Meta-features” that attach time, position in the attack lifecycle, and outcome to each event. The four most used in practice are:

  • Timestamp: The exact When. Crucial for ordering multiple diamonds into a sequence, and for correlating the event with logs that use their own clocks.
  • Phase: The stage of the attack lifecycle. Every diamond is mapped to a specific phase of the Cyber Kill Chain or to a MITRE ATT&CK tactic (e.g., an event might represent Credential Access).
  • Result: The Effect, recorded as success, failure, or unknown. Did the capability achieve its goal against the victim, or was it blocked by the EDR?
  • Direction: The flow of the event (e.g., Victim-to-Infrastructure for a C2 callback, or Infrastructure-to-Victim for a phishing email delivery). Direction tells you which side initiated the connection, and therefore which logs (proxy egress versus mail gateway, for instance) should hold the evidence.

The Diamond Model bridges the gap between tactical incident response and strategic threat intelligence.

During an active incident, the Diamond Model serves as a visual checklist. If a SOC team has identified the compromised server (Victim), the malicious domain (Infrastructure), and the dropped webshell (Capability), but cannot identify the Adversary, the model explicitly highlights this critical knowledge gap, directing the CTI team’s research efforts.

A single attack is never a single event; it is a sequence of actions. By chaining multiple diamonds together chronologically (e.g., Diamond 1: Phishing delivery → Diamond 2: Lateral Movement → Diamond 3: Exfiltration), analysts create an Activity Thread.

When multiple distinct Activity Threads (perhaps from different incidents months apart) share the same Infrastructure and Capability vertices but target different Victims, the analyst has evidence of a common actor behind them: an activity group in the model's own terms, more commonly called a Threat Campaign. Shared features raise confidence but do not prove common origin; commodity tooling such as rclone and reused hosting IPs turn up across unrelated actors, so the overlap should be weighed, not counted.
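The pivots in section 2 and the thread-to-campaign linking described just above are mechanical enough to show in code. The following is an added example, not code from the page or from any threat-intelligence product: a small in-memory store of diamonds carrying the meta-features, a `pivot` helper that walks an edge across every stored event, a chronological `activity_thread`, a `campaigns` function that merges threads sharing an (infrastructure, capability) pair against different victims, and a `hunt` that scans process-creation records for a capability. Every event, hostname, timestamp and log line is constructed for the example; the Akira label and the 198.51.100.42 address are taken from the walk-through above and stand for a TIP correlation at 70% confidence, not for real intelligence.

```python
"""Diamonds, pivots, activity threads and campaigns in one small in-memory model."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

UNKNOWN = "unknown"  # vertex not yet established; pivots never return it as an answer


@dataclass(frozen=True)
class Diamond:
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    timestamp: datetime   # meta-feature: when
    phase: str            # meta-feature: kill-chain phase or ATT&CK tactic
    result: str           # meta-feature: success / failure / unknown
    direction: str        # meta-feature: e.g. victim-to-infrastructure
    thread: str           # incident (activity thread) the event belongs to
    confidence: int = 50  # analyst confidence, 0-100, in this event's linkage


def pivot(events, known, value, wanted, min_confidence=0):
    """Values of vertex `wanted` seen on any diamond where `known` equals `value`."""
    return {getattr(e, wanted) for e in events
            if getattr(e, known) == value and getattr(e, wanted) != UNKNOWN
            and e.confidence >= min_confidence}


def activity_thread(events, thread):
    """One incident's diamonds in chronological order."""
    return sorted((e for e in events if e.thread == thread), key=lambda e: e.timestamp)


def campaigns(events):
    """Merge threads that share an (infrastructure, capability) pair but no victim."""
    threads = defaultdict(list)
    for e in events:
        threads[e.thread].append(e)
    shared = {t: {(e.infrastructure, e.capability) for e in ev} for t, ev in threads.items()}
    victims = {t: {e.victim for e in ev} for t, ev in threads.items()}
    parent = {t: t for t in threads}  # union-find over thread names

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    for a, b in combinations(sorted(threads), 2):
        if shared[a] & shared[b] and victims[a].isdisjoint(victims[b]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for t in threads:
        groups[find(t)].add(t)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def hunt(log_lines, capability):
    """Hosts whose process-creation records (format: <ts> <host> ...) show the capability."""
    return {line.split()[1] for line in log_lines if capability in line.lower()}


T = datetime.fromisoformat
EVENTS = [  # constructed data following the ransomware walk-through on the page
    Diamond(UNKNOWN, "invoice.zip lure", "invoice-portal.example", "acme\\jdoe",
            T("2024-03-01T09:00"), "delivery", "success", "infrastructure-to-victim", "INC-1"),
    Diamond(UNKNOWN, "locker.exe", "198.51.100.42", "acme-ws042",
            T("2024-03-01T09:15"), "command-and-control", "success", "victim-to-infrastructure", "INC-1"),
    Diamond(UNKNOWN, "rclone", "198.51.100.42", "acme-fileserver",
            T("2024-03-02T02:10"), "exfiltration", "unknown", "victim-to-infrastructure", "INC-1"),
    # a second victim months later; the (constructed) TIP attributes these to Akira at 70%
    Diamond("Akira", "locker.exe", "198.51.100.42", "globex-dc01",
            T("2024-06-10T22:40"), "command-and-control", "success", "victim-to-infrastructure", "INC-2", 70),
    Diamond("Akira", "rclone", "198.51.100.42", "globex-fs01",
            T("2024-06-11T01:05"), "exfiltration", "success", "victim-to-infrastructure", "INC-2", 70),
    # an unrelated incident that shares nothing with the others
    Diamond(UNKNOWN, "mimikatz", "203.0.113.7", "initech-ws1",
            T("2024-05-03T13:00"), "credential-access", "failure", "victim-to-infrastructure", "INC-3"),
]
LOGS = [  # constructed SIEM process-creation records
    "2024-03-02T02:10:11Z acme-fileserver process_create image=C:\\Tools\\rclone.exe cmd=copy D:\\shares remote:",
    "2024-03-02T02:11:40Z acme-ws042 process_create image=C:\\Windows\\System32\\svchost.exe",
    "2024-06-11T01:05:02Z globex-fs01 process_create image=C:\\ProgramData\\RCLONE.EXE cmd=sync",
]

if __name__ == "__main__":
    print(pivot(EVENTS, "capability", "locker.exe", "infrastructure"))        # {'198.51.100.42'}
    print(pivot(EVENTS, "infrastructure", "198.51.100.42", "adversary", 60))  # {'Akira'}
    print(pivot(EVENTS, "adversary", "Akira", "capability"))                  # {'locker.exe', 'rclone'}
    print([e.phase for e in activity_thread(EVENTS, "INC-1")])
    print(campaigns(EVENTS))                                                  # [['INC-1', 'INC-2']]
    print(hunt(LOGS, "rclone"))                                               # {'acme-fileserver', 'globex-fs01'}
```

The `min_confidence` argument is the point of the design: the same Infrastructure → Adversary pivot that returns Akira at a 60% threshold returns nothing at 80%, which is how a tracking system should behave when the only link is a single correlated IP. `campaigns` deliberately requires disjoint victim sets, so two threads from the same incident are not mistaken for a campaign, and it treats every shared pair equally; weighting commodity capabilities lower is the obvious next refinement.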

The Diamond Model maps naturally onto STIX 2.1 objects, which is why automated threat sharing amounts to transmitting digitised diamonds:

  • Adversary = threat-actor SDO (or intrusion-set, where only the cluster of activity is known)
  • Capability = malware, tool, or attack-pattern SDO
  • Infrastructure = infrastructure SDO, with the concrete ipv4-addr and domain-name SCOs attached to it
  • Victim = identity SDO

The diamond's edges become relationship SROs (uses, targets, beacons-to, consists-of), and an unattributed event is shared without a threat-actor object rather than with a guessed one.
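To make the mapping concrete, here is an added example (not from the page and not using the `stix2` library) that emits one diamond as a STIX 2.1 bundle with only the standard library. The object types, the required properties, the relationship types and the fixed SCO namespace are from the STIX 2.1 specification; the event values, the `diamond_to_bundle` and `check_refs` helper names and the "C2 for ..." naming are this example's own. It also shows the practitioner detail that SCO ids are deterministic (UUIDv5 over the canonical JSON of the id-contributing properties), so two organisations sharing the same IP produce the same id and consumers can de-duplicate.

```python
"""Emit one Diamond event as a STIX 2.1 bundle using only the standard library."""
import json
import uuid
from datetime import datetime, timezone

# Namespace STIX 2.1 fixes for deterministic SCO ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def stamp():
    """STIX timestamp: UTC, millisecond precision, trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def sco(sco_type, value):
    """ipv4-addr / domain-name observable; the same value always yields the same id."""
    canonical = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {"type": sco_type, "spec_version": "2.1",
            "id": f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, canonical)}", "value": value}


def sdo(obj_type, **props):
    """Generic SDO/SRO skeleton with a fresh UUIDv4 id and created/modified stamps."""
    ts = stamp()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def rel(source, kind, target):
    return sdo("relationship", relationship_type=kind,
               source_ref=source["id"], target_ref=target["id"])


def diamond_to_bundle(adversary, capability, infrastructure, victim):
    """adversary: group name or None when unattributed;
    capability: (name, 'malware' | 'tool' | 'attack-pattern');
    infrastructure: {sco_type: value}; victim: organisation name."""
    cap_name, cap_type = capability
    extra = {"is_family": False} if cap_type == "malware" else {}  # is_family is required on malware
    cap = sdo(cap_type, name=cap_name, **extra)
    infra = sdo("infrastructure", name=f"C2 for {cap_name}",
                infrastructure_types=["command-and-control"])
    observables = [sco(t, v) for t, v in infrastructure.items()]
    target = sdo("identity", name=victim, identity_class="organization")
    objs = [cap, infra, target, *observables]
    objs += [rel(infra, "consists-of", o) for o in observables]
    objs.append(rel(cap, "targets", target))
    if cap_type == "malware":
        objs.append(rel(cap, "beacons-to", infra))
    if adversary:  # an unknown Adversary vertex is simply left out, never guessed
        actor = sdo("threat-actor", name=adversary)
        objs += [actor, rel(actor, "uses", cap), rel(actor, "uses", infra),
                 rel(actor, "targets", target)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


def check_refs(bundle):
    """Ids of objects with a *_ref that does not resolve inside the bundle (should be empty)."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if any(v not in ids for k, v in o.items() if k.endswith("_ref"))]


if __name__ == "__main__":
    bundle = diamond_to_bundle("Akira", ("locker.exe", "malware"),
                               {"ipv4-addr": "198.51.100.42", "domain-name": "invoice-portal.example"},
                               "Acme Corp")  # constructed event, same scenario as the page
    print(json.dumps(bundle, indent=2))
    print("dangling refs:", check_refs(bundle))
```

`check_refs` is the sanity check worth running before anything leaves the organisation: a relationship whose `target_ref` points at an object you filtered out (a victim identity, say) is the most common way a shared bundle silently loses its Victim vertex.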

By internalizing the Diamond Model, security professionals stop reacting to isolated SIEM alerts and begin tracking holistic, multi-dimensional adversaries.