
Diamond Model

Definition

An analytic framework (the Diamond Model of Intrusion Analysis) that structures each cyber intrusion event around four linked core features: the adversary; the capability (malware, tooling, or technique) the adversary used; the infrastructure (hosts, domains, addresses) through which that capability was delivered or controlled; and the victim. The four sit at the vertices of a diamond, and every edge between them is a relationship an analyst can follow, so one known element (say, a command-and-control address) becomes the pivot from which the others are discovered. Events that share a feature value are chained into activity threads, and those threads are what support attribution to an adversary during an investigation.
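Pivot analysis over a set of Diamond events, as an added illustration that is not part of this glossary or of any tool the page describes. The event record, the helper names and the sample events are all constructed here for the example; the four core feature names are the model's, while the timestamp and phase fields are meta-features from the model's original description that the definition above does not list and that serve only to order the thread. One caveat a practitioner should keep in mind when running this on real data: a pivot is only as discriminating as the shared value, so a shared-hosting IP or a commodity malware hash will chain unrelated intrusions together.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The four core features of the Diamond Model (the vertices of the diamond).
CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event. A core feature that is not yet known is None and
    is never used as a pivot. timestamp and phase are model meta-features
    (not listed in the page's definition), used here only for ordering."""
    event_id: str
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]
    timestamp: str  # ISO 8601 UTC, so string order equals time order
    phase: str


def build_index(events: List[DiamondEvent]) -> Dict[Tuple[str, str], Set[str]]:
    """Index (feature, value) -> ids of the events that carry that value."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ev in events:
        for feat in CORE_FEATURES:
            val = getattr(ev, feat)
            if val is not None:
                index[(feat, val)].add(ev.event_id)
    return index


def pivot(events: List[DiamondEvent], feature: str, value: str) -> Dict[str, List[str]]:
    """One pivot: start from a known feature value and return every value of
    the other three features observed in the same events."""
    if feature not in CORE_FEATURES:
        raise ValueError(f"unknown feature {feature!r}")
    by_id = {ev.event_id: ev for ev in events}
    ids = build_index(events).get((feature, value), set())
    found: Dict[str, Set[str]] = {f: set() for f in CORE_FEATURES if f != feature}
    for eid in ids:
        ev = by_id[eid]
        for feat in found:
            val = getattr(ev, feat)
            if val is not None:
                found[feat].add(val)
    return {feat: sorted(vals) for feat, vals in found.items()}


def activity_thread(events: List[DiamondEvent], start_id: str) -> List[str]:
    """Transitive pivoting: every event reachable from start_id through any
    shared core feature value (breadth-first), returned in timestamp order."""
    by_id = {ev.event_id: ev for ev in events}
    index = build_index(events)
    seen = {start_id}
    queue = deque([start_id])
    while queue:
        ev = by_id[queue.popleft()]
        for feat in CORE_FEATURES:
            val = getattr(ev, feat)
            if val is None:
                continue
            for other in index[(feat, val)]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return sorted(seen, key=lambda eid: (by_id[eid].timestamp, eid))


def attributed_adversaries(events: List[DiamondEvent], thread_ids: List[str]) -> List[str]:
    """Adversary values recorded anywhere in a thread: the attribution the
    chain of pivots supports, with unknowns (None) left out."""
    by_id = {ev.event_id: ev for ev in events}
    return sorted({by_id[e].adversary for e in thread_ids if by_id[e].adversary is not None})


# Constructed sample events (not from any real investigation). Addresses are
# from the RFC 5737 documentation ranges; adversary, tool and victim names are
# placeholders.
SAMPLE_EVENTS = [
    DiamondEvent("ev1", None, "Dropper-A", "198.51.100.7", "acme-corp", "2024-03-01T09:00:00Z", "delivery"),
    DiamondEvent("ev2", None, "RAT-B", "198.51.100.7", "acme-corp", "2024-03-01T09:45:00Z", "c2"),
    DiamondEvent("ev3", "Actor-X", "RAT-B", "203.0.113.5", "globex-inc", "2024-03-04T14:10:00Z", "c2"),
    DiamondEvent("ev4", None, "Dropper-C", "192.0.2.9", "initech", "2024-03-05T08:00:00Z", "delivery"),
]

if __name__ == "__main__":
    # Pivot from the C2 address seen at acme-corp to the capabilities using it,
    # then chain ev1 -> ev2 (shared infrastructure) -> ev3 (shared capability),
    # which is where the adversary name enters the thread.
    print(pivot(SAMPLE_EVENTS, "infrastructure", "198.51.100.7"))
    thread = activity_thread(SAMPLE_EVENTS, "ev1")
    print(thread, attributed_adversaries(SAMPLE_EVENTS, thread))
```

Starting from the address alone, the first pivot yields the two capabilities and the victim but no adversary; it is the second hop, through the RAT shared with the globex-inc event, that brings Actor-X into the thread. ev4 shares nothing with the others and stays a thread of its own.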

Related terms

Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
MITRE ATT&CK
A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
STIX
Structured Threat Information eXpression. A standardised, machine-readable language for encoding and sharing threat intelligence objects such as indicators, threat actors, campaigns, and...
Tactics, Techniques, and Procedures (TTPs)
A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash)....
TAXII
Trusted Automated eXchange of Intelligence Information. The transport protocol used to share STIX content between organisations. TAXII defines server and client roles,...

Explained in

  • Threat Intelligence Fundamentals
