# Diamond model

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/diamond-model

## Quick definition

The Diamond model is a way to understand a cyberattack by looking at four things: who attacked (adversary), what they used (capability), how they got in (infrastructure), and who was attacked (victim). It helps security teams see the whole picture of an incident. Analysts use it to find patterns and stop future attacks.

## Simple meaning

Imagine you are a detective investigating a burglary. You would want to know who the thief was, what tools they used to break in, how they entered the house (like a broken window), and whose house it was. The Diamond model does the same thing for cyberattacks, but with four main pieces: the adversary (the attacker or group), the capability (the malware or hacking tool), the infrastructure (the computer servers or network paths the attacker controls), and the victim (the person or company being attacked). By looking at all four parts together, investigators can see how an attack worked and find ways to stop similar attacks in the future.

Think of it like a puzzle where each piece gives a clue. If you only know who the attacker is, you might not know the tool they used. If you know the tool but not the victim, you cannot warn the right people. The Diamond model puts all four pieces together so that security teams can connect the dots. For example, if a company finds a malicious file on its network, the Diamond model helps ask: Who sent it? What server did it come from? What does the file do? And which department was targeted? This helps the team respond quickly and learn from the attack to prevent the next one.

## Technical definition

The Diamond model of intrusion analysis is a structured framework developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz to model cyber intrusions. It defines four core components: Adversary (the entity behind the attack), Capability (the tools or techniques used), Infrastructure (the physical or virtual resources like command-and-control servers), and Victim (the target organization or system). The model emphasizes relationships between these components, forming a diamond shape when visualized. The edges represent the interactions: the adversary uses a capability to act on infrastructure that affects the victim.

In practice, the Diamond model supports intelligence-driven detection and response. Analysts populate each vertex with specific indicators of compromise (IOCs). For example, an adversary might be identified by an email address or a known threat group. The capability could be a specific malware hash, and the infrastructure might include IP addresses or domain names. The victim may be represented by affected hostnames, user accounts, or data loss details. The model also incorporates meta-features such as timestamp, kill chain phase, and confidence level to enrich each event.

One key strength of the Diamond model is its ability to map multiple events to a single intrusion. A single attack often involves multiple capabilities, multiple infrastructure nodes, and possibly multiple victims. By grouping events that share common adversary, capability, infrastructure, or victim attributes, analysts can build a comprehensive intrusion set. This is critical for threat hunting and attribution. The model also enables pivot analysis: if a new infrastructure IP is discovered, analysts can search for all events involving that IP to find other victims or capabilities.

The Diamond model is often used alongside the Cyber Kill Chain. While the kill chain describes the stages of an attack (reconnaissance, weaponization, delivery, etc.), the Diamond model provides a static snapshot of the key actors and assets at each stage. Together, they give a full operational picture. In the CySA+ exam, the Diamond model is tested as a core analytical framework for security operations. Questions may ask you to identify which component a piece of evidence belongs to, or to use the model to describe an intrusion in a scenario.

## Real-life example

Imagine you are the security manager at a school. One morning, a teacher reports that their computer is acting strangely, with files being deleted and strange messages popping up. Using the Diamond model, you start investigating. First, you ask: Who is the adversary? You check email logs and see that a suspicious email came from an address pretending to be the school district’s IT department. That email is the adversary’s way of getting in.

Next, you look at the capability. The email had an attachment called “Updated_Schedule.xlsx” that actually contained a macro virus. When the teacher opened it, the virus ran and started deleting files. That macro is the capability. Then you identify the infrastructure. The virus tried to connect to a website “download-evil-files.com” to download more harmful software. That website is the infrastructure the attacker controls. Finally, the victim is the teacher’s computer and the school network.

By mapping all four parts, you can now take action. You block the malicious email address, remove the virus from the teacher’s computer, and block the malicious website at your firewall. You also look for other computers that might have received the same email. The Diamond model helped you see the whole attack, not just the strange computer behavior. It turned a confusing incident into a clear, actionable plan.

## Why it matters

In real IT security operations, incidents are rarely simple. Attackers use multiple tools, change their infrastructure, and target different parts of an organization. Without a structured framework, analysts can get lost in a sea of alerts and logs. The Diamond model provides a common language and a systematic way to organize evidence. It ensures that critical questions are not overlooked: Who is doing this? What are they using? How are they reaching us? Who is being targeted?

For example, during a ransomware incident, the Diamond model helps the response team quickly separate the malware (capability) from the command-and-control server (infrastructure) and the affected department (victim). This allows them to contain the damage, preserve evidence, and share intelligence with law enforcement or threat intelligence platforms. The model also supports proactive threat hunting. By tracking adversary infrastructure, analysts can anticipate future attacks and block them before they happen.

In the CySA+ exam, understanding the Diamond model is crucial for the Security Operations domain. It appears in questions about intrusion analysis, threat intelligence, and incident response. The exam expects you to apply the model to realistic scenarios, not just define its components. You need to be able to classify pieces of evidence and identify missing information. Mastering the Diamond model shows that you think like a security analyst, not just a technician.

## Why it matters in exams

The Diamond model is a core concept in the CompTIA CySA+ (CS0-002 and CS0-003) exam, specifically under Domain 1: Security Operations and Domain 2: Vulnerability Management and Incident Response. The exam objectives explicitly state that candidates must “apply the appropriate incident response process” and “analyze threat intelligence data.” The Diamond model is one of the primary frameworks tested for this analysis.

In exam questions, you will see scenarios where a security analyst discovers a suspicious network connection, a malicious file, or a compromised account. You might be asked to identify which component of the Diamond model a specific piece of evidence represents. For example, a malicious IP address used for command and control falls under “infrastructure.” A file hash of a trojan is “capability.” A username of a known threat actor is “adversary.” A group of affected user accounts is part of the “victim” component.

Multiple-choice questions often include distractor options that mix up these categories. A common trap is labeling a victim’s internal IP address as “infrastructure” when it is actually part of the victim category. Another trap is calling the malware “adversary” when it should be “capability.” To avoid these, remember the definitions: adversary is the threat actor (person or group), capability is the tool or technique, infrastructure is the attacker’s resources (servers, domains, IPs), and victim is the target.

Performance-based questions may ask you to fill in a diamond diagram based on a case study. You might be given a list of artifacts and must drag and drop them into the correct diamond vertices. The exam also tests your ability to use the Diamond model for pivoting: if you learn a new infrastructure IP from one victim, you should know to check other events for that IP to find related victims. The CySA+ objectives have “Diamond Model” listed as a key term, so it is highly likely to appear in at least one question, possibly two or three.

## How it appears in exam questions

CySA+ exam questions about the Diamond model come in several flavors. The most straightforward type asks you to classify a given indicator into the correct diamond vertex. For example: “A security analyst discovers an IP address 203.0.113.5 that is communicating with multiple internal hosts over port 443 using an unknown protocol. This IP address is an example of which component of the Diamond model?” The correct answer is “infrastructure.”

Another common pattern is scenario-based analysis. The question describes a full intrusion and then asks which component is missing or needs further investigation. For instance: “An incident response team identified a phishing email with an attachment containing a JavaScript downloader. The downloader contacted a domain ‘malicious-update.com’ to retrieve a remote access trojan. The RAT was installed on five workstations in the finance department. Which component of the Diamond model is the JavaScript downloader?” The answer is “capability.”

Troubleshooting questions may test your ability to pivot. Example: “Analysts identified that the same adversary infrastructure was used against two different companies. What can be inferred using the Diamond model?” Correct inference: the two events are likely part of the same intrusion set, and the adversary may target similar victims. The question tests if you understand that infrastructure links different events.

Some questions integrate the Diamond model with the Cyber Kill Chain. For example: “During the weaponization phase, an adversary creates a custom payload. This payload belongs to which component of the Diamond model?” Again, capability. The exam wants you to see that each kill chain phase can be mapped with diamond components.

Finally, you might see a “match the following” format where you must pair items like “phishing domain” with “infrastructure” and “malware hash” with “capability.” These questions are designed to be quick if you have memorized the definitions, but tricky if you confuse terms like “adversary” and “capability.”

## Example scenario

You are a security analyst at a mid-sized accounting firm. One morning, the helpdesk receives multiple complaints that employees cannot access the company’s financial database. At the same time, the intrusion detection system (IDS) alerts on unusual outbound traffic from a single workstation in accounts payable. You begin your investigation using the Diamond model.

First, you identify the victim. The victim is the accounts payable department and their workstations, as well as the financial database server. The specific workstation that generated the outbound traffic is infected. Next, you look at the capability. You examine the workstation and find a file named “Invoice_June.exe” that was downloaded from an email attachment. A virus scan confirms it is a remote access trojan (RAT). That RAT is the capability.

Then, you check the network logs to find the infrastructure. The infected workstation is communicating with an external IP address 198.51.100.22 on port 443. You also find a domain “data-sync-now.com” that resolves to that IP. That external server is the infrastructure the attacker uses to control the RAT and exfiltrate data.

Finally, you need to determine the adversary. The email the employee received came from “supports@accounting-tools.net,” which is a spoofed address. The email’s language and targeting suggest a known phishing group called “SilentLedger.” You check your threat intelligence and find that SilentLedger has previously targeted accounting firms with similar emails. The adversary is this threat group.

With the full Diamond model, you now have a complete picture. You block the external IP at the firewall, quarantine the infected workstation, remove the RAT, reset the database passwords, and send a warning to all employees about the phishing campaign. You also share the indicators with your industry threat sharing group. The Diamond model helped you go from a single alert to a full understanding of the attack.

## Common mistakes

- **Mistake:** Confusing the victim’s internal resources with attacker infrastructure.
  - Why it is wrong: The victim’s internal IP addresses, servers, and user accounts belong to the “victim” component, not “infrastructure.” Infrastructure is resources controlled by the attacker.
  - Fix: Remember: if the adversary owns and operates it, it is infrastructure. If it belongs to the organization under attack, it is part of the victim.
- **Mistake:** Calling the attacker’s tool (malware) the “adversary.”
  - Why it is wrong: The adversary is the human or group behind the attack. The malware is a tool, which is the “capability.”
  - Fix: Think of it like a burglar using a crowbar. The burglar is the adversary, the crowbar is the capability.
- **Mistake:** Assuming the Diamond model only applies to advanced persistent threats (APTs).
  - Why it is wrong: The Diamond model works for any intrusion, from a simple phishing email to a complex nation-state attack. It is a general framework.
  - Fix: Apply the model to any security incident, no matter how small. It helps organize evidence even for basic malware infections.
- **Mistake:** Ignoring the meta-features like timestamp and kill chain phase.
  - Why it is wrong: The Diamond model is not just four static boxes. The edges and meta-features contain crucial context, like when the attack happened and what stage it was in.
  - Fix: In your analysis, always note the time, phase, and confidence level for each event. This helps connect multiple events into one intrusion.

## Exam trap

{"trap":"A scenario describes a compromised server running a web shell. The question asks: “The web shell is an example of which component?” Learners often choose “adversary” because they think the attacker wrote it, or “infrastructure” because it runs on a server.","why_learners_choose_it":"Learners confuse the tool with the attacker or the location of the tool. They may reason that since the web shell is on a server, it must be infrastructure, or they may think the attacker “is” the web shell.","how_to_avoid_it":"The web shell is a piece of code used to execute commands. It is a tool, so it belongs to “capability.” The server hosting it is either victim (if it is the target’s server) or infrastructure (if it is the attacker’s server). Always separate the tool from where it runs and who runs it."}

## Commonly confused with

- **Diamond model vs Cyber Kill Chain:** The Cyber Kill Chain describes the stages of an attack from recon to actions on objectives, while the Diamond model describes the key entities involved at any stage. The kill chain is a timeline; the diamond is a relationship map. They work together but are not the same. (Example: In a phishing attack, the kill chain would list “delivery” as the stage where the email is sent. The Diamond model would identify the email server as infrastructure and the malicious attachment as capability.)
- **Diamond model vs MITRE ATT&CK:** MITRE ATT&CK is a comprehensive knowledge base of adversary tactics and techniques, while the Diamond model is a framework for analyzing individual intrusions. ATT&CK tells you what techniques exist; the Diamond model helps you apply them to a specific event. (Example: If an attacker uses PowerShell to download a payload, ATT&CK has a technique for that (T1059.001). In the Diamond model, the PowerShell command is part of the capability.)
- **Diamond model vs Indicator of compromise (IOC):** An IOC is a single piece of evidence like an IP address or file hash. The Diamond model groups multiple IOCs into the four vertices. An IOC is a building block; the Diamond model is the structure that organizes them. (Example: A malicious domain name (IOC) would be placed in the “infrastructure” vertex of the Diamond model.)

## Step-by-step breakdown

1. **Identify the Victim** — Start by defining who or what is being attacked. This includes specific users, systems, networks, or data. Knowing the victim helps scope the investigation.
2. **Identify the Capability** — Find the tools or methods the adversary used. This includes malware, exploits, phishing emails, or social engineering scripts. This tells you how the intrusion happened.
3. **Identify the Infrastructure** — Locate the attacker-controlled resources, such as C2 servers, malicious domains, compromised accounts used as relays, or drop sites. This shows the pathways used by the adversary.
4. **Identify the Adversary** — Determine the person or group behind the attack. This may be based on threat intelligence, TTPs, email addresses, or known attribution. This supports long-term defense and legal action.
5. **Map Relationships and Meta-Features** — Draw lines connecting the vertices to show how they interact. Add timestamps, kill chain phases, and confidence levels. This creates a full picture of the intrusion.
6. **Pivot and Enrich** — Use the known values to search for other events. For example, search for the same infrastructure IP across other logs to find related victims. Expand your diamond to include multiple events.

## Practical mini-lesson

The Diamond model is not just a theoretical concept; it is a daily tool for security operations center (SOC) analysts. When a new alert comes in, the first step is to triage it by asking: Is this a real incident? If yes, begin populating the diamond. For example, an alert about a suspicious PowerShell command from a workstation. The victim is that workstation and its user. The capability is the PowerShell script that downloaded an executable. The infrastructure might be the URL used in the download. The adversary might be unknown at first, but you can record “unknown” and later update it if intelligence becomes available.

Professionals use the Diamond model to avoid tunnel vision. If you only focus on the malware (capability), you might miss the fact that the same adversary used a different infrastructure yesterday. By tracking both capability and infrastructure together, you can block all known infrastructure, not just the first one you saw. This is especially important in ransomware incidents where attackers often change C2 servers rapidly.

In practice, the Diamond model is implemented in threat intelligence platforms (TIPs) and SIEM tools. Analysts create “diamond events” with fields for each vertex. They can then search for overlapping adversary names or infrastructure IPs to find related incidents. This enables threat hunting: for instance, searching for all events where a specific file hash (capability) is present, even if the victim is different.

What can go wrong? A common mistake is populating the diamond too rigidly. For example, a single attack may involve multiple capabilities (e.g., a dropper, then a backdoor, then a ransomware). You should create multiple diamond events for each phase, or annotate the same diamond with multiple capabilities. Another pitfall is over-attribution: attributing an attack to a specific adversary too early without enough confidence. Always use confidence levels and mark unknowns.

To master the Diamond model, practice by analyzing real or simulated incidents. Look at a known breach report (like the Target 2013 breach) and try to fill in the four vertices for each stage. This will prepare you for both the exam and real incident response.

## Memory tip

Remember the four vertices with the mnemonic “A CIV” (Adversary, Capability, Infrastructure, Victim). Or think of a baseball diamond: the pitcher is the adversary throwing the pitch (capability) toward the batter (victim) on the field (infrastructure).

## FAQ

**Is the Diamond model only used by advanced security teams?**

No, any security team can use the Diamond model. It is simple enough for small teams and powerful enough for large SOCs. It simply organizes information into four categories.

**Do I need special software to use the Diamond model?**

No, you can use pen and paper or a simple spreadsheet. Threat intelligence platforms and SIEMs often have built-in support, but it is not required.

**Can the Diamond model be used for insider threats?**

Yes, but the adversary would be the insider (employee or contractor). The capability might be their authorized access or a USB drive. The infrastructure could be internal file shares, and the victim is the organization.

**How is the Diamond model different from the STRIDE model?**

STRIDE is used for threat modeling during system design, focusing on categories like spoofing and tampering. The Diamond model is used for analyzing actual intrusions that have already happened.

**What is the most important thing to remember for the CySA+ exam?**

Know the four vertices cold, and be able to correctly classify any given piece of evidence. Also remember that infrastructure belongs to the attacker, not the victim.

**Can there be more than one of each component in a single intrusion?**

Yes, an attack can involve multiple capabilities, multiple infrastructure nodes, and multiple victims. The Diamond model can be expanded to include these by creating multiple events or using a graph database.

## Summary

The Diamond model is an essential framework for analyzing cybersecurity intrusions. It structures incident data into four clear categories: Adversary, Capability, Infrastructure, and Victim. By organizing evidence this way, analysts can see the full picture of an attack, identify patterns, and pivot to find related incidents. It is a core concept for the CompTIA CySA+ exam, where it appears in multiple-choice, scenario-based, and performance-based questions.

Understanding the Diamond model helps you move from reacting to individual alerts to thinking like a threat intelligence analyst. It encourages you to ask deeper questions: Who is behind this? What tools are they using? How do they communicate? Who is the target? These questions lead to more effective detection, response, and prevention.

For exam success, memorize the four vertices and practice classifying sample indicators. Remember common traps like confusing victim assets with infrastructure, or calling a tool an adversary. Use the Diamond model in your study of incident reports and practice scenarios. With this foundation, you will be prepared to answer Diamond model questions confidently on the CySA+ exam and apply the framework in real security operations.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/diamond-model
