Diamond Model Intrusion Analysis

Did you want to set up your own Intrusion Analysis department? Or at least give a framework for creating a method to understand a breach.

Then read this document at threatconnect.com¹ by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz.

This document goes into the details of what the attacker/adversary can do to your infrastructure and the “Victim” or target machine.

There is a lot more than the Diamond model as there are comprehensive potential angles or as the Cybersecurity industry calls it “the vectors of attack”. (where the attacker comes in and where he goes from there)  each potential target leads to another target and another, until the attacker is in the network and does whatever they please.


Here is the standard Diamond Model:


And here is the extended model of intrusion analysis, where the authors try to insert the flows of where the attacker can go:




This model was created to put something together for when a network is compromised. It is always better to be prepared for when this event happens (not if).

To sell this to management – one always says: “It is needed for compliance”

When you are compromised where in the attack is the compromise located?

In the next table  (page 31) the attacker is pivoting from system to system, delivering his payloads and attack angles as more systems become compromised. Where there is one compromise there could be more.


I have  tried to make these concepts simpler to understand with my SVAPE&C² explanation – Scan, Vulnerability Analysis, Penetrate and Exploit – with the end result being control of systems.

The end result is the same – the hacker does what they please while your admins are running around trying to play catch-up.

The key with the Diamond model is when one finds a compromise one can start to figure out what is really happening in the network (i.e. now need to find where else the hacker has been)


Contact me to get your Compliance and Intrusion analysis program up to speed.  Tony Zafiropoulos – 314-504-3974



  1. https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf
  2. https://fixvirus.com/svapec/