Diamond Model (Caltagirone, Pendergast & Betz, 2013). Every intrusion event is a connected diamond of four vertices, Adversary, Capability, Infrastructure and Victim, plus meta-features describing the event itself.
Pairs with the Cyber Kill Chain (where in the timeline) and MITRE ATT&CK (which TTPs).
Adversary: who is behind the activity.
Capability: what tools and TTPs they use.
Infrastructure: what systems carry their traffic.
Victim: the target, meaning people, assets and business processes.
Paste any IP / IPv6 / domain / URL / hash / CVE / ransomware-actor name and we pull context from the IOC checker, ip-geo, cross-source correlation, KEV and actor mapping, MalwareBazaar, the actor timeline (MITRE Group) and the ransomware-victim cross-match, then populate the empty corners. Nothing you have already typed is overwritten.
Extended axes
Socio-political (the adversary-victim relationship):
What does the adversary gain from a successful operation?
Is the victim the goal, or a stepping stone?
Does the timing align with a geopolitical event, an earnings cycle or a holiday?
What relationship pre-existed (vendor, customer, partner)?
Technology (the capability-infrastructure relationship):
What protocol carries the C2 traffic?
What software stack does the capability rely on?
What identity providers or SaaS platforms were leveraged for delivery?
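As an added example, not code from this tool or from the Diamond Model paper, the following Python models an intrusion event with the four vertices, the meta-features (timestamp, kill-chain phase, ATT&CK techniques) and the two extended axes, then shows the two analytic moves the model exists for: pivoting across a shared vertex, and linking events into activity groups when they share capability or infrastructure. It also renders one event as markdown in the same spirit as the export above. All event data, indicator values (documentation-range addresses) and capability names are constructed; the technique IDs are illustrative.

```python
"""Diamond Model events, vertex pivoting and activity grouping (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]        # who; often unknown early in an investigation
    capability: Optional[str]       # tool or TTP
    infrastructure: Optional[str]   # system carrying the traffic
    victim: Optional[str]           # person, asset or business process
    timestamp: str                  # meta-feature: ISO-8601
    phase: str                      # meta-feature: Cyber Kill Chain phase
    techniques: Tuple[str, ...] = ()  # meta-feature: ATT&CK technique IDs
    socio_political: str = ""       # extended axis: adversary-victim relationship
    technology: str = ""            # extended axis: capability-infrastructure link

    def filled_vertices(self) -> int:
        """How many of the four corners have been populated."""
        return sum(v is not None for v in
                   (self.adversary, self.capability, self.infrastructure, self.victim))


VERTICES = ("adversary", "capability", "infrastructure", "victim")


def pivot(events: List[DiamondEvent], vertex: str, value: str) -> List[DiamondEvent]:
    """Return every event sharing `value` on the named vertex (e.g. one C2 address)."""
    if vertex not in VERTICES:
        raise ValueError(f"unknown vertex {vertex!r}")
    return [e for e in events if getattr(e, vertex) == value]


def activity_groups(events: List[DiamondEvent]) -> List[List[str]]:
    """Cluster events that share a capability or infrastructure vertex.

    Links are transitive: if A and B share infrastructure and B and C share a
    capability, all three form one group. Empty vertices never link events.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for e in events:
        for vertex in ("capability", "infrastructure"):
            value = getattr(e, vertex)
            if value is None:
                continue
            key = (vertex, value)
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id

    groups = {}
    for e in events:
        groups.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(g) for g in groups.values())


def activity_thread(events: List[DiamondEvent], group: List[str]) -> List[Tuple[str, str, str]]:
    """Order one group's events in time to read them as a kill-chain thread."""
    wanted = set(group)
    return [(e.timestamp, e.phase, e.event_id)
            for e in sorted(events, key=lambda e: e.timestamp) if e.event_id in wanted]


def to_markdown(e: DiamondEvent) -> str:
    """Render a single diamond as a markdown table plus its meta-features."""
    lines = [f"## Intrusion event {e.event_id}", "", "| Vertex | Value |", "|---|---|"]
    for name in VERTICES:
        lines.append(f"| {name.capitalize()} | {getattr(e, name) or '(empty)'} |")
    lines += ["", f"- Timestamp: {e.timestamp}", f"- Phase: {e.phase}",
              f"- Techniques: {', '.join(e.techniques) or '(none)'}",
              f"- Socio-political: {e.socio_political or '(unassessed)'}",
              f"- Technology: {e.technology or '(unassessed)'}"]
    return "\n".join(lines)


# Constructed sample events; addresses are from documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    DiamondEvent("E1", None, "phishing-doc-loader", "203.0.113.5", "finance-team@example.org",
                 "2024-03-01T09:15:00Z", "Delivery", ("T1566.001",),
                 technology="HTTPS download of a macro document"),
    DiamondEvent("E2", None, "custom-rat", "203.0.113.5", "ws-finance-07",
                 "2024-03-01T10:02:00Z", "Command and Control", ("T1071.001",)),
    DiamondEvent("E3", None, "custom-rat", "198.51.100.20", "ws-hr-03",
                 "2024-03-04T14:30:00Z", "Command and Control", ("T1071.001",)),
    DiamondEvent("E4", None, "credential-dumper", "192.0.2.77", "dc01.corp.example",
                 "2024-03-06T01:12:00Z", "Actions on Objectives", ("T1003",)),
]

if __name__ == "__main__":
    for group in activity_groups(SAMPLE_EVENTS):
        print("activity group:", group)
        for ts, phase, eid in activity_thread(SAMPLE_EVENTS, group):
            print(f"  {ts}  {phase:<22} {eid}")
    print(to_markdown(SAMPLE_EVENTS[0]))
```

With the sample data E1 and E2 are linked by the shared infrastructure address, E2 and E3 by the shared capability, so E1 to E3 form one activity group read as a Delivery then C2 thread, while E4 stays separate until some vertex ties it in. The adversary corner is left empty throughout, which is the usual state when an analyst starts from indicators rather than attribution.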