Enriching the Diamond Model with TLCTC: Structuring the Empty Spaces
The Diamond Model of Intrusion Analysis is a powerful relational framework for threat intelligence — but its vertices lack internal causal structure. TLCTC fills that gap.
Caltagirone, Pendergast, and Betz's Diamond Model (2013) established the atomic event structure of intrusion analysis: every event has an Adversary using a Capability over Infrastructure against a Victim. This relational model excels at pivoting and correlation. However, it is deliberately silent on what a capability actually is at the causal level, leaving its most analytically rich vertex as an unstructured bag of tools and technique IDs. This article demonstrates how the TLCTC framework — with its 10 non-overlapping threat clusters grounded in generic vulnerabilities — provides the missing internal structure for the Diamond Model's Capability vertex, transforms activity threads into causal chains, and enables a new form of actor profiling that is resilient to tooling changes, infrastructure rotation, and operational security improvements.
The Diamond Model: What It Gets Right
The Diamond Model, published through the Defense Technical Information Center in 2013, introduced a formal method for intrusion analysis built around a simple but powerful idea: every intrusion event can be decomposed into four core features — Adversary, Capability, Infrastructure, and Victim — connected by six bidirectional edges that represent their relationships.
The model's core strengths are well established. Its pivoting capability allows analysts to exploit the edges between features: given a known piece of infrastructure, pivot to discover the adversary; given a capability, pivot to identify the victim population. Its activity threading links events into temporal sequences, and its activity grouping coalesces threads into campaign-level constructs. The meta-features (timestamp, phase, result, direction, methodology, resources) add essential operational context.
These are genuine contributions. The Diamond Model does something that sequential frameworks like the Cyber Kill Chain fundamentally cannot: it captures the relational structure of an intrusion rather than forcing it into a linear narrative.
The Empty Spaces: Where the Diamond Model Leaves Analysts Without Structure
The Diamond Model's authors were admirably precise about what the model is not. The original paper explicitly states: "Our model does not propose an ontology, taxonomy, or sharing protocol." This intellectual honesty is a strength — but it also defines the model's limitations. Several of its vertices and constructs lack the internal structure that analysts need for systematic, repeatable analysis.
1. The Capability Vertex Is an Unstructured Bag
The Diamond Model defines Capability as "the tools and techniques used by the adversary in the event." In practice, analysts populate this vertex with whatever descriptors are available: malware family names, ATT&CK technique IDs, CVE numbers, or informal labels like "spear-phishing toolkit." None of these tell you why the capability works — what generic vulnerability it exploits, what causal mechanism it operates through.
This matters because the Capability vertex is where analysts spend most of their time, and it is where the pivoting logic is weakest. When you pivot from Capability to Victim, you are pivoting on tool signatures. When the adversary changes tools (which sophisticated actors do routinely), the pivot breaks.
2. Activity Threads Lack Causal Logic
The Diamond Model chains events into temporal sequences: Event A happened before Event B happened before Event C. But temporal ordering is not causal ordering. An activity thread tells you what happened when, not why each step enabled the next. This makes it difficult to identify which defensive controls would break the chain at each stage.
3. Activity Groups Are Ad Hoc
Analysts group activity threads into "activity groups" — essentially actor or campaign profiles. The model provides no principled basis for grouping beyond shared features across events. In practice, grouping relies heavily on infrastructure overlap and tooling overlap, both of which are ephemeral.
4. The Result Meta-Feature Conflates Causes and Consequences
The Diamond Model's "Result" meta-feature captures the outcome of an event as "success," "failure," or "unknown," with optional CIA triad tagging. This mixes what TLCTC would separate into two distinct concepts: the System Risk Event (the moment of loss-of-control) and the Data Risk Event (the consequential impact on data: confidentiality, integrity, or accessibility). This conflation obscures the critical "detection window" between compromise and consequence — the operational space where Detect and Respond controls are most effective.
Structuring the Capability Vertex with TLCTC
TLCTC provides exactly what the Capability vertex lacks: a cause-based, non-overlapping taxonomy of how capabilities work. Instead of describing a capability by its tool name or technique ID, TLCTC classifies it by the generic vulnerability it exploits — one of ten fundamental weaknesses inherent in all IT systems.
When you attach a TLCTC cluster to the Capability vertex, you are making a statement about the causal mechanism of the event, not just its tooling. This transforms the vertex from a descriptive label into a structured classification with analytical implications.
Capability: "Cobalt Strike Beacon"
Tells you what tool was used. Breaks when adversary switches to Sliver or Brute Ratel. No guidance on which defensive category applies.
Capability: #7 Malware (Cobalt Strike Beacon)
Tells you the causal mechanism is foreign code execution via designed execution capability. Stable when tooling changes. Maps directly to anti-malware controls (GV, PR, DE for cluster #7).
Capability: "Credential Harvesting"
Ambiguous — does this refer to the phishing that captured the credentials, or the use of stolen credentials to authenticate? Different events, different controls.
Event 1 — Capability: #9 Social Engineering
Event 2 — Capability: #4 Identity Theft
TLCTC's dual-nature rule for credentials enforces the distinction: acquisition (#9 phishing) and use (#4 impersonation) are separate events with separate causal mechanisms and separate control sets.
When you pivot from Capability to Victim using TLCTC clusters, you are pivoting on causal vulnerability — which victims are susceptible to the mechanism, regardless of the specific tool. This pivot is resilient to adversary tool rotation, because the generic vulnerability doesn't change when the exploit kit does.
From Temporal Threads to Causal Chains
The Diamond Model's activity threading links events in temporal order: E₁ → E₂ → E₃ → E₄. With TLCTC cluster annotations on each event's Capability vertex, the same thread becomes a causal chain:
This causal chain — #9 → #4 → #1 → #7 + [DRE: C, A] — tells you something the temporal thread cannot: why each step enabled the next and where defensive controls would break the chain.
- Between #9 and #4: security awareness training, anti-phishing controls, MFA
- Between #4 and #1: privileged access management, behavioral analytics, session monitoring
- Between #1 and #7: application allowlisting, execution prevention, endpoint detection
- After #7 before DRE: data loss prevention, network segmentation, incident response
The Diamond Model alone provides the temporal ordering. TLCTC provides the causal logic that turns that ordering into a defensible architecture.
Actor Profiling: Beyond IOC Overlap
The Diamond Model groups activity threads into "activity groups" — essentially campaign or actor profiles. Grouping traditionally relies on shared infrastructure (same C2 domains), shared tooling (same malware families), or shared victim targeting. All three are unstable: sophisticated actors rotate infrastructure, switch tools, and diversify targets.
TLCTC enables a fundamentally different kind of actor profiling: the causal capability fingerprint. By scoring an actor's demonstrated capability across all 10 TLCTC clusters on a 1–4 scale (Low, Medium, High, Champion), you create a stable, 10-dimensional profile that persists across tooling changes.
Example: Two Actors, Same Cluster Fingerprint Shape
The critical insight: APT-X and RANSOMWARE-Y use completely different tools, infrastructure, and targeting — yet both operate heavily through #9 Social Engineering, #4 Identity Theft, and #7 Malware. A Diamond Model activity group analysis that relies on infrastructure or tool overlap would never connect these actors. A TLCTC capability fingerprint reveals that your defenses against credential abuse and malware execution serve against both — a strategic planning insight the standard Diamond Model cannot surface.
Worked Examples: Diamond Events, Before and After TLCTC
Example 1: SolarWinds Supply Chain Compromise (2020)
Event E₁
- Adversary: APT29 / Cozy Bear
- Capability: SUNBURST backdoor
- Infrastructure: SolarWinds Orion update mechanism
- Victim: 18,000+ organizations
- Result: Success / Confidentiality compromised
Event E₁ → E₂ → E₃
- E₁ Cap: #10 Supply Chain (vendor trust exploited)
- E₂ Cap: #7 Malware (SUNBURST executed via update)
- E₃ Cap: #4 Identity Theft (SAML token forging)
- DRE: Loss of Confidentiality
- Path:
#10 → #7 → #4 + [DRE: C]
The standard Diamond Model collapses this into a single event with "SUNBURST" as the capability. The TLCTC-enriched version reveals three distinct causal mechanisms operating in sequence, each requiring different defensive controls. It also makes explicit what the standard model hides: the supply chain trust relationship (#10) was the enabling condition, not SUNBURST itself.
Example 2: Business Email Compromise
Event E₁
- Adversary: Unknown / financially motivated
- Capability: BEC / CEO fraud
- Infrastructure: Spoofed email domain
- Victim: CFO / Finance department
- Result: Success / Financial loss
Event E₁ → E₂
- E₁ Cap: #9 Social Engineering (psychological manipulation of CFO)
- E₂ Cap: #1 Abuse of Functions (legitimate wire transfer function misused)
- DRE: Loss of Accessibility (funds)
- Path:
#9 → #1 + [DRE: A]
The standard Diamond Model labels this as "BEC" — a category that tells you nothing about the causal mechanism. The TLCTC-enriched version reveals a critical insight: no technical vulnerability was exploited. The attack operated entirely through human psychology (#9) and legitimate system functions (#1). This directly informs the control strategy: technical controls like malware detection are irrelevant here. The defenses must be organizational (awareness, dual-authorization for transfers) and functional (restricting what legitimate functions can do without additional verification).
Example 3: Log4Shell Exploitation
Event E₁
- Adversary: Multiple / opportunistic
- Capability: CVE-2021-44228 exploit
- Infrastructure: LDAP callback servers
- Victim: Java applications using Log4j
- Result: Success / RCE
Event E₁ → E₂
- E₁ Cap: #2 Exploiting Server (server-side code flaw: unintended data→code via JNDI lookup)
- E₂ Cap: #7 Malware (remote class loaded and executed)
- DRE: context-dependent (C, I, and/or A)
- Path:
#2 → #7 + [DRE: ...]
The standard Diamond Model records "CVE-2021-44228 exploit" — which is accurate but analytically thin. The TLCTC enrichment forces the analyst to distinguish between the vulnerability exploitation (#2 — the JNDI lookup flaw is a server-side code defect where data unintentionally becomes code) and the code execution (#7 — the remotely loaded class executing as malware). This distinction maps to different control layers: input validation and patching for #2, execution prevention and runtime monitoring for #7.
Enriching the Victim Vertex: Causal Vulnerability Surface
While the primary TLCTC integration point is the Capability vertex, there is a secondary enrichment opportunity at the Victim vertex. The standard Diamond Model describes the victim by identity (organization, person) and assets (systems, data). TLCTC adds a causal vulnerability surface — which of the 10 generic vulnerabilities is the victim exposed to?
A victim running unpatched Java applications is exposed to #2 (server-side code flaws). A victim with weak MFA adoption is exposed to #4 (identity theft). A victim with a large non-technical workforce is exposed to #9 (social engineering). This transforms the Victim vertex from a static identity into a dynamic risk surface that can be mapped against adversary capability profiles.
When an adversary's TLCTC capability fingerprint overlaps with a victim's TLCTC vulnerability surface, you have a high-probability threat pairing. This is a more principled approach to threat assessment than the Diamond Model's native pivoting, which relies on observed historical targeting rather than structural vulnerability alignment.
Correcting the Result Meta-Feature: System Risk Events vs. Data Risk Events
The Diamond Model's "Result" meta-feature records the outcome of an event as "success," "failure," or "unknown," optionally tagged with CIA impact. TLCTC offers a more precise decomposition using the bow-tie model:
| Diamond Model "Result" | TLCTC Decomposition | Operational Significance |
|---|---|---|
Success / Confidentiality |
System Risk Event: Loss of Control Data Risk Event: Loss of Confidentiality (C) |
The SRE and DRE may be separated by hours or weeks — the detection window. Controls in this window are Detect and Respond functions. |
Success / Availability |
System Risk Event: Loss of Control Data Risk Event: Loss of Accessibility (A) |
TLCTC uses "Accessibility" rather than "Availability" to distinguish data-level impact from system-level service disruption. |
Success / Integrity |
System Risk Event: Loss of Control Data Risk Event: Loss of Integrity (I) |
Integrity loss may go undetected for extended periods. The bow-tie separation highlights the importance of integrity monitoring controls. |
Success (unqualified) |
System Risk Event: System Compromise Data Risk Event: TBD or None Yet |
A successful intrusion without a DRE means the adversary has achieved system compromise but has not yet executed their objective. This is the most critical defensive window. |
This decomposition is not merely terminological. It reveals a temporal and operational gap that the Diamond Model's flat "Result" field obscures. Many modern attacks involve days or weeks between the System Risk Event (compromise) and the Data Risk Event (exfiltration, encryption, manipulation). Defenders who understand this gap can deploy detection and response controls precisely in this window.
Tooling: The TLCTC Actor Profile Designer
The concepts described in this article are not merely theoretical. The open-source TLCTC Tools suite includes a dedicated Actor Profile Designer that implements the TLCTC-enriched approach to Diamond Model actor profiling.
The Actor Profile Designer allows analysts to:
- Build threat actor capability profiles scored across all 10 TLCTC clusters (1=Low to 4=Champion)
- Record typical attack chain sequences in TLCTC notation (e.g.,
#9 → #4 → #7) - Link observed incidents with full path notation and DRE outcomes
- Compare actors side-by-side to identify overlapping causal mechanisms
- Export profiles as JSON for CTI sharing and integration
The tool accepts input in the tlctc-actor-profile.v2 JSON schema, which structures actor data around TLCTC scores, observed attack paths, motivation, target sectors, and source intelligence. Pre-built example datasets include actor profiles derived from the CrowdStrike Global Threat Report 2025 and Google Threat Intelligence APT groups.
The full tool suite — including the Attack Path Architect for incident documentation, the Threat Radar for risk visualization, and the Control Matrix for NIST CSF mapping — is available at github.com/Barnes70/TLCTC/tree/main/tools. All tools are single-file HTML applications requiring no backend, no API keys, and no installation.
Conclusion: Complementary, Not Competing
The Diamond Model and TLCTC are not competing frameworks. They operate at different levels of abstraction and serve different analytical functions. The Diamond Model answers: "Who is doing this, using what, through what channels, against whom?" TLCTC answers: "What is the underlying causal mechanism that makes this work, and how do we break it?"
One serves intelligence. The other serves defense. Linking them through the Capability vertex — and extending to the Victim vertex and Result meta-feature — lets you do both simultaneously.
| Analytical Need | Diamond Model Alone | Diamond + TLCTC |
|---|---|---|
| What tool was used? | ✓ Capability vertex | ✓ Retained as sub-feature |
| Why does the capability work? | ✗ Not addressed | ✓ TLCTC cluster identifies generic vulnerability |
| Which controls apply? | ✗ No mapping | ✓ TLCTC × NIST CSF matrix |
| Pivot on causal mechanism | ✗ Pivots on tool/IOC | ✓ Pivot on generic vulnerability |
| Causal attack chain | ✗ Temporal thread only | ✓ Cluster sequence with control mapping |
| Stable actor fingerprint | ✗ Relies on ephemeral IOCs | ✓ 10-dimension causal capability profile |
| Detection window | ✗ Flat "Result" field | ✓ SRE → DRE separation via bow-tie model |
The Diamond Model gives analysts the relational structure to discover, connect, and track adversary operations. TLCTC gives them the causal vocabulary to understand why those operations succeed and how to break them. Together, they represent a more complete analytical framework than either provides alone.
Try the TLCTC Tools
Build actor profiles, document attack paths, and map controls — all in your browser, no backend required.
View Tools on GitHub Read White Paper V2.0References
- Caltagirone, S., Pendergast, A., & Betz, C. (2013). The Diamond Model of Intrusion Analysis. Defense Technical Information Center. ADA586960.
- Kreinz, B. (2025). TLCTC — Top Level Cyber Threat Clusters V2.0 White Paper. tlctc.net
- TLCTC Tools Suite. github.com/Barnes70/TLCTC/tree/main/tools