What Is the Pyramid of Pain?

What Is the Pyramid of Pain, and Why Is It Important in Threat Detection?

October 11, 2022
| David Tidmarsh
| Threat Intelligence

Organizations today face more cyberthreats than ever before and have larger attack surfaces than ever. Given these challenges, companies need to stay ahead of the curve and make intelligent decisions about how they prevent, detect, and mitigate threats.

For this reason, security experts have developed conceptual models such as the Pyramid of Pain to help businesses strengthen their cybersecurity capabilities. Below, we’ll discuss the Pyramid of Pain and how it helps with threat detection and mitigation.

What Is the Pyramid of Pain?

In the field of computer security and threat detection, an indicator of compromise (IOC) is a piece of evidence that some form of cyberattack has occurred, such as an intrusion or data breach. Just as detectives collect clues to trace backward from the crime scene, digital forensics experts search for IOCs to understand how the attack took place and who was responsible. The Pyramid of Pain is a conceptual model for understanding cybersecurity threats that organizes IOCs into six different levels. Information security expert David J. Bianco was the first to formalize this idea in his article “The Pyramid of Pain” (Bianco, 2013). The six levels of IOCs in the Pyramid of Pain are organized in order of how “painful” they would be to the attacker if the victim discovered them and took action against them. From the bottom to the top of the pyramid—from least painful to most painful—these IOCs are:
  • Hash values: A hash value is a software or file “signature” that is the output of a complex cryptographic hash function such as SHA-1 and MD5. These hash functions practically guarantee that two different files will not have the same hash value.
  • IP addresses: An Internet Protocol (IP) address is a set of numbers that uniquely identifies a computer or other device connected to the Internet.
  • Domain names: A domain name is a string of text that uniquely identifies an Internet resource such as a website or server.
  • Network artifacts/host artifacts: A network artifact is produced as the result of some network activity, while a host artifact is produced as the result of some activity on a host machine.
  • Tools: Attackers use various software tools and platforms to carry out attacks (such as backdoors or password crackers).
  • Tactics, techniques, and procedures (TTPs): Attackers often have a modus operandi that identifies them—everything from the initial method of entry to the means of spreading throughout the network and exfiltrating data.

What Are the Types of Threat Detection?

The IOCs on the Pyramid of Pain are just one type of indicator used in threat detection. In turn, indicators are just one form of threat detection in cybersecurity. Below are the four types of threat detection:
  • Configuration: In configuration threat detection, analysts look for signs that a device has deviated from a known standard configuration. For example, if a device on the network is set to communicate using only specific port numbers, any communication on a different port number should be treated as suspicious.
  • Modeling: Beyond configuration changes, analysts can look for deviations from a predefined baseline using mathematical modeling. For example, if a device sends more packets than normal or sends them at unusual times of day, this behavior might be flagged as suspicious.
  • Indicators: An indicator is a piece of information, either “good” or “bad,” that provides some clue as to a device’s state or context. IOCs are the most common indicators, offering evidence that a malicious actor has gained access to the system.
  • Behaviors: Behavioral threat analysis looks for abstract, higher-level techniques and methods used by a malicious actor. For example, a known adversary might use a particular form of spear phishing email to obtain user credentials.

How Does the Pyramid of Pain Help Mitigate Threats?

If a career in threat analysis appeals to you, obtaining a threat analyst certification is an ideal way to get a foothold in the industry while honing your in-demand cybersecurity skills. EC-Council offers the Certified Threat Intelligence Analyst (C|TIA) program, with real-world training in how to identify and thwart active and potential attacks.

Designed in coordination with leading cybersecurity and threat intelligence experts, the C|TIA program teaches students to identify and mitigate critical business risks with both theoretical and practical modules. The C|TIA program offers hands-on experience in the latest tools, techniques, and methodologies at all stages of the threat intelligence lifecycle.

Want to learn more about how to launch a career in the growing field of threat intelligence? Click here to learn more about the C|TIA curriculum and start down the path of becoming a leading threat intelligence expert.


Bianco, D. (2013). The pyramid of pain. Enterprise Detection & Response. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

About the Author

David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.
Share this Article
You may also like
Recent Articles
Become a Certified Threat Intelligence Analyst (C|TIA)

"*" indicates required fields