What is Pyramid of Pain?

The Pyramid of Pain explains why behavioral detection disrupts attackers more effectively than blocking static indicators like hashes or IPs. By focusing on tools, techniques, and tradecraft, organizations can reduce attacker dwell time, improve resilience, and build stronger, long-term cyber defenses. 

The Pyramid of Pain is a cybersecurity model created by David Bianco. It explains a simple idea: some defenses barely slow attackers down, while others force them to change how they work. 

 

The model organizes indicators of compromise into a hierarchy. At the bottom are technical artifacts that are easy to modify. At the top are behavioral patterns that are much harder to replace. 

 

Understanding this pyramid helps organizations move beyond surface-level detection toward meaningful adversary disruption. 


The Core Idea Behind the Pyramid 

Every attacker leaves traces. These traces can be grouped into different categories, such as file hashes, IP addresses, domain names, tools, or techniques. 

 

However, not all traces are equal. 

 

  • If a detection forces an attacker to simply swap an IP address, the operational impact is minimal. 
  • If a detection forces an attacker to redesign their lateral movement strategy, the impact is significant. 

 

The Pyramid of Pain visualizes this difference. 

 

The higher the indicator sits on the pyramid, the more effort and cost it imposes on the adversary. 


Breaking Down the Pyramid 

Let’s examine the layers from bottom to top. 


Hash Values

Hash values are digital fingerprints of files, such as SHA-256 or MD5 digests. 

 

They are widely used in antivirus and endpoint detection systems to block known malware. 

 

The limitation is straightforward. Changing a single line of code generates a new hash. Attackers can automate this process. 

 

Hash-based detection is useful for known threats and quick containment. However, it creates very little long-term disruption. 


IP Addresses

IP addresses are often used in threat intelligence feeds and firewall policies. 

 

Blocking malicious IPs can stop active connections and prevent immediate communication with attacker infrastructure. 

 

But IP addresses are disposable. Cloud hosting providers, compromised servers, and proxy networks allow attackers to rotate infrastructure rapidly. 

 

The friction created is real but temporary. 


Domain Names

Domains require registration and configuration. Monitoring suspicious domains can expose phishing campaigns or command-and-control activity. 

 

Replacing a domain is more involved than changing an IP address, but it is still manageable for most threat actors. 

 

Detection at this level introduces moderate operational inconvenience, especially if domains are part of coordinated campaigns. 


Network and Host Artifacts

This is where detection begins to create meaningful pressure. 

 

Artifacts include: 

 

  • Suspicious registry modifications 
  • Abnormal process execution chains 
  • Scheduled task creation 
  • Unique HTTP request patterns 
  • TLS fingerprint anomalies 

 

These signals reflect how malware or intrusion tools behave within systems. 

 

To evade detection at this level, attackers must modify their tooling. That requires development effort and testing. Mistakes become more likely. 

 

The cost increases. 


Tools

Attackers rely on tools to achieve objectives. These may include credential dumping utilities, remote access implants, exploit frameworks, or custom malware families. 

 

If defenders consistently detect the use of specific tools, adversaries must: 

 

  • Replace trusted frameworks 
  • Develop new variants 
  • Retrain operators 
  • Accept higher operational risk 

 

Changing tools is far more complex than changing infrastructure. 

 

At this level, disruption becomes strategic rather than tactical. 


Tactics, Techniques, and Procedures

At the top of the pyramid are behaviours. 

 

These align with structured frameworks such as MITRE ATT&CK, which categorizes how adversaries achieve objectives. 

 

Examples include: 

 

  • Credential dumping 
  • Privilege escalation 
  • Lateral movement 
  • Persistence mechanisms 
  • Data exfiltration workflows 

 

Techniques represent intent and method, not specific tools or infrastructure. 

 

If detection consistently identifies these behaviors, attackers cannot simply swap components. They must rethink how they accomplish their goals. 

 

This is the highest level of pain. 


Why the Pyramid Still Matters 

Modern threat actors operate with automation and agility. Infrastructure can be replaced in minutes. Malware can be repacked instantly. 

 

If defensive strategy relies only on blocking static indicators, it will always trail behind attacker adaptation. 

 

The Pyramid of Pain encourages a shift in mindset: 

 

  • From reacting to known artifacts 
  • To identifying patterns of behavior 

 

This shift creates resilience. Behavioral detection remains effective even when malware variants change. 


Applying the Pyramid in Practice 

Organizations can use the Pyramid of Pain to evaluate detection maturity. 

 

Key questions include: 

 

  • How many detections rely solely on threat feeds? 
  • Can malicious behavior be detected even if the file has never been seen before? 
  • Is lateral movement visible without knowing the exact malware family? 

 

Moving upward requires deeper visibility across endpoints, networks, identities, and cloud environments. 

 

It also requires correlation. Single events rarely tell the whole story. Patterns across multiple systems provide stronger signals. 
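One way to turn the questions above into a measurable check, added here as an illustration and not part of the original article: classify each detection rule by the highest Pyramid of Pain level it reaches and report how many rely only on feed-style indicators. The rule format, field names and sample rules are assumptions constructed for the demo, not a real detection schema.

```python
from collections import Counter

# Pyramid of Pain levels from bottom (least attacker pain) to top (most).
LEVEL_ORDER = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Assumed rule-field names (not a real detection schema) mapped to pyramid levels.
FIELD_LEVEL = {
    "sha256": "hash", "md5": "hash",
    "src_ip": "ip", "dst_ip": "ip",
    "domain": "domain",
    "registry_key": "artifact", "process_chain": "artifact", "ja3": "artifact",
    "tool_name": "tool",
    "attack_technique": "ttp",
}

def rule_level(rule):
    """Highest pyramid level a rule reaches through the fields it matches on.
    A rule combining a hash with a process chain counts as 'artifact': it keeps
    firing after the binary is recompiled, so the hash adds precision, not reach."""
    levels = [FIELD_LEVEL[f] for f in rule["match"] if f in FIELD_LEVEL]
    if not levels:
        raise ValueError(f"rule {rule['name']!r} matches no known indicator field")
    return max(levels, key=LEVEL_ORDER.index)

def maturity_profile(rules):
    """Rules per level, plus the share that rely only on feed-style indicators
    (hash, IP, domain): the page's first question about detection maturity."""
    counts = Counter(rule_level(r) for r in rules)
    feed_only = sum(counts[level] for level in ("hash", "ip", "domain"))
    return {level: counts[level] for level in LEVEL_ORDER}, feed_only / len(rules)

# Constructed sample rule set; names and matched fields are made up for the demo.
SAMPLE_RULES = [
    {"name": "blocklisted-dropper", "match": ["sha256"]},
    {"name": "feed-c2-ip", "match": ["dst_ip"]},
    {"name": "phish-domain", "match": ["domain"]},
    {"name": "run-key-persistence", "match": ["registry_key", "md5"]},
    {"name": "office-spawns-shell", "match": ["process_chain"]},
    {"name": "known-credential-dumper", "match": ["tool_name", "sha256"]},
    {"name": "lsass-memory-access", "match": ["attack_technique"]},
    {"name": "admin-share-fanout", "match": ["attack_technique", "dst_ip"]},
]

if __name__ == "__main__":
    counts, feed_share = maturity_profile(SAMPLE_RULES)
    for level in LEVEL_ORDER:
        print(f"{level:>8}: {'#' * counts[level]}")
    print(f"detections relying only on feed indicators: {feed_share:.0%}")
```

Re-running the profile after each detection-engineering sprint shows whether the rule base is actually moving up the pyramid or just growing wider at the bottom.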


Why Network Visibility Matters at the Top of the Pyramid 

As you move higher on the Pyramid of Pain, detection shifts from simple indicators to attacker behavior. At this level, visibility becomes critical. 

 

Files can change. IP addresses can rotate. Domains can be replaced. But attackers still need to communicate, move across systems, and move data. Those actions leave patterns in network traffic. 

 

This is where network visibility becomes powerful. 

 

Network Detection and Response, or NDR, focuses on monitoring and analysing network traffic in real time. Instead of looking only for known bad files or addresses, it looks for suspicious activity patterns. 

 

For example: 

 

  • Repeated outbound beaconing 
  • Rapid internal access by one user 
  • After-hours data spikes 
  • Suspicious encrypted connections 

 

Even if the malware is new and has never been seen before, these behaviours can still stand out. 
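The first pattern in that list, repeated outbound beaconing, is detectable from timing alone, without knowing the file or the address. The example below is added here and is not part of the original article: it groups constructed flow records by (source, destination) and flags pairs whose inter-connection gaps are unusually regular, measured by the coefficient of variation. The flow record layout, host names, address and thresholds are assumptions for the demo.

```python
import statistics
from collections import defaultdict

def _beacon_times(n=20, base=60):
    # Fixed check-in interval with a small deterministic jitter of -2..+2 s.
    times, t = [], 0
    for i in range(n):
        times.append(t)
        t += base + (i * 7) % 5 - 2
    return times

# Constructed flow records: (epoch seconds, source host, destination, bytes out).
# ws-17 checks in with one external address about every minute; ws-02 reaches
# the same address at irregular, human-looking intervals.
C2 = "203.0.113.10:443"
FLOWS = [(t, "ws-17", C2, 1400) for t in _beacon_times()] + \
        [(t, "ws-02", C2, 9000) for t in (5, 130, 131, 400, 402, 950, 1100, 1103, 1180)]

def beacon_candidates(flows, min_connections=8, max_cv=0.2):
    """Score each (source, destination) pair by how regular its connection timing is.
    The coefficient of variation (stdev / mean) of the inter-arrival gaps is near 0
    for a fixed-interval beacon and large for interactive traffic. Returns the pairs
    at or below max_cv with their mean interval, CV and connection count."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings[pair] = {"interval_s": round(mean, 1), "cv": round(cv, 3), "count": len(times)}
    return findings

if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(FLOWS).items():
        print(f"{src} -> {dst}: every {info['interval_s']} s, cv={info['cv']}, n={info['count']}")
```

Implants that randomise their sleep widely push the CV up, so in practice this check is tuned per environment and combined with the other signals the page lists rather than used alone.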

 

At the top of the pyramid, detection is not about recognizing a specific file or IP. It is about recognizing activity that does not fit normal patterns. 

 

Network visibility helps uncover: 

 

  • Lateral movement inside the environment 
  • Command and control communication 
  • Data staging before exfiltration 
  • Unusual authentication flows 

 

These are technique-level signals. They reflect what an attacker is trying to achieve, not just what tool they are using. When organizations rely only on static indicators, they often miss these deeper patterns. But when network behavior is continuously monitored and analysed, it becomes much harder for attackers to operate quietly. 

 

The clearer the view across your network, the easier it becomes to detect activity at the top of the Pyramid of Pain. And that is where real defensive advantage begins. 


The Strategic Impact 

When detection focuses on higher levels of the pyramid, several benefits emerge: 

 

  • Reduced repeat intrusion patterns 
  • Faster identification of new attack variants 
  • Shorter attacker dwell time 
  • Stronger resilience against infrastructure rotation 

 

Blocking one hash may stop one version of malware. 

 

Detecting credential access techniques can stop an entire intrusion campaign. 

 

The difference lies in whether detection targets artifacts or behavior. 


Conclusion 

The Pyramid of Pain is really about perspective. It pushes us to ask a simple question: are we just blocking what attackers leave behind, or are we making their job harder? 

 

IPs and hashes are easy to replace; tradecraft is not. 

 

When detection focuses on behavior, attackers lose comfort and predictability. And that is when defense starts to gain the upper hand. 
