Page 323 - Cyber Defense eMagazine September 2025
What is the Threat Profiling Pyramid?
Until now, the Pyramid of Compromise, also called the Pyramid of Pain, has been a common framework in cybersecurity. But is it still useful in today's world? The Pyramid of Pain has served the cybersecurity community well, but it appears to be outdated.
Traditionally, the pyramid is built around six types of indicator:
1. Hash
2. IP Address
3. Domain Names
4. Network/Host Artifacts
5. Tools
6. TTPs (Tactics, Techniques, and Procedures)
Researchers have relied on this pyramid when gathering information about malware. But consider some logical questions:
- What if the attacker appends a null byte to the file, changing its hash?
- What if the attacker uses Fast Flux or Domain Generation Algorithms (DGA)?
- What if the attacker copies another group's TTPs or creates a new technique?
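To make the first question concrete, the following added example (not code from the article) compares two tiers of the Pyramid of Pain against the same sample: an exact-hash blocklist at the bottom and a host/network artifact rule further up. The sample bytes, the blocklist and the artifact rule are all constructed here for illustration.

```python
import hashlib

# Constructed stand-in for a file that was blocklisted when first seen.
# The embedded callback string plays the role of a network/host artifact.
SAMPLE = b"CONSTRUCTED-SAMPLE payload ... callback=http://c2.example.invalid/cb ..."

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Bottom of the pyramid: exact-hash indicator, derived from the sample as first seen.
HASH_BLOCKLIST = {sha256_hex(SAMPLE)}

# Higher up the pyramid: an artifact the sample needs at run time (assumed rule).
ARTIFACT_RULES = [b"c2.example.invalid/cb"]

def hash_match(data: bytes) -> bool:
    """Detection based only on the hash indicator."""
    return sha256_hex(data) in HASH_BLOCKLIST

def artifact_match(data: bytes) -> bool:
    """Detection based on a network/host artifact embedded in the content."""
    return any(rule in data for rule in ARTIFACT_RULES)

def evaluate(data: bytes) -> dict:
    """Report which indicator tiers still fire for the given bytes."""
    return {"hash": hash_match(data), "artifact": artifact_match(data)}

# The article's question: the same file with one null byte appended.
# Its hash changes completely, so the hash indicator is useless against it,
# while the artifact rule keeps matching.
PADDED = SAMPLE + b"\x00"

if __name__ == "__main__":
    print("original:", evaluate(SAMPLE))   # {'hash': True, 'artifact': True}
    print("padded:  ", evaluate(PADDED))   # {'hash': False, 'artifact': True}
```

The same comparison carries the pyramid's message: the hash indicator costs the attacker a single byte to defeat, while the artifact forces a change to how the malware actually operates.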
The Pyramid of Threat Actor Profiling is a modern cybersecurity framework designed to offer a behavioral approach to understanding and addressing cyber threats. Unlike traditional models such as the Pyramid of Pain, which focus on Indicators of Compromise (IOCs) and TTPs that attackers can easily change, the Pyramid of Threat Actor Profiling goes deeper by examining who the attacker is, why they act, and how they carry out their attacks.
The Pyramid of Threat Profiling Framework:
- Who: Identifies the threat actor or group behind an attack.
- Why: Understands the threat actor’s goal.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.