Module 3 · Pyramid of Pain & IOC Lifecycle

Manish Garg Associate of (ISC)² · RingSafe
Apr 22, 2026

Last updated: April 29, 2026

Bianco’s Pyramid of Pain, IOC lifecycle, 90-day rule, TTP-focused detection priorities.

Not all indicators are equal. Blocking an IP the attacker can change in 30 seconds is low-value work. Detecting their TTPs forces them to rewrite their playbook — high-value work. The Pyramid of Pain, introduced by David Bianco, is the framework that organises this difference. This module covers the pyramid, the IOC lifecycle, and how to structure detection priorities around both.

The Pyramid of Pain — David Bianco’s framework

   ▲ TOUGH!       TTPs (Tactics, Techniques, Procedures)
   │
   │  Tools
   │
   │  Network / Host Artifacts
   │
   │  Domain Names
   │
   │  IP Addresses
   │
   │  Hash Values
   ▼ TRIVIAL

  ↑ attacker cost to change ↑      ↑ defender value ↑

Indicators at the bottom are cheap for attackers to change. Indicators at the top are expensive. Defenders who focus energy on blocking hashes and IPs are making the attacker’s life marginally inconvenient. Defenders who detect TTPs force the attacker to redesign their operation.
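As an added illustration (not part of the original module or of Bianco's material), the Python below sorts a constructed indicator feed into the pyramid's six levels and reports what share sits in the three cheapest-to-change levels. The `artifact:` and `tool:` prefixes, the sample feed and the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Pyramid levels from the page: 1 = trivial for the attacker to change, 6 = tough.
LEVELS = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
ATTACK_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # MITRE ATT&CK technique ID format
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

FEED = [  # constructed sample values (empty-input hashes, documentation ranges)
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "192.0.2.10", "2001:db8::1",
    "update.example.net",
    "artifact:User-Agent: ExampleAgent/1.0",
    "tool:example-remote-admin-tool",
    "T1059.001",
    "not an indicator",
]


def classify(entry):
    """Return the pyramid level name for one feed entry, or None if untyped."""
    entry = entry.strip()
    # Assumed feed convention: artifacts and tools arrive tagged as "kind:value".
    kind, sep, _ = entry.partition(":")
    if sep and kind in ("artifact", "tool"):
        return kind
    if HASH_RE.match(entry):
        return "hash"
    if ATTACK_RE.match(entry):
        return "ttp"
    if DOMAIN_RE.match(entry):
        return "domain"
    try:
        ipaddress.ip_address(entry)  # accepts IPv4 and IPv6
    except ValueError:
        return None
    return "ip"


def triage(feed):
    """Rank typed entries top-of-pyramid first and measure the bottom-heavy share."""
    typed = [(LEVELS[k], k, e) for e in feed if (k := classify(e))]
    typed.sort(key=lambda t: -t[0])
    counts = Counter(k for _, k, _ in typed)
    low = sum(counts[k] for k in ("hash", "ip", "domain"))
    return typed, counts, (low / len(typed) if typed else 0.0)
```

Running `triage(FEED)` on the sample shows five of the eight typed entries are hashes, IPs or domains, which is the imbalance the pyramid warns about.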