What is POAP?
The Pyramid of Adversary Profiling (POAP) is a cybersecurity framework designed to give defenders a comprehensive, behavior-driven way to understand and counter cyber threats. Unlike traditional models such as the Pyramid of Pain, which centers on Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) that attackers can easily modify, POAP goes deeper by analyzing who the attacker is, why they act, and how they execute their attacks.
Structure of the Pyramid
The pyramid consists of five hierarchical layers, each representing a crucial aspect of adversary profiling:
1️⃣ Who (Adversary Identity) – Identifies the threat actor or group behind an attack.
2️⃣ Why (Motivation & Intent) – Determines the adversary's goal, whether financial gain, espionage, disruption, or activism.
3️⃣ What (Targeted Assets) – Pinpoints the systems, data, or organizations the attacker is focusing on.
4️⃣ How (Execution Methods) – Analyzes the attack techniques, tools, and methodologies used.
5️⃣ When (Attack Timing) – Examines the timing, patterns, and operational cycles of attacks to predict future activity.
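One way to put the five layers to work is to record each known adversary as a profile of its Why/What/How/When attributes and score a new incident against those profiles, so attribution rests on behavior rather than on IOCs. The example below is added here and is not part of the POAP page; the layer weights, the profile names, the attribute vocabulary and the incident are all constructed assumptions, and an incident with an unknown layer (here, timing) is scored only on the layers that were observed.

```python
"""Added example (not from the POAP page): score an observed incident against
adversary profiles built from the POAP layers (Who/Why/What/How/When).
All profiles, attribute names and the incident are constructed sample data."""
from dataclasses import dataclass, field

# Assumed weights: layers nearer the top of the pyramid change least, so they count most.
LAYER_WEIGHTS = {"why": 3.0, "what": 2.0, "how": 2.0, "when": 1.0}


@dataclass
class AdversaryProfile:
    who: str                                  # layer 1: actor label (constructed)
    why: set = field(default_factory=set)     # layer 2: motivations
    what: set = field(default_factory=set)    # layer 3: targeted asset classes
    how: set = field(default_factory=set)     # layer 4: execution methods
    when: set = field(default_factory=set)    # layer 5: timing patterns


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 0 when both sides are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def score(profile: AdversaryProfile, observed: dict) -> float:
    """Weighted similarity in [0, 1]. Layers missing from the observation are
    skipped, so an incident with unknown timing is judged on what was seen."""
    total = weighted = 0.0
    for layer, w in LAYER_WEIGHTS.items():
        obs = observed.get(layer)
        if not obs:
            continue
        weighted += w * jaccard(getattr(profile, layer), set(obs))
        total += w
    return weighted / total if total else 0.0


def rank_candidates(profiles, observed):
    """Return (score, who) pairs, best match first."""
    return sorted(((score(p, observed), p.who) for p in profiles), reverse=True)


# Constructed sample profiles (not real threat actors).
PROFILES = [
    AdversaryProfile("group-alpha", {"financial"}, {"erp", "backups"}, {"phishing", "ransomware"}, {"weekend"}),
    AdversaryProfile("group-beta", {"espionage"}, {"email", "source-code"}, {"spearphishing", "living-off-the-land"}, {"business-hours"}),
    AdversaryProfile("insider-x", {"activism"}, {"customer-data"}, {"bulk-export"}, {"before-resignation"}),
]
# Constructed incident: no IOCs, only observed behavior; attack timing is not yet known.
INCIDENT = {"why": ["financial"], "what": ["backups"], "how": ["ransomware", "phishing"]}

if __name__ == "__main__":
    for s, who in rank_candidates(PROFILES, INCIDENT):
        print(f"{who:12s} {s:.2f}")
```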
Why It’s Better than the Pyramid of Pain
✅ Focuses on Adversary Behavior – Instead of just blocking IOCs (IPs, domains, hashes) that change frequently, it profiles the attacker's identity and intent, which are harder to modify.
✅ Predicts Future Threats – Traditional cybersecurity models are reactive, while this approach anticipates adversary behavior and adapts defense strategies.
✅ Works Against AI-Powered & Adaptive Threats – Cybercriminals can quickly alter malware signatures and attack vectors, but their underlying motives and operational methods remain consistent.
✅ Effective Against Insider Threats & Ransomware – Goes beyond external threats by assessing insider risks, supply chain vulnerabilities, and long-term adversary goals.