Hierarchy of Hurt

adversary pain detection framework

How this relates to the Pyramid of Pain
Pyramid of Pain
Asks: how difficult is this for the adversary to change? A proven proxy for detection investment priority — harder to change generally means more valuable to detect.
Hierarchy of Hurt
Asks: what does it operationally cost the adversary when that activity is detected and acted on? Time to recover, infrastructure to replace, tooling to rebuild, tradecraft to retrain, exposure incurred.
The two questions are correlated — harder-to-change indicators tend to impose higher disruption cost — but they diverge in ways that matter. Change can be easy but operationally expensive when forced mid-operation. Change can be hard but cheap if the adversary has a ready alternative. And the AI plane layers don't map cleanly to change difficulty at all. The Pyramid of Pain (PoP) tells you what's worth detecting. The Hierarchy of Hurt (HoH) tells you what detection actually accomplishes. Both axes are needed to make investment decisions.

The Hierarchy of Hurt builds on David Bianco's Pyramid of Pain (2013) by adding a second axis to the same underlying question — what makes a detection valuable? Where PoP answers from the adversary's moment of adaptation (how hard is it to change?), HoH answers from operational consequence: what does being caught actually cost them? Most of the time these point in the same direction, which is why PoP has held up for over a decade. HoH extends the logic into cases where they diverge, and into AI-plane territory where the change-difficulty framing has no clean answer.

Hurt is concrete and operational, not emotional. Detecting an IP address may delay an adversary for minutes — new VPS, new IP, back in operation. Detecting a tool forces them to rebuild or replace it — days to weeks of disruption. Detecting a TTP requires retraining operators and rebuilding muscle memory across the team. Detecting a threat actor (TA) operational signature forces them to retool their entire approach to how they run operations. At the AI plane, the adversary faces constraints they cannot simply spend their way out of: a model fingerprint is baked in by training and cannot be removed by prompting.

Lower-level detections — IPs, hashes, domains — remain essential for rapid response and volume triage. They are not dismissed here. But they impose limited long-term operational cost on a capable adversary. The framework is designed to help defenders understand that distinction and invest accordingly.

The framework is organized into three sections. The Foundation layers draw on Bianco's original structure, enriched with concrete event examples, data sources, and ATT&CK mappings. The HoH Extended layers add the TA operational signature as a bridge between traditional tradecraft and AI-assisted operations. The AI plane layers extend the same disruption-cost principle into territory that simply didn't exist in 2013 — model fingerprinting, linguistic laundering, synthetic identity operations, and the prompt/interaction plane.

Each layer documents observable artifacts, detection approaches with concrete examples, data sources, cloud and email attack surfaces, and adversary recovery cost. The goal is a framework that is both conceptually rigorous and operationally actionable.


Why this exists

Most detection frameworks stop at TTPs. The cost-of-disruption framing has not been applied to AI-assisted adversary operations — influence campaigns, BEC, synthetic persona networks, AI-augmented impersonation — which are already operational threats. Defenders need a structured way to think about where to invest, what to detect, and what operational cost each detection layer imposes on the adversary.

Modern adversaries can rotate infrastructure in minutes, regenerate malware automatically, and rebuild artifacts on demand. Change itself is cheap. But operational recovery — rebuilding tradecraft, retraining operators, redesigning workflows, absorbing the exposure cost of being detected — is not always cheap. That asymmetry is what the Hierarchy of Hurt is built to exploit. The question defenders should be asking is not just "can we detect this?" but "does detecting this actually cost the adversary something meaningful?"

The linguistic laundering concept — treating multi-model AI content generation as a money-laundering analog with placement, layering, and integration phases — provides a novel detection primitive grounded in disruption cost. The adversary's evasion effort creates the signal. Every additional laundering pass costs compute time and operational overhead while generating new artifacts. The harder they work to reduce their fingerprint, the more laundering signature they produce. Evasion and detection become mutually reinforcing.

The framework is also a maturity roadmap. Foundation and HoH Extended layers are operational today. TA operational signature and model fingerprint are emerging. The AI plane upper layers are research-stage — the theory is sound, proof-of-concept work exists, but production-grade tooling does not yet exist for most orgs. Knowing where you are on that curve, and what it would cost an adversary if you could detect at higher layers, is what drives investment decisions.


Layers at a glance

// with credit to David Bianco
Bianco's Pyramid of Pain (2013) established a foundational insight for detection prioritization: indicators that are harder for adversaries to change are more valuable to detect. The Hierarchy of Hurt takes that prioritization logic as a starting point and reframes the organizing question around operational disruption cost rather than change difficulty. The Foundation layers draw closest to Bianco's original structure. The HoH Extended layers add the TA operational signature and reframe descriptions around adversary recovery cost. The AI plane layers apply the same disruption-cost principle to a detection surface that didn't exist in 2013. The insight about detection prioritization is Bianco's. The disruption-cost framing and AI plane extensions are original contributions.

Each layer represents a detection target ordered by the operational cost it imposes on the adversary when detected and acted on — not how difficult it is to change, but what it actually costs them in time, infrastructure, tooling, tradecraft, and exposure. Higher layers impose greater disruption. The framework is an ode to David Bianco's Pyramid of Pain (2013), which the Foundation layers draw closest to, enriched with concrete data sources and detection examples. The HoH Extended layers add the TA operational signature and reframe around adversary recovery cost. The AI plane layers extend the disruption-cost principle into new territory that didn't exist in 2013 — the same organizing logic applied to a new detection surface.

[Interactive layer diagram. Legend: Foundation (after Bianco); HoH extended; AI, detection; AI, emerging. Axis: adversary hurt score. Node size reflects adversary hurt score; maturity rings mark emerging/research layers.]