
Those familiar with ThreatConnect (now a part of Dataminr) know we appreciate a good Star Wars reference. We also enjoy breaking down security incidents through the lens of operational intelligence and threat analysis.

Back in 2015, during planning for Black Hat, the ThreatConnect team created Star Wars-themed t-shirts for an event. Somewhere along the way, the idea evolved into mapping the Diamond Model for Intrusion Analysis onto the Battle of Yavin. What followed was an office-wide exercise in applying cyber threat intelligence concepts to one of the most iconic moments in science fiction history.

The Diamond Model is an approach to analyzing intrusion events through four interconnected elements:

  • Adversary
  • Infrastructure
  • Capability
  • Victim

Threat analysis becomes the process of connecting those four points to understand the broader operational context behind an attack.

The Battle of Yavin as an Intelligence Failure

At its core, A New Hope revolves around a massive data breach: the theft of the Death Star plans. The climax of the story—the destruction of the Death Star itself—raises several questions when viewed through a cybersecurity lens:

  • Why wasn’t the theft of the plans treated as a critical operational risk?
  • Why were vulnerable exhaust ports left exposed?
  • Why did the Empire fail to connect intelligence signals that, in hindsight, appear obvious?

That final question is where the Diamond Model becomes interesting. If the Empire had fully connected the available intelligence, it might have realized that Luke Skywalker—a pilot known for precision targeting back home on Tatooine—could likely exploit a small exhaust port using an X-Wing and the Force.

But that connection was never fully made. And that intelligence gap changed the course of the war.

Understanding the Diamond

The Battle of Yavin provides a surprisingly complete example of the Diamond Model in practice.

Victim

The Empire clearly understood the importance of the Death Star as a critical strategic asset. Their aggressive response to the stolen plans also suggests they understood the risk posed by the exhaust port vulnerability. What they underestimated was the adversary’s ability to exploit it.

Adversary

The Empire possessed meaningful intelligence on Luke Skywalker and the Rebel Alliance.

They had:

  • Geolocation data tied to Skywalker’s home planet
  • Awareness of Rebel operational activity
  • Knowledge of the Alliance’s broader objectives

But attribution remained inconsistent. Some Imperial units treated the Rebel Alliance as a generalized threat actor while others focused on Force-related elements of the organization.

Those inconsistencies likely created analytical blind spots that helped the Alliance continue offensive operations undetected.

Infrastructure

The Empire also had visibility into much of the Rebel infrastructure involved in the attack. They intentionally allowed the Millennium Falcon to escape the Death Star and tracked it back to the Rebel base on Yavin 4. During the battle itself, they quickly neutralized many Rebel ships.

What they failed to contextualize, however, was the presence of R2-D2—an astromech droid previously associated with senior Imperial leadership and now carrying highly sensitive intelligence. That seemingly small intelligence gap became operationally significant.

Capability

The Empire understood the Rebel Alliance’s technical capabilities:

  • Proton torpedoes
  • Fighter-class ships
  • Force-sensitive operatives
  • Conventional weapons systems

There were no major visibility gaps here. The real failure lay in not understanding the relationship between capabilities, infrastructure, adversary intent, and operational opportunity. That is where the Diamond Model matters most.

The Real Intelligence Failure

The Empire had pieces of the puzzle:

  • Luke’s targeting skill
  • His connection to the Force
  • The Rebel Alliance’s operational intent
  • The vulnerability within the Death Star itself

But they failed to connect those signals into actionable intelligence. The relationship between the vertices of the Diamond is what creates operational understanding:

  • What does the adversary want?
  • What capabilities do they possess?
  • Which infrastructure supports the attack?
  • Which assets are vulnerable?

Had the Empire connected those factors effectively, the outcome of the Battle of Yavin may have looked very different.
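As an added illustration (not code from the original post or from ThreatConnect), the Python below models each Imperial unit's report as a partial Diamond event and pivots on shared vertex values to merge them, showing why the separate reports never form a complete diamond until a linking observation ties Luke, the Rebel base, and the torpedo capability together. The unit names and indicator values are constructed for the example.

```python
from dataclasses import dataclass, field

# The four Diamond Model vertices, in the order the post lists them.
VERTICES = ("adversary", "infrastructure", "capability", "victim")

@dataclass
class Observation:
    """One reporting unit's partial view of an intrusion event."""
    source: str
    adversary: set = field(default_factory=set)
    infrastructure: set = field(default_factory=set)
    capability: set = field(default_factory=set)
    victim: set = field(default_factory=set)

def pivot_merge(observations):
    """Merge observations that share a value on any vertex (Diamond pivoting)."""
    diamonds = []
    for obs in observations:
        current = {v: set(getattr(obs, v)) for v in VERTICES}
        kept = []
        for d in diamonds:
            if any(d[v] & current[v] for v in VERTICES):
                for v in VERTICES:  # absorb the overlapping diamond
                    current[v] |= d[v]
            else:
                kept.append(d)
        kept.append(current)
        diamonds = kept
    return diamonds

def is_complete(diamond):
    """Actionable only when all four vertices are populated."""
    return all(diamond[v] for v in VERTICES)

def yavin_observations(with_pilot_roster):
    """Constructed sample reports, one per Imperial unit the post mentions."""
    reports = [
        Observation("Tatooine garrison", adversary={"Luke Skywalker"},
                    capability={"precision targeting", "the Force"}),
        Observation("Death Star tracking", adversary={"Rebel Alliance"},
                    infrastructure={"Millennium Falcon", "Yavin 4 base"}),
        Observation("Death Star engineering", victim={"exhaust port"},
                    capability={"proton torpedoes"}),
    ]
    if with_pilot_roster:  # the linking report the Empire never produced
        reports.append(Observation("Yavin 4 pilot roster",
            adversary={"Luke Skywalker", "Rebel Alliance"},
            infrastructure={"X-Wing", "Yavin 4 base"},
            capability={"proton torpedoes"}))
    return reports
```

Without the roster report, `pivot_merge` returns three disconnected, incomplete diamonds; with it, the three collapse into one complete diamond whose victim vertex is the exhaust port.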

Why This Still Matters

While fictional, the Battle of Yavin illustrates a very real challenge in modern cyber defense:

Organizations often possess the signals they need to prevent incidents. The challenge is operationalizing intelligence quickly enough to connect those signals before impact.

Threat intelligence is most valuable when it:

  • Connects fragmented indicators into operational context
  • Maps adversary behavior to real-world risk
  • Helps analysts prioritize meaningful threats
  • Enables faster, more informed decisions

The organizations best positioned to respond to evolving threats are not necessarily the ones with the most data. They are the ones best equipped to contextualize it.

The Empire’s downfall wasn’t caused by a lack of visibility alone. It was a failure to connect intelligence, context, and operational action. Modern cyber defense faces the same challenge.

March 26, 2025