Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

ThePyramid of Pain(David Bianco) is a core concept taught inFortiSIEM 7.3andFortiSOAR 7.6curriculum to help SOC analysts prioritize threat intelligence and detection logic. The model ranks indicators based on the "pain" or effort they cause an adversary to change:

IP Addresses (Easy):These are classified as "Easy" to change. An attacker can simply rotate through a proxy service, use a different VPS, or utilize a new compromised host to continue their campaign. While more valuable than a file hash, they provide relatively low-long term value to the defender because they are so ephemeral.

TTPs (Tough/Hard):This is the apex of the pyramid. TTPs (Tactics, Techniques, and Procedures) represent the fundamental way an adversary operates. If a defender successfully detects and blocks a Tactic (e.g., a specific way an attacker performs privilege escalation), the adversary is forced to reinvent their entire operational process, which is time-consuming and difficult.

Why other options are incorrect:

Artifacts (C):According to the pyramid, Network/Host Artifacts are classified as"Annoying", not "Easy". While an attacker can change them, it requires modifying their code or script behavior, which causes more friction than simply switching an IP address.

Tools (D):Tools are classified as"Challenging". While alternatives exist, an adversary usually invests significant time mastering a specific toolset; losing the ability to use that tool effectively disrupts their efficiency significantly.