Threat Actor
What is Threat Actor?
Threat Actor: An individual or group that intentionally causes or attempts to cause harm to information systems, organisations, or people through cyber operations.
Threat actor is the umbrella term used by threat-intelligence and incident-response teams to describe any adversary observed in cyber operations. Categories include nation-state actors, organised cybercrime groups, hacktivists, insiders, terrorist organisations, lone-wolf attackers, and script kiddies. Each is profiled by motivation (espionage, financial gain, disruption, ideology), capability, sophistication, infrastructure, and TTPs mapped to MITRE ATT&CK. Vendors track them under their own naming schemes, such as APT, FIN, UNC, GROUP-IB, Mandiant temp names, CrowdStrike spider/panda/bear themes, Microsoft weather names, and Recorded Future TAGs. Understanding actor profiles informs detection priorities, intelligence requirements, and defensive controls.
● Examples
- 01 A nation-state actor running long-term espionage against defence contractors.
- 02 A ransomware affiliate buying initial access from a broker to deploy LockBit on a manufacturer.
● Frequently asked questions
What is Threat Actor?
An individual or group that intentionally causes or attempts to cause harm to information systems, organisations, or people through cyber operations. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against a Threat Actor?
Defences against threat actors typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Threat Actor?
Common alternative names include: Adversary, Cyber threat actor.
● Related terms
- defense-ops № 714: Nation-State Actor
  A government-sponsored or government-aligned threat actor that conducts cyber operations to pursue strategic, intelligence, military, or economic objectives.
- defense-ops № 901: Ransomware Gang
  A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- defense-ops № 057: APT Group
  A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
- defense-ops № 542: Insider Threat
  The risk that a current or former employee, contractor, or partner with authorised access misuses it to cause harm, intentionally or by negligence.
- defense-ops № 1148: Threat Intelligence
  Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
- defense-ops № 1131: Tactics, Techniques and Procedures (TTPs)
  A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
● See also
- № 458 Hacktivist
- № 977 Script Kiddie
- № 268 Cybercrime-as-a-Service (CaaS)
- № 418 FIN Threat Group
- № 1191 UNC Cluster (Uncategorized)
- № 457 Hacker
- № 098 Black Hat Hacker