Template created as part of Ondra Rojcik’s TI Essentials article: “A guide to Threat Actor Profiling: A deliverable-first approach” | April 9, 2026 | feedly.com/ti-essentials/



Threat Actor Profile: [Actor Name / Internal Alias]

Document Cut-off Date: [YYYY-MM-DD]

1. Executive Summary

[High-level overview of the findings and most critical risk posed by this actor]

2. Identity and Attribution

Group name and aliases: [Primary names (e.g., APT29) and associated sub-groups or rebrands]
Internal Tracking ID: [Single primary identifier used to normalize disparate vendor names]
Actor Type: [e.g. cybercrime, state-sponsored espionage, hacktivist, ransomware affiliate]

3. Motive

Motive: [Financial gain, political/ideological, or thrill-seeking]
Objective: [Specific goal that the threat actor aims to achieve through an attack: steal sensitive data, disrupt a network or service, gain unauthorized access to a system, etc.]

4. Victimology

Sector: [Economic sectors targeted, e.g., NACE/NAICS codes]
Geography: [Specific regions or nations targeted]
Tech Stack: [Targeted software, e.g., unpatched VPNs or SCADA controllers]
Intent/Proximity: [Proximity of the threat actor's targeting to your organisation: direct, competitors, industry, opportunistic]

5. Capability Assessment

Classification and Description: [High, Moderate, or Low capability; general description of the capability and resources]
Technical Skills: [Description of skill level and resource availability]
Tooling Maturity: [Proprietary zero-days vs. commodity/public tools]

6. Modus Operandi (MO)

Known Campaigns & Operations: [High-level description of the modus operandi of the most relevant campaigns and operations]
Intrusion Kill Chain Sequence:

7. Strategic Analysis [Incident response only]

Prediction (What's Next?): [Assessment of the actor's likely next actions]
Implications (So What?): [Business and operational impact analysis]
Recommendations (Now What?): [Guidance required to mitigate the threat]

8. Technical Appendices