A working threat-actor profile is a one-page summary that tells you what an adversary does, how they get in, what tools they use, and how to detect them in your environment. The hard part isn’t writing it; it’s pulling reliable information from the right public sources without drowning in vendor marketing. This is the workflow I use, end to end.
The five-section template
Every profile I produce has the same five sections:
- Identity: names and aliases, first observed, suspected origin, motivation
- TTPs: initial access, execution, lateral movement, persistence, exfiltration, each mapped to MITRE ATT&CK technique IDs
- Tooling: named malware families, custom tools, commodity tools they prefer
- Targeting: sectors, regions, victim-size profile
- Detection guidance: IOCs, behavioural rules, hunting queries
Step 1: Start with MITRE ATT&CK Groups
Open attack.mitre.org/groups. Search for your target. MITRE maintains profiles for ~140 named threat groups in 2026, each with curated TTPs, software, and citations to the source reporting.
Copy the technique list to your draft. Each technique has an ID (T1566 for phishing, T1078 for valid accounts); these IDs are your common-language tags. Note which sub-techniques are documented; that level of specificity is where useful detection rules live.
For ransomware affiliates specifically, MITRE often groups them under software entries (e.g., LockBit) rather than threat-group entries, so check both.
Step 2: Cross-reference with Mandiant and CrowdStrike
Different vendors use different naming. Mandiant has UNC/APT/FIN designations, CrowdStrike has the animal-codenames (Bear/Panda/Spider/Tiger). Same operator, different name. Cross-referencing handles this.
Mandiant Threat Intelligence publishes detailed threat-actor profiles. Most are gated behind subscription, but their public blog at cloud.google.com/blog/topics/threat-intelligence has substantial free reporting.
CrowdStrike Adversary Universe publishes a free public list with brief profiles. Their annual Global Threat Report (free PDF) is the best single document for cross-vendor naming reconciliation.
For alias reconciliation, Malpedia maintains the most thorough cross-vendor mapping I’ve found. Search the actor; the page lists every alias with citations.
Step 3: Build the malware family list with Malpedia
Malpedia is Fraunhofer FKIE’s malware encyclopedia: open, free, and well-curated. Search the actor’s name to get the list of malware families attributed to them, with sample hashes, YARA rules, and reference citations.
Note the rules: Malpedia includes verified YARA rules for many families that you can drop into your detection stack as-is.
Step 4: Get IOCs from CISA and government advisories
For US-targeted operators, CISA’s Cybersecurity Advisories are the authoritative source. Each advisory includes IOCs, ATT&CK mappings, and mitigation guidance. They’re slower than vendor reporting but rigorously verified.
For UK-specific actors, NCSC. For European, ENISA. Government advisories tend to be conservative on attribution but liberal with IOCs, which is exactly the right balance.
Step 5: Pull recent IR firm blog reporting
For TTP freshness, the IR firms publish faster than MITRE updates. Worth scanning the blogs of:
- Mandiant (now Google Cloud Security)
- CrowdStrike
- Microsoft Threat Intelligence
- Sophos X-Ops
- Recorded Future
- The DFIR Report (excellent for ransomware-affiliate work specifically)
Set up an RSS reader pointed at all of them. Twenty minutes a day reading blog posts gets you ahead of most internal threat-intel teams.
Step 6: Validate against your own environment
Take the technique list and ask: “do my detections cover each of these?” Use MITRE ATT&CK Flow or AttackIQ Open to map your detection stack against the technique list. The gaps are your prioritised work.
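Step 6’s question, “do my detections cover each of these?”, as an added example in Python that is not from the original post: it compares an actor’s ATT&CK technique list against the technique IDs your detection rules are tagged with, and separates true gaps from rules that only cover the parent technique of a documented sub-technique. The technique IDs and rule names below are constructed sample data.

```python
"""Step 6 gap check: compare an actor's ATT&CK technique list with the
technique IDs your detection rules are tagged with.  Added example, not
from the original post; technique IDs and rule names are constructed."""
import re
from typing import Dict, Iterable, List

TECH_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def parent_of(tid: str) -> str:
    """T1566.001 -> T1566; a parent technique is its own parent."""
    return tid.split(".")[0]

def coverage_report(profile_techniques: Iterable[str],
                    rule_tags: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Classify each profile technique as covered, parent_only or gap.
    covered: a rule carries the exact ID or, for a parent ID, one of its
    sub-techniques.  parent_only: the profile lists a sub-technique but
    rules only carry its parent, so the specific behaviour isn't detected.
    gap: no rule mentions the technique or its parent."""
    tagged = {t for tags in rule_tags.values() for t in tags}
    for t in tagged | set(profile_techniques):
        if not TECH_RE.match(t):
            raise ValueError(f"malformed ATT&CK ID: {t}")
    report: Dict[str, List[str]] = {"covered": [], "parent_only": [], "gap": []}
    for tid in sorted(set(profile_techniques)):
        exact = tid in tagged
        sub_hit = "." not in tid and any(parent_of(t) == tid for t in tagged)
        if exact or sub_hit:
            report["covered"].append(tid)
        elif parent_of(tid) in tagged:
            report["parent_only"].append(tid)
        else:
            report["gap"].append(tid)
    return report

# Constructed sample data: technique IDs as copied from an ATT&CK group
# page, and a detection inventory tagged with ATT&CK IDs.
PROFILE = ["T1566.001", "T1078", "T1021.001", "T1486", "T1567.002"]
RULES = {
    "phish_attachment_macro": ["T1566.001"],
    "rdp_lateral_login":      ["T1021.001"],
    "new_rclone_process":     ["T1567"],       # parent only, no sub-technique
    "odd_hour_domain_logon":  ["T1078.002"],   # sub-technique of T1078
}

if __name__ == "__main__":
    for bucket, ids in coverage_report(PROFILE, RULES).items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
```

The parent_only bucket is the one the post’s advice about sub-techniques points at: a rule tagged T1567 does not tell you whether exfiltration to cloud storage (T1567.002) is actually detected.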
Step 7: Maintain it
A profile written once and never updated is wrong within months. Set a quarterly review on the calendar: re-scan the source feeds, update technique IDs, and check for rebrands or splinter-group activity.
The best practitioners I know maintain profiles for 5-10 actors relevant to their environment. That’s enough to get genuine fluency without burying yourself in noise. Quality over quantity.
