Actor Profile Template
Purpose
Define the required sections for a professional actor profile.
Practitioner-Level Explanation
An actor profile is a decision-support artifact. It should not be a static encyclopedia page. It must explain what is known, who reported it, what is assessed, why it matters, what is detectable, and what remains unknown.
A good profile includes aliases, sponsor assessments, targeting, TTPs, tooling, infrastructure notes, evidence quality, relevance, hunting ideas, detection candidates, and freshness status.
CTI Relevance
Consistent actor profiles help CTI teams compare actors, prioritize research, and hand off useful content to detection and SOC teams.
Common Mistakes
- Writing actor pages as biographies instead of decision support.
- Merging vendor aliases without source confirmation.
- Using tool overlap as attribution proof.
- Omitting relevance to the defended environment.
- Failing to separate actor, persona, sponsor, and public claim.
Practical Workflow
- Create an alias and source table.
- Add a sponsor/attribution section with a stated confidence level.
- Write the targeting and relevance sections.
- Add TTPs with evidence labels.
- Add tools with source and behavior.
- Add detections and hunts.
- Add gaps and a review date.


Example / Mini Case
A profile for a destructive persona should include a persona-claims section rather than mixing all public claims into confirmed incidents.

Analyst Checklist
- Are aliases source-confirmed?
- Are sponsor and attribution claims evidence-labeled?
- Are behaviors mapped to TTPs only when supported?
- Are detection and hunting implications included?
- Are gaps explicit?
Output Artifact
Primary Name:
Aliases and Sources:
Sponsor / Attribution:
Confidence:
Targeting:
Relevance:
TTPs:
Tools:
Infrastructure Notes:
Detection Ideas:
Hunt Hypotheses:
Evidence IDs:
Gaps:
Last Reviewed:
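
One way to check a filled-in profile against the Analyst Checklist and the Output Artifact fields above, as an added example that is not part of the original template. The `;`-separated `Alias (Source)` format, the ISO date in Last Reviewed, the 180-day freshness window, and the sample profile are assumptions made for illustration.

```python
import re
from datetime import date

# Field names come from the Output Artifact section of this page.
REQUIRED = ["Primary Name", "Aliases and Sources", "Sponsor / Attribution",
            "Confidence", "Targeting", "Relevance", "TTPs", "Tools",
            "Infrastructure Notes", "Detection Ideas", "Hunt Hypotheses",
            "Evidence IDs", "Gaps", "Last Reviewed"]

def parse_profile(text):
    """Parse single-line 'Field: value' entries into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in REQUIRED:
            fields[name.strip()] = value.strip()
    return fields

def lint_profile(text, today, max_age_days=180):
    """Return a list of findings; an empty list means the profile passes."""
    f = parse_profile(text)
    findings = [f"missing or empty: {k}" for k in REQUIRED if not f.get(k)]
    # Assumed convention: aliases separated by ';', each 'Alias (Source)'.
    for alias in map(str.strip, f.get("Aliases and Sources", "").split(";")):
        if alias and not re.fullmatch(r".+\(\s*\S.*\)", alias):
            findings.append(f"alias without source: {alias}")
    # Assumed convention: Last Reviewed is an ISO date (YYYY-MM-DD).
    if f.get("Last Reviewed"):
        try:
            age = (today - date.fromisoformat(f["Last Reviewed"])).days
            if age > max_age_days:
                findings.append(f"stale: last reviewed {age} days ago")
        except ValueError:
            findings.append("Last Reviewed is not an ISO date")
    return findings

# Constructed sample profile (not a real actor); two fields are left out.
SAMPLE = """Primary Name: EXAMPLE-ACTOR
Aliases and Sources: Alias-One (Vendor A report); Alias-Two
Sponsor / Attribution: Unknown, no source-confirmed sponsor
Confidence: Low
Targeting: Energy sector
Relevance: Defended environment includes energy-sector systems
TTPs: T1485 (E-001)
Tools: Example wiper (Vendor A report)
Infrastructure Notes: None confirmed
Evidence IDs: E-001
Gaps:
Last Reviewed: 2024-01-01"""
```

Calling `lint_profile(SAMPLE, today=date(2024, 12, 31))` returns one finding per missing field, unsourced alias, and stale review date, which can gate a profile before it is handed to detection or SOC teams.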