Threat actor attributes — SY0-701
Learn threat actor attributes for Security+ SY0-701: how intent, capability, and resources define adversary risk — and avoid the APT misconception trap.
WHAT IT IS
A threat actor is an individual or a group posing a threat (NIST SP 800-150). Threat actor attributes are the observable properties used to characterize how dangerous a given actor is — primarily their intent, capability, and resources. Together, these attributes help analysts determine whether a threat is credible and how much effort an actor can sustain.
The NIST definition of adversary reinforces this framing: an adversary is a "person, group, organization, or government that conducts or has the intent to conduct detrimental activities" (CNSSI 4009-2015/NIST SP 800-30 Rev. 1). The phrase "conducts or has the intent" signals that intent alone is sufficient to classify someone as an adversary — capability is separate.
Mental model
Think of threat actor attributes as three dimensions that together determine threat severity:
| Attribute | The question it answers | Why it matters |
|---|---|---|
| Intent | Does the actor want to cause harm? | An actor without intent is not a threat actor, regardless of technical skill |
| Capability | Can the actor carry out an attack? | High intent + low capability = limited risk |
| Resources | What can the actor sustain over time? | Resources amplify capability and enable prolonged campaigns |
These three attributes combine — a well-resourced actor with clear intent but low capability is a different risk profile than a highly capable actor with limited funding.
When to use it
Candidates often confuse attributes (properties of an actor) with types (categories of actors such as nation-state, insider, or hacktivist). This table shows where each concept applies:
| Question | Concept to apply | Example |
|---|---|---|
| "What kind of actor is this?" | Threat actor type | Nation-state, insider, cybercriminal |
| "How dangerous is this actor?" | Threat actor attributes | High capability, persistent intent, significant resources |
| "What does this actor want?" | Threat actor motivation | Espionage, financial gain, disruption |
| "How did the actor get in?" | Threat vector | Phishing, supply chain compromise |
The attributes (intent, capability, resources) apply across all actor types — a nation-state and an insider threat both have intent, capability, and resources, but typically in very different amounts.
COMMON MISCONCEPTION
The exam frequently tests whether candidates treat "advanced persistent threat" (APT) as a type of actor rather than a set of attributes.
The NIST definition of APT describes it as an adversary that "pursues its objectives repeatedly over an extended period of time, adapts to a defender's efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives" (NIST SP 800-39). The defining features — persistence, adaptability, determination, and access to significant resources and expertise — are attributes, not a fixed actor category.
Candidates who treat "APT" as synonymous with "nation-state actor" miss the core point: APT describes a behavioral and resource profile that could — in principle — apply to any actor that sustains persistent, adaptive operations. The NIST definition does not restrict APT status to government-sponsored groups.
A related trap: assuming that authorized access eliminates threat actor status. NIST's insider threat definition is explicit — "the threat that an insider will use their authorized access, wittingly or unwittingly, to do harm" (NIST SP 800-53 Rev. 5). Authorized access and malicious intent can coexist.
How it shows up on the exam
The cognitive target for this concept is analysis: given a description of an actor's behavior, resources, or access, candidates must identify which attribute (intent, capability, resources) the scenario illustrates — or identify that a scenario describes an APT profile rather than a specific actor type.
Signal phrases to watch for:
- "Motivated by financial gain but lacking technical expertise" — tests whether candidates can hold intent and capability as separate variables
- "Conducted repeated intrusions over 18 months, adapting each time defenses improved" — characteristic of the persistence and adaptability attributes associated with an APT profile
- "Used authorized credentials to exfiltrate data" — probes the insider threat dimension, where intent to harm coexists with legitimate access
- "Limited resources, off-the-shelf tools" — tests recognition that low resource levels constrain the scale of an attack even when intent is present
A common misconception is that "sophisticated" always means nation-state. Sophistication is a point on the capability attribute, and MITRE ATT&CK documents groups with varying capability profiles regardless of state sponsorship.
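To make the mental model concrete, here is a small Python model of the three attributes (intent, capability, resources) run over profiles built from the four signal-phrase scenarios above plus a no-intent control case. It is an added example, not part of this page or of any CompTIA or NIST material: the 0-3 ordinal scale, the scoring rule (intent gates threat-actor status; resources amplify capability), the tier thresholds and the `APT_MARKERS` set are assumptions chosen to illustrate the page's points, not an official method. Note that the APT check reads only behaviour and resources, never `actor_type`, which is the misconception the page warns about.

```python
from dataclasses import dataclass

# Ordinal scale for each attribute (constructed for this example).
NONE, LOW, MODERATE, HIGH = 0, 1, 2, 3

# Behavioural markers that, together with significant resources, make up the
# APT profile described in NIST SP 800-39: persistence, adaptability, determination.
APT_MARKERS = frozenset({"persistent", "adaptive", "determined"})


@dataclass
class ActorProfile:
    name: str
    actor_type: str                       # category (nation-state, insider, ...), kept separate from attributes
    intent: int                           # does the actor want to cause harm?
    capability: int                       # can the actor carry out an attack?
    resources: int                        # what can the actor sustain over time?
    authorized_access: bool = False       # insiders keep threat-actor status despite this
    observed: frozenset = frozenset()     # behavioural markers noted during analysis


def is_threat_actor(p: ActorProfile) -> bool:
    """Intent alone is sufficient to classify an adversary; authorized access is irrelevant here."""
    return p.intent > NONE


def effective_capability(p: ActorProfile) -> int:
    """Resources amplify capability (sustained campaigns, acquired tooling), capped at HIGH.
    Assumed rule: every two steps of resources add one step of capability."""
    return min(HIGH, p.capability + p.resources // 2)


def risk_tier(p: ActorProfile) -> str:
    """Coarse severity: intent gates the result, then intent x effective capability sets the tier."""
    if not is_threat_actor(p):
        return "not a threat actor"
    score = p.intent * effective_capability(p)
    if score >= 7:
        return "high"
    if score >= 4:
        return "moderate"
    return "limited"


def matches_apt_profile(p: ActorProfile) -> bool:
    """APT is a behaviour-and-resource profile, so this never consults actor_type."""
    return APT_MARKERS <= set(p.observed) and p.resources >= MODERATE


# Constructed profiles mirroring the exam signal phrases, plus a control case.
SCENARIOS = [
    ActorProfile("financially motivated, no expertise", "cybercriminal",
                 intent=HIGH, capability=NONE, resources=LOW),
    ActorProfile("18 months of adaptive intrusions", "unknown",
                 intent=HIGH, capability=HIGH, resources=HIGH,
                 observed=frozenset({"persistent", "adaptive", "determined"})),
    ActorProfile("authorized credentials used to exfiltrate", "insider",
                 intent=MODERATE, capability=MODERATE, resources=LOW, authorized_access=True),
    ActorProfile("off-the-shelf tools, limited resources", "hacktivist",
                 intent=MODERATE, capability=LOW, resources=NONE),
    ActorProfile("skilled researcher, no intent", "none",
                 intent=NONE, capability=HIGH, resources=MODERATE),
]


def assess_all() -> dict:
    """Map each scenario name to (threat actor?, risk tier, APT profile?)."""
    return {p.name: (is_threat_actor(p), risk_tier(p), matches_apt_profile(p)) for p in SCENARIOS}


if __name__ == "__main__":
    for name, (actor, tier, apt) in assess_all().items():
        print(f"{name:45} threat_actor={actor!s:5} tier={tier:20} apt_profile={apt}")
```

The control case shows the first row of the mental-model table directly: a highly capable, well-resourced actor with no intent is reported as "not a threat actor", while the insider with authorized access is still a threat actor with a moderate tier. The APT scenario is classified as an APT profile even though its `actor_type` is "unknown", and the financially motivated actor with no expertise lands in the "limited" tier despite maximal intent.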
Related concepts
- Threat actor types — the categories of actors (nation-state, insider, hacktivist, etc.) that attributes are applied to
- Threat actor motivations — the goals that drive intent; motivation is distinct from the capability and resource attributes
- Threat vectors — the pathways actors use to gain access; attributes explain who the actor is, vectors explain how they get in
Sources
Every claim on this page traces to the public exam blueprint and official documentation: