Threat actor motivations — SY0-701
Learn what drives threat actors on the CompTIA Security+ SY0-701 exam: how motivation shapes attack behavior and how to distinguish intent from capability.
What it is
Motivation is the underlying reason — the why — that drives a threat actor to pursue an attack. NIST describes threat actors as "the instigators of risks with the capability to do harm" (NISTIR 8286) and "the source of risk that can result in harmful impact" (NIST SP 800-221). Understanding motivation is what distinguishes a random opportunist from a disciplined, long-term adversary: the same technique applied for different reasons produces a different threat profile, a different target set, and a different persistence pattern.
NIST separates threat sources into two fundamental categories (NISTIR 8286): those with deliberate harmful intent who target vulnerabilities on purpose, and those that trigger harm unintentionally — through accident, error, or circumstance. Motivation, as an exam topic, belongs entirely to the first category: the intentional actor who has a reason to attack.
Mental model
Think of motivation as the answer to "what does the attacker want to walk away with?" That answer shapes everything downstream: which targets they choose, how long they stay, how much noise they are willing to make, and how much resource they are willing to expend.
A useful frame is to ask three questions for any scenario:
- What is the desired outcome? (money, data, disruption, political statement, proof of skill)
- Who is the actor relative to the target? (outsider vs. someone with authorized access)
- How long and how quietly does the actor need to operate to reach that outcome?
Motivation answers question one and directly informs questions two and three. An actor motivated by financial gain behaves very differently from one motivated by prolonged intelligence collection, even if both use the same initial access technique.
When to use it
Exam scenarios often require you to identify the most likely actor type or the most appropriate control, and motivation is one of the key discriminators. The table below compares the two distinctions that appear most frequently in scenario questions.
| Factor | Motivation-driven framing | What to look for in the stem |
|---|---|---|
| Intent vs. capability | Motivation explains why; capability explains whether | Stem describes what the actor wants, not just what they can do |
| Intentional vs. unintentional | Only intentional actors have motivations | Stem mentions deliberate targeting or a conscious goal |
| Insider vs. outsider | Insiders use authorized access "wittingly or unwittingly" (NIST SP 800-53 Rev. 5) | Stem mentions an employee, contractor, or trusted partner |
| Persistent vs. opportunistic | APTs pursue objectives "over extended periods" and adapt to defenses (NIST SP 800-39 lineage) | Stem mentions long dwell time, repeated attempts, or adaptive behavior |
Common misconception
The trap: confusing motivation with capability, or motivation with technique.
Candidates often read "sophisticated attacker" and assume a state-level motivation (espionage), or read "financial" and assume a low-sophistication actor. These are not the same dimension. NIST's APT definition notes an adversary with "sophisticated levels of expertise and significant resources" — but sophisticated capability can serve financial, espionage, destructive, or political ends. MITRE ATT&CK's Groups section describes actors that "conduct both cyberespionage and financially motivated operations," meaning a single actor can hold multiple motivations simultaneously.
The second trap is treating motivation as a clean, mutually exclusive taxonomy. Official sources do not publish a fixed list of motivation buckets. MITRE ATT&CK's Groups database describes motivations through narrative (financial cybercriminals, state-sponsored espionage actors, politically motivated actors, destructive actors) without offering a formal enumeration. The exam tests whether you can identify the motivation evident in the scenario, not whether you can recite a numbered list.
A third trap applies to insider threats specifically: the NIST definition explicitly states insider harm can occur "wittingly or unwittingly." Motivation implies intent — an unwitting insider who accidentally exposes data is a threat source but does not have a motivation to cause harm. Distinguish the actor's authorization (insider) from their intent (motivated vs. accidental).
How it shows up on the exam
The cognitive target for motivation questions is analysis: you are given a scenario and asked to identify the most likely actor or the most plausible explanation for observed behavior. The question is not "define motivation" — it is "given these observable signals, what motivation best explains this attack pattern?"
Signal phrases to watch for:
- Financial gain language — references to ransomware deployment, data theft for resale, or targeting of payment systems suggest a financially motivated actor. MITRE ATT&CK's Groups section consistently frames cybercriminal groups around monetary theft and fraud.
- Intelligence collection language — references to prolonged dwell time, exfiltration of sensitive organizational data, or adaptation to defensive measures align with the APT profile in NIST: an adversary that "exfiltrates information continuously" and "positions itself to carry out objectives in the future."
- Disruption or destruction language — references to wiping systems, degrading critical infrastructure, or causing operational outages signal a motivation focused on impact rather than data theft.
- Political or ideological language — references to public statements, symbolic targeting, or protest-linked activity suggest an actor whose goal is visibility and message, not durable access.
- Authorized access + harmful outcome — NIST's insider threat definition ("authorized access, wittingly or unwittingly") flags these scenarios: when the actor already has access, the question of motivation centers on whether harm is deliberate.
Candidates who confuse motivation with sophistication, or who impose a rigid taxonomy that the sources do not support, tend to misidentify the actor type and therefore misidentify the appropriate control.
Related concepts
- Threat actor types
- Threat actor attributes
- Threat vectors
Sources
Every claim on this page traces to the public exam blueprint and official documentation: