Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.1

Threat actor types — SY0-701

Learn the Security+ SY0-701 threat actor types — nation-state, APT, cybercriminal, hacktivist, and insider — and how to classify them on exam scenarios.

WHAT IT IS

A threat actor is "an individual or a group posing a threat" (NIST SP 800-150). In risk frameworks, the same entity is called a threat source — defined by NIST as a source capable of "intentional exploitation of a vulnerability" or of accidentally triggering one (NISTIR 8286). MITRE ATT&CK uses the term Groups for named threat clusters it tracks in its knowledge base.

NIST draws the first boundary between human and non-human sources: human threat sources act with intent; non-human sources (equipment failure, natural disaster) do not (NISTIR 8286). Security+ Objective 2.1 is concerned exclusively with the human, intentional category.


Mental model

Think of threat actors as existing on two axes simultaneously:

  • Capability axis — ranging from low (using tools others wrote) to high (developing novel capabilities).
  • Backing axis — ranging from an individual acting alone to a nation-state providing resources, legal cover, and tasking.

Where an actor falls on both axes determines how they are classified, what they typically target, and what level of persistence they sustain. The NIST definition of Advanced Persistent Threat (APT) captures the high-high corner explicitly: an adversary with "sophisticated levels of expertise and significant resources" that "pursues its objectives repeatedly over an extended period of time" and "adapts to defenders' efforts to resist it" (NIST SP 800-39).


When to use it

The table below maps the actor categories you are expected to distinguish. Each entry is grounded in NIST or MITRE documentation where such documentation exists; where it does not (hacktivist, unskilled attacker), the entry says so rather than inventing a citation.

Nation-state / State-sponsored
  • Core characteristic: attributed to a specific government or its intelligence services.
  • Primary driver: geopolitical objectives such as espionage, disruption, or sabotage.
  • Typical capability level: high; meets the NIST APT definition (sophisticated, resourced, persistent, adaptive).
  • Key NIST/MITRE grounding: MITRE ATT&CK attributes APT29 to Russia's SVR and Lazarus Group to North Korea's RGB.

Advanced Persistent Threat (APT)
  • Core characteristic: a behavioral descriptor, not a fixed actor category: long dwell time, multiple attack vectors, adaptation to defenses.
  • Primary driver: varies; often espionage, but can be financial.
  • Typical capability level: high.
  • Key NIST/MITRE grounding: NIST SP 800-39: "sophisticated levels of expertise and significant resources," pursuing objectives over an extended period and adapting to defenders' efforts.

Cybercriminal / Organized crime
  • Core characteristic: financially motivated; may operate as a business (ransomware-as-a-service, etc.).
  • Primary driver: profit.
  • Typical capability level: medium to high.
  • Key NIST/MITRE grounding: MITRE tracks groups it describes as "financially motivated" (e.g., APT41 is assessed as a state-sponsored espionage group that also conducts "financially-motivated operations").

Hacktivist
  • Core characteristic: ideological or political motivation expressed through cyber means.
  • Primary driver: ideology, political cause, or social agenda.
  • Typical capability level: low to medium; varies widely.
  • Key NIST/MITRE grounding: no dedicated NIST or MITRE definition; the category is identified by motive rather than capability. MITRE group descriptions record stated motivation (e.g., "financially motivated"), and it is the absence of a profit or espionage motive, together with a stated cause, that marks a scenario as hacktivist.

Insider threat
  • Core characteristic: actor with authorized access, wittingly or unwittingly, who harms organizational operations or assets.
  • Primary driver: varies: malice, coercion, negligence, ideology.
  • Typical capability level: any; access is the differentiator, not skill.
  • Key NIST/MITRE grounding: NIST SP 800-53 Rev. 5: "The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation."

Script kiddie / Unskilled attacker
  • Core characteristic: uses tools or exploits developed by others without deep technical understanding.
  • Primary driver: notoriety, curiosity, low-grade disruption.
  • Typical capability level: low; dependent on pre-built tooling.
  • Key NIST/MITRE grounding: no dedicated definition; implied by NIST's intent/method framing of a threat source, where the method is borrowed rather than developed.

APT vs. nation-state: these terms overlap heavily but are not synonyms. APT is a behavioral description (NIST SP 800-39 defines it by capability and persistence, not by who employs the actor). A state-sponsored group is often an APT, but APT is the technical descriptor and nation-state is the attribution.


COMMON MISCONCEPTION

The trap: treating "APT" as a synonym for "nation-state actor."

NIST SP 800-39 defines APT by observable characteristics — sophistication, resources, multiple attack vectors, extended engagement, and adaptability — not by who funds or tasks the group. A well-resourced organized-crime syndicate could exhibit APT behaviors. Conversely, not every nation-state cyber unit necessarily meets the full APT definition. On exam questions, read for the behavioral descriptors (long dwell time, adaptation, multiple vectors) to identify APT, and read for attribution to a government or intelligence service to identify nation-state.

The second trap: assuming insider threat requires malicious intent. NIST SP 800-53 Rev. 5 explicitly includes unwitting insiders — employees who are compromised or make security errors — within the insider threat definition. An insider who clicks a phishing link and enables data exfiltration is still an insider threat vector even if their intent was not harmful.


How it shows up on the exam

The cognitive target for this objective is classification and attribution: given a scenario description of an attack, candidates must identify which actor type best fits. Signal phrases to watch for:

  • "state-sponsored," "nation of origin," "government agency," "intelligence service" — points toward nation-state actor; look for whether the scenario also describes sustained, adaptive operations that would invoke the APT label.
  • "authorized access," "employee," "contractor," "wittingly or unwittingly" — aligns with the NIST insider threat definition (NIST SP 800-53 Rev. 5).
  • "sophisticated," "long dwell time," "adaptive to defenses," "multiple attack vectors" — the NIST SP 800-39 APT behavioral profile; attribution to a government is a separate determination.
  • "politically motivated," "ideological," "social cause" — points toward hacktivist; MITRE distinguishes such groups from financially motivated ones.
  • "financially motivated," "ransomware," "profit" — points toward cybercriminal; MITRE explicitly labels certain groups as "financially motivated" distinct from espionage actors.
  • "pre-built tools," "known exploits," "low sophistication" — points toward script kiddie / unskilled attacker.

Candidates often conflate motivation (why) with capability (how well). A nation-state's motivation may be espionage but its capability is what makes it an APT. Keep the two dimensions separate when reading scenarios.
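The two-axis mental model and the signal-phrase list above can be run as code: a scenario scorer that decides the "who" (attribution or motive) and the "is it APT" (behavioral profile) separately, so a crime crew with long dwell time earns the APT label and a one-off state operation does not. This is an added example, not code from the original page, NIST, MITRE, or CompTIA. The signal-phrase lists are assumptions lifted from the bullets above, the two-signal APT threshold is an assumption, and the scenarios are constructed for illustration rather than taken from any exam.

```python
"""Two-axis scenario classifier for the SY0-701 threat-actor types.

Added example, not from the original page, NIST, MITRE, or CompTIA. It
separates the two determinations the page keeps apart: WHO the actor is
(attribution or motive, the backing axis) and WHETHER the behaviour meets
the NIST SP 800-39 APT profile (the capability/persistence axis). The
signal-phrase lists, the two-signal APT threshold, and the scenarios are
all assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
import re

# Attribution / motive signals -> actor type (the "who" determination).
ACTOR_SIGNALS = {
    "nation-state": ["state-sponsored", "nation of origin", "government agency",
                     "intelligence service"],
    "insider": ["authorized access", "employee", "contractor",
                "wittingly or unwittingly"],
    "hacktivist": ["politically motivated", "ideological", "social cause"],
    "cybercriminal": ["financially motivated", "ransomware", "profit"],
    "unskilled attacker": ["pre-built tools", "known exploits",
                           "low sophistication"],
}

# Behavioural signals -> APT descriptor. Deliberately NOT tied to any actor
# type: a crime syndicate can earn the label, a state unit can miss it.
APT_SIGNALS = ["sophisticated", "long dwell time", "adaptive to defenses",
               "multiple attack vectors", "extended period"]
APT_MIN_SIGNALS = 2  # assumption: one adjective alone is not persistence


@dataclass
class Classification:
    actor_type: str                      # who; "undetermined" if ambiguous
    apt: bool                            # behavioural label, independent of who
    actor_hits: dict = field(default_factory=dict)
    apt_hits: list = field(default_factory=list)


def _hits(text, phrases):
    """Return the phrases found as whole words/phrases in text."""
    return [p for p in phrases
            if re.search(r"\b" + re.escape(p) + r"\b", text)]


def classify(scenario: str) -> Classification:
    text = scenario.lower()
    actor_hits = {}
    for actor, phrases in ACTOR_SIGNALS.items():
        hits = _hits(text, phrases)
        if hits:
            actor_hits[actor] = hits
    apt_hits = _hits(text, APT_SIGNALS)

    if not actor_hits:
        actor = "undetermined"
    else:
        ranked = sorted(actor_hits.items(), key=lambda kv: len(kv[1]),
                        reverse=True)
        # A tie between two actor types means the scenario needs re-reading,
        # not a coin flip.
        tied = len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1])
        actor = "undetermined" if tied else ranked[0][0]
    return Classification(actor, len(apt_hits) >= APT_MIN_SIGNALS,
                          actor_hits, apt_hits)


# Constructed scenarios (not exam content). Keys name the expected answer.
SCENARIOS = {
    "state_apt": ("A state-sponsored group tied to a foreign intelligence "
                  "service kept a long dwell time in the network, used "
                  "multiple attack vectors and proved adaptive to defenses."),
    "state_not_apt": ("A cyber unit of a government agency sent one phishing "
                      "email, took a document and did not come back."),
    "crime_apt": ("A financially motivated crew deployed ransomware for "
                  "profit after a long dwell time using multiple attack "
                  "vectors."),
    "unwitting_insider": ("An employee with authorized access unwittingly "
                          "opened a phishing attachment, enabling "
                          "exfiltration of customer records."),
    "hacktivist": ("A politically motivated collective defaced a ministry "
                   "website to promote a social cause."),
    "unskilled": ("A teenager ran pre-built tools and known exploits against "
                  "an exposed server, showing low sophistication."),
}


def run_all():
    """Map each scenario key to (actor_type, apt) for inspection or testing."""
    return {key: (c.actor_type, c.apt)
            for key, c in ((k, classify(s)) for k, s in SCENARIOS.items())}


if __name__ == "__main__":
    for key, scenario in SCENARIOS.items():
        c = classify(scenario)
        print(f"{key:18} -> {c.actor_type:18} APT={c.apt}  "
              f"actor signals={c.actor_hits}  apt signals={c.apt_hits}")
```

Note what the two state scenarios return: both are "nation-state" by attribution, but only the one showing dwell time, multiple vectors and adaptation gets APT=True, while the ransomware crew gets APT=True with actor type "cybercriminal". A scenario whose signals tie (for example a contractor acting for profit) comes back "undetermined", which is the honest answer when motive and access point in different directions and the exam item needs re-reading.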


Sources

Every claim on this page traces to the public exam blueprint and official documentation.
