Threat Actors and Motivations

Every network architecture implicitly assumes an adversary. You do not configure access control lists, implement zero-trust protocols, or deploy endpoint detection systems in a vacuum. You build them to resist human beings acting with specific intent, budgets, and operational constraints. Defenses cannot be reasoned about in the abstract if you ignore the practical realities of the attacker. To protect a network, you must understand who is knocking at the perimeter, what they want, and what resources they possess.

A threat actor is any entity responsible for an event that impacts the security of a system or network.

For a security professional or network administrator, this is the foundational reality of daily work. A generic firewall rule might automatically drop a careless automated probe, but it is fundamentally inadequate against a well-funded, patient human adversary who adapts to your defenses in real time. To size defenses to the threat, threat actors are classified by their level of technical sophistication and the financial resources available to them.

Regardless of their classification, all adversaries share a common starting line. Before a single malicious packet is sent, threat actors of every classification frequently use Open-Source Intelligence (OSINT) to gather information about the target. From reviewing LinkedIn profiles to discover who holds administrative access, to scanning public code repositories for accidentally committed API keys, reconnaissance is universal.
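The repository-scanning form of reconnaissance mentioned above is easy to see in code. The following is an added example written for this page, not a tool from the original article or any project: a minimal secret scanner that combines fixed-prefix rules for well-known credential formats with a generic "secret-looking variable assigned a high-entropy literal" rule. The sample file contents, the rule patterns, and the entropy threshold are all assumptions constructed for the demo (the AWS values are Amazon's documented placeholder keys and the GitHub token is a fake string in the ghp_ format; none are live credentials).

```python
"""Added example: a minimal secret scanner of the kind used during OSINT
against public code repositories. Illustration code written for this page,
not any project's official tool; rules and thresholds are assumptions."""
import math
import re

# Constructed sample "repository" contents, made up for this example.
# The AWS values are Amazon's documented placeholder keys; the GitHub token
# is a fake string in the ghp_ format. None of them are live credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "src/client.py": (
        "import requests\n"
        "API_TOKEN = 'ghp_1234567890abcdefghijABCDEFGHIJ123456'\n"
        "def fetch():\n"
        "    return requests.get(URL, headers={'Authorization': API_TOKEN})\n"
    ),
    "README.md": "# Demo\nRun `make test` before pushing.\n",
}

# Service-specific rules: fixed prefixes that identify the credential type.
SPECIFIC_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Generic rule: a secret-looking variable name assigned a long quoted literal.
# Group 2 is the candidate value; it is reported only if its entropy is high,
# which filters out placeholders such as 'xxxxxxxxxxxxxxxxxxxx'.
GENERIC_RULE = re.compile(
    r"(?i)(secret|token|key|password|passwd)[a-z0-9_]*\s*[:=]\s*"
    r"['\"]([A-Za-z0-9/+=_\-]{20,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this demo


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to confirm a finding without copying it."""
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per secret-looking value in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # values already reported by a specific rule on this line
        for rule, pattern in SPECIFIC_RULES:
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "entropy": round(shannon_entropy(m.group(0)), 2),
                                 "value": redact(m.group(0))})
        for m in GENERIC_RULE.finditer(line):
            value = m.group(2)
            if value in seen:
                continue  # avoid double-reporting the same literal
            ent = shannon_entropy(value)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"file": path, "line": lineno,
                                 "rule": "generic-high-entropy",
                                 "entropy": round(ent, 2),
                                 "value": redact(value)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents and return all findings in order."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['rule']} "
              f"(entropy {f['entropy']}) {f['value']}")
```

Against the constructed sample, the scanner reports the AWS access key ID and the GitHub token via their prefix rules and the AWS secret key via the entropy rule, and it ignores the README. The same shape, a handful of prefix rules plus an entropy fallback, is what both attackers and defensive pre-commit hooks rely on; the difference is only who runs it first.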

From that baseline, the threat landscape diverges drastically based on where the attacker originates: external threat actors operate from outside the organization's network boundary, while internal threat actors operate from inside its logical or physical network boundary.

A network firewall acts as the security perimeter separating the public internet from the internal network, forming the primary logical barrier against external threat actors. By the same definition, it offers no protection against an internal threat actor who is already on the trusted side of it.