Blackwall Industries: Threat Watch
This dashboard provides an interactive analysis of modern cyber operations, summarizing key threat actors, their motivations, and common tactics. Use the navigation to explore detailed adversary profiles, cross-reference techniques, and understand strategic trends.
Adversaries by Suspected Origin
This chart shows the distribution of major documented threat actor groups based on their suspected national or ideological attribution. It highlights the significant presence of state-sponsored and organized eCrime syndicates in the current landscape.
Key Strategic Trends
The cyber threat landscape is constantly evolving. The following trends represent the most significant shifts in adversary behavior, impacting how organizations must approach defense. Click to learn more in the Strategic Insights section.
Nation-State & eCrime Convergence
The line between espionage and for-profit crime is blurring, with states adopting criminal tactics and criminal groups achieving state-level sophistication.
The Supply Chain as a Battlefield
Adversaries increasingly target software vendors and managed service providers to compromise many victims at once.
Abuse of Legitimate Infrastructure
Threat actors use trusted services like cloud storage for command and control to blend in with normal traffic and evade detection.
Adversary Parasitism & Symbiosis
Advanced groups are now hijacking the infrastructure and access of other threat actors to mask their own operations.
Adversary Explorer
Filter and search through the compendium of global threat actors. Select an adversary from the list to view their detailed operational playbook, including common tactics, techniques, and procedures (TTPs), preferred tooling, and known exploited vulnerabilities.
Adversary Operational Playbooks
This section provides an in-depth analysis of the TTPs, tooling, and exploits for each threat actor in the compendium. Use this as a reference to understand the specific methodologies employed by key global adversaries.
TTP Cross-Reference
Analyze the most common Tactics, Techniques, and Procedures (TTPs) used by adversaries across the globe. This visualization helps defenders prioritize controls by highlighting the most frequently observed attack methods. The size of each bubble corresponds to the technique's frequency.
Most Common MITRE ATT&CK® Techniques
This chart plots techniques based on their typical operational impact (Y-axis) and technical sophistication (X-axis). Bubble size indicates frequency of use across tracked groups. This helps prioritize defensive focus on common, high-impact, and advanced threats.
Disclaimer on TTP Scoring: The Impact and Sophistication scores are derived from a qualitative analysis model developed by Blackwall Industries. This model synthesizes data from public threat intelligence reporting, security vendor research, and official MITRE ATT&CK® documentation.
Impact is assessed based on the potential for business disruption, data destruction, or significant follow-on access. Sophistication is assessed based on the complexity, stealth, and resources required to execute the technique. These scores are intended for directional analysis and prioritization. For the most detailed and up-to-date information, please refer directly to the MITRE ATT&CK® website.
TTP Scoring Methodology
Our TTP Cross-Reference chart is designed to provide a rapid, visual method for prioritizing defensive actions. This is achieved through a qualitative scoring model that assesses each MITRE ATT&CK® technique along two axes: Impact and Sophistication. This page explains the logic behind our model.
The 'Impact' Score
The Impact score quantifies the potential damage a technique can inflict on a target organization. It answers the question: "If this technique succeeds, how bad will it be?" A high score indicates a technique that can lead to severe business disruption, financial loss, or data destruction, as defined in the Impact Tactic.
Key Factors
Data Destruction/Encryption: Can the technique render data or systems permanently unusable? (e.g., T1486: Data Encrypted for Impact)
Operational Disruption: Can it halt core business functions or critical infrastructure? (e.g., T1489: Service Stop)
The 'Sophistication' Score
The Sophistication score measures the level of technical skill, resources, and stealth required to successfully execute a technique. It answers: "How hard is this for an adversary to pull off?" A high score indicates a technique that is difficult to develop, requires specialized knowledge, and is often used by advanced, well-resourced threat actors.
The chart's quadrants provide a strategic framework for threat analysis and defensive prioritization:
Top-Left: Simple & High-Impact
These are "loud and damaging" techniques, like ransomware. They are less sophisticated but cause major disruption. Focus: Foundational cyber hygiene, robust backup and recovery, and rapid response.
Top-Right: Advanced & High-Impact
Techniques here are the domain of top-tier APTs. They are difficult to execute and detect, but catastrophic if successful. Focus: Advanced threat hunting, architecture resilience, and intelligence-driven detection.
Bottom-Left: Simple & Low-Impact
This is the "background noise" of the internet—common, low-level techniques often used for initial access. Focus: Automated alerting, endpoint detection, and blocking common attack vectors.
Bottom-Right: Advanced & Low-Impact
These are stealthy techniques used by patient adversaries for reconnaissance or persistence. They indicate a sophisticated threat, even if the immediate damage is low. Focus: Anomaly detection, network traffic analysis, and long-term log monitoring.
Actor Threat Level Score
Each adversary in the compendium is assigned a Threat Level score from 0 to 100 to provide a rapid, at-a-glance assessment of their potential danger. This score is not a definitive judgment but a weighted metric derived from their documented TTPs. It is calculated using the following formula:
This section details the overarching trends shaping the threat landscape and provides actionable recommendations for building a resilient, threat-informed defense posture. Understanding these strategic currents is crucial for anticipating future adversary behavior.
Historical Context: The Shoulders of Giants
The practice of modern threat intelligence stands on the foundation laid by pioneers of the security community. Understanding the history of vulnerability disclosure, particularly the role of the Bugtraq mailing list, is essential for appreciating the evolution of both cyber defense and the adversaries we track today.