Threat Actors and Motivations
The six actor types, profiled in depth
The overview gave you the three-axis model and a one-line profile per actor. This section is the deep dive: for each of the six types CompTIA names under objective 2.1[1], nation-state, unskilled attacker, hacktivist, insider threat, organized crime, and shadow IT, what defines it, what it can actually do, and the forensic signature it tends to leave. Read this so that, given a scenario, you can do more than recite the label: you can predict the behavior the rest of the exam will describe. The cleanest way to hold all six in mind is to split them by where they sit relative to your trust boundary, the figure groups the four external adversaries apart from the two internal conditions, because that single split decides which control fails first.
Nation-state actor (APT)
NIST defines an advanced persistent threat as "an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors ... to ... establish and extend its presence ... continually exfiltrating information and/or to undermine or impede critical aspects of a mission ... repeatedly over an extended period of time, adapting to a defender's efforts to resist it"[2]. Unpack that definition because the exam tests every clause of it: sophisticated expertise (writes custom malware and burns zero-day exploits), significant resources (government funding, full-time operators), multiple vectors (phishing plus physical plus supply-chain), extended period (long dwell time, months of undetected residence, not a smash-and-grab), and adapts to defenders (re-tools when caught rather than giving up). "APT" and "nation-state" are used interchangeably on SY0-701; the distinguishing motives are espionage and war. The exam tell is the combination of patient, well-funded, custom/zero-day tooling, and long undetected presence in one stem.
Organized crime
A well-funded, capable, external group whose purpose is profit, not statecraft. This is the ransomware-as-a-business and large-scale-fraud profile: it may rival a nation-state in resourcing and operational discipline (it can buy zero-days and run affiliate programs) but its motivations are financial gain, blackmail/extortion, and selling exfiltrated data. The discriminator versus a nation-state is the motive in the stem: if the goal is money, it is organized crime; if the goal is intelligence or strategic disruption, it is a nation-state, even when the techniques look identical.
Hacktivist
Defined by cause, not by budget or skill. A hacktivist acts on philosophical or political beliefs and seeks to disrupt, embarrass, or publicize, common techniques are website defacement, data leaks meant to expose, and DDoS to silence a target. Sophistication varies widely (from coordinated skilled collectives to point-and-click participants), so never infer hacktivist from skill level; infer it from a stated ideological or political motive plus a public, attention-seeking outcome.
Insider threat
NIST defines this as "the threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation"[3]. Two exam-critical clauses: (1) authorized access, the defining attribute is that the actor is already legitimately inside, so it bypasses the perimeter and most network-edge controls; (2) wittingly or unwittingly, an insider threat includes both the malicious employee (revenge, financial gain, espionage) and the careless one who clicks a phish or misconfigures a share with no ill intent. The advantage an insider brings is trust and placement, not technical skill, a single authorized copy to a USB drive can be a major insider incident with zero sophistication.
Unskilled attacker
The term SY0-701 uses in place of the older 'script kiddie': a low-capability actor who runs tools, scripts, and exploits written by others without understanding the internals. Low sophistication does not mean low impact, a borrowed but potent tool (a leaked ransomware builder, a public Metasploit module against an unpatched CVE) can still cause serious damage. Motives skew toward chaos/disruption, notoriety, or opportunistic financial gain. The exam tell is language like "used a downloaded tool," "followed an online tutorial," or "did not appear to understand the exploit."
Shadow IT
The odd one out: shadow IT is not a person who attacks you. It is hardware, software, or cloud services deployed inside the organization without IT/security approval, an employee spinning up an unsanctioned SaaS app, a department's rogue cloud account, an unauthorized wireless access point. The harm is that these assets are unmanaged, unpatched, and invisible to defenders, so they widen the attack surface and escape monitoring. Treat shadow IT as a self-inflicted risk condition, and remember the actual adversary is whoever later exploits the unmanaged asset.
Attributes and motivations: the disambiguators
Type alone rarely settles a scenario; SY0-701 objective 2.1 makes you reason from attributes and motivations too. This section drills the two axes the overview only sketched, because the exam's hardest items are the ones where two actor types share a technique and you must pick using attributes and motive.
The attribute axis, precisely
Three attributes appear on the objectives[1], and the figure ranks the actors along the two graded ones:
- Internal vs. external. Internal means the actor already holds authorized access from inside the trust boundary (the defining trait of an insider threat, and the condition shadow IT creates). External means the actor must first breach the perimeter (nation-states, organized crime, hacktivists, most unskilled attackers). This attribute changes the first control that fails: an external actor is stopped by edge controls; an insider sails past them and is caught only by least privilege, separation of duties, and behavior analytics (UEBA).
- Resources / funding. This is the budget and manpower behind the actor and it tracks with sustained, complex operations. Very high (nation-state) and high (organized crime) at the top; low (unskilled attacker) at the bottom; hacktivists range low-to-moderate. Funding is what buys zero-days, full-time operators, and the patience for long dwell times.
- Sophistication / capability. The technical skill and tooling maturity. Highest for nation-states (custom zero-days), high for organized crime, lowest for the unskilled attacker (borrows others' tools). Critically, resources and sophistication usually track together at the top but do not for the unskilled attacker (low skill yet potentially high impact via borrowed tools), and a sophisticated actor may deliberately use crude tools for deniability, so high impact never proves high skill.
The motivation catalog, mapped to actors
Objective 2.1 enumerates the motivations explicitly, and each biases toward a likely actor, the motive is frequently the single strongest disambiguator:
| Motivation | Most-implied actor(s) | Why |
|---|---|---|
| Data exfiltration | Nation-state (intel) or organized crime (resale) | Whose benefit (strategic vs. profit) picks between them |
| Espionage | Nation-state | Stealing secrets for strategic advantage |
| Service disruption | Hacktivist, nation-state | DDoS/defacement to silence, or strategic sabotage |
| Blackmail | Organized crime | Extortion / ransomware leak-threats for money |
| Financial gain | Organized crime (also opportunistic unskilled / insider) | Profit motive |
| Philosophical / political beliefs | Hacktivist | Ideology-driven, attention-seeking |
| Ethical | Penetration tester / bug-bounty researcher | Authorized, lawful, NOT an adversary |
| Revenge | Insider threat | Disgruntled employee abusing access |
| Disruption / chaos | Unskilled attacker, hacktivist | Notoriety or ideological noise |
| War | Nation-state | State-on-state cyber operations |
Two motivations are recurring traps. 'Ethical' is the lawful intent of an authorized tester operating under rules of engagement, it is a motive in the list but it maps to a sanctioned researcher, never to a malicious actor or an incident to contain. 'Financial gain' is over-attributed to organized crime when the stem actually points elsewhere (a disgruntled insider selling data acts for financial gain too), always combine motive with the internal/external attribute before committing.
Exam-pattern recognition for objective 2.1
Domain 2 (Threats, Vulnerabilities, and Mitigations) is 22% of the scored SY0-701 exam[1], the second-heaviest domain, and threat-actor items follow a small set of repeatable shapes. Naming the shape lets you answer on recognition. Scope note: this objective is about who and why; the how (phishing, malware, specific vulnerabilities, log indicators) belongs to the sibling subtopics, so do not let a vivid attack technique pull you into answering a different objective.
Pattern 1: "Which threat actor is this?"
The stem narrates an incident and the options are actor types. Do not classify from the technique; classify from access + resources + sophistication + motive together. Run the three-axis check: is the actor internal or external? How well-resourced and skilled does the stem say it is? What is the stated motive? Then pick the type all clues converge on. The classic trap is a low-skill action attributed to a high-tier actor (a nation-state running a simple command for deniability) or a sophisticated outcome attributed to an unskilled attacker, weigh every clue, not the flashiest one.
Pattern 2: "Nation-state vs. organized crime" (same techniques, different motive)
Both are external, well-funded, and capable, so, as the actor profiles above established, the technique cannot separate them and only the motive does. The pattern-specific tell is what the stem stresses: patience and stealth over months with no monetization leans nation-state even if no payment is mentioned, whereas ransom, fraud, or resale leans organized crime.
Pattern 3: "Insider vs. external attacker"
The single decisive word is access: if the actor already holds legitimate, authorized access (employee, contractor, partner), it is an insider threat, including the careless employee, since the NIST clause from the actor profiles above covers wittingly or unwittingly[3] misuse, regardless of how unsophisticated the act is. A simple authorized copy to removable media counts. The right mitigations for this pattern are least privilege, separation of duties, mandatory vacations / job rotation, and user-behavior analytics, not perimeter firewalls, which the insider bypasses.
Pattern 4: "Is this even an attacker?" (shadow IT and 'ethical')
Two entries on the objective look like answers but are not adversaries, as the profiles above explained: shadow IT is unsanctioned, unmanaged assets the organization itself introduced, and the 'ethical' motive describes an authorized tester under rules of engagement. The pattern-specific move is reading what the stem actually asks: shadow IT is the wrong pick for "which threat actor" unless the question targets the internally created risk that widened the attack surface, and its response is discovery, asset inventory, and policy, not incident containment; a scoped, sanctioned test points to a legitimate researcher with no incident to contain.
Pattern 5: "Pick the BEST mitigation for THIS actor"
The stem fixes an actor and asks for the control. Chain actor → its defining attribute → the control that addresses that attribute (the figure traces all four chains against the objective 2.1 actor list): insider threat → already inside → least privilege, separation of duties, UEBA; nation-state/APT → long dwell + custom tooling → defense in depth, threat hunting, and detective/behavioral controls (you cannot prevent a zero-day, so you must detect the residence); unskilled attacker → uses known public exploits → patch management and basic hardening close the borrowed tools' targets; shadow IT → unmanaged assets → asset discovery, inventory, and acceptable-use policy. The wrong answer is usually a perimeter-only control offered against an insider, or 'add another preventive control' offered against an APT where detection is the actual gap.
Threat actor types: typical resources, sophistication, location, and motivation
| Threat actor | Resources / funding | Sophistication | Internal / external | Typical motivation |
|---|---|---|---|---|
| Nation-state (APT) | Very high (government) | Highest: custom zero-days | External | Espionage, war, service disruption |
| Organized crime | High | High | External | Financial gain, blackmail, data exfiltration |
| Hacktivist | Low to moderate | Varies | External | Philosophical / political beliefs, disruption / chaos |
| Insider threat | Org's own resources (via access) | Varies | Internal | Revenge, financial gain, espionage; or unintentional |
| Unskilled attacker | Low | Lowest: uses others' tools | Usually external | Disruption / chaos, notoriety, financial gain |
| Shadow IT | Org's own (unsanctioned) | N/A: not an adversary | Internal | Convenience / productivity (introduces risk) |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Classify a threat actor on three axes, not one label
SY0-701 Objective 2.1 profiles every actor on three axes, not a single tag: the TYPE (nation-state, unskilled attacker, hacktivist, insider threat, organized crime, shadow IT), the ATTRIBUTES (internal vs. external, resources/funding, level of sophistication/capability), and the MOTIVATION. No one clue names the actor: weigh access, resources, and the stated motive together before choosing a type, because techniques alone overlap across categories.
Trap Naming the actor from a single signal such as a sophisticated tool, when objective 2.1 deliberately separates type, attributes, and motivation.
4 questions test this
- A security team is briefing executive leadership on two organizational risk categories. Which statement BEST distinguishes shadow IT from…
- A security analyst reviews two findings: (1) the marketing team has been uploading customer records to an unauthorized cloud design…
- A security team is evaluating organizational threats. Which statement BEST contrasts shadow IT and unskilled attackers as threat sources?
- A security analyst reviews two incidents: an employee installed an unauthorized wireless access point in a conference room, and an external…
- The nation-state profile is the APT: top resources, longest persistence
Nation-state is the actor type SY0-701 maps to the advanced persistent threat (APT) concept: not a synonym CompTIA lists, but the profile the term describes. NIST defines an APT as an adversary with sophisticated expertise and significant resources that uses multiple attack vectors to pursue its objectives repeatedly over an extended period, adapting to defenders. That means custom tooling, the highest funding and capability, and prolonged stealthy residence; the motivations are espionage and war.
Trap Treating APT as a kind of malware or a single named group, when the term describes the nation-state actor profile of sustained, well-resourced intrusion.
7 questions test this
- During an incident investigation, analysts discover custom zero-day exploits, purpose-built command-and-control infrastructure, and…
- An incident response team discovers a sophisticated implant on a government agency network that uses previously unknown vulnerabilities,…
- A security team is assessing two threat groups. Group A receives government funding, operates dedicated research teams, and targets foreign…
- A threat intelligence analyst is profiling a newly identified threat group. The group's campaigns consistently target government agencies…
- A threat intelligence report describes a group with dedicated research teams that independently discover zero-day vulnerabilities and…
- During an incident investigation, a security team discovers that attackers compromised a pharmaceutical company, maintained covert access…
- A security analyst reviews indicators of compromise from an intrusion at a government defense contractor. The attackers used custom…
- Resources and sophistication rise together at the top tier
For top-tier actors, funding and technical capability move together: nation-states carry the highest resources and sophistication, and organized crime is high on both. The standout exception is the unskilled attacker: low capability that can still inflict high impact by running a borrowed, potent tool, so capability and impact are not the same axis.
Trap Reading high impact as proof of high sophistication, when a low-skill actor wielding a powerful off-the-shelf tool produces the same damage.
- Low sophistication never proves a low-tier actor
Sophistication is a weak identifier on its own: a capable actor may deliberately use crude, commodity tooling for deniability, and an insider may need only a single simple command. High impact does not prove high skill and a low-skill action does not prove an unskilled attacker: the access and the motive carry as much weight as the technique.
Trap Labeling any crude or low-skill action an unskilled attacker, when a capable actor may choose commodity tooling for deniability.
- Organized crime is profit-driven, not statecraft
Organized crime is external, well-funded, and capable, but its defining motivation is money: financial gain, blackmail/extortion, and selling exfiltrated data, the ransomware-as-a-business profile. When its techniques resemble a nation-state's, the discriminator is money versus intelligence: a profit motive points to organized crime, a strategic/espionage motive to a state actor.
Trap Calling a polished, well-resourced intrusion a nation-state attack, when a financial-gain or extortion motive marks it as organized crime.
5 questions test this
- A hospital's incident response team determines that external attackers gained access through a known unpatched VPN vulnerability, deployed…
- A security team is assessing two threat groups. Group A receives government funding, operates dedicated research teams, and targets foreign…
- A cybercriminal group deploys ransomware against hospitals, universities, and retail chains across multiple countries within a single…
- An incident response team investigates an attack where threat actors compromised a hospital network using a publicly available exploit kit,…
- A retail company processes millions of credit card transactions annually but holds no government contracts or classified data. Which threat…
- Hacktivist is defined by cause, not budget or skill
A hacktivist is driven by philosophical or political belief and aims to disrupt, embarrass, or publicize: defacement, data leaks, DDoS. Sophistication and funding vary widely across hacktivists, so infer the type from an ideological/political motive plus a public, attention-seeking outcome, never from skill or resource level.
Trap Ruling out a hacktivist because the operation looked unsophisticated or low-budget, when the cause-driven motive is the defining attribute.
3 questions test this
- An external group launches a distributed denial-of-service attack against a corporation's public website to protest its environmental…
- An external group with no organizational affiliation launches a DDoS attack against a corporation's public website and publishes a…
- A group of activists who oppose a government surveillance program deface several government agency websites, posting messages condemning…
- Insider threat is defined by authorized access
An insider threat is anyone with legitimate, authorized access (employee, contractor, or partner) who uses it to harm the organization. NIST's definition turns on that access being used wittingly or unwittingly, so the defining trait is internal placement that bypasses the perimeter, not technical skill or malicious intent.
Trap Limiting the insider category to direct employees, when contractors and partners holding authorized access also qualify.
6 questions test this
- A security investigation reveals that proprietary engineering designs were leaked to a public forum alongside a political statement…
- A software developer at a defense contractor, personally opposed to the company's weapons programs, copies sensitive project documents and…
- An employee at a defense contractor copies classified documents and leaks them to journalists because the employee believes the government…
- A risk assessment team is comparing the characteristics of insider threats versus hacktivists for an enterprise risk profile. Which…
- An organization suspects a disgruntled employee is exfiltrating proprietary data, but no anomalies appear in firewall logs or IDS alerts.…
- A recently terminated database administrator uses credentials that were not deprovisioned to log in remotely and delete critical customer…
- Insider threats include the careless, not just the malicious
NIST's insider-threat definition covers both witting and unwitting misuse of authorized access, so an employee who clicks a phish or misconfigures a share is an insider-threat exposure even with no ill intent. Malicious insiders add deliberate motives (revenge, financial gain, and espionage) but intent is not required for the category to apply.
Trap Restricting insider threat to disgruntled, deliberate sabotage, when NIST explicitly includes the unwitting, negligent employee.
- Unskilled attacker is SY0-701's term for 'script kiddie'
SY0-701 retires 'script kiddie' and uses 'unskilled attacker' for the low-capability actor who runs tools, scripts, and exploits written by others without understanding the internals. Borrowed tooling can still cause serious damage, so the low skill level does not bound the impact.
Trap Looking for the term 'script kiddie' on the exam, when SY0-701's objective list names this actor 'unskilled attacker.'
5 questions test this
- Firewall logs reveal repeated automated scans from a single external IP address using a widely available open-source vulnerability scanner…
- A security analyst reviews IDS logs and discovers an external IP address running automated SQL injection attacks against multiple…
- A teenager downloads a freely available exploit script from a hacking forum and runs it against a random small business website to impress…
- A security analyst is comparing the risks introduced by shadow IT and unskilled attackers. Which statement BEST differentiates these two…
- A security analyst observes an external IP address running a well-known vulnerability scanning script with default settings against the…
- Shadow IT is a risk condition, not an adversary
Shadow IT is hardware, software, or cloud services deployed inside the organization without IT/security approval: unmanaged, unpatched, and invisible to defenders. SY0-701 lists it among threat actors, but it is a self-inflicted exposure the org creates rather than a hostile person; the actual attacker is whoever later exploits the unmanaged asset.
Trap Picturing shadow IT as an external attacker, when it is an internal, unapproved deployment that merely creates the opening.
7 questions test this
- An IT audit reveals that several departments independently deployed unapproved SaaS applications storing company data outside the…
- A marketing department subscribes to an unapproved cloud file-sharing service to meet a project deadline without notifying the IT…
- A security analyst is comparing the risks introduced by shadow IT and unskilled attackers. Which statement BEST differentiates these two…
- Several departments store sensitive customer records in personal cloud accounts that the IT department has not approved or assessed. Which…
- An organization discovers that employees in several departments have been uploading proprietary product designs to personal cloud storage…
- An organization discovers that multiple employees have been using personal cloud storage accounts to share work documents containing…
- A risk assessment identifies both shadow IT usage and external unskilled attacker probing as active threats. Which characteristic MOST…
- Internal vs. external decides which control fails first
The internal/external attribute determines which control breaks first: an external actor is meant to be stopped at the edge, while an internal (insider) actor sails past the perimeter and is caught only by least privilege, separation of duties, and user-behavior analytics (UEBA). Mapping the attribute to the failing layer is what 'best control' questions test.
Trap Reaching for a firewall or perimeter control to stop an insider, when an internal actor is already past the edge and is checked by least privilege and UEBA.
- Motivation is the strongest disambiguator between actors
When two actor types share a technique, the stated motivation usually decides between them: espionage or war points to a nation-state; financial gain, blackmail, or data resale to organized crime; philosophical/political belief to a hacktivist; revenge to a disgruntled insider. SY0-701 lists these as distinct objective-2.1 motivations precisely so they can separate look-alike actors.
Trap Picking the actor from the shared technique, when the stated motivation is the field that separates look-alike actors.
- Data exfiltration splits by who benefits from the stolen data
Data exfiltration is an objective-2.1 motivation that maps to more than one actor, so it disambiguates by beneficiary: stealing for strategic intelligence implies a nation-state, while stealing to sell or extort implies organized crime. Use statecraft versus profit, not the act of exfiltration itself, to pick between them.
Trap Treating data exfiltration as a single-actor signal, when the beneficiary (strategic intelligence versus profit) decides between nation-state and organized crime.
- 'Ethical' is the authorized tester's motivation, not an attack
The 'ethical' motivation in objective 2.1 describes a penetration tester or bug-bounty researcher operating under rules of engagement: lawful and sanctioned activity. Never map it to a malicious actor or treat the activity as an incident to contain; it is listed to be contrasted with hostile motives, not grouped with them.
Trap Treating authorized, ethical testing as a breach to escalate, when it is sanctioned work performed under rules of engagement.
- Match the mitigation to the actor's defining attribute
Best-control questions chain actor to attribute to control: insider (already inside) maps to least privilege, separation of duties, and UEBA; nation-state/APT (long dwell, custom exploits) to defense in depth and detective/behavioral controls; unskilled attacker (known public exploits) to patch management and hardening; shadow IT (unmanaged assets) to asset discovery, inventory, and acceptable-use policy. The control follows from the attribute, not the actor's name.
Trap Choosing the control by the actor's name, when the defining attribute (already-inside, long dwell, public exploit, unmanaged asset) dictates the best control.
- Nation-states may run financial crime to fund their missions
Although nation-state actors are defined by strategic and espionage objectives, some (notably DPRK-linked groups) also run financially motivated operations such as cryptocurrency theft and even ransomware-as-a-service to fund those missions or mask intelligence-gathering. A financial-gain signal therefore does not by itself rule out a state-sponsored actor; weigh it against targeting and strategic intent.
Trap Ruling out a nation-state the moment a financial motive appears, when state-sponsored groups also run profit operations to fund or mask their missions.
4 questions test this
- Threat intelligence analysts determine that a state-sponsored group has been stealing cryptocurrency to fund its primary mission of…
- A threat intelligence briefing reveals that a government-backed cyber group steals cryptocurrency to fund its primary espionage mission…
- A threat intelligence report describes a group that primarily conducts espionage against foreign governments while also stealing…
- Analysts investigating a breach discover that attackers first quietly exfiltrated defense-related documents from a government contractor,…
- RaaS splits the operator who builds from the affiliate who deploys
Ransomware-as-a-Service is a division-of-labor model: an operator develops and maintains the payload, payment portal, and data-leak site, while affiliates rent those tools (often buying initial network access from access brokers) and carry out the actual intrusions. The affiliate keeps the majority of each ransom and the operator takes a cut (commonly ~30-40%), so the group that deploys ransomware against a target is the affiliate, not the developer.
Trap Attributing the intrusion to the ransomware developer, when under RaaS the affiliate is the party that selects the target and deploys the payload.
5 questions test this
- A criminal group develops ransomware payloads, maintains leak sites, and provides ransom negotiation portals. External cybercriminals…
- A threat intelligence report describes a criminal ecosystem where one group develops ransomware payloads and infrastructure, a second group…
- A threat intelligence report describes a cybercriminal operation where one group develops ransomware payloads and maintains victim payment…
- A cybersecurity investigation reveals that one criminal group developed the ransomware payload, a separate group sold stolen VPN…
- A security analyst investigating a ransomware incident discovers that the attackers obtained the encryption payload, payment portal, and…