Domain 2 of 5 · Chapter 1 of 6

Threat Actors and Motivations

The six actor types, profiled in depth

The overview gave you the three-axis model and a one-line profile per actor. This section is the deep dive: for each of the six types CompTIA names under objective 2.1[1], nation-state, unskilled attacker, hacktivist, insider threat, organized crime, and shadow IT, what defines it, what it can actually do, and the forensic signature it tends to leave. Read this so that, given a scenario, you can do more than recite the label: you can predict the behavior the rest of the exam will describe. The cleanest way to hold all six in mind is to split them by where they sit relative to your trust boundary, the figure groups the four external adversaries apart from the two internal conditions, because that single split decides which control fails first.

Nation-state actor (APT)

NIST defines an advanced persistent threat as "an adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors ... to ... establish and extend its presence ... continually exfiltrating information and/or to undermine or impede critical aspects of a mission ... repeatedly over an extended period of time, adapting to a defender's efforts to resist it"[2]. Unpack that definition because the exam tests every clause of it: sophisticated expertise (writes custom malware and burns zero-day exploits), significant resources (government funding, full-time operators), multiple vectors (phishing plus physical plus supply-chain), extended period (long dwell time, months of undetected residence, not a smash-and-grab), and adapts to defenders (re-tools when caught rather than giving up). "APT" and "nation-state" are used interchangeably on SY0-701; the distinguishing motives are espionage and war. The exam tell is the combination of patient, well-funded, custom/zero-day tooling, and long undetected presence in one stem.

Organized crime

A well-funded, capable, external group whose purpose is profit, not statecraft. This is the ransomware-as-a-business and large-scale-fraud profile: it may rival a nation-state in resourcing and operational discipline (it can buy zero-days and run affiliate programs) but its motivations are financial gain, blackmail/extortion, and selling exfiltrated data. The discriminator versus a nation-state is the motive in the stem: if the goal is money, it is organized crime; if the goal is intelligence or strategic disruption, it is a nation-state, even when the techniques look identical.

Hacktivist

Defined by cause, not by budget or skill. A hacktivist acts on philosophical or political beliefs and seeks to disrupt, embarrass, or publicize, common techniques are website defacement, data leaks meant to expose, and DDoS to silence a target. Sophistication varies widely (from coordinated skilled collectives to point-and-click participants), so never infer hacktivist from skill level; infer it from a stated ideological or political motive plus a public, attention-seeking outcome.

Insider threat

NIST defines this as "the threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation"[3]. Two exam-critical clauses: (1) authorized access, the defining attribute is that the actor is already legitimately inside, so it bypasses the perimeter and most network-edge controls; (2) wittingly or unwittingly, an insider threat includes both the malicious employee (revenge, financial gain, espionage) and the careless one who clicks a phish or misconfigures a share with no ill intent. The advantage an insider brings is trust and placement, not technical skill, a single authorized copy to a USB drive can be a major insider incident with zero sophistication.

Unskilled attacker

The term SY0-701 uses in place of the older 'script kiddie': a low-capability actor who runs tools, scripts, and exploits written by others without understanding the internals. Low sophistication does not mean low impact, a borrowed but potent tool (a leaked ransomware builder, a public Metasploit module against an unpatched CVE) can still cause serious damage. Motives skew toward chaos/disruption, notoriety, or opportunistic financial gain. The exam tell is language like "used a downloaded tool," "followed an online tutorial," or "did not appear to understand the exploit."

Shadow IT

The odd one out: shadow IT is not a person who attacks you. It is hardware, software, or cloud services deployed inside the organization without IT/security approval, an employee spinning up an unsanctioned SaaS app, a department's rogue cloud account, an unauthorized wireless access point. The harm is that these assets are unmanaged, unpatched, and invisible to defenders, so they widen the attack surface and escape monitoring. Treat shadow IT as a self-inflicted risk condition, and remember the actual adversary is whoever later exploits the unmanaged asset.

Threat actor types objective 2.1, grouped by trust boundary External (must breach the perimeter) Nation-state (APT) espionage, war; patient, custom tooling Organized crime profit: ransomware, fraud, data resale Hacktivist defined by cause, not budget Unskilled attacker runs others' tools; low skill, real impact Internal (already inside or self-introduced) Insider threat already authorized inside; witting or unwitting Shadow IT unsanctioned, unmanaged assets; a risk condition, not a person Shadow IT is the odd one out: it widens the attack surface rather than attacking you.
The six objective-2.1 actor types grouped by trust boundary: four external adversaries vs. two internal conditions (insider threat, shadow IT).

Attributes and motivations: the disambiguators

Type alone rarely settles a scenario; SY0-701 objective 2.1 makes you reason from attributes and motivations too. This section drills the two axes the overview only sketched, because the exam's hardest items are the ones where two actor types share a technique and you must pick using attributes and motive.

The attribute axis, precisely

Three attributes appear on the objectives[1], and the figure ranks the actors along the two graded ones:

  • Internal vs. external. Internal means the actor already holds authorized access from inside the trust boundary (the defining trait of an insider threat, and the condition shadow IT creates). External means the actor must first breach the perimeter (nation-states, organized crime, hacktivists, most unskilled attackers). This attribute changes the first control that fails: an external actor is stopped by edge controls; an insider sails past them and is caught only by least privilege, separation of duties, and behavior analytics (UEBA).
  • Resources / funding. This is the budget and manpower behind the actor and it tracks with sustained, complex operations. Very high (nation-state) and high (organized crime) at the top; low (unskilled attacker) at the bottom; hacktivists range low-to-moderate. Funding is what buys zero-days, full-time operators, and the patience for long dwell times.
  • Sophistication / capability. The technical skill and tooling maturity. Highest for nation-states (custom zero-days), high for organized crime, lowest for the unskilled attacker (borrows others' tools). Critically, resources and sophistication usually track together at the top but do not for the unskilled attacker (low skill yet potentially high impact via borrowed tools), and a sophisticated actor may deliberately use crude tools for deniability, so high impact never proves high skill.

The motivation catalog, mapped to actors

Objective 2.1 enumerates the motivations explicitly, and each biases toward a likely actor, the motive is frequently the single strongest disambiguator:

Motivation Most-implied actor(s) Why
Data exfiltration Nation-state (intel) or organized crime (resale) Whose benefit (strategic vs. profit) picks between them
Espionage Nation-state Stealing secrets for strategic advantage
Service disruption Hacktivist, nation-state DDoS/defacement to silence, or strategic sabotage
Blackmail Organized crime Extortion / ransomware leak-threats for money
Financial gain Organized crime (also opportunistic unskilled / insider) Profit motive
Philosophical / political beliefs Hacktivist Ideology-driven, attention-seeking
Ethical Penetration tester / bug-bounty researcher Authorized, lawful, NOT an adversary
Revenge Insider threat Disgruntled employee abusing access
Disruption / chaos Unskilled attacker, hacktivist Notoriety or ideological noise
War Nation-state State-on-state cyber operations

Two motivations are recurring traps. 'Ethical' is the lawful intent of an authorized tester operating under rules of engagement, it is a motive in the list but it maps to a sanctioned researcher, never to a malicious actor or an incident to contain. 'Financial gain' is over-attributed to organized crime when the stem actually points elsewhere (a disgruntled insider selling data acts for financial gain too), always combine motive with the internal/external attribute before committing.

Resources / funding Sophistication / capability Nation-state, very high Organized crime, high Hacktivist, low-to-moderate Unskilled attacker, low Nation-state, highest Organized crime, high Hacktivist, varies Unskilled attacker, lowest The two axes track together at the top, but split at the bottom: the unskilled attacker is low on both yet can still be high-impact via borrowed tools, so high impact never proves high skill.
Resources and sophistication track together at the top but split at the bottom: the unskilled attacker is low-skill yet potentially high-impact.

Exam-pattern recognition for objective 2.1

Domain 2 (Threats, Vulnerabilities, and Mitigations) is 22% of the scored SY0-701 exam[1], the second-heaviest domain, and threat-actor items follow a small set of repeatable shapes. Naming the shape lets you answer on recognition. Scope note: this objective is about who and why; the how (phishing, malware, specific vulnerabilities, log indicators) belongs to the sibling subtopics, so do not let a vivid attack technique pull you into answering a different objective.

Pattern 1: "Which threat actor is this?"

The stem narrates an incident and the options are actor types. Do not classify from the technique; classify from access + resources + sophistication + motive together. Run the three-axis check: is the actor internal or external? How well-resourced and skilled does the stem say it is? What is the stated motive? Then pick the type all clues converge on. The classic trap is a low-skill action attributed to a high-tier actor (a nation-state running a simple command for deniability) or a sophisticated outcome attributed to an unskilled attacker, weigh every clue, not the flashiest one.

Pattern 2: "Nation-state vs. organized crime" (same techniques, different motive)

Both are external, well-funded, and capable, so, as the actor profiles above established, the technique cannot separate them and only the motive does. The pattern-specific tell is what the stem stresses: patience and stealth over months with no monetization leans nation-state even if no payment is mentioned, whereas ransom, fraud, or resale leans organized crime.

Pattern 3: "Insider vs. external attacker"

The single decisive word is access: if the actor already holds legitimate, authorized access (employee, contractor, partner), it is an insider threat, including the careless employee, since the NIST clause from the actor profiles above covers wittingly or unwittingly[3] misuse, regardless of how unsophisticated the act is. A simple authorized copy to removable media counts. The right mitigations for this pattern are least privilege, separation of duties, mandatory vacations / job rotation, and user-behavior analytics, not perimeter firewalls, which the insider bypasses.

Pattern 4: "Is this even an attacker?" (shadow IT and 'ethical')

Two entries on the objective look like answers but are not adversaries, as the profiles above explained: shadow IT is unsanctioned, unmanaged assets the organization itself introduced, and the 'ethical' motive describes an authorized tester under rules of engagement. The pattern-specific move is reading what the stem actually asks: shadow IT is the wrong pick for "which threat actor" unless the question targets the internally created risk that widened the attack surface, and its response is discovery, asset inventory, and policy, not incident containment; a scoped, sanctioned test points to a legitimate researcher with no incident to contain.

Pattern 5: "Pick the BEST mitigation for THIS actor"

The stem fixes an actor and asks for the control. Chain actor → its defining attribute → the control that addresses that attribute (the figure traces all four chains against the objective 2.1 actor list): insider threat → already inside → least privilege, separation of duties, UEBA; nation-state/APT → long dwell + custom tooling → defense in depth, threat hunting, and detective/behavioral controls (you cannot prevent a zero-day, so you must detect the residence); unskilled attacker → uses known public exploits → patch management and basic hardening close the borrowed tools' targets; shadow IT → unmanaged assets → asset discovery, inventory, and acceptable-use policy. The wrong answer is usually a perimeter-only control offered against an insider, or 'add another preventive control' offered against an APT where detection is the actual gap.

Actor Defining attribute Best control family Insider threat Already inside Least privilege, separation of duties, UEBA Nation-state (APT) Long dwell + custom tooling Defense in depth, threat hunting, detective controls Unskilled attacker Uses known public exploits Patch management, basic hardening Shadow IT Unmanaged assets Asset discovery, inventory, acceptable-use policy The control follows from the attribute, not the actor's name: match the failing layer, never default to a perimeter or preventive control.
Best-mitigation chain: each actor maps through its defining attribute to the control family, insider to least privilege/UEBA, APT to detection, shadow IT to asset discovery.

Threat actor types: typical resources, sophistication, location, and motivation

Threat actorResources / fundingSophisticationInternal / externalTypical motivation
Nation-state (APT)Very high (government)Highest: custom zero-daysExternalEspionage, war, service disruption
Organized crimeHighHighExternalFinancial gain, blackmail, data exfiltration
HacktivistLow to moderateVariesExternalPhilosophical / political beliefs, disruption / chaos
Insider threatOrg's own resources (via access)VariesInternalRevenge, financial gain, espionage; or unintentional
Unskilled attackerLowLowest: uses others' toolsUsually externalDisruption / chaos, notoriety, financial gain
Shadow ITOrg's own (unsanctioned)N/A: not an adversaryInternalConvenience / productivity (introduces risk)

Decision tree

Authorized access from inside the trust boundary? Yes (internal) Insider threat witting or unwitting No (external) Driven by ideology / political cause? Yes Hacktivist disrupt / expose / DDoS No Motive = money (ransom / fraud / resale)? Yes Organized crime well funded, high skill No Espionage / war, highest resources? Yes Nation-state (APT) custom zero-days, long dwell No Unskilled uses others' tools Note: shadow IT is unsanctioned, unmanaged assets the org introduced — a self-inflicted risk condition, not an attacker to classify here.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify a threat actor on three axes, not one label

SY0-701 Objective 2.1 profiles every actor on three axes, not a single tag: the TYPE (nation-state, unskilled attacker, hacktivist, insider threat, organized crime, shadow IT), the ATTRIBUTES (internal vs. external, resources/funding, level of sophistication/capability), and the MOTIVATION. No one clue names the actor: weigh access, resources, and the stated motive together before choosing a type, because techniques alone overlap across categories.

Trap Naming the actor from a single signal such as a sophisticated tool, when objective 2.1 deliberately separates type, attributes, and motivation.

4 questions test this
The nation-state profile is the APT: top resources, longest persistence

Nation-state is the actor type SY0-701 maps to the advanced persistent threat (APT) concept: not a synonym CompTIA lists, but the profile the term describes. NIST defines an APT as an adversary with sophisticated expertise and significant resources that uses multiple attack vectors to pursue its objectives repeatedly over an extended period, adapting to defenders. That means custom tooling, the highest funding and capability, and prolonged stealthy residence; the motivations are espionage and war.

Trap Treating APT as a kind of malware or a single named group, when the term describes the nation-state actor profile of sustained, well-resourced intrusion.

7 questions test this
Resources and sophistication rise together at the top tier

For top-tier actors, funding and technical capability move together: nation-states carry the highest resources and sophistication, and organized crime is high on both. The standout exception is the unskilled attacker: low capability that can still inflict high impact by running a borrowed, potent tool, so capability and impact are not the same axis.

Trap Reading high impact as proof of high sophistication, when a low-skill actor wielding a powerful off-the-shelf tool produces the same damage.

2 questions test this
Low sophistication never proves a low-tier actor

Sophistication is a weak identifier on its own: a capable actor may deliberately use crude, commodity tooling for deniability, and an insider may need only a single simple command. High impact does not prove high skill and a low-skill action does not prove an unskilled attacker: the access and the motive carry as much weight as the technique.

Trap Labeling any crude or low-skill action an unskilled attacker, when a capable actor may choose commodity tooling for deniability.

Organized crime is profit-driven, not statecraft

Organized crime is external, well-funded, and capable, but its defining motivation is money: financial gain, blackmail/extortion, and selling exfiltrated data, the ransomware-as-a-business profile. When its techniques resemble a nation-state's, the discriminator is money versus intelligence: a profit motive points to organized crime, a strategic/espionage motive to a state actor.

Trap Calling a polished, well-resourced intrusion a nation-state attack, when a financial-gain or extortion motive marks it as organized crime.

5 questions test this
Hacktivist is defined by cause, not budget or skill

A hacktivist is driven by philosophical or political belief and aims to disrupt, embarrass, or publicize: defacement, data leaks, DDoS. Sophistication and funding vary widely across hacktivists, so infer the type from an ideological/political motive plus a public, attention-seeking outcome, never from skill or resource level.

Trap Ruling out a hacktivist because the operation looked unsophisticated or low-budget, when the cause-driven motive is the defining attribute.

3 questions test this
Insider threat is defined by authorized access

An insider threat is anyone with legitimate, authorized access (employee, contractor, or partner) who uses it to harm the organization. NIST's definition turns on that access being used wittingly or unwittingly, so the defining trait is internal placement that bypasses the perimeter, not technical skill or malicious intent.

Trap Limiting the insider category to direct employees, when contractors and partners holding authorized access also qualify.

6 questions test this
Insider threats include the careless, not just the malicious

NIST's insider-threat definition covers both witting and unwitting misuse of authorized access, so an employee who clicks a phish or misconfigures a share is an insider-threat exposure even with no ill intent. Malicious insiders add deliberate motives (revenge, financial gain, and espionage) but intent is not required for the category to apply.

Trap Restricting insider threat to disgruntled, deliberate sabotage, when NIST explicitly includes the unwitting, negligent employee.

1 question tests this
Unskilled attacker is SY0-701's term for 'script kiddie'

SY0-701 retires 'script kiddie' and uses 'unskilled attacker' for the low-capability actor who runs tools, scripts, and exploits written by others without understanding the internals. Borrowed tooling can still cause serious damage, so the low skill level does not bound the impact.

Trap Looking for the term 'script kiddie' on the exam, when SY0-701's objective list names this actor 'unskilled attacker.'

5 questions test this
Shadow IT is a risk condition, not an adversary

Shadow IT is hardware, software, or cloud services deployed inside the organization without IT/security approval: unmanaged, unpatched, and invisible to defenders. SY0-701 lists it among threat actors, but it is a self-inflicted exposure the org creates rather than a hostile person; the actual attacker is whoever later exploits the unmanaged asset.

Trap Picturing shadow IT as an external attacker, when it is an internal, unapproved deployment that merely creates the opening.

7 questions test this
Internal vs. external decides which control fails first

The internal/external attribute determines which control breaks first: an external actor is meant to be stopped at the edge, while an internal (insider) actor sails past the perimeter and is caught only by least privilege, separation of duties, and user-behavior analytics (UEBA). Mapping the attribute to the failing layer is what 'best control' questions test.

Trap Reaching for a firewall or perimeter control to stop an insider, when an internal actor is already past the edge and is checked by least privilege and UEBA.

Motivation is the strongest disambiguator between actors

When two actor types share a technique, the stated motivation usually decides between them: espionage or war points to a nation-state; financial gain, blackmail, or data resale to organized crime; philosophical/political belief to a hacktivist; revenge to a disgruntled insider. SY0-701 lists these as distinct objective-2.1 motivations precisely so they can separate look-alike actors.

Trap Picking the actor from the shared technique, when the stated motivation is the field that separates look-alike actors.

2 questions test this
Data exfiltration splits by who benefits from the stolen data

Data exfiltration is an objective-2.1 motivation that maps to more than one actor, so it disambiguates by beneficiary: stealing for strategic intelligence implies a nation-state, while stealing to sell or extort implies organized crime. Use statecraft versus profit, not the act of exfiltration itself, to pick between them.

Trap Treating data exfiltration as a single-actor signal, when the beneficiary (strategic intelligence versus profit) decides between nation-state and organized crime.

'Ethical' is the authorized tester's motivation, not an attack

The 'ethical' motivation in objective 2.1 describes a penetration tester or bug-bounty researcher operating under rules of engagement: lawful and sanctioned activity. Never map it to a malicious actor or treat the activity as an incident to contain; it is listed to be contrasted with hostile motives, not grouped with them.

Trap Treating authorized, ethical testing as a breach to escalate, when it is sanctioned work performed under rules of engagement.

Match the mitigation to the actor's defining attribute

Best-control questions chain actor to attribute to control: insider (already inside) maps to least privilege, separation of duties, and UEBA; nation-state/APT (long dwell, custom exploits) to defense in depth and detective/behavioral controls; unskilled attacker (known public exploits) to patch management and hardening; shadow IT (unmanaged assets) to asset discovery, inventory, and acceptable-use policy. The control follows from the attribute, not the actor's name.

Trap Choosing the control by the actor's name, when the defining attribute (already-inside, long dwell, public exploit, unmanaged asset) dictates the best control.

Nation-states may run financial crime to fund their missions

Although nation-state actors are defined by strategic and espionage objectives, some (notably DPRK-linked groups) also run financially motivated operations such as cryptocurrency theft and even ransomware-as-a-service to fund those missions or mask intelligence-gathering. A financial-gain signal therefore does not by itself rule out a state-sponsored actor; weigh it against targeting and strategic intent.

Trap Ruling out a nation-state the moment a financial motive appears, when state-sponsored groups also run profit operations to fund or mask their missions.

4 questions test this
RaaS splits the operator who builds from the affiliate who deploys

Ransomware-as-a-Service is a division-of-labor model: an operator develops and maintains the payload, payment portal, and data-leak site, while affiliates rent those tools (often buying initial network access from access brokers) and carry out the actual intrusions. The affiliate keeps the majority of each ransom and the operator takes a cut (commonly ~30-40%), so the group that deploys ransomware against a target is the affiliate, not the developer.

Trap Attributing the intrusion to the ransomware developer, when under RaaS the affiliate is the party that selects the target and deploys the payload.

5 questions test this

References

  1. CompTIA Security+ (SY0-701) certification
  2. NIST glossary: advanced persistent threat (APT) Whitepaper
  3. NIST glossary: insider threat Whitepaper