
Threat Actor Domain


Category: API Domains | Last Updated: Feb 5, 2026

Overview

An analyst investigating a ransomware attack recognises the encryption routine from a previous incident. She searches the threat actor library, finds a matching profile for a financially motivated group operating since 2021, reviews their documented TTPs, and within minutes has context that would otherwise take days to reconstruct from scratch. That accumulated institutional knowledge is what the Threat Actor domain exists to maintain.

The domain manages profiles for known malicious entities used in intelligence operations. Profiles capture aliases, motivations, tactics, techniques, and procedures (TTPs), sophistication levels, and operational capabilities to support threat assessment and intelligence analysis. Records are stored in PostgreSQL and isolated by organisation so that sensitive attribution work stays within authorised boundaries.

Key Features

  • Threat Actor Profiles: Create and maintain detailed profiles for known threat actors including names, aliases, descriptions, and affiliations to build a comprehensive threat intelligence library.

  • TTP Documentation: Document the tactics, techniques, and procedures used by each threat actor to understand their operational methods and predict future behaviour.

  • Sophistication Assessment: Classify threat actors by sophistication level to understand their technical capabilities and the level of threat they represent.

  • Motivation Tracking: Record the motivations behind threat actor activities (financial, espionage, hacktivism, and others) to support threat prioritisation and behavioural analysis.

  • Alias Management: Track the various names, handles, and identifiers associated with each threat actor to ensure comprehensive identification across intelligence sources.

  • Capability Assessment: Document the known capabilities of threat actors, including tools, infrastructure, and resources, to inform defensive posture and risk assessment.

  • Investigation Linking: Associate threat actor profiles with active investigations to provide intelligence context and track ongoing monitoring of known adversaries.

Use Cases

  • Cybersecurity Operations: Build and maintain a library of threat actor profiles to inform security operations, risk assessments, and investigative planning across incident response teams.

  • Defence Intelligence: Compare observed TTPs and indicators against known threat actor profiles to support attribution analysis, including nation-state actors and advanced persistent threats.

  • Critical Infrastructure Protection: Assess the sophistication, capabilities, and motivations of threat actors targeting industrial control systems and utilities to prioritise defensive measures.

  • Multi-Agency Collaboration: Share threat actor profiles with partner organisations to support collaborative threat intelligence and coordinated response, aligned with MITRE ATT&CK framework standards.

Integration

The Threat Actor domain connects with intelligence and investigative capabilities:

  • Threat Intelligence: Threat actor profiles enrich IOC analysis and correlation.
  • Investigation Management: Threat actors link to active investigations.
  • Profile Management: Threat actor profiles extend the base profile system.
  • MITRE ATT&CK: TTP documentation maps to standard frameworks.

Open Standards

  • OASIS STIX 2.1: Threat actor profiles map directly to the threat-actor STIX Domain Object (SDO); the platform ingests and exports STIX 2.1 bundles containing threat-actor, indicator, malware, and relationship SDOs via a bidirectional adapter.
  • OASIS TAXII 2.1: Threat intelligence, including threat-actor objects, is distributed and consumed through TAXII 2.1 feeds; the client implements collection discovery, incremental paginated polling, and bundle push against compliant servers.
  • MITRE ATT&CK: TTP fields on threat actor profiles store MITRE ATT&CK technique identifiers (e.g. T1566); the attribution service performs overlap scoring against a local mirror of ATT&CK techniques and tactics to support actor attribution.
  • FIRST Traffic Light Protocol (TLP): Threat actor records carry TLP classification markings (WHITE, GREEN, AMBER, AMBER+STRICT, RED, CLEAR) resolved from STIX marking-definition IDs, controlling visibility and inter-organisation sharing.
  • GraphQL (June 2018 specification): All CRUD operations on threat actor profiles are exposed through a typed Strawberry GraphQL schema with authenticated queries and mutations, including list, fetch-by-id, create, update, and delete resolvers.
  • OAuth 2.0 / OpenID Connect: Every GraphQL resolver enforces the platform-wide IsAuthenticated permission class, which validates JWT bearer tokens issued through the OAuth 2.0 / OIDC authorisation flow.
  • JSON (ECMA-404 / RFC 8259): Raw actor data, TTP lists, and capability sets are stored and exchanged as JSON; STIX 2.1 bundle serialisation and deserialisation use JSON as the wire format throughout the ingest and export pipeline.
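The STIX 2.1 mapping, TLP marking resolution, and ATT&CK overlap scoring described in the three bullets above, as an added example that is not the platform's own code: the internal profile field names (name, aliases, types, sophistication, motivation, tlp, ttps) and the Jaccard scoring are assumptions; the four TLP marking-definition IDs are the ones fixed by the STIX 2.1 specification.

```python
# Added example (not the platform's own code): map an internal profile to a STIX 2.1
# threat-actor SDO, resolve TLP from marking IDs, score ATT&CK overlap. Field names are assumed.
from __future__ import annotations
import uuid
from datetime import datetime, timezone

# TLP 1.0 marking-definition IDs fixed by the STIX 2.1 specification. TLP 2.0 markings
# (CLEAR, AMBER+STRICT) are defined in the OASIS TLP 2.0 extension and are omitted here.
TLP_BY_MARKING_ID = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": "WHITE",
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": "GREEN",
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82": "AMBER",
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": "RED",
}
MARKING_ID_BY_TLP = {v: k for k, v in TLP_BY_MARKING_ID.items()}
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]  # least to most restrictive

def profile_to_sdo(profile: dict, now: datetime | None = None) -> dict:
    """Build a STIX 2.1 threat-actor SDO dict from a profile record (assumed schema)."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    sdo = {
        "type": "threat-actor", "spec_version": "2.1",
        "id": f"threat-actor--{uuid.uuid4()}", "created": ts, "modified": ts,
        "name": profile["name"], "description": profile.get("description", ""),
        "threat_actor_types": profile.get("types", ["unknown"]),
        "sophistication": profile["sophistication"],  # threat-actor-sophistication-ov value
        "primary_motivation": profile["motivation"],  # attack-motivation-ov value
        "object_marking_refs": [MARKING_ID_BY_TLP[profile["tlp"]]],
    }
    if profile.get("aliases"):
        sdo["aliases"] = list(profile["aliases"])
    return sdo

def resolve_tlp(sdo: dict) -> str | None:
    """Most restrictive known TLP colour among the object's markings; None if none are known."""
    known = [TLP_BY_MARKING_ID[r] for r in sdo.get("object_marking_refs", []) if r in TLP_BY_MARKING_ID]
    return max(known, key=TLP_ORDER.index) if known else None

def attribution_score(observed: set[str], actor_ttps: set[str]) -> float:
    """Jaccard overlap of ATT&CK technique IDs; sub-techniques (T1566.001) roll up to the parent."""
    norm = lambda ids: {t.split(".")[0].upper() for t in ids}
    a, b = norm(observed), norm(actor_ttps)
    return len(a & b) / len(a | b) if a | b else 0.0

# Constructed sample profile for demonstration; not a real actor record.
SAMPLE_PROFILE = {
    "name": "Example Crimeware Group", "aliases": ["ECG", "Example-Lockers"],
    "types": ["crime-syndicate"], "sophistication": "advanced",
    "motivation": "personal-gain", "tlp": "AMBER", "ttps": ["T1566", "T1486", "T1059.001"],
}
```

An unknown marking-definition ID yields no TLP colour rather than a default, so a caller should treat None as "do not share" instead of assuming WHITE.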

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
