---
type: "term"
title: "Attacker Profile"
description: "An informative overlay on the Cyber Threat Radar that describes a threat actor's (or Actor Group's) observed preferences across the 10 clusters: per-cluster capability scores, preferred cluster sequences, and typical boundary crossings."
resource: "tlctc:term:attacker-profile"
tags:
  - "glossary"
---
# Attacker Profile

An **informative overlay** on the Cyber Threat Radar that describes a threat actor's (or Actor Group's) observed preferences across the 10 clusters: per-cluster capability scores, preferred cluster sequences, and typical boundary crossings. Profiles may be wrapped in Diamond-Model framing (adversary / capability / infrastructure / victim). They are used for hypothesis generation ("likely next steps"), comparative radar views, and targeting analysis against the organizational radar.

**Normative guardrails (R-RADAR-6…9):**

- Actors are not clusters; they *use* clusters (Axiom IV).
- Profiles MUST NOT redefine cluster meanings or introduce actor-based taxonomy.
- Profiles SHOULD be published as probability distributions or pattern frequencies, not deterministic rules.
- Profile scores SHOULD be derived from classified Layer 3 attack path instances so provenance traces back to evidence.

**Reference:** §17.3
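As an added illustration (not code from the TLCTC framework), the sketch below derives a profile from classified attack path instances as pattern frequencies, keeping the instance ids behind each figure so provenance traces back to evidence. The instance ids, the integer cluster labels 1..10, the dictionary layout, and the function names are assumptions made for this example, and boundary crossings are not modelled.

```python
from collections import Counter, defaultdict

# Constructed sample data: classified attack path instances attributed to one
# hypothetical Actor Group. Each path is an ordered list of cluster numbers
# (1..10); the instance ids and sequences are made up for illustration.
INSTANCES = {
    "inc-001": [9, 4, 1],
    "inc-002": [9, 4, 7],
    "inc-003": [3, 4, 1],
    "inc-004": [9, 7],
}

def build_profile(instances, n_clusters=10):
    """Derive a frequency-based profile; every figure keeps its evidence ids."""
    usage = Counter()                    # cluster -> number of instances using it
    transitions = defaultdict(Counter)   # cluster -> Counter(next cluster)
    evidence = defaultdict(set)          # cluster -> instance ids (provenance)
    for inst_id, path in instances.items():
        if not path or any(c not in range(1, n_clusters + 1) for c in path):
            raise ValueError(f"{inst_id}: path must use clusters 1..{n_clusters}")
        for c in set(path):              # count each cluster once per instance
            usage[c] += 1
            evidence[c].add(inst_id)
        for a, b in zip(path, path[1:]): # observed cluster-to-cluster steps
            transitions[a][b] += 1
    total = len(instances)
    return {
        "instances": total,
        "cluster_frequency": {c: usage[c] / total for c in sorted(usage)},
        "next_step": {a: {b: n / sum(nxt.values()) for b, n in sorted(nxt.items())}
                      for a, nxt in sorted(transitions.items())},
        "evidence": {c: sorted(ids) for c, ids in sorted(evidence.items())},
    }

def likely_next(profile, cluster):
    """Ranked hypotheses for the next cluster, as (cluster, probability) pairs."""
    dist = profile["next_step"].get(cluster, {})
    return sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    profile = build_profile(INSTANCES)
    print(profile["cluster_frequency"])
    print(likely_next(profile, 4))
```

The output is a distribution rather than a rule: `likely_next` ranks hypotheses with their observed frequencies, and the `evidence` map lists which instances support each cluster's score.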




**Related reading:** [CrowdStrike 2024 Threat Hunting Report — TLCTC](https://www.tlctc.net/tlctc-CrowdStrike2024.html), [CrowdStrike 2025 Threat Report — Strategy & Velocity](https://www.tlctc.net/tlctc-crowdstrike-2025-threat-report.html), [Diamond Model × TLCTC — structuring the empty spaces](https://www.tlctc.net/tlctc-diamond-model.html), [tlctc-Attacker-Profiling.html](https://www.tlctc.net/tlctc-Attacker-Profiling.html)

See also: Actor Group, Actor Archetype, Cyber Threat Radar, Axiom IV
