This post details the "What" in threat modeling: mapping actor groups to the 10 TLCTC clusters to create formal, machine-readable Attacker Profiles and Cyber Threat Radars.
Now that we have defined the "Who," "Whom," and "Where," we can move to the next critical step: mapping the "What." We will connect our Actor Groups (the "Who") to the 10 TLCTC clusters (the "What") to build formal Attacker Profiles.
This matrix, often visualized as a Cyber Threat Radar, quantifies the typical capability or maturity level of each actor group against each threat cluster. This is the foundational tool for risk assessment, threat intelligence, and prioritizing defensive investments.
Capability Maturity Levels
We use a simple numerical scale for maturity, which is ideal for both visualization and machine-readable formats.
| Level | Maturity | Description |
|---|---|---|
| 0 | None | No known or practical capability. This cluster is not used by the actor. |
| 1 | Low | Opportunistic use of basic, publicly available tools (e.g., running a pre-made script). |
| 2 | Medium | Consistent use of established tools and TTPs. Can follow a known playbook. |
| 3 | High | Can modify, chain, or customize advanced tools. Conducts complex, multi-stage attacks. |
| 4 | Expert | Develops novel (0-day) exploits, custom malware, and sophisticated, stealthy TTPs. |
Cyber Threat Actor Capability Matrix
The following table maps our defined actor groups to the 10 TLCTC clusters using the maturity scale. Note the stark differences: an Insider has "Expert" level capability in #1 Abuse of Functions and #8 Physical Attack by default, while a Nation-State group shows broad, high-level expertise across the board.
| Actor Group | #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 | #9 | #10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Nation-State | 3 | 4 | 4 | 3 | 3 | 3 | 4 | 2 | 4 | 4 |
| Cybercriminal (Ransomware) | 3 | 2 | 3 | 3 | 2 | 1 | 3 | 1 | 3 | 2 |
| Cybercriminal (General) | 1 | 2 | 2 | 3 | 1 | 2 | 2 | 1 | 2 | 1 |
| Hacktivist | 2 | 2 | 2 | 1 | 1 | 3 | 2 | 1 | 2 | 1 |
| Insider | 4 | 0 | 0 | 3 | 0 | 0 | 1 | 3 | 1 | 0 |
| Amateur (Script-Kiddie) | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 0 |
Formal JSON Definition for Threat Intelligence
To make these profiles actionable for threat intelligence platforms, SIEMs, and automated risk-tracking, we use a formal JSON structure. This allows for consistent, machine-readable sharing of actor profiles.
The following JSON snippet shows our "Cybercriminal (Ransomware)" group defined in this formal structure. You can download the complete JSON file for all 6 actors here.
```json
{
  "actorId": "actor-cybercriminal-ransomware",
  "actorGroup": "Cybercriminal (Ransomware)",
  "motivation": "Purely financial gain through extortion.",
  "typicalTargets": [
    "Targeted Individuals / Orgs",
    "Critical Sectors",
    "Random / Opportunistic"
  ],
  "capabilityMapping": {
    "1": 3,
    "2": 2,
    "3": 3,
    "4": 3,
    "5": 2,
    "6": 1,
    "7": 3,
    "8": 1,
    "9": 3,
    "10": 2
  }
}
```
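A consumer of these profiles should check them before loading them into a SIEM or risk tracker. The following Python sketch is an added example, not code from the original post or the TLCTC project: it validates a profile against the 0-4 maturity scale and the 10 cluster keys, then derives the radar labels and the clusters at "High" or above. The function names and the rule that every cluster must carry a level are assumptions made for illustration.

```python
import json

# Maturity scale from the post's "Capability Maturity Levels" table.
MATURITY = {0: "None", 1: "Low", 2: "Medium", 3: "High", 4: "Expert"}
CLUSTERS = [str(n) for n in range(1, 11)]  # TLCTC clusters #1..#10

# The post's "Cybercriminal (Ransomware)" profile, trimmed to the fields checked here.
RANSOMWARE_JSON = """{
  "actorId": "actor-cybercriminal-ransomware",
  "actorGroup": "Cybercriminal (Ransomware)",
  "capabilityMapping": {"1": 3, "2": 2, "3": 3, "4": 3, "5": 2,
                        "6": 1, "7": 3, "8": 1, "9": 3, "10": 2}
}"""


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile is usable."""
    problems = [f"missing field: {f}"
                for f in ("actorId", "actorGroup", "capabilityMapping")
                if f not in profile]
    mapping = profile.get("capabilityMapping")
    if not isinstance(mapping, dict):
        return problems + ["capabilityMapping is not an object"]
    for cluster in CLUSTERS:
        if cluster not in mapping:
            problems.append(f"cluster #{cluster} has no level")
        # type() check rejects JSON booleans and floats, which int-like tests accept.
        elif type(mapping[cluster]) is not int or mapping[cluster] not in MATURITY:
            problems.append(f"cluster #{cluster} level {mapping[cluster]!r} is not 0-4")
    problems += [f"unknown cluster key: {k!r}" for k in mapping if k not in CLUSTERS]
    return problems


def radar(profile):
    """Map each cluster to its maturity name, one entry per radar spoke."""
    return {f"#{c}": MATURITY[profile["capabilityMapping"][c]] for c in CLUSTERS}


def clusters_at_or_above(profile, level):
    """Clusters where the actor is at or above `level`, in cluster order."""
    return [f"#{c}" for c in CLUSTERS if profile["capabilityMapping"][c] >= level]


if __name__ == "__main__":
    profile = json.loads(RANSOMWARE_JSON)
    print(validate_profile(profile) or "profile OK")
    print(radar(profile))
    print("High or above:", clusters_at_or_above(profile, 3))
```

Run `validate_profile` first; `radar` and `clusters_at_or_above` assume a profile that passed it.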
Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).