Types of Threat Actors: From Cybercriminals to Nation-States
The major categories of cyber threat actors explained — nation-states, cybercriminals, hacktivists, insiders, and script kiddies — with motivations and defense implications.
"Hackers" is a useful word in casual conversation and a misleading one in serious cybersecurity work. The people who attack systems vary enormously in who they are, what they want, how good they are, and which targets they choose. A teenager testing a tool from a forum is not the same adversary as a state intelligence service running a multi-year operation. Treating them as interchangeable produces unfocused defense.
The security industry has developed a working taxonomy of threat actors that lets defenders, researchers, and policymakers speak more precisely about who is doing what. The taxonomy is imperfect — categories overlap, and individual actors sometimes move between them — but it is far better than treating every adversary the same.
This guide is a tour of the major categories, what motivates each, what they are typically capable of, and how their profiles shape defense. Use the links throughout for deeper context on related topics.
What Is a Threat Actor?
A threat actor — sometimes called a malicious actor or adversary — is any individual, group, or organization that conducts or is capable of conducting malicious cyber activity. Threat actors are characterized by three things: their motivation (what they want), their capability (what they can do), and their target preference (who they go after).
Those three dimensions matter because they shape everything else. A financially motivated criminal will choose a different target list, use different tools, and behave differently inside a network than a nation-state intelligence service, even when their initial techniques look similar. Profiling the actor is what lets a defender anticipate what comes next.
The Major Categories
The security community generally divides threat actors into a handful of overlapping categories.

- Nation-state actors — government-backed groups conducting espionage, sabotage, or geopolitical operations.
- Cybercriminals — financially motivated individuals and organized groups.
- Hacktivists — ideologically motivated groups pursuing political or social objectives.
- Insider threats — current or former employees, contractors, or partners with legitimate access.
- Script kiddies — less-skilled actors using prebuilt tools and tutorials.
- Cyberterrorists — actors using cyber operations to intimidate populations or governments.
The lines between these categories blur in practice. Nation-states sometimes use criminal groups as proxies. Criminal organizations sometimes recruit insiders. Hacktivist tools sometimes get adopted by criminals. The categories are useful starting points, not strict boxes.
Nation-State Actors
Nation-state actors are government-backed groups conducting cyber operations in pursuit of national interests. Their objectives include intelligence collection, theft of intellectual property, surveillance of dissidents and diaspora communities, influence operations, and pre-positioning for potential future conflict.
Capability is the defining characteristic. Nation-state operations have resources for custom tooling, multi-year campaigns, and the tradecraft to remain hidden inside a network for months or years. They are the principal source of advanced persistent threats (APTs) — quiet, patient, well-resourced intrusions.
Targets are chosen for strategic value rather than financial return. Government agencies, defense contractors, critical infrastructure, telecommunications, technology companies that handle valuable IP, and supply chains that lead to all of the above. Nation-state actors are also responsible for some of the most consequential cyber incidents on record.
Cybercriminal Groups
Cybercriminals are the largest category by volume and the one most organizations actually face. They are motivated by money, and over the last decade they have professionalized into a sophisticated service economy.
That economy includes initial access brokers who sell footholds, ransomware-as-a-service operators who rent malware to affiliates, money-laundering networks that handle the cash-out, and dark-web marketplaces that distribute stolen data. The result is that a single ransomware attack typically involves several distinct groups, each specializing in one part of the operation.
Capability varies. The top tier of organized cybercrime rivals lesser nation-state actors in technical skill. The bottom tier consists of low-effort operators using off-the-shelf tools. The middle, where most activity sits, is professional, persistent, and increasingly automated. Targets are selected for ability to pay — which in practice means the broad mid-market and enterprise space.
Hacktivists
Hacktivists conduct cyber operations in support of a political, ideological, or social cause. Their preferred outcomes are usually visibility — website defacement, denial-of-service attacks, document leaks — rather than long-term access or financial gain.
Capability ranges from low to moderate. Some hacktivist collectives are loose affiliations of unskilled volunteers running off-the-shelf tools; others are tightly organized, technically capable, and politically focused. Targets are chosen for symbolic value: corporations associated with controversial industries, governments accused of human rights abuses, media outlets, and similar high-visibility targets.
Hacktivism has also become entangled with state-sponsored operations. Some activity attributed to hacktivists is, on closer examination, conducted by or for nation-state sponsors that find the ideological framing useful.
Insider Threats
Insider threats are people with legitimate access — current or former employees, contractors, business partners — who misuse that access to harm the organization. Insider threats are typically divided into three subtypes.

Malicious insiders intentionally cause harm, motivated by grievance, financial pressure, ideology, or recruitment by an outside party. They are the most damaging type because their access is broad and their behavior may look legitimate.
Negligent insiders cause harm unintentionally — through misconfigured systems, leaked credentials, lost laptops, falling for phishing, or mishandling sensitive data. Most insider incidents fall into this category.
Compromised insiders are legitimate users whose accounts have been taken over by an external attacker. From a detection standpoint they look like an insider, even though the active adversary is external.
The defining characteristic of insider threats is the legitimate access that bypasses many controls designed for outsiders. Effective defense relies on monitoring user behavior, principle-of-least-privilege access design, and segregation of sensitive duties.
Script Kiddies and Lone Actors
The term script kiddie describes a low-skill attacker using prebuilt tools, exploit scripts, and step-by-step tutorials they did not develop themselves. The category gets dismissed in serious security discussions, sometimes unfairly. A script kiddie firing a powerful publicly available tool at an unprepared target can still cause meaningful damage; the tool does not care who is holding it.
Lone actors more broadly include unaffiliated individuals — some skilled, some not — who operate independently of any organized group. Their motivations vary from curiosity to grievance to ideology to opportunism.
Cyberterrorists
Cyberterrorism describes the use of cyber operations to intimidate populations or coerce governments in support of political or ideological objectives. The category overlaps with hacktivism and with state-sponsored operations, and the boundary is contested. In practice, the volume of activity classified as cyberterrorism is small relative to other categories, but it is tracked closely because of its potential for high-impact targeting of critical infrastructure.
Motivations and Capabilities Compared
It is useful to compare the categories along two axes — motivation and capability — because that comparison shapes which defenses matter most against which adversaries.
Nation-states bring high capability and strategic motivation. They are patient, well-resourced, and hard to detect. Defending against them requires depth — layered controls, behavioral detection, threat hunting, and the assumption that some access will succeed.
Top-tier cybercriminals bring high-to-moderate capability and financial motivation. They are fast, professionalized, and increasingly automated. Defending against them requires hygiene — patch promptly, enforce MFA, segment networks, back up data, train people.
Hacktivists bring variable capability and ideological motivation. Defending against them requires visibility — monitoring brand mentions, watching for DDoS patterns, hardening public-facing surfaces.
Insiders bring legitimate access and varied motivation. Defending against them requires behavioral monitoring, least-privilege access, and operational controls on sensitive actions.
Script kiddies and lone actors bring low capability but unpredictable targets. Defending against them is largely a matter of not having obvious unpatched exposures — a well-maintained environment is rarely the path of least resistance for an opportunistic actor.
How Defenders Use Threat Actor Profiles
Threat actor profiling is more than an academic exercise. It directly shapes defensive prioritization in several ways.
Prioritizing detections. Build coverage first for the techniques used by the actors most likely to target your organization. Not all Cyber Kill Chain stages or ATT&CK techniques are equally relevant to every organization.
Incident response framing. Knowing whether you are facing an opportunistic criminal or a patient state actor changes the response. Criminals will move quickly to monetize; state actors will move quietly to maintain access. Containment strategy follows.
Risk decisions. Strategic intelligence about which actors target your industry informs board-level conversations about investment, insurance, and acceptable risk.
Threat hunting. Hunting is most effective when it is hypothesis-driven, and hypotheses come from actor profiles — "if this group were in our network, what would they be doing?"
Conclusion
The set of people willing and able to attack a given organization is not a faceless mass. It is a structured population of actors with distinct motivations, capabilities, and target preferences. Understanding which of those actors actually matter to your organization is the foundation of focused defense.
No organization needs to defend equally against every category. A small e-commerce business does not face the same threat as a defense contractor, and pretending otherwise produces budget waste and detection noise. The work of threat actor profiling — figuring out who is realistically targeting you, and adjusting defense accordingly — is among the most leveraged activities in security.
Frequently Asked Questions (FAQ)
What is a threat actor in cybersecurity?
A threat actor is any individual, group, or organization that conducts or is capable of conducting malicious cyber activity. Threat actors are characterized by motivation, capability, and target preference.
What are the main types of threat actors?
The major categories are nation-state actors, cybercriminals, hacktivists, insider threats, script kiddies and lone actors, and cyberterrorists. The categories overlap in practice.
What motivates nation-state threat actors?
Intelligence collection, theft of intellectual property, geopolitical influence, surveillance of dissidents, and pre-positioning for future conflict. Their objectives are strategic rather than financial.
What is the difference between a malicious and a negligent insider?
A malicious insider intentionally causes harm. A negligent insider causes harm unintentionally — through misconfiguration, lost devices, phishing victimization, or other mistakes. Most insider incidents involve negligence rather than malice.
Are script kiddies actually a serious threat?
They are usually not the most sophisticated adversary, but a script kiddie firing a powerful publicly available tool at an unprepared target can still cause real damage. They should not be dismissed.
How do defenders use threat actor profiles?
Profiles inform which detections to prioritize, how to frame an incident response, where to invest at a strategic level, and which hypotheses to pursue in threat hunting. The goal is focused defense against the actors most likely to target the organization.