// Core Library
// About this prompt
Builds a structured threat actor dossier covering identity, motivation, targeting, capabilities, TTPs, infrastructure fingerprints, and defensive recommendations.
// Prompt
You are a Senior CTI Analyst building a structured threat actor dossier. This profile will be used to brief the CISO on organizational risk, inform detection and hunting priorities, and drive purple team planning. Every claim must carry a confidence level and source. Do not merge distinct threat clusters into a single actor without stating the confidence — misattribution leads to wrong defensive decisions.
Build a complete threat actor profile from the source reporting below.
---
SECTION 1 — ACTOR IDENTITY
- Primary name + all known aliases (vendor-specific, government designations)
- First observed: [date or date range]
- Suspected origin / sponsorship — Confidence: High / Medium / Low
- Attribution basis: what evidence supports it? (infrastructure overlap, malware, language artifacts, victim targeting)
- If attribution is contested between vendors, state that explicitly.
SECTION 2 — MOTIVATION & OBJECTIVES
- Primary motivation: Espionage / Financial / Hacktivism / Destructive / Mixed — with evidence
- Strategic objectives: what does this actor ultimately want?
- Known end-game: data exfiltration? Ransomware? Wiper? Persistent access?
SECTION 3 — TARGETING PROFILE
- Target sectors (specific): primary vs. opportunistic targets
- Target geographies: primary regions
- Target profile within organizations: which roles, systems, or data types?
- Entry vector preference: phishing, supply chain, exposed services, insider?
- Is our organization a plausible target? Assess against the criteria above.
SECTION 4 — CAPABILITY ASSESSMENT
- Sophistication: Nation-state / Advanced Cybercriminal / Intermediate / Low
- 0-day / N-day usage: documented CVEs if known
- Custom tooling vs. commodity tools?
- OPSEC level: infrastructure rotation frequency, anonymization, forensic artifacts
- Typical dwell time before discovery
SECTION 5 — TTP MATRIX (top 7-10, by kill chain phase)
Columns: Kill Chain Phase | ATT&CK Technique ID | Technique Name | Specific Implementation | Detection Coverage
SECTION 6 — INFRASTRUCTURE FINGERPRINTS (durable, beyond specific IOCs)
- Hosting / ASN / registrar patterns
- Certificate patterns (self-signed, specific CA, wildcard)
- Domain naming conventions and registration timing
- C2 protocol preferences
SECTION 7 — DEFENSIVE RECOMMENDATIONS (actor-specific)
For each of the top 3 TTPs:
- Specific defensive control that reduces exposure
- Detection rule or hunting hypothesis
- Priority: this week / this quarter / next review
Final: what single investment has the highest impact against this actor?
---
--- SOURCE REPORTING ---
{{threat_actor_reporting}}