This project began when I was creating some artwork of some adversary groups and adversary emulation plans for those groups as part of our hands-on activities at Adversary Village and a few of my trainings. We needed quality visuals and structured data for talks, training sessions, and demonstrations. I put together a few actor profiles with custom artwork, mapped their TTPs, wrote emulation plans, and quickly realized there was nothing like this that existed as a single, open, reusable resource.
There are hundreds of places to read about threat actors and cyber threat intelligence. It was not our intention to create another duplicate project.
MITRE ATT&CK provides a common language, CISA publishes advisories, security vendors release reports, and researchers share IOCs across dozens of platforms. But nowhere could you get the full picture on one page: who they are, what tools they use, how they attack, how to emulate them, how to detect them, and how to defend against them. All sourced, all linked, all free.
That gap is what Threat Actor Profiles fills. The project and its artwork are open to everyone, for use in your presentations, emulation exercises, or actual engagements.
Every profile in this project (the artwork, the data, the interactive diagrams) is free for anyone to use in their projects, conference presentations, training workshops, university courses, or research. Building a talk on APT29 for a conference? The profile page is here. Running a purple team training on ransomware actors? FIN7's full attack chain breakdown is here. No paywalls, no vendor lock-in, no login required.
The threat intelligence community produces incredible research, but it is scattered across hundreds of vendor blogs, government advisories, and academic papers. This project brings it together into structured, consistent, actionable profiles that anyone can use and anyone can improve.
The second goal is equally important. We want this to be the go-to resource for understanding how to emulate these threat actors in your own environment. Every profile includes an Emulation Plans & Guidance section with direct links to step-by-step emulation walkthroughs, open-source adversary simulation repos with full attack chains you can run in a lab, MITRE CTID emulation plans with Caldera abilities and payloads, and blog posts from practitioners who have actually built and executed these emulations.
Whether you are a red teamer building an adversary emulation exercise, a purple team operator validating your detections, a SOC analyst studying how a specific actor operates, or a student learning offensive security, these profiles give you everything you need to go from reading about a threat actor to actually replicating their behavior in a controlled environment.
Every claim on every profile is sourced. Defense recommendations cite who recommends them (CISA, NIST, NSA, Microsoft) with URLs to the actual documents. Emulation plans link to repos you can clone and run. Attribution evidence cites DOJ indictments and government advisories. If something does not have a source, it does not belong here.
This is a community project and we need people who can help. You can contribute by adding new threat actor profiles, creating actor artwork, writing emulation guides, adding detection content like Sigma rules and KQL queries, improving existing profiles with new references and campaigns, or fixing broken URLs.
No contribution is too small. Even fixing a single broken URL or adding one missing CVE helps the entire community.
The entire project is data-driven. Every actor page is generated from a single JSON file. You do not need to know Python or HTML. Edit the JSON, submit a pull request, and the maintainers review and merge. Check the README on GitHub for the full contribution guide.
Contribute on GitHub