ThreatActorTypeVocab-1.0STIX Vocabularies Schema

The ThreatActorTypeVocab is the default STIX vocabulary for expressing the type of a threat actor.

Vocabulary Items

Item Description
Cyber Espionage Operations
Hacker - White hat
Hacker - Gray hat
Hacker - Black hat
State Actor / Agency
eCrime Actor - Credential Theft Botnet Operator
eCrime Actor - Credential Theft Botnet Service
eCrime Actor - Malware Developer
eCrime Actor - Money Laundering Network
eCrime Actor - Organized Crime Actor
eCrime Actor - Spam Service
eCrime Actor - Traffic Service
eCrime Actor - Underground Call Service
Insider Threat
Disgruntled Customer / User


Field Name Type Description
@vocab_nameoptional string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.