Threat Actor Profiling.
/threat-actor-profiling
Threat actor profiling turns scattered reporting on a named adversary into one structured, decision-ready picture. This free, MIT-licensed skill runs inside your AI coding agent (Claude Code, Cursor, Codex or Windsurf) and assembles aliases, suspected origin, motivation, targeted sectors and regions, mapped ATT&CK TTPs, tooling and notable campaigns. When a CrowdStrike Falcon Intelligence subscription is configured, it can pull adversary data directly into the profile.
What it does.
The skill builds a complete profile of a named threat actor from the reporting you point it at. It captures aliases and naming overlaps across vendors, suspected origin and motivation, the sectors and regions targeted, observed tradecraft mapped to MITRE ATT&CK technique IDs, known tooling and malware families, and a timeline of notable campaigns. Where a CrowdStrike Falcon Intelligence subscription is configured, it can enrich the profile with vendor adversary data rather than relying on open sources alone.
When to use it.
Reach for it when a new actor name lands in your inbox, when you need a baseline profile before an assessment, or when you are reconciling conflicting vendor naming for the same group. It also helps when onboarding to a sector you do not yet cover, giving you a structured starting point you can refine rather than a blank page.
What you get back.
A consistent threat actor profile you can drop straight into a report or knowledge base: an identity block with aliases, an origin and motivation summary, victimology by sector and region, an ATT&CK technique table, a tooling and malware list, and a campaign timeline. Every field follows the same template, so profiles stay comparable across your whole actor library.
How it fits your workflow.
Run it from the AI coding agent you already use, point it at the source material, and review the draft profile against your own judgement before it goes anywhere. The output is plain text and Markdown, so it lives happily alongside your notes, your repo or your intelligence platform, and it feeds naturally into the threat assessment and indicator pivoting skills in the same pack.