Actors
Named threat groups with confirmed attribution — nation-state, cybercrime, hacktivist, or PSOA.
List all actors
GET/actors
Returns all actors. Each entry includes aliases as an array.
Get an actor
GET/actors/:id
Returns a single actor with full detail: aliases, edges, and associated reports. Accepts either UUID or slug.
Actor object
| Field | Type | Description |
|---|---|---|
id | uuid | Unique identifier |
name | string | Primary display name (resolved from aliases) |
slug | string | URL-friendly name (e.g. muddywater) |
type | string | nation-state / cybercrime / hacktivist / psoa / unclassified / unknown |
country_code | string | ISO 3166-1 alpha-2 country code of attributed origin |
region | string | Geographic region (e.g. Middle East) |
motivation | string[] | espionage / financial / disruption / hacktivism |
attribution_note | string | Human-readable attribution statement from the source |
first_seen | string | Earliest known activity (ISO date, year-precision, e.g. 2019-01-01) |
bio | string | Full attribution write-up |
aliases | object[] | Array of { name, is_primary } |
edges | object[] | Typed relationships — each carries confidence_label (Confirmed / High confidence / Assessed / Suspected / Possible); the raw confidence score is never exposed |
reports | object[] | Source reports that document this actor |
inherited_activity | object | TTPs, tools, and indicators inherited from associated campaigns and sub-groups |
created_at | string | ISO 8601 timestamp |
updated_at | string | ISO 8601 timestamp |
