Understand how Security+ distinguishes insider, criminal, hacktivist, nation-state, shadow IT, and other actor motives in scenario questions.
Security+ uses threat-actor questions to test judgment, not just label recall. The exam wants you to identify who is most likely behind an action, what they probably want, and how that changes the defensive response. If you confuse motive with technique, you will often choose the wrong next step.
CompTIA is usually checking whether you can map the actor in a scenario to its likely motive and recognize the signals that point to it:
| Actor | Typical motive | Usual signal in a scenario |
|---|---|---|
| Nation-state or APT | espionage, disruption, long-term access | stealth, persistence, high-value targets, patience |
| Organized crime | money, extortion, fraud | ransomware, business email compromise, theft |
| Hacktivist | ideology, publicity, disruption | defacement, public campaigns, high-visibility targets |
| Insider threat | revenge, negligence, profit, coercion | legitimate access misused or mishandled |
| Script kiddie or unskilled attacker | curiosity, bragging rights, easy disruption | commodity tools, noisy activity |
| Shadow IT | convenience rather than attack intent | unmanaged tools or services outside policy |
Different motives change defensive priorities:
| Likely actor | Strongest immediate concern |
|---|---|
| Nation-state or APT | persistence, stealth, data exfiltration, broad investigation scope |
| Organized crime | monetization path, ransomware resilience, fraud controls |
| Hacktivist | public-facing disruption, defacement, reputational visibility |
| Insider | least privilege, auditing, separation of duties, behavioral context |
| Shadow IT | governance gap, unmanaged data movement, unsanctioned exposure |
If an employee with valid access exports unusually large volumes of sensitive data right before resignation, Security+ is usually testing whether you see insider risk and accountability controls, not whether you can name a malware family.
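The insider scenario above turns on behavioral context: the same export volume is benign for one role and alarming for another, and the HR event is what makes the timing suspicious. The following script is an added example (not part of this study page or of CompTIA material) that shows the kind of check a detection engineer would write for it: it builds a per-user baseline of daily export volume from DLP-style events, then flags exports in a window around a resignation notice that far exceed that user's own baseline. The event list, the HR feed, the field layout, the window size and the ratio threshold are all constructed assumptions.

```python
"""Insider-risk check: flag exports that spike around a resignation notice.

Added example for illustration only. EXPORT_EVENTS, RESIGNATIONS, the
window and the ratio threshold are constructed assumptions, not real data.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed DLP/export events: (day, user, bytes exported).
EXPORT_EVENTS = [
    ("2024-05-01", "jdoe", 40_000_000),
    ("2024-05-08", "jdoe", 55_000_000),
    ("2024-05-15", "jdoe", 50_000_000),
    ("2024-05-22", "jdoe", 45_000_000),
    ("2024-06-10", "jdoe", 900_000_000),    # two days before notice
    ("2024-06-11", "jdoe", 1_200_000_000),  # day before notice
    ("2024-05-03", "asmith", 700_000_000),  # routinely large, no notice
    ("2024-05-17", "asmith", 650_000_000),
    ("2024-06-05", "asmith", 720_000_000),
]
# Constructed HR feed: user -> day the resignation notice was filed.
RESIGNATIONS = {"jdoe": "2024-06-12"}


def flag_pre_resignation_exports(events, resignations, window_days=14, ratio=5.0):
    """Return {user: [(day, bytes, ratio_to_baseline), ...]}.

    A user is examined only if HR has a resignation notice for them. Days
    within window_days on either side of the notice are compared against
    that user's own mean daily volume from before the window. Raw volume
    alone is never the trigger: a user who always moves a lot of data and
    has given no notice (asmith above) is not reported by this check.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in events:
        per_day[user][date.fromisoformat(day)] += nbytes

    flagged = {}
    for user, notice in resignations.items():
        notice_day = date.fromisoformat(notice)
        start = notice_day - timedelta(days=window_days)
        end = notice_day + timedelta(days=window_days)
        days = per_day.get(user, {})
        baseline_days = [v for d, v in days.items() if d < start]
        in_window = {d: v for d, v in days.items() if start <= d <= end}
        baseline = mean(baseline_days) if baseline_days else None

        hits = []
        for d in sorted(in_window):
            v = in_window[d]
            if baseline is None:
                # No history to compare against (new hire, new data source):
                # surface the export with no ratio so an analyst reviews it.
                hits.append((d.isoformat(), v, None))
            elif v >= ratio * baseline:
                hits.append((d.isoformat(), v, round(v / baseline, 1)))
        if hits:
            flagged[user] = hits
    return flagged


if __name__ == "__main__":
    for user, hits in flag_pre_resignation_exports(EXPORT_EVENTS, RESIGNATIONS).items():
        for day, nbytes, r in hits:
            print(f"{user} {day} {nbytes:>13} bytes  x{r if r is not None else '?'} baseline")
```

The exam-relevant point the code makes explicit: the controls that catch this are audit logging of access that is already legitimate, a per-user baseline, and a feed from HR, none of which involve malware signatures.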
CompTIA includes shadow IT because unmanaged technology creates real risk even when there is no malicious intent. A department using an unsanctioned SaaS app to move sensitive data may create the same exposure path that an attacker later exploits.
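Shadow IT is found rather than reported, usually by comparing outbound traffic against the list of sanctioned services. The script below is an added example (not from this page or from CompTIA) of that discovery step: it parses constructed web-proxy log lines, keeps only upload-style requests (POST, PUT, PATCH), ignores hosts that belong to a sanctioned domain, and totals bytes sent per unsanctioned host along with the users involved. The log format, the host names, the sanctioned list and the minimum-bytes cutoff are all assumptions chosen for the illustration.

```python
"""Shadow IT discovery: unsanctioned upload destinations from proxy logs.

Added example for illustration only. PROXY_LOG, SANCTIONED and the byte
cutoff are constructed assumptions, not a real environment.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allow-list of approved services. Subdomains are covered too.
SANCTIONED = {"sharepoint.corp.example", "crm.saas-vendor.example"}

# Constructed proxy lines: timestamp user method url bytes_sent
PROXY_LOG = """\
2024-06-03T09:12:01Z alice POST https://files.sharepoint.corp.example/upload 52428800
2024-06-03T09:15:44Z alice GET https://cdn.static.example/app.js 0
2024-06-03T10:02:10Z bob POST https://api.pasteshare.example/new 3145728
2024-06-03T10:05:33Z carol PUT https://www.freeshare.example/api/v1/files 734003200
2024-06-03T11:40:05Z bob POST https://www.freeshare.example/api/v1/files 104857600
2024-06-03T12:01:17Z dave POST https://www.freeshare.example/login 512
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def is_sanctioned(host, sanctioned):
    """True if host is an approved domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in sanctioned)


def unsanctioned_uploads(log_text, sanctioned, min_bytes=1_000_000):
    """Return {host: {"bytes": total_sent, "users": sorted users}} for hosts
    outside the sanctioned set that received at least min_bytes of upload
    traffic, largest first. Tiny POSTs (logins, form submits) fall below the
    cutoff so the report focuses on data actually leaving the organization.
    """
    totals = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, method, url, nbytes = line.split()
        if method not in UPLOAD_METHODS:
            continue
        host = urlsplit(url).hostname
        if host is None or is_sanctioned(host, sanctioned):
            continue
        totals[host] += int(nbytes)
        users[host].add(user)

    report = {
        host: {"bytes": total, "users": sorted(users[host])}
        for host, total in totals.items()
        if total >= min_bytes
    }
    return dict(sorted(report.items(), key=lambda kv: kv[1]["bytes"], reverse=True))


if __name__ == "__main__":
    for host, info in unsanctioned_uploads(PROXY_LOG, SANCTIONED).items():
        print(f"{host:32} {info['bytes']:>12} bytes  users={','.join(info['users'])}")
```

The output is a governance finding, not an incident: the users are moving data for convenience. The reason it still matters for the exam is that the same unmanaged path now holds sensitive data with none of the organization's controls in front of it.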
A company discovers slow, careful data theft from a research environment. The attacker used valid credentials, avoided noisy scanning, and stayed active for months. Which response focus is strongest first?
A. Treat it like an ordinary prank and reset one user password
B. Assume a potentially persistent, high-capability intrusion and expand investigation scope around access, dwell time, and data exposure
C. Focus only on replacing end-user keyboards
D. Disable all logging so the attacker cannot study system output
Best answer: B. Valid credentials, no noisy scanning, and months of dwell time point toward a stealthy, high-capability actor, so the response needs broader investigation discipline (scope of access, duration, what data was reachable) than a one-off noisy intrusion would. A single password reset assumes one account and one entry point, and turning off logging destroys the evidence the investigation depends on.
Continue with 2.2 Threat Vectors & Attack Surfaces to separate actor intent from the path used to reach the target.