Understanding the Threat Landscape

What Is the Threat Landscape and Why Does It Matter?

According to the Verizon 2024 Data Breach Investigations Report (DBIR), over 10,000 confirmed data breaches were analysed in a single year, making threat landscape awareness one of the most essential foundations for any cybersecurity career.

Every cybersecurity job exists because threats exist. If you want to work in security, you need to understand what you are defending against.

This page gives you a clear picture of who attacks systems, how they do it, and what the current threat environment looks like. You do not need any technical background to follow along. If you are switching from a non-IT career, this is the context that makes the rest of your learning make sense.

Understanding threats also matters in practical ways:

  • Job interviews expect you to describe common attack types and threat actors.
  • Certification exams like CompTIA Security+ (SY0-701) dedicate an entire domain to threats, vulnerabilities, and mitigations.
  • Day-one SOC work involves triaging alerts that map directly to attack categories you will learn here.
  • Risk conversations require you to explain threats in plain language to non-technical stakeholders.

You do not need to memorise every detail on this page. Focus on understanding the patterns. The specific tools and techniques will come later as you study and build lab experience.

A threat actor is defined by NIST SP 800-30 as any individual or group with the intent and capability to exploit vulnerabilities in information systems, networks, or people. Understanding their motivations is fundamental to effective threat modelling and risk assessment.

A threat actor is anyone or any group that attempts to exploit vulnerabilities in systems, networks, or people. Understanding their motivations helps you predict what they will target and how they will behave.

Nation-State Actors

These are government-sponsored groups with significant funding, time, and technical expertise. They target critical infrastructure, government agencies, defence contractors, and intellectual property.

Examples include groups attributed to China (APT41), Russia (APT29/Cozy Bear), North Korea (Lazarus Group), and Iran (APT33). Their operations are patient and well-resourced, sometimes remaining undetected inside networks for months or years.

Why it matters for beginners: You will not face nation-state actors in your first job, but understanding their tactics helps you appreciate why organisations invest heavily in detection and response capabilities.

Cybercriminals

These are financially motivated attackers. They range from solo operators to sophisticated criminal organisations that run ransomware-as-a-service platforms, sell stolen data on dark web marketplaces, or operate business email compromise schemes.

According to the FBI Internet Crime Complaint Center (IC3), reported cybercrime losses exceeded $12.5 billion in 2023. The actual total is likely much higher because many incidents go unreported.

Why it matters for beginners: Cybercriminals are responsible for the majority of attacks that SOC analysts, incident responders, and security engineers deal with day to day.

Hacktivists use cyberattacks to promote political or social causes. Their methods typically include website defacement, distributed denial-of-service attacks, and data leaks intended to embarrass targets. Groups like Anonymous are well-known examples.

Insider Threats

Not every threat comes from outside. Insiders include disgruntled employees, careless staff who fall for phishing, or contractors with excessive access. According to the Ponemon Institute, insider threat incidents cost organisations an average of $15.4 million annually (2022 Cost of Insider Threats Global Report).

If you have worked in any organisation, you already understand how much access employees have. That experience is genuinely useful in security roles.

Script kiddies are inexperienced attackers who use pre-built tools and exploit code without fully understanding how they work. They are less sophisticated but can still cause real damage, especially against organisations with weak security baselines.

Ethical and legal warning: Understanding threat actors is essential for defenders, but using any of these techniques against systems you do not own or have explicit written permission to test is illegal in most jurisdictions. Cybersecurity knowledge should only be used defensively and within legal boundaries. Laws such as the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and the Criminal Code Act (Australia) carry serious penalties.

Learning about threat actors was the moment cybersecurity stopped being an abstract career option for me and started feeling like a mission. I read about ransomware shutting down hospitals, phishing campaigns targeting aged care facilities like the ones I’d worked at in Adelaide, and small businesses losing everything to a single compromised email. These weren’t hypothetical scenarios — they were happening to organisations I understood. That urgency hasn’t faded. It’s what keeps me studying on tired evenings after long days, because the people and places that need defending are real.

Not all threat actors are equally dangerous. The following diagram ranks them by capability, from the most resourced at the top to the least sophisticated at the bottom:

Threat Actor Hierarchy: understanding who attacks systems and their relative capability

  • Nation-State Actors: government-sponsored, highest capability, geopolitical motives
  • Organised Cybercriminals: financially motivated, ransomware, data theft
  • Hacktivists: politically or socially motivated, defacement, DDoS
  • Insider Threats: employees or contractors, accidental or malicious
  • Script Kiddies: low skill, use pre-built tools, opportunistic

The two most dangerous categories — nation-state actors and cybercriminals — operate very differently despite both posing serious risks:

Nation-State vs Cybercriminal Threat Actors

Nation-State Actors
  • Geopolitical motives: espionage, sabotage, influence
  • Unlimited resources: government-funded, long-term operations
  • Advanced techniques: zero-days, custom malware, supply chain
  • Targeted attacks: specific organisations or infrastructure

Cybercriminals
  • Financial motives: ransomware, fraud, data theft
  • Profit-driven: cost-benefit analysis on targets
  • Commodity tools: Ransomware-as-a-Service, phishing kits
  • Opportunistic: target whoever is vulnerable

Verdict: Cybercriminals are the most common threat to most organisations. Nation-state actors target government, critical infrastructure, and high-value enterprises.

Use case: SOC Analysts encounter cybercriminal activity daily. Nation-state attribution is typically handled by senior threat intelligence analysts.

What Are the Key Concepts Behind Threat Analysis?

The MITRE ATT&CK framework catalogues over 600 techniques across 14 tactics that adversaries use in real-world attacks, providing the industry-standard vocabulary for discussing and analysing threats.

Before examining specific attacks, it helps to understand the vocabulary that security teams use when discussing threats. These concepts appear in every security conversation, certification exam, and job interview.

  • Attack surface — The total number of points where an attacker could try to enter or extract data from a system. Every internet-facing service, user account, API endpoint, and connected device expands the attack surface. Reducing the attack surface is a fundamental security goal.
  • Threat vector — The specific path or method an attacker uses to reach a target. Common vectors include email (phishing), exposed network services, compromised credentials, and supply chain dependencies.
  • Vulnerability vs exploit — A vulnerability is a weakness (unpatched software, misconfiguration, weak password). An exploit is the code or technique that takes advantage of that vulnerability. Not every vulnerability has a known exploit, and prioritisation depends on whether one exists. See the vulnerability analysis page for deeper coverage.
  • Zero-day — A vulnerability that is unknown to the vendor and has no patch available. Zero-day exploits are particularly dangerous because defenders have zero days of advance warning. Nation-state actors and advanced cybercriminals are the most likely to use zero-days.
  • CVE (Common Vulnerabilities and Exposures) — A public catalogue maintained by MITRE that assigns a unique identifier (e.g., CVE-2024-12345) to known vulnerabilities. Security teams use CVE IDs to track, communicate about, and prioritise patching. You can search CVEs at cve.mitre.org.
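The vulnerability-versus-exploit and CVE points above are easier to see in a small triage routine. The following is an added example written for this page, not code from the original; it validates CVE identifier syntax with the standard "CVE-YYYY-NNNN" pattern (four-digit year, at least four sequence digits) and ranks constructed findings by whether a public exploit exists, whether the asset is on the external attack surface, and whether a patch is available yet (no patch is the zero-day case). The `Finding` record, the weights in `priority_score`, and the asset names and CVE values other than CVE-2024-12345 are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# CVE identifier syntax: "CVE-" + four-digit year + "-" + at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True if the string is syntactically a CVE identifier."""
    return CVE_ID_RE.fullmatch(cve_id) is not None


@dataclass(frozen=True)
class Finding:
    """One vulnerability found on one asset (hypothetical record shape)."""
    cve_id: str
    asset: str
    internet_facing: bool   # part of the external attack surface?
    exploit_public: bool    # is a working exploit known to exist?
    patch_available: bool   # False means the vendor has no fix yet (zero-day)


def priority_score(f: Finding) -> int:
    """Higher score = fix sooner. The weights are assumptions for this example."""
    score = 0
    if f.exploit_public:
        score += 4          # a known exploit is the strongest signal to act now
    if f.internet_facing:
        score += 2          # reachable from the internet widens who can try it
    if not f.patch_available:
        score += 1          # no fix yet: compensating controls are needed
    return score


# Constructed sample findings; the IDs other than CVE-2024-12345 are placeholders,
# not real vulnerabilities. "CVE24-1" is deliberately malformed.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-0001", "hr-db-01", internet_facing=False, exploit_public=False, patch_available=True),
    Finding("CVE-2024-12345", "web-01", internet_facing=True, exploit_public=True, patch_available=True),
    Finding("CVE24-1", "laptop-07", internet_facing=False, exploit_public=True, patch_available=True),
    Finding("CVE-2023-99999", "vpn-gw-01", internet_facing=True, exploit_public=False, patch_available=False),
]


def triage(findings):
    """Drop records with malformed IDs, then rank the rest, highest priority first."""
    valid = [f for f in findings if is_valid_cve_id(f.cve_id)]
    ranked = sorted(valid, key=priority_score, reverse=True)
    return [(f.cve_id, f.asset, priority_score(f)) for f in ranked]


if __name__ == "__main__":
    for cve_id, asset, score in triage(SAMPLE_FINDINGS):
        print(f"{score}  {cve_id:16} {asset}")
```

Rejecting malformed identifiers before ranking matters in practice: a scanner export or ticket with a mistyped ID cannot be cross-referenced against cve.mitre.org or vendor advisories, so it should be sent back for correction rather than silently scored.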

Understanding these concepts helps you follow the Cyber Kill Chain and make sense of the attack categories below.

What Do Real-World Cyber Attacks Look Like?

According to the Verizon 2024 DBIR, the three most common attack patterns in confirmed breaches are system intrusion, social engineering, and basic web application attacks, together accounting for the majority of incidents across all industries.

Attacks generally fall into a few broad categories. Knowing these helps you recognise alert patterns, understand vulnerability reports, and talk confidently in interviews.

Malware is malicious software designed to damage, disrupt, or gain unauthorised access to systems.

Type | What it does | Real-world example
Virus | Attaches to legitimate files and spreads when the file is executed | ILOVEYOU (2000) spread via email attachments
Worm | Self-replicates across networks without user action | WannaCry (2017) exploited a Windows SMB vulnerability
Trojan | Disguises itself as legitimate software | Emotet started as a banking trojan before becoming a malware delivery platform
Spyware | Secretly monitors user activity and collects data | Pegasus spyware targeted mobile devices worldwide
Rootkit | Hides deep in the operating system to maintain persistent access | Often used by advanced persistent threat groups

Social engineering exploits human psychology rather than technical vulnerabilities. Phishing is the most common form.

  • Phishing sends fraudulent emails that impersonate trusted organisations to steal credentials or deliver malware.
  • Spear phishing targets specific individuals with personalised messages.
  • Whaling targets senior executives.
  • Vishing uses phone calls instead of emails.
  • Smishing uses SMS text messages.
  • Pretexting involves creating a fabricated scenario to trick someone into revealing information or granting access.

According to the Verizon 2024 Data Breach Investigations Report, the human element was involved in 68% of breaches. Social engineering remains the most common initial access method.

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

These attacks overwhelm a target system or network with traffic so that legitimate users cannot access it. A DoS attack comes from a single source. A DDoS attack uses many compromised systems (a botnet) to generate traffic from thousands of sources simultaneously.

DDoS attacks can generate traffic volumes exceeding 1 Tbps. They target availability, the “A” in the CIA triad you learned about in Security Concepts.

In a MitM attack, the attacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly with each other.

Common scenarios include intercepting traffic on unsecured public Wi-Fi, DNS spoofing that redirects users to fake websites, and SSL stripping that downgrades encrypted connections.

Web applications are a major attack surface. The OWASP Top 10 catalogues the most critical web application security risks.

  • SQL injection inserts malicious database queries through input fields to extract, modify, or delete data.
  • Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users.
  • Cross-site request forgery (CSRF) tricks authenticated users into performing actions they did not intend.
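To make the SQL injection and XSS bullets concrete, here is an added example written for this page (not code from the original): a lookup written two ways against an in-memory SQLite table, one that concatenates user input into the SQL text and one that passes it as a bound parameter, plus an HTML-escaping helper for the XSS case. The table, the two constructed user rows, and the function names are assumptions for the example.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """VULNERABLE: the input becomes part of the SQL statement itself."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    """HARDENED: a parameterised query keeps the input as data, never as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_comment(comment: str) -> str:
    """XSS mitigation: escape user-supplied text before placing it in HTML."""
    return f"<p>{html.escape(comment)}</p>"


def demo() -> dict:
    """Run both lookups with a normal username and with an input that alters the query."""
    conn = build_db()
    injected = "' OR '1'='1"   # classic textbook input that changes the WHERE clause
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "alice"),
        "normal_safe": find_user_safe(conn, "alice"),
        "injected_vulnerable": find_user_vulnerable(conn, injected),
        "injected_safe": find_user_safe(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} -> {rows}")
    print(render_comment("<script>alert(1)</script>"))
```

With the normal input both functions return only alice's row. With the altered input the concatenated version returns every row because the WHERE clause has become `username = '' OR '1'='1'`, while the parameterised version searches for a user literally named `' OR '1'='1` and returns nothing. The same principle applies to the XSS case: the browser receives `&lt;script&gt;` as text to display, not a tag to run.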

Ransomware encrypts a victim’s files and demands payment (usually in cryptocurrency) for the decryption key. Modern ransomware groups often use double extortion, threatening to publish stolen data if the ransom is not paid.

Notable incidents include the Colonial Pipeline attack (2021), which disrupted fuel supply across the US East Coast, and the Kaseya VSA attack (2021), which affected over 1,500 organisations through a supply chain compromise.

Certification note: CompTIA Security+ SY0-701 Domain 2 (Threats, Vulnerabilities, and Mitigations) covers all of these attack types. Understanding them now builds the foundation for exam preparation.

The Attack Lifecycle: A Simplified Kill Chain

The industry standard for modelling attack progression is the Lockheed Martin Cyber Kill Chain, originally published in their 2011 paper Intelligence-Driven Computer Network Defense, which defines seven stages that adversaries follow from reconnaissance to action on objectives.

Attacks do not happen in a single step. They follow a predictable sequence. Understanding this sequence helps defenders detect and stop attacks at multiple points.

The Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK framework both describe how attacks progress. Here is a simplified version for beginners:

Reconnaissance

The attacker gathers information about the target. This includes scanning public websites, social media profiles, job postings (which reveal technologies in use), DNS records, and exposed services.

Defender opportunity: Monitor for unusual scanning activity. Limit what information your organisation exposes publicly.

Initial Access

The attacker gets in. Common methods include phishing emails with malicious attachments, exploiting unpatched vulnerabilities in internet-facing systems, compromised credentials from data breaches, or exploiting weak remote access configurations.

Defender opportunity: Email filtering, patch management, multi-factor authentication, and security awareness training all reduce the chance of initial access.

Establish Foothold

Once inside, the attacker installs tools to maintain access. This might include a reverse shell, a web shell on a compromised server, or a scheduled task that reconnects to the attacker’s infrastructure.

Defender opportunity: Endpoint detection and response (EDR) tools, application whitelisting, and monitoring for unusual processes help detect footholds.

Lateral Movement

The attacker moves through the network, escalating privileges and accessing additional systems. They look for credentials stored in memory, misconfigured services, and trust relationships between systems.

Defender opportunity: Network segmentation, least privilege, and monitoring for unusual authentication patterns limit lateral movement.

Action on Objectives

The attacker achieves their goal. This could be exfiltrating sensitive data, deploying ransomware, disrupting operations, or maintaining long-term espionage access.

Defender opportunity: Data loss prevention, encryption, tested backups, and incident response plans reduce the impact when an attacker reaches this stage.

The key insight is that defenders get multiple chances to detect and stop an attack. A strong security programme does not rely on preventing initial access alone. It layers detection and response across every stage.
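The "defender opportunity" notes above describe monitoring for unusual authentication patterns at both the initial access and lateral movement stages. The following added example (written for this page, not code from the original) shows what that looks like as detection logic: it parses constructed sshd-style log lines, counts failed logins per source address inside a sliding two-minute window, flags sources that cross a threshold, records whether a successful login followed the failures, and labels the alert with the kill chain stage implied by where the source sits. The log lines, the threshold of five failures, the two-minute window, and the choice of 10/8, 172.16/12 and 192.168/16 as "internal" ranges are all assumptions for the example; the IP addresses are documentation and private ranges, not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not from a real system). In practice these lines
# would come from a SIEM or from /var/log/auth.log on the host.
SAMPLE_LOG = """\
Mar 14 09:00:01 bastion sshd[1201]: Accepted password for jsmith from 10.0.0.5 port 50210 ssh2
Mar 14 09:01:02 bastion sshd[1210]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 14 09:01:09 bastion sshd[1211]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 14 09:01:15 bastion sshd[1212]: Failed password for invalid user root from 203.0.113.7 port 51024 ssh2
Mar 14 09:01:21 bastion sshd[1213]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 14 09:01:28 bastion sshd[1214]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar 14 09:01:33 bastion sshd[1215]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Mar 14 09:01:40 bastion sshd[1216]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
Mar 14 09:05:00 bastion sshd[1230]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Mar 14 09:10:00 fileserver sshd[2001]: Failed password for svc_backup from 10.0.0.23 port 33001 ssh2
Mar 14 09:10:05 fileserver sshd[2002]: Failed password for svc_backup from 10.0.0.23 port 33002 ssh2
Mar 14 09:10:11 fileserver sshd[2003]: Failed password for svc_backup from 10.0.0.23 port 33003 ssh2
Mar 14 09:10:18 fileserver sshd[2004]: Failed password for svc_backup from 10.0.0.23 port 33004 ssh2
Mar 14 09:10:24 fileserver sshd[2005]: Failed password for svc_backup from 10.0.0.23 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Assumption: these ranges are "inside" the organisation; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
FAIL_THRESHOLD = 5           # assumed tuning value
WINDOW = timedelta(minutes=2)  # assumed tuning value


def parse_line(line):
    """Turn one sshd log line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for ordering
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def max_failures_in_window(times, window):
    """Largest number of failures that fall inside any window of the given length."""
    times = sorted(times)
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def kill_chain_stage(src):
    """An internal source guessing passwords suggests lateral movement; external suggests initial access."""
    addr = ip_address(src)
    return "Lateral Movement" if any(addr in net for net in INTERNAL_NETS) else "Initial Access"


def detect_bruteforce(lines):
    """Return one alert per source address that exceeds FAIL_THRESHOLD failures within WINDOW."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    alerts = []
    for src, events in by_src.items():
        fails = [e for e in events if e["result"] == "Failed"]
        if not fails or max_failures_in_window([e["ts"] for e in fails], WINDOW) < FAIL_THRESHOLD:
            continue
        first_fail = min(e["ts"] for e in fails)
        # a success after the burst is the signal to treat as a likely compromise
        later_success = any(e["result"] == "Accepted" and e["ts"] >= first_fail for e in events)
        alerts.append({
            "source": src,
            "host": events[0]["host"],
            "failures": len(fails),
            "later_success": later_success,
            "stage": kill_chain_stage(src),
            "severity": "high" if later_success else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the external address 203.0.113.7 produces a high-severity Initial Access alert (six failures followed by a success against "admin"), the internal address 10.0.0.23 produces a medium Lateral Movement alert (five failures against a service account, no success yet), and the single failure from 198.51.100.4 is ignored. The threshold and window are where real tuning happens: too low and password typos page the on-call analyst, too high and a slow, patient spray slips through.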

Simplified Cyber Kill Chain: how attacks progress through stages, and where defenders can disrupt them

  • Reconnaissance (target research): OSINT gathering, network scanning
  • Initial Access (entry point): phishing emails, exploiting vulnerabilities
  • Establish Foothold (persistence): install backdoor, create accounts
  • Lateral Movement (expand access): credential theft, network traversal
  • Action on Objectives (mission complete): data exfiltration, ransomware deployment

Further reading: The MITRE ATT&CK framework (attack.mitre.org) provides a comprehensive, regularly updated catalogue of adversary tactics and techniques observed in real-world attacks. It is free and widely used in the security industry.

According to the FBI IC3 2023 Annual Report, reported cybercrime losses exceeded $12.5 billion, a 22% increase over the prior year, driven largely by ransomware-as-a-service, supply chain compromises, and identity-based attacks.

The threat landscape changes constantly. These are the trends shaping cybersecurity work right now.

Ransomware has become a business model. Criminal groups build ransomware platforms and lease them to affiliates who carry out the actual attacks in exchange for a percentage of ransom payments. This lowers the barrier to entry for cybercrime significantly.

Groups like LockBit, BlackCat/ALPHV, and Cl0p have operated large-scale RaaS platforms. CISA regularly publishes advisories about active ransomware groups and their tactics.

Instead of attacking a target directly, adversaries compromise a trusted vendor, software provider, or update mechanism. The SolarWinds attack (2020) compromised a widely used IT management platform, giving attackers access to thousands of organisations including US government agencies. The MOVEit Transfer vulnerability (2023) affected hundreds of organisations through a single file transfer tool.

Supply chain attacks are particularly dangerous because they exploit existing trust relationships and can affect many organisations simultaneously.

Attackers are using artificial intelligence to generate more convincing phishing emails, create deepfake audio and video for social engineering, automate vulnerability discovery, and develop malware that adapts to evade detection.

At the same time, defenders use AI for anomaly detection, automated threat hunting, and faster incident triage. This is an arms race that is accelerating.

Internet of Things devices (smart cameras, industrial sensors, medical devices, building management systems) dramatically expand the attack surface. Many IoT devices ship with weak default credentials, limited patching capability, and minimal security controls.

Operational technology (OT) systems that manage physical processes in manufacturing, energy, water treatment, and transportation are increasingly connected to IT networks, creating new attack paths to critical infrastructure.

Credential theft, session hijacking, and MFA bypass techniques (such as MFA fatigue attacks and adversary-in-the-middle phishing proxies) are increasingly common. Attackers have learned that stealing valid credentials is often easier than exploiting technical vulnerabilities.

What Does Staying Informed Look Like in Practice?

The NIST Cybersecurity Framework (CSF) 2.0 Identify function explicitly calls for organisations to maintain ongoing awareness of cybersecurity threats, making threat intelligence consumption a core professional competency rather than an optional activity.

Security professionals are expected to keep up with the threat landscape throughout their careers. Here are reliable, free sources to start building that habit now.

  • CISA Alerts and Advisories (cisa.gov/news-events/cybersecurity-advisories) — US Cybersecurity and Infrastructure Security Agency publishes actionable alerts about active threats.
  • ACSC Alerts (cyber.gov.au/about-us/view-all-content/alerts-and-advisories) — Australian Cyber Security Centre advisories relevant to Australian organisations.
  • NIST Cybersecurity Resources (csrc.nist.gov) — Standards, frameworks, and vulnerability data.
  • MITRE ATT&CK (attack.mitre.org) — Comprehensive knowledge base of adversary tactics and techniques.
  • Krebs on Security (krebsonsecurity.com) — In-depth investigative reporting on cybercrime.
  • The Record by Recorded Future (therecord.media) — Daily cybersecurity news.
  • BleepingComputer (bleepingcomputer.com) — Breaking security news and vulnerability coverage.
  • SANS Internet Storm Center (isc.sans.edu) — Daily threat summaries and analysis.
  • AlienVault Open Threat Exchange (OTX) — Community-driven threat intelligence sharing.
  • Abuse.ch — Tracks malware and botnet activity.
  • VirusTotal — Free malware analysis and scanning tool.

Tip for beginners: You do not need to read everything. Start with one source (CISA advisories are a good choice) and spend 10-15 minutes per week scanning headlines. Understanding what is happening in the real world makes your study material more meaningful and gives you talking points for interviews.

What Interview Questions Should You Expect About the Threat Landscape?

According to CompTIA’s Security+ SY0-701 exam objectives, Domain 2 (Threats, Vulnerabilities, and Mitigations) accounts for 22% of the exam, making threat landscape knowledge one of the most heavily tested areas for entry-level security professionals.

If you are coming from a non-IT background, the threat landscape can feel overwhelming at first. Here is how to make it useful instead of intimidating.

If you have worked in healthcare, education, finance, retail, or government, you already understand many of the targets and impacts described on this page. You know why patient records need to stay private, why financial systems need to stay accurate, and why operational systems need to stay available. That business context is valuable in security roles where you need to explain risk to non-technical stakeholders.

You do not need to memorise every malware family or threat group name. Focus on understanding the patterns: how phishing works as a concept, why the kill chain has multiple stages, and why defence in depth matters. The specific details change constantly, but the patterns stay remarkably consistent.

The best way to make these concepts stick is to see them in action in a safe environment. Set up a home lab and practise:

  • Identifying phishing indicators in sample emails
  • Recognising suspicious processes and network connections
  • Reviewing logs that show attack patterns
  • Using tools like Wireshark to see network traffic

These are basic commands defenders use to check for signs of the threats discussed on this page. Try them in your home lab to build familiarity:

# Basic threat detection commands
# Check for suspicious network connections
netstat -ano | findstr ESTABLISHED # Windows
ss -tunp state established # Linux (ss prints the state as ESTAB, so grepping for ESTABLISHED would match nothing)
# Check for suspicious processes
tasklist /FI "STATUS eq running" # Windows
ps aux --sort=-%mem | head -20 # Linux — top memory consumers
# Check recent login attempts
last -n 20 # Linux — recent logins
Get-EventLog -LogName Security -Newest 20 # PowerShell — security events

For every attack type on this page, there are corresponding defensive techniques. As you study for certifications and build lab skills, practise mapping threats to controls:

Threat | Defensive control
Phishing | Email filtering, security awareness training, MFA
Ransomware | Tested backups, endpoint detection, network segmentation
Credential theft | MFA, password managers, privileged access management
Unpatched vulnerabilities | Patch management, vulnerability scanning
Lateral movement | Network segmentation, least privilege, monitoring

This mapping exercise is exactly what interviewers and hiring managers look for in entry-level candidates.

Different security roles interact with the threat landscape in different ways:

  • SOC Analyst: Triages alerts mapped to attack techniques, uses threat intelligence to prioritise investigations.
  • Incident Responder: Traces attacks through kill chain stages, identifies indicators of compromise.
  • Security Engineer: Builds and tunes controls to defend against specific threat categories.
  • GRC Analyst: Assesses organisational risk based on the threat landscape and recommends controls.
  • Penetration Tester: Simulates attacker techniques (with authorisation) to find weaknesses before real attackers do.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

The threat landscape is the context that gives every other cybersecurity topic its purpose.

  • Threat actors range from nation-states to script kiddies, each with different motivations, resources, and targets.
  • Common attacks follow predictable categories: malware, phishing, denial of service, man-in-the-middle, web application attacks, and ransomware.
  • The kill chain shows that attacks progress through stages, giving defenders multiple opportunities to detect and respond.
  • Current trends include ransomware-as-a-service, supply chain attacks, AI-powered threats, and identity-based attacks.
  • Staying informed through sources like CISA, MITRE ATT&CK, and security news is a career-long habit worth starting now.
  • Your non-IT background gives you valuable context about the business impacts of threats. Combine that with technical knowledge and you become a stronger candidate.

Understanding threats is not about fear. It is about knowing what you are preparing to defend against so your study, lab work, and career preparation are focused and effective.

According to the ASD Annual Cyber Threat Report, Australia receives a cybercrime report approximately every six minutes, underscoring the scale of threats facing Australian organisations and individuals.

Australia faces a significant and growing cyber threat. According to the ASD Annual Cyber Threat Report, Australia receives a cybercrime report approximately every six minutes, highlighting the scale of malicious activity targeting Australian individuals and organisations. The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), is the primary body responsible for monitoring and responding to cyber threats nationally. Australian organisations and individuals can report cyber incidents to the ACSC via cyber.gov.au.

Several high-profile incidents have shaped Australia’s cyber awareness in recent years. The Optus data breach in September 2022 exposed the personal information of up to 9.8 million current and former customers. The Medibank Private breach in October 2022 compromised sensitive health data of approximately 9.7 million people, with stolen records later published on the dark web. The Latitude Financial breach in March 2023 affected approximately 14 million customer records, including driver’s licence and passport numbers. These incidents led to significant regulatory changes, including increased penalties under the Privacy Act 1988 (Cth) for serious or repeated privacy breaches, as of late 2022.

The ASD Essential Eight is the Australian Government’s baseline mitigation framework, recommended for all organisations. It consists of eight strategies — application control, patching applications, configuring Microsoft Office macros, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups — designed to make it significantly harder for adversaries to compromise systems. Australian employers, particularly in government and critical infrastructure, expect security professionals to understand and be able to implement the Essential Eight. For career changers studying the threat landscape, mapping real-world Australian incidents to Essential Eight controls is an excellent interview preparation exercise.

The ACSC publishes regular alerts and advisories at cyber.gov.au, covering threats relevant to Australian organisations. Following ACSC advisories alongside international sources like CISA and MITRE ATT&CK gives you a well-rounded view of both the global and Australian threat environments.

Frequently Asked Questions

What is the most common type of cyber attack?

Phishing is the most common initial attack vector. According to the Verizon Data Breach Investigations Report, the human element is involved in approximately 68% of breaches, with phishing and social engineering leading the way as the primary method attackers use to gain initial access.

What is ransomware?

Ransomware is malware that encrypts a victim's files and demands payment, usually in cryptocurrency, for the decryption key. Modern ransomware groups often use double extortion, threatening to publish stolen data if the ransom is not paid.

What is social engineering?

Social engineering is the practice of manipulating people into revealing confidential information or performing actions that compromise security. It exploits human psychology rather than technical vulnerabilities, and includes techniques like phishing, pretexting, vishing, and smishing.

What is the Cyber Kill Chain?

The Cyber Kill Chain is a model developed by Lockheed Martin that describes the stages of a cyber attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Defenders can use it to identify and disrupt attacks at each stage.

How do I stay updated on new cybersecurity threats?

Start with one reliable free source like CISA advisories and spend 10 to 15 minutes per week scanning headlines. Other good sources include MITRE ATT&CK, Krebs on Security, BleepingComputer, and the SANS Internet Storm Center.

What is a threat actor?

A threat actor is any individual or group that attempts to exploit vulnerabilities in systems, networks, or people. Categories include nation-state actors, cybercriminals, hacktivists, insider threats, and script kiddies, each with different motivations, resources, and levels of sophistication.

What is a supply chain attack?

A supply chain attack compromises a trusted vendor, software provider, or update mechanism to reach the actual target. The SolarWinds attack in 2020 is a well-known example where attackers compromised an IT management platform to gain access to thousands of organisations.

What is the difference between a virus and a worm?

A virus attaches to legitimate files and requires user action to spread, such as opening an infected attachment. A worm self-replicates across networks without user interaction, making it capable of spreading much faster.

What is a DDoS attack?

A Distributed Denial of Service attack uses many compromised systems, called a botnet, to overwhelm a target with traffic so that legitimate users cannot access it. DDoS attacks target availability and can generate traffic volumes exceeding 1 Tbps.

Do I need to know every malware family to work in cybersecurity?

No. Focus on understanding attack patterns and categories rather than memorising specific malware names. The patterns stay consistent even as specific threats change. Knowing how phishing works, why the kill chain has stages, and how to map threats to defences is far more valuable than memorising malware families.


Technical content verified in March 2026 against the MITRE ATT&CK framework, CISA advisories, the Verizon 2024 DBIR, NIST CSRC resources, and the OWASP Top 10. Threat landscape information is current as of publication but changes rapidly — verify specific details against the linked sources.