# Threat Actors ## **Understanding Threat Actors** Threat actors are individuals, groups, or entities responsible for carrying out malicious activities that can harm systems, networks, or data. They are often motivated by financial gain, espionage, ideology, or disruption. Threat actors can range from lone hackers to organized crime groups, nation-states, or insider threats. ### **Key Metrics to Monitor** **Critical Actors**: Threat actors posing a high risk due to their capability and intent. **Active Actors**: The total number of threat actors currently engaging in malicious activities. **Threat Activity Timeline**: Tracks the frequency and volume of attacks over time (e.g., API hits). **Threat Actor Map**: Geographically maps the origin of threat actors.

### Threat Actor Attributes Akto derives User threat actors directly from inbound API traffic observed during runtime analysis. Following attributes are presented in the actors list:

Attribute	Description	Investigation Value
Actor ID	Unique identifier derived from the source IP address.	Enables correlation of attack activity across APIs and time.
Actor IP	Network address associated with the actor.	Supports blocking, rate limiting, and forensic analysis.
Country	Geolocation inferred from the actor IP.	Helps identify regional attack patterns.
IP Reputation	Reputation metadata associated with the actor IP.	Provides contextual risk signals for prioritization.
Latest Host	Hostname targeted by the actor.	Identifies the API surface under attack.
Latest API	Most recent API endpoint accessed by the actor.	Shows the affected API operation.
Latest Attack	Attack category detected for the request.	Indicates the security issue type observed.
Access Type	Exposure level of the API endpoint.	Differentiates public and restricted APIs.
Sensitive Data	Indicator of sensitive data involvement.	Highlights potential data exposure risk.
Status	Current state of the threat actor.	Shows whether the actor remains active.
Detected At	Timestamp of first detection.	Supports incident timeline reconstruction.

{% hint style="success" %} ### Note IP reputation information is sourced from a third-party threat intelligence provider and includes contextual signals such as ISP, usage type, abuse reports, and whitelist status. Akto consumes this data to enrich threat actor context and does not generate or modify reputation scores. {% endhint %} ## **How to configure Threat Actors** By default Akto's Threat Protection module uses the client's IP address to identify a threat actor. To configure threat actors, navigate to the Settings -> Threat Configuration section in left nav bar. **Example Configuration** * **Type**: `hostname` * **Hostname**: `dev.*com` * **Header Name**: `authorization` This configuration will monitor any requests from hostnames matching dev.\*com (e.g., dev.example.com) that include an authorization header, identifying the threat actors uniquely based on the value of authorization header.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.akto.io/api-protection/concepts/threat-actors.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.