Today, CrowdStrike and Microsoft announced a strategic alliance to bring clarity and coordination to the way organizations label threat actor groups. This strategic collaboration represents the efforts of two organizations to put the customer first, because good versus evil is the true fight. Together, we chose to prioritize the good fight to help make the world more secure.
As cybersecurity becomes increasingly central to business resilience and national security, the challenge of adversary attribution has grown more urgent. Over the past several decades, multiple naming systems have emerged — each shaped by the unique vantage points of vendors and researchers. While these systems offer valuable insights, they’ve also created fragmentation, confusion, and complexity.
The goal: deconflicting adversary names to build a cohesive and enduring mapping of existing naming systems to one another. In addition, where telemetry complements one another, there’s an opportunity to extend attribution across more planes and vectors — building a richer, more accurate view of adversary campaigns that benefits the entire community.
Cybersecurity leaders, executive teams, and boards increasingly seek clear answers: Who is targeting us? How are they doing it? And why? To deliver those answers, attribution must be clearer, faster, and more consistent.
In cybersecurity, understanding an adversary’s identity, capabilities, and intent is critical to intelligent cyber defense. Attribution matters. Despite cyber threat intelligence tracking a multitude of threat actors for many decades, accurately attributing malicious activity continues to be difficult. Vendors and researchers often see different parts of the same puzzle — or entirely different puzzles — due to differences in telemetry. Organizations also have different standards and analytic maturity, which results in varying levels of visibility into threat activity and divergent perspectives on what’s being tracked.
Bringing Clarity to Cyber Threat Attribution Across Vendors
While a single universal naming standard is not practical and may not be possible, defenders shouldn’t have to spend countless cycles trying to delineate if COZY BEAR is the same as APT29, or UNC2452, or Midnight Blizzard.
The Vision
CrowdStrike and Microsoft are proud to take the first step, but we know this must be a community-led initiative to succeed. Together, the companies have already deconflicted more than 80 threat actors through direct, analyst-led collaboration. These represent some of the most active and sophisticated adversaries in the world.
The alliance will help the industry better correlate threat actor aliases without imposing a single naming standard. It will grow in the future to include other organizations that also practice the art of attribution.
How We’ll Get There
- Enabling action: This collaboration isn’t just about aligning names — it’s about enabling action. By clarifying who is being referenced in threat reports, SOC analysts, incident responders, and CISOs can more quickly assess risk, prioritize response, and communicate with clarity across internal teams and external partners. Better alignment leads to faster decisions, and in cybersecurity, speed is a defensive advantage.
- Aligning taxonomy: While each company maintains proprietary telemetry, we’ve demonstrated the value of analyst-driven collaboration to clarify overlaps and align naming across known threat actors. For example, through this effort we have successfully deconflicted more than 80 adversaries.
- Working from the same sheet of music: As CrowdStrike and Microsoft align the adversaries tracked between the two companies, we’re building what many might call a “Rosetta Stone.” This concept has been tried before, but largely has resulted in a single researcher or group of researchers tracking open source information and trying to make analytic judgments that what one company tracks is the same as what another company blogged about. This collaboration is different. Through mutual effort and analyst-led deconfliction, we will combine resources to maintain a mapping for the community and make it available to all those who engage these adversaries on the cyber battlefield.
- Providing organizational governance: As we build on this collaboration, we’re exploring a coordinated approach to maintain the mapping and engage trusted partners, starting with a small, focused contributor group. The working group will be led by Microsoft and CrowdStrike to ensure we bring the right partners together, define an analytic process for updating and maintaining attribution mappings as the threat landscape evolves, and ensure this intelligence is available to the broader community.
We believe the industry must do better and we’re taking the lead with our partners to make that happen.
Below is a sample of the adversaries we’ve deconflicted to date, but this is just the beginning. We look forward to expanding this work and inviting trusted contributors to join us, maintaining the mapping as adversaries evolve, and delivering clarity that empowers defenders at every level.
Downloadable Excel
