A threat actor is the entity in your threat model that wants to do the harm. Cybersecurity vocabulary breaks them into tiers by capability and resourcing: opportunistic (script kiddies, automated attacks), criminal (organized cybercrime, ransomware operators), commercial (private investigators, corporate intelligence), state-sponsored (intelligence services, advanced persistent threats), and the residual category of insider threats (employees, family members, ex-partners with prior access).
What it means in practice
Naming the threat actor with precision changes everything. “Hackers” is not a threat actor; it is a category that conflates adversaries with three orders of magnitude difference in resources. The opportunistic crew running a credential-stuffing botnet against a leaked password dump is a different problem from the commercial spyware operator running Pegasus, which is a different problem again from the spouse who installed mSpy on your phone last weekend. Each tier maps to a different defensive stack, a different cost ceiling, and a different set of false-positive risks (worry too much about Pegasus and you will skip the basic Mullvad subscription that addresses 80% of your actual exposure).
Who is targeted, and by whom
Most readers face a stable mix: opportunistic crews via password reuse and phishing, criminal actors via credential stuffing and SIM swap, ex-partners or family via consumer stalkerware and cloud-account residue. A subset face commercial actors: divorce clients with hostile counsel, executives in litigation, public figures attracting attention. A smaller subset face state-sponsored threats: high-profile journalists, prominent activists, lawyers representing political prisoners, NGO staff in authoritarian states. The Predaxia editorial framework matches recommendations to threat-actor tier so the cost-benefit math is honest, not maximalist.
What you can change today
In your threat model document, replace “hackers” with the named threat actors most likely to engage. If you cannot name them, you do not know enough yet, and the right action is reading rather than buying tools. Citizen Lab’s annual report names actor groups by region and target type. Recorded Future, Mandiant, and Microsoft Threat Intelligence publish public attribution work. For non-state threats, the Coalition Against Stalkerware and EFF’s Surveillance Self-Defense site cover the consumer end. Reading 90 minutes per quarter shifts your threat actor list from generic to specific, and that shift alone reorders your countermeasure budget.