The way threat actors are named across the cybersecurity industry has been a long-standing pain point, slowing down response times and making it harder for defenders to connect the dots.
CrowdStrike and Microsoft are teaming up to fix that. Their new collaboration maps threat actor aliases across both platforms, giving security teams a clearer, more unified view of adversary activity so they can act faster and with more confidence.
The cybersecurity world has never had a single way to name threat actors, because each vendor brings its own lens, data, and naming conventions. While that diversity can be useful, it also creates noise when the same threat actor goes by different names depending on the platform.
The new CrowdStrike-Microsoft collaboration aims to cut through that noise. Instead of pushing for a single naming standard, they have built a shared mapping framework that links aliases across ecosystems. That means defenders can more easily connect the dots, such as recognizing that COZY BEAR and Midnight Blizzard are the same group, and move faster when it matters most.
The initial phase of the collaboration is analyst-driven, focusing on harmonizing known adversary profiles. Already, the effort has led to alignment on more than 80 threat actors, confirming that certain entities identified separately by CrowdStrike and Microsoft are in fact the same. These connections improve defenders’ ability to track activity, understand motivations, and plan effective countermeasures across diverse toolsets and data sources.
For example, the alignment confirmed that CrowdStrike’s VANGUARD PANDA and Microsoft’s Volt Typhoon both represent the same China-nexus threat group. Similarly, Secret Blizzard and VENOMOUS BEAR have been identified as aliases for a known Russian state-affiliated actor. By validating these relationships, the mapping initiative enhances threat awareness without introducing new complexity.
This collaboration is just the beginning. Both companies plan to extend the mapping framework to include other cybersecurity vendors and threat intelligence contributors. The goal is to maintain a living resource that supports a more unified understanding of the global threat landscape.