Actor → shared TTPs → other actors
From a named threat actor, list its MITRE ATT&CK techniques, then pivot through those techniques to every OTHER actor that shares the same tradecraft — ranked by how much they share. The suspect-widening move no fixed-verb tool ships.
| technique |
|---|
| Junk Data |
| OS Credential Dumping |
| LSASS Memory |
| NTDS |
| Data from Local System |
| Rootkit |
| actor | shared techniques |
|---|---|
| Kimsuky | 22 |
| OilRig | 21 |
| Lazarus Group | 20 |
The one query behind this

```cypher
MATCH (a:ACTOR {name: $actor})-[:USES_TECHNIQUE]->(t:ATTACK_PATTERN)
RETURN t.name AS technique LIMIT 50
```

As written, this query covers the first hop only: it returns the seed actor's technique list (the first table above). The actor ranking in the second table comes from the second hop back out of those ATTACK_PATTERN nodes to the other ACTOR nodes that use them.

Snapshot from a max-depth run on Jun 26, 2026. Run it again for live data.
Free tier — no credit card. Runs up to 3 hops deep; Pro goes to 5.
What it solves
When you have one actor, the next question is who else works the same way. This answers it from the graph instead of a manual literature review.
The run reads an actor’s techniques, then widens to other actors using the same ones, ranked by how much they overlap. It is the suspect-widening move fixed-verb tools do not ship.
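The pivot described above, as an added example that is not part of the original page or the product's own code. It walks the same actor → technique → actor pattern over an in-memory dict instead of the graph database, so the ranking logic can be read and tested offline. It goes one step beyond the page: besides the raw shared-technique count the page ranks by, it computes a Jaccard overlap and a rarity-weighted score, because a raw count favours actors with very large technique catalogues and treats tradecraft every actor uses (phishing, scheduled tasks) as strongly as tradecraft only a handful share. The actor names, technique sets and the second-hop Cypher shown in the comment are constructed assumptions for illustration, not data or queries from the page.

```python
"""Actor -> shared TTPs -> other actors, ranked by overlap.

Mirrors the graph pattern the page describes,
  (a:ACTOR)-[:USES_TECHNIQUE]->(t:ATTACK_PATTERN)<-[:USES_TECHNIQUE]-(b:ACTOR),
over a plain dict. The equivalent second-hop query in the page's schema
(assumed; only the first hop appears on the page) would be:
  MATCH (a:ACTOR {name: $actor})-[:USES_TECHNIQUE]->(t:ATTACK_PATTERN)
        <-[:USES_TECHNIQUE]-(b:ACTOR)
  WHERE b <> a
  RETURN b.name AS actor, count(DISTINCT t) AS shared ORDER BY shared DESC
count(DISTINCT t) is what keeps one row per actor instead of one per path.
"""
import math
from collections import Counter
from typing import Dict, List, Set

# Constructed sample graph: actor -> techniques it uses. Illustrative only,
# NOT the page's snapshot and not claims about any real group. SeedActor
# shares common tradecraft with GroupA/GroupC and rarer tradecraft with GroupB.
ACTOR_TECHNIQUES: Dict[str, Set[str]] = {
    "SeedActor": {
        "Phishing", "Scheduled Task", "Ingress Tool Transfer", "Masquerading",
        "OS Credential Dumping", "LSASS Memory", "Data from Local System",
        "NTDS", "Rootkit", "Junk Data",
    },
    "GroupA": {
        "Phishing", "Scheduled Task", "Ingress Tool Transfer", "Masquerading",
        "OS Credential Dumping", "LSASS Memory", "Data from Local System",
        "Web Shell",
    },
    "GroupB": {"Phishing", "LSASS Memory", "NTDS", "Rootkit", "Junk Data", "Web Shell"},
    "GroupC": {
        "Phishing", "Scheduled Task", "Ingress Tool Transfer", "Masquerading",
        "OS Credential Dumping", "Data from Local System", "Web Shell",
    },
    "GroupD": {"Web Shell"},
}


def techniques_of(actor: str, graph: Dict[str, Set[str]] = ACTOR_TECHNIQUES) -> Set[str]:
    """First hop: the techniques one actor uses (what the page's query returns)."""
    return set(graph.get(actor, ()))


def technique_prevalence(graph: Dict[str, Set[str]]) -> Counter:
    """Number of actors using each technique; drives the rarity weighting."""
    prevalence: Counter = Counter()
    for techniques in graph.values():
        prevalence.update(techniques)
    return prevalence


def shared_actors(seed: str, graph: Dict[str, Set[str]] = ACTOR_TECHNIQUES) -> List[dict]:
    """Second hop: every other actor that shares at least one technique with `seed`.

    Each row carries three overlap measures:
      shared   - raw count of shared techniques (the page's ranking)
      jaccard  - shared / union, penalising actors with huge toolboxes
      weighted - sum of log(N / prevalence) over shared techniques (IDF-style):
                 a technique every actor in the graph uses contributes 0,
                 a technique only two actors use contributes the most
    Rows are sorted by raw count, ties broken by weighted score, then name.
    """
    seed_techniques = techniques_of(seed, graph)
    if not seed_techniques:
        return []
    prevalence = technique_prevalence(graph)
    n_actors = len(graph)
    rows = []
    for other, techniques in graph.items():
        if other == seed:
            continue  # the seed trivially matches itself; never list it
        shared = seed_techniques & techniques
        if not shared:
            continue
        rows.append({
            "actor": other,
            "shared": len(shared),
            "jaccard": round(len(shared) / len(seed_techniques | techniques), 3),
            "weighted": round(sum(math.log(n_actors / prevalence[t]) for t in shared), 3),
            "techniques": sorted(shared),
        })
    rows.sort(key=lambda r: (-r["shared"], -r["weighted"], r["actor"]))
    return rows


def rank_by(rows: List[dict], measure: str) -> List[str]:
    """Actor names ordered by one overlap measure, highest first."""
    return [r["actor"] for r in sorted(rows, key=lambda r: (-r[measure], r["actor"]))]


if __name__ == "__main__":
    result = shared_actors("SeedActor")
    for row in result:
        print(f'{row["actor"]:8} shared={row["shared"]} jaccard={row["jaccard"]} '
              f'weighted={row["weighted"]} {row["techniques"]}')
    print("by raw count :", rank_by(result, "shared"))
    print("by rarity    :", rank_by(result, "weighted"))
```

On the constructed data the raw count puts GroupA first (seven shared techniques, all of them common), while the rarity-weighted score puts GroupB first because it shares NTDS, Rootkit and Junk Data, which only the seed and GroupB use. When you read a shared-techniques ranking like the one on this page, check which techniques are doing the sharing before treating the top row as the closest match.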
Without the graph, you read one actor profile, then hand-compare it against the others using:
- a TI platform
- the ATT&CK navigator
- analyst notes
Dig deeper
Read the how-to
The documentation for this flow — the queries explained, with variants you can adapt.
Open the documentation →
Related flows
All use cases →
Indicator Investigation
Drop in any domain, IP, ASN, or prefix and get back a verdict you can defend, with the evidence and sources attached.
Map adversary infrastructure
Start from one C2 domain and let a single query walk shared registrant, nameserver, and announcing network to surface campaign siblings.