Compound APT (cAPT) and X-ISAC - Public Request for Comments
Why the Concept of Compound APT (cAPT)
Compound APTs: Toward a Systems-Level Understanding of Modern Intrusions
Traditional cyber threat intelligence models are built around the assumption that attacks originate from a single, well-defined Advanced Persistent Threat (APT) group, whose motives, tools, and targets can be profiled with relative stability. That assumption no longer holds in today's threat landscape. Modern large-scale intrusions increasingly exhibit compound characteristics: multiple APT groups, whether intentionally collaborating, opportunistically overlapping, or unknowingly interfering with one another, converge within the same target ecosystem. These Compound APTs form dynamic, multi-faceted threat constellations that evolve over time, leveraging shared infrastructure, reused exploits, and intersecting attack vectors. The result is a non-linear amplification of impact, where the combined activity of several adversaries generates systemic disruption that exceeds the sum of their individual operations. Such compound activity often undermines traditional detection logic, attribution models, and incident response playbooks designed for single-actor campaigns. For organizations operating in complex digital ecosystems, the emergence of Compound APTs represents a new frontier of cyber-resilience risk, one where threat identification, prioritization, and mitigation require a systems-level perspective capable of recognizing and responding to adversarial convergence rather than isolated actor behavior.
The Request For Comments (RFC) is open.
Definition
A Compound APT (cAPT) is an intrusion where multiple APT groups—collaborating, overlapping, or interfering—operate within the same environment, creating amplified, non-linear impact that defeats single-actor detection and requires a systems-level resilience approach.
Cyber Resilience Relevance of cAPTs
The practical consequences for defenders are profound. Attribution becomes ambiguous, because indicators and behaviours cannot be cleanly associated with a single threat group. Detection logic traditionally built around characteristic TTP signatures suffers when those same techniques appear across multiple actors operating concurrently. Most importantly, the presence of multiple actors interacting within the same environment creates systemic uncertainty. Their combined activity often extends dwell time, increases noise, and complicates containment. In some cases, one adversary inadvertently shields another; in others, their interference produces gaps in logging or misleads analysts.
Use-Case: Clustering APTs by TTP for Prioritized Cyber Resilience Controls
To address this complexity, our work shifted away from traditional, identity-centric intelligence models and toward the behaviours that shape intrusions. By clustering APT groups according to their MITRE ATT&CK TTPs, we examined not who the actors are but how they operate. This behavioural lens reveals points of convergence: techniques, access paths, and operational patterns that repeatedly co-occur across otherwise unrelated groups. Instead of treating each actor as an isolated entity, we treated them as components of a broader behavioural network. This approach aligns threat intelligence with the realities of modern intrusions, where attribution may be incomplete, contested, or temporarily irrelevant. Building on this clustering work, we extended the analysis into the domain of cyber-resilience engineering by mapping the behavioural intersections of APT groups to the constructs defined in MITRE CREF. Instead of treating resilience controls as a flat catalogue, we used the clusters to highlight which constructs are activated most frequently across real-world adversary behaviours.
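A minimal illustration of the behaviour-first approach described above, added here as an example and not the authors' own tooling: hypothetical groups with constructed ATT&CK technique sets are clustered by TTP overlap (Jaccard similarity with single-linkage merging, one reasonable choice rather than the authors' stated method), the techniques on which otherwise unrelated groups converge are ranked, and a placeholder technique-to-control mapping stands in for the MITRE CREF construct mapping so that controls activated by convergent behaviour surface first.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data (hypothetical groups, not real attribution):
# each group is mapped to MITRE ATT&CK technique IDs it is assumed to use.
GROUP_TTPS = {
    "GroupA": {"T1566", "T1059", "T1078", "T1071", "T1105"},
    "GroupB": {"T1566", "T1059", "T1078", "T1021", "T1003"},
    "GroupC": {"T1190", "T1059", "T1078", "T1071", "T1027"},
    "GroupD": {"T1195", "T1552", "T1021", "T1003", "T1486"},
}
# Placeholder technique -> resilience-control labels (constructed; they stand
# in for the MITRE CREF construct mapping, which is not reproduced here).
TTP_TO_CONTROL = {
    "T1078": "credential-hardening", "T1003": "credential-hardening",
    "T1059": "execution-control", "T1021": "segmentation",
    "T1071": "egress-monitoring", "T1566": "mail-filtering",
}

def jaccard(a, b):
    """Overlap of two TTP sets: |A & B| / |A | B|."""
    return len(a & b) / len(a | b)

def cluster_by_ttp(group_ttps, threshold=0.4):
    """Single-linkage clustering: merge groups whose TTP overlap meets threshold."""
    parent = {g: g for g in group_ttps}  # union-find over group names
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for g1, g2 in combinations(group_ttps, 2):
        if jaccard(group_ttps[g1], group_ttps[g2]) >= threshold:
            parent[find(g1)] = find(g2)
    clusters = {}
    for g in group_ttps:
        clusters.setdefault(find(g), []).append(g)
    return sorted(sorted(c) for c in clusters.values())

def convergence_points(group_ttps, min_groups=2):
    """Techniques used by at least min_groups groups, most widespread first."""
    counts = Counter(t for ttps in group_ttps.values() for t in ttps)
    shared = [(t, n) for t, n in counts.items() if n >= min_groups]
    return sorted(shared, key=lambda tn: (-tn[1], tn[0]))

def prioritize_controls(group_ttps, ttp_to_control, min_groups=2):
    """Weight each control by the number of groups using techniques it covers."""
    weight = Counter()
    for t, n in convergence_points(group_ttps, min_groups):
        if t in ttp_to_control:
            weight[ttp_to_control[t]] += n
    return sorted(weight.items(), key=lambda cw: (-cw[1], cw[0]))
```

With the sample data, GroupA, GroupB and GroupC fall into one behavioural cluster despite sharing no attribution, and credential hardening ranks first because two convergent techniques map to it.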
Request for Comments: Leveraging a Cross-Industry ISAC (X-ISAC)
Understanding Compound APTs conceptually is only a starting point. Addressing them in practice requires intelligence sharing that mirrors the interconnected nature of the threats. A dedicated cross-industry, cross-entity ISAC would create the collective visibility needed to detect patterns of adversarial overlap early and reliably. By correlating partial observations across multiple sectors and jurisdictions, such a community could identify when several actors are exploiting the same vulnerabilities, operating on the same infrastructure, or targeting the same supply-chain pathways. This kind of shared situational awareness would allow organizations to move beyond isolated incident views and toward a systemic understanding of adversary behaviour.
Key Contributors
Francesco Chiarini - author, CEO at High Value Target
Lorenzo Vacca - co-author, ISSA Cyber Resilience SIG Director (Industry Outreach)