March 23, 2026
David Shipley, co-host of Cybersecurity Today, is covering RSAC for Tech Newsday and Cybersecurity Today.
SAN FRANCISCO — The term “Advanced Persistent Threat” has been a fixture of cybersecurity vocabulary for years, but a threat intelligence researcher told the RSAC Conference it may be time to retire it.
Robert Lipovsky, principal threat intelligence researcher at ESET, said the label has become so broad and so frequently misapplied that it no longer provides meaningful information about the actors it describes.
“Nowadays, anything…can be labelled APT,” Lipovsky said. “It can be an advanced cyber criminal operator, for example, even though traditionally, when you hear APT, you typically think of the nation state, espionage actors.”
His session analyzed recent campaigns linked to Russia, China, Iran, and North Korea and examined how the tactics, techniques, and procedures of those groups have changed over time.
One significant shift, Lipovsky noted, is that many nation-state actors have moved away from custom-built tools and toward commodity malware, software widely available to and used by cybercriminal groups. While some markers of sophistication remain, such as the use of zero-day exploits, they are no longer universal characteristics of the groups traditionally called APTs.
At the same time, the capabilities of financially motivated cybercriminal groups have grown considerably.
“We see very highly capable, financially motivated cybercriminal groups that are either on par or even surpassing some of the less sophisticated nation-state threat actors,” Lipovsky said.
Adding to the complexity are hybrid threat actors, groups that conduct both espionage and financially motivated cybercrime as part of the same operations, further blurring the lines between the two categories.
Lipovsky proposed replacing the APT label with terminology based on motivation and activity rather than implied sophistication. Terms like “espionage actor,” “nation-state threat actor,” and “e-crime” would, in his view, more accurately describe what these groups are actually doing.
Some organizations may be reluctant to retire the APT label, as it has been used in the past to convey the difficulty targeted organizations face in defending against sophisticated threats. This can make sharing bad news about a breach seem more understandable to leadership and the public.
Lipovsky acknowledged the dynamic but said the focus should be on response rather than framing.
“It’s not something to be ashamed about when someone was compromised,” he said. “Just learn from that experience and…implement better defenses.”
