Researcher Says “APT” Label No Longer Reflects the Threat Landscape

March 23, 2026

David Shipley, co-host of Cybersecurity today is covering RSAC for Tech Newsday and Cybersecurity Today. 

SAN FRANCISCO — The term “Advanced Persistent Threat” has been a fixture of cybersecurity vocabulary for years, but a threat intelligence researcher told the RSAC Conference it may be time to retire it.

Robert Lipovsky, principal threat intelligence researcher at ESET, said the label has become so broad and so frequently misapplied that it no longer provides meaningful information about the actors it describes.

“Nowadays, anything…can be labelled APT,” Lipovsky said. “It can be an advanced cyber criminal operator, for example, even though traditionally, when you hear APT, you typically think of the nation state, espionage actors.”

His session analyzed recent campaigns linked to Russia, China, Iran, and North Korea and examined how the tactics, techniques, and procedures of those groups have changed over time.

One significant shift, Lipovsky noted, is that many nation-state actors have moved away from custom-built tools and toward commodity malware software widely available to and used by cybercriminal groups. While some markers of sophistication remain, such as the use of zero-day exploits, they are no longer universal characteristics of the group traditionally called APTs.

At the same time, the capabilities of financially motivated cybercriminal groups have grown considerably.

“We see very highly capable, financially motivated cybercriminal groups that are either on par or even surpassing some of the less sophisticated nation-state threat actors,” Lipovsky said.

Adding to the complexity are hybrid threat actors, groups that conduct both espionage and financially motivated cybercrime as part of the same operations, further blurring the lines between the two categories.

Lipovsky proposed replacing the APT label with terminology based on motivation and activity rather than implied sophistication. Terms like “espionage actor,” “nation-state threat actor,” and “e-crime” would, in his view, more accurately describe what these groups are actually doing.

Some organizations may be reluctant to retire the APT label as it has been used in the paste to convey the difficultly targeted organizations face in defending against sophisticated threats. This can make sharing bad news about a breach more seem more understandable to leadership and the public.

Lipovsky acknowledged the dynamic but said the focus should be on response rather than framing.

“It’s not something to be ashamed about when someone was compromised,” he said. “Just learn from that experience and…implement better defenses.”

Top Stories

Related Articles

June 26, 2026 Meta's chief technology officer says employee morale has fallen to one of the lowest levels in the more...

June 23, 2026 Ontario residents will soon be able to place a free lock on their credit files to help more...

June 22, 2026 Most projects flounder when sponsors are absent, hiding, or unsure of their role. Project managers and teams more...

June 22, 2026 Artificial intelligence pioneer Yann LeCun says Elon Musk's xAI is unlikely to compete at the leading edge more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn