CrowdStrike and Microsoft Join Forces to Harmonize Cyber Threat Actor Attribution

Key Takeaways:

  • CrowdStrike and Microsoft are collaborating to unify cyber threat actor naming systems, enhancing clarity and coordination across cybersecurity platforms.
  • The effort has already deconflicted over 80 adversaries and aims to reduce confusion, accelerate threat response, and improve intelligence sharing.
  • This joint initiative invites wider industry participation, supporting a shared mission to improve collective cyber defense in an AI-driven threat landscape.

In an important development for the cybersecurity community, CrowdStrike and Microsoft have announced a collaboration aimed at bringing greater clarity to how threat actors are identified and tracked. By aligning threat actor attribution across platforms, the two companies aim to simplify how security professionals interpret threat intelligence—an increasingly complex landscape filled with disparate naming conventions.

The issue stems from the fragmented way security vendors have historically named and cataloged adversaries. Each organization has relied on its own naming taxonomy, built from proprietary intelligence sources and threat analysis methodologies. While useful in isolation, these differences often create confusion when trying to correlate threats across systems or vendors. For example, one vendor might call a threat group COZY BEAR, while another refers to the same entity as Midnight Blizzard.

To address this, CrowdStrike and Microsoft have built what they call a “Rosetta Stone” for cyber threat intelligence—a mapping system that links adversary identifiers across platforms without requiring vendors to give up their own naming systems. This shared reference model allows defenders to more easily recognize that names like Volt Typhoon and VANGUARD PANDA refer to the same Chinese state-sponsored actors, or that Secret Blizzard and VENOMOUS BEAR describe the same Russian group.

“This is a watershed moment for cybersecurity,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “Adversaries hide behind both technology and the confusion created by inconsistent naming. As defenders, it’s our job to stay ahead and to give security teams clarity on who is targeting them and how to respond.”

Meyers emphasized that while CrowdStrike has long prioritized adversary intelligence, Microsoft’s vast data sources add unique depth. “Together, we’re combining strengths to deliver clarity, speed, and confidence to defenders everywhere.”

The collaboration has already yielded tangible results. More than 80 threat actors have been mapped and deconflicted, offering organizations a clearer picture of who is behind certain attacks. This mapping not only improves awareness but also enables faster, more decisive action in response to threats. It’s the kind of alignment that security leaders say has been needed for years—particularly as adversaries grow more sophisticated and global operations require tighter collaboration.


Microsoft echoed these sentiments. “Cybersecurity is a defining challenge of our time, especially in today’s AI-driven era,” said Vasu Jakkal, Corporate Vice President of Microsoft Security. “Microsoft and CrowdStrike are in ideal positions to help our customers and the wider defender community accelerate the benefits of actionable threat intelligence.”

Jakkal pointed out that security must be treated as a team sport. By sharing intelligence more effectively, defenders can react more quickly and mitigate threats more thoroughly. This collaborative approach becomes especially critical when facing adversaries backed by nation-states or those employing advanced AI capabilities.

Importantly, the joint effort between the two companies is not intended to create a monopoly on attribution or override existing naming systems. Instead, it’s designed to act as connective tissue across different security taxonomies. Organizations using different platforms can still rely on their vendor of choice while benefiting from a standardized crosswalk of adversary names.

The companies also made clear that this collaboration is only the beginning. They plan to expand the initiative and invite other vendors and stakeholders in the cybersecurity ecosystem to contribute. Over time, this could result in a more broadly adopted industry standard for threat actor attribution, maintained by a coalition of participants rather than dictated by any single entity.

From a practical perspective, this kind of harmonization helps frontline defenders. When analysts and security operations teams receive threat intelligence feeds from multiple sources, aligning identifiers ensures they are not duplicating effort or overlooking important connections. For example, if one alert identifies a group as “Fancy Bear” and another refers to “APT28,” a mapped reference helps confirm they’re dealing with the same actor—allowing for faster, coordinated response.

This collaboration builds on both companies’ track records in threat intelligence. CrowdStrike is widely recognized for its adversary-focused research, while Microsoft brings global telemetry from billions of endpoints, email accounts, and cloud services. Together, they represent a significant share of the cybersecurity market—and now, a more unified approach to threat tracking.

The announcement arrives amid growing calls for better coordination in cybersecurity, especially as geopolitical tensions drive a rise in nation-state and organized crime activity online. Shared attribution frameworks could become a critical tool for organizing global defenses in a more coherent and responsive way.

The CrowdStrike-Microsoft partnership sends a clear signal to the broader industry: clarity, not competition, must be the priority when facing common threats. And if others follow their lead, the cybersecurity community may be better positioned to keep pace with adversaries evolving in real time.


Rich Tehrani serves as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026 and is CEO of RT Advisors and is a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.


 
