Microsoft and CrowdStrike Threat Actor Naming

Microsoft and CrowdStrike’s Bold Move: Standardizing Threat Actor Naming in 2025

Cybersecurity Industry & Startups, Cyber News / By

Overview

In a groundbreaking collaboration, Microsoft and CrowdStrike have announced a unified threat actor naming convention to eliminate confusion across cybersecurity platforms. This initiative, set to launch in late 2025, aims to bring consistency and clarity to the way cybersecurity professionals track and share intelligence on global threat actors.

Key Facts

  • Microsoft and CrowdStrike are jointly rolling out a standardized naming system for threat actors.
  • The move will align naming conventions between the two major cybersecurity players.
  • Set to be implemented by Q4 2025.
  • It aims to reduce confusion among analysts and improve threat intelligence sharing.
  • Each threat group will now have a unique and consistent identifier.
  • This follows years of fragmented naming styles such as Microsoft’s weather-themed names and CrowdStrike’s animal-based tags.

What’s Verified and What’s Still Unclear

✅ Confirmed:

  • Microsoft and CrowdStrike have both issued formal statements confirming the collaboration.
  • A joint working group has been formed to create and maintain the standardized taxonomy.
  • The naming system will be public and open to contributions from other vendors.

❓ Unclear:

  • Whether other major players like Mandiant or Palo Alto Networks will adopt the same model.
  • How legacy threat names will be mapped or deprecated.
  • Potential timeline adjustments based on vendor or community feedback.

Timeline of Events

  • 2022–2024: Growing frustration within the cybersecurity community over inconsistent naming.
  • Early 2025: Initial meetings held between Microsoft and CrowdStrike intelligence teams.
  • June 2025: Official announcement of the unified threat actor naming framework.
  • Q4 2025: Rollout expected to begin across both vendors’ threat intelligence feeds and platforms.

Who’s Behind It?

This collaborative initiative is spearheaded by:

  • Microsoft Threat Intelligence Center (MSTIC)
  • CrowdStrike Intelligence Team
    Both companies bring decades of cyber threat research experience. Their partnership signifies a strategic pivot in community-driven threat intel standardization, potentially setting the foundation for global norms in cybersecurity nomenclature.

Public & Industry Response

The cybersecurity community has largely welcomed the move.

  • Security analysts and SOC teams have praised the effort for reducing operational friction.
  • On Reddit and X (Twitter), cybersecurity experts expressed hope that this will help unify threat hunting efforts.
  • Vendors like SentinelOne and Recorded Future have issued cautious but supportive statements.
  • Critics argue that true industry-wide adoption will only happen when all major vendors agree on a shared standard.

What Makes This Attack Unique?

While this is not a cyberattack, it addresses a longstanding issue that affects every attack response: inconsistent threat actor names. For instance:

  • Microsoft might call a group “Storm-0558”
  • CrowdStrike calls the same group “Spiral”
  • Mandiant might refer to them as “UNC2452”
    This makes cross-vendor threat correlation unnecessarily difficult. The Microsoft and CrowdStrike Threat Actor Naming initiative eliminates these silos.

Understanding the Basics

What Is a Threat Actor Naming Convention?

A threat actor naming convention is a structured way of naming malicious cyber groups based on their behavior, origin, tools, or objectives. Until now, cybersecurity vendors used their own internal systems, leading to duplicated efforts, confusion, and inefficiencies.

Why Does It Matter?

Imagine multiple agencies investigating the same cybercrime but calling the attackers by different names. This creates data silos and delays response. A standardized system like the one by Microsoft and CrowdStrike will:

  • Improve incident response coordination
  • Help security platforms integrate threat feeds more efficiently
  • Enable governments and private organizations to act on intelligence faster

What Happens Next?

Between July and September 2025, Microsoft and CrowdStrike will release:

  1. A mapping tool to correlate legacy threat actor names with the new standardized format.
  2. APIs to help third-party security vendors transition their systems.
  3. A GitHub-based repository for the public to track, propose, or query names.

Meanwhile, other cybersecurity stakeholders are expected to review the new taxonomy. Vendors such as Mandiant and Cisco Talos may issue position papers or announcements regarding their participation.

Summary

The Microsoft and CrowdStrike Threat Actor Naming initiative is a significant step toward solving one of the cybersecurity industry’s oldest problems—naming inconsistency. By combining forces, these giants aim to usher in a new era of clarity, collaboration, and coordination in threat intelligence. If adopted widely, it could become the de facto global standard, reducing operational errors and enhancing cyber resilience across all sectors.