Nation-states (sophisticated, patient, espionage), Cybercriminals (financial — ransomware/fraud), Hacktivists (ideological), Insiders (authorized access), Script kiddies (low skill, tools-based).
Match controls to threat actor. Script kiddies stopped by basic patching. Nation-states require comprehensive detection and response. Insider threats require behavioral monitoring and least privilege. Know each actor's motivation, capability, and typical TTPs.