# Threats

> Understand how Pulsedive models malware families, adversary groups, and campaigns, and how they connect to indicators and feeds.

Threats are named higher-level entities that group and contextualize indicators.
A threat might represent a malware family, an adversary group, or a campaign.
Where an indicator tells you what Pulsedive observed, a threat tells you what that observation is part of.

### Identity

Each threat has a primary name and may carry one or more aliases (`othernames`), reflecting the reality that the security industry often tracks the same threat under different names.
Pulsedive also assigns each threat a category, such as `malware`, `apt`, or `exploit`, which broadly classifies the type of activity the threat represents.

### Narrative Fields

Threats carry several fields that provide narrative context:

* **Description:** A summary of the threat and its activity.
* **Analyst notes** (`notes`): Additional context contributed by Pulsedive analysts.
* **Wikipedia summary** (`wikisummary`) and **reference** (`wikireference`): A summary and link pulled from Wikipedia, where available.
* **Comments:** Community-contributed commentary that any registered user can add to a threat.

### References

The `news` array contains external sources linked to the threat.
It includes two types:

* **Primary references**: Curated sources such as MITRE ATT&CK entries, vendor research, and government advisories that were deliberately linked to the threat. These have `primary` set to `1`.
* **News articles**: Articles where the threat was mentioned, pulled in automatically. These have `primary` set to `0`.

### Threat Attributes

Threats carry native attributes that describe how a threat operates and what it targets.
Feeds, research, and automated ingestion from [MITRE ATT&CK](https://attack.mitre.org) all contribute to these attributes.
They include:

* **Tactics and techniques (TTPs)**: How the threat operates, mapped to the MITRE ATT\&CK framework. In the API response, the `ttps` object groups techniques by tactic, with each tactic containing a list of its associated techniques.
* **Technology**: Operating systems and platforms the threat targets.
* **Suspected attribution**: The country suspected of sponsoring or directing the threat.
* **Industry targeting**: Sectors the threat is known to target.
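The following is an added example, not Pulsedive's own code, showing how a consumer would walk one threat record and use the fields described in the Identity, References and Threat Attributes sections above: match a report name against the primary name and `othernames`, split the `news` array on `primary`, and flatten the tactic-keyed `ttps` object. The record is constructed; the per-entry keys inside `news` (`title`, `link`) and the shape of each technique entry (a plain string or a dict with a `name`) are assumptions, since the page only describes the grouping.

```python
"""Walk a Pulsedive threat record: names, references and TTPs.

Added example; not Pulsedive's own code. Field names `threat`, `category`,
`othernames`, `news`, `primary` and `ttps` follow the documentation; the
keys inside each news entry and each technique entry are assumptions.
"""
from __future__ import annotations

# Constructed sample threat record (not real Pulsedive data).
SAMPLE_THREAT = {
    "threat": "Example Loader",
    "category": "malware",
    "othernames": ["ExLoader", "EXAMPLE-LDR"],
    "news": [
        {"title": "ATT&CK entry", "link": "https://attack.mitre.org/software/EXAMPLE/", "primary": 1},
        {"title": "Vendor write-up", "link": "https://vendor.example/report", "primary": 1},
        {"title": "Weekly roundup", "link": "https://news.example/roundup", "primary": 0},
    ],
    # Assumed shape: tactic -> list of techniques (string or dict with "name").
    "ttps": {
        "Initial Access": ["Phishing"],
        "Execution": ["User Execution", {"name": "Command and Scripting Interpreter"}],
        "Persistence": [],
    },
}


def all_names(threat: dict) -> set[str]:
    """Primary name plus aliases, lowercased, so a report that uses a
    different vendor name for the same threat still matches."""
    names = {threat["threat"]} | set(threat.get("othernames") or [])
    return {n.lower() for n in names}


def matches_name(threat: dict, candidate: str) -> bool:
    """True if `candidate` is the threat's primary name or one of its aliases."""
    return candidate.lower() in all_names(threat)


def split_references(threat: dict) -> tuple[list[dict], list[dict]]:
    """Separate curated primary references (primary == 1) from automatically
    collected news mentions (primary == 0)."""
    entries = threat.get("news") or []
    primary = [n for n in entries if int(n.get("primary", 0)) == 1]
    mentions = [n for n in entries if int(n.get("primary", 0)) != 1]
    return primary, mentions


def flatten_ttps(threat: dict) -> list[tuple[str, str]]:
    """Flatten the tactic -> techniques object into (tactic, technique) pairs,
    skipping tactics with no techniques listed."""
    pairs: list[tuple[str, str]] = []
    for tactic, techniques in (threat.get("ttps") or {}).items():
        for tech in techniques or []:
            name = tech["name"] if isinstance(tech, dict) else str(tech)
            pairs.append((tactic, name))
    return pairs


if __name__ == "__main__":
    primary, mentions = split_references(SAMPLE_THREAT)
    print(f"{len(primary)} primary references, {len(mentions)} news mentions")
    for tactic, technique in flatten_ttps(SAMPLE_THREAT):
        print(f"{tactic}: {technique}")
```

Keeping curated references apart from automatic mentions matters when the output feeds a report or a detection rule: only the `primary` entries were deliberately linked by a person, so they are the ones worth citing as evidence for an attribution or a TTP.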

### Indicator Summary

In addition to their own attributes, threats surface aggregated data from their linked indicators.
This summary gives you a high-level view of the threat's associated activity without requiring you to retrieve the full indicator list.
The summary includes:

* Aggregated attributes across linked indicators
* Common properties observed across linked indicators
* Screenshots collected from linked indicators

### Related Threats

Threats can link to other threats, reflecting real-world relationships such as a malware family associated with a known threat actor.
Each related threat includes its name, category, risk level, and the timestamp when Pulsedive first observed the relationship (`stamp_linked`).

### Lifecycle

Threats carry four timestamps:

| Field           | Description                                                            |
| --------------- | ---------------------------------------------------------------------- |
| `stamp_added`   | When Pulsedive first added the threat                                  |
| `stamp_updated` | When Pulsedive last updated the threat record                          |
| `stamp_seen`    | When a linked indicator or feed last reported activity for this threat |
| `stamp_retired` | When Pulsedive retired the threat, if applicable                       |

Threats are manually *retired* by Pulsedive analysts.
If activity resumes, Pulsedive automatically restores the threat to active status.
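As an added example (not Pulsedive's own code) of using the four lifecycle stamps, the block below derives a threat's status, measures how long it has been since linked activity was last reported, and sanity-checks stamp ordering before trusting a record. It assumes stamps are `YYYY-MM-DD HH:MM:SS` strings in UTC and that `stamp_retired` is `None` or absent for an active threat; the 90-day staleness threshold is an assumed review policy, not anything Pulsedive defines.

```python
"""Derive lifecycle status from a Pulsedive threat's timestamps.

Added example; not Pulsedive's own code. Uses the documented fields
stamp_added, stamp_updated, stamp_seen and stamp_retired. Assumed: stamps
are "YYYY-MM-DD HH:MM:SS" in UTC; stamp_retired is None for active threats.
"""
from __future__ import annotations

from datetime import datetime, timezone

STAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of stamp strings

# Constructed sample records (not real Pulsedive data).
ACTIVE_THREAT = {
    "threat": "Example RAT",
    "stamp_added": "2023-04-01 09:15:00",
    "stamp_updated": "2024-05-20 18:02:11",
    "stamp_seen": "2024-05-19 23:40:00",
    "stamp_retired": None,
}
RETIRED_THREAT = {
    "threat": "Old Botnet",
    "stamp_added": "2019-02-10 00:00:00",
    "stamp_updated": "2021-07-01 12:00:00",
    "stamp_seen": "2021-06-28 04:30:00",
    "stamp_retired": "2021-07-01 12:00:00",
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time


def parse_stamp(value: str | None) -> datetime | None:
    """Parse a stamp into an aware UTC datetime; missing stamps stay None."""
    if not value:
        return None
    return datetime.strptime(value, STAMP_FORMAT).replace(tzinfo=timezone.utc)


def lifecycle_status(threat: dict) -> str:
    """'retired' when stamp_retired is set and nothing has been seen since it;
    otherwise 'active'. The seen-after-retired check covers a record read
    between activity resuming and Pulsedive restoring it to active."""
    retired = parse_stamp(threat.get("stamp_retired"))
    seen = parse_stamp(threat.get("stamp_seen"))
    if retired is None:
        return "active"
    if seen is not None and seen > retired:
        return "active"
    return "retired"


def days_since_seen(threat: dict, now: datetime) -> int | None:
    """Whole days since a linked indicator or feed last reported activity."""
    seen = parse_stamp(threat.get("stamp_seen"))
    if seen is None:
        return None
    return (now - seen).days


def is_stale(threat: dict, now: datetime, max_age_days: int = 90) -> bool:
    """An active threat with no reported activity inside the window; a
    candidate for review rather than automatic blocking (assumed policy)."""
    age = days_since_seen(threat, now)
    return lifecycle_status(threat) == "active" and age is not None and age > max_age_days


def stamp_inconsistencies(threat: dict) -> list[str]:
    """Ordering checks worth running before a record drives any automation."""
    added = parse_stamp(threat.get("stamp_added"))
    updated = parse_stamp(threat.get("stamp_updated"))
    retired = parse_stamp(threat.get("stamp_retired"))
    issues: list[str] = []
    if added and updated and updated < added:
        issues.append("stamp_updated precedes stamp_added")
    if added and retired and retired < added:
        issues.append("stamp_retired precedes stamp_added")
    if retired and updated and updated < retired:
        issues.append("stamp_updated precedes stamp_retired")
    return issues


if __name__ == "__main__":
    for record in (ACTIVE_THREAT, RETIRED_THREAT):
        print(record["threat"], lifecycle_status(record),
              days_since_seen(record, NOW), is_stale(record, NOW),
              stamp_inconsistencies(record))
```

Because retirement is a manual analyst action while restoration is automatic, `stamp_seen` is the field to watch on a consumer's side: a retired threat whose `stamp_seen` moves past `stamp_retired` is exactly the case the page describes as activity resuming.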

### Indicators

A threat's linked indicators are retrieved separately from the threat's core data, which keeps responses efficient when you need only the threat's descriptive information.
Linked indicator results are paginated.

### Risk

Threat risk reflects a direct human judgment about the threat's severity.
Pulsedive assigns it manually, rather than calculating it automatically the way it calculates indicator risk.

Threats carry a manually assigned risk score; they don't have a system-recommended score or risk factors the way indicators do.
A threat also surfaces a risk summary derived from its linked indicators, showing the distribution of risk levels across its associated activity.
The threat's own risk score and its risk summary are independent of each other: assigning or changing one doesn't affect the other.
