In a rare and potentially industry-shaping move, CrowdStrike and Microsoft have announced a formal collaboration to deconflict cyber threat attribution. The two cybersecurity giants are aligning their threat intelligence efforts to reduce confusion and enhance consistency in naming and describing threat actors across the ecosystem.
Their joint blog post frames this as a win for the broader community, aiming to eliminate the friction caused by different vendors assigning different names and motivations to the same malicious actors.
Cyber threat attribution is notoriously murky. Different vendors have historically used unique naming conventions (e.g., CrowdStrike's "Fancy Bear" versus Microsoft's "STRONTIUM") for the same threat actors, leading to confusion among security teams, media, and even policymakers.
According to the joint statement, "This collaboration is designed to improve the clarity and usefulness of threat intelligence for defenders around the world."
The agreement includes efforts to cross-reference and align nomenclature, timelines, and indicators of compromise (IOCs), with both firms committing to deeper coordination between their respective intelligence units.
The reaction from industry experts, namely other vendors, is overall positive.
"Finally! This has been a problem for years," said Kip Boyle, vCISO, Cyber Risk Opportunities LLC. "As ransomware gangs blur into state-backed actors, and AI muddies attribution even further, knowing who you're up against matters more than ever. This isn't just about having cleaner reports. It's about faster response times, better cross-team communication and, ultimately, stronger defenses."
"The cybersecurity community thrives when we work together. Two giants in the industry pooling their collective resources is a boon to all those striving to combat cyberattacks on a daily basis," said Benjamin Corman, vCISO, Corman Media & Technology. "The disparate nature of cataloging and tracking threat actors has long been a source of confusion between different outfits. Let's hope this type of collaboration is a sign of things to come."
"One of the key foundational pillars of the cybersecurity industry is collaboration and knowledge sharing within the community. With the recent announcement from Microsoft and CrowdStrike, I'm thrilled to see one of the most significant industry-wide partnerships in cyber history taking shape," said Reanna Schultz, Founder, CyberSpeak Labs LLC. "This move toward a more standardized, yet flexible, approach to cyber threat intelligence will be a major win for the entire community. It will empower cyber response teams with consistent, streamlined intelligence that enables faster threat hunting, stronger defenses, and more proactive prevention strategies."
Schultz continued, "As the threat landscape continues to evolve, this collaboration marks a promising step forward. I'm genuinely excited to see how it shapes the future of cyber defense!"
John Hultquist, Chief Analyst at Mandiant Intelligence (now part of Google Cloud), said, "This is a step forward. While attribution isn't always necessary for every defender, consistent actor tracking helps organizations assess risk faster."
Katie Nickels, Director of Intelligence at Red Canary, added via LinkedIn, "Having naming alignment may seem cosmetic, but in the fog of a major incident, it could mean the difference between rapid containment and costly delay."
Allan Liska, Threat Intelligence Analyst at Recorded Future, offered cautious optimism: "It's a good start, but true benefit depends on how transparent and timely the collaboration remains. The community needs to be part of this, too."
Mike Wilkes, Former CISO, MLS, and Adjunct Professor, NYU, had a more cautious reaction to the news:
"I like the spirit of what they are discussing, but I'm not sure that referencing both Microsoft and CrowdStrike threat actors' names in alerts and CTI briefings and reports will do much beyond making each of those reports higher word counts," Wilkes said. "While I can applaud the goal of standardization and harmonization (especially endorsing the use of STIX/TAXII 2.1, for example), it will take a while before this measurably changes the way threat intelligence is collected, consumed, and acted upon. Everyone is synthesizing and collapsing the multiple naming conventions and attribution labels for threat actors already. So pessimistically viewed, this just removes some noise that really never should have been there to begin with. Digging yourselves (as cybersecurity vendors) out of a hole is not the same as climbing a mountain, if you get my meaning."
Wilkes added, "Open question to both teams: what should we call the U.S. nation-state threat actors like the CIA, NSA, and others? In the CrowdStrike pantheon of animals, one might suspect that APT0 (the U.S.) would be an Eagle. But I kind of like Benjamin Franklin's tongue-in-cheek suggestion that the national bird for the United States of America be the indigenous and flightless bird, 'the turkey.' Because then we could have specific groups doing cyber offensive missions named 'Gregarious Turkey' for the FBI or something like that."
If anything, practitioners should have a better handle on following along with all the malicious activity and threat actors. CISOs and their teams should find comfort in:
- Improved communication: Security analysts can expect better cross-vendor clarity in alerts, threat reports, and threat intelligence platforms.
- Faster response: Unified threat naming helps reduce dwell time during incident response, especially in cross-functional teams using tools from multiple vendors.
- Standardization momentum: The move pressures other vendors—such as Cisco Talos, SentinelOne, and Check Point—to consider similar collaborations or adopt shared frameworks.
- Challenges remain: Attribution still includes judgment calls, geopolitical nuances, and varying visibility across telemetry sources. Complete consistency is unlikely—but this move lowers the friction significantly.
While attribution has long been considered more valuable for governments and researchers than frontline defenders, the operational side of cybersecurity is evolving. With ransomware gangs evolving into state-affiliated threat actors, and AI-generated disinformation blurring motives, attribution is no longer just academic.
By teaming up, CrowdStrike and Microsoft have acknowledged this shift—and signaled that it's time for the community to align more tightly, too.
Practitioner-facing checklist: updating your defenses
Cross-reference threat actor names
- Update internal threat actor mapping to include aliases from CrowdStrike and Microsoft.
- Use STIX/TAXII feeds or vendor integration tools to automate normalization.
Review playbooks and alerts
- Audit SIEM/SOAR platforms for references to actor-specific names.
- Ensure detection rules and playbooks account for both naming conventions.
Update threat brief templates
- Standardize how threat actor aliases are presented in internal threat briefings.
- Include both Microsoft and CrowdStrike names when referencing actors (e.g., STRONTIUM / Fancy Bear).
Train analysts
- Provide a short briefing or lunch-and-learn on the new naming conventions.
- Emphasize how this collaboration improves correlation across sources.
Request alignment from other vendors
- Engage other vendors in your tech stack, asking how they plan to align or support similar attribution normalization.
- Encourage adoption of open standards or mappings like MITRE ATT&CK or MISP.
Communicate to executives
- Prepare a one-slide executive update: highlight this industry milestone and how it improves the organization's resilience posture.
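One way to carry out the "cross-reference" and "review playbooks and alerts" items above, as an added example that is not from the article or either vendor: an internal alias map plus an audit that flags rule or playbook text naming an actor under only one convention. The group IDs, the second alias pair, and the sample rules are constructed placeholders; only STRONTIUM / Fancy Bear comes from the article.

```python
import re

# Internal alias map: one group per actor, one name per vendor convention.
# Only the STRONTIUM / Fancy Bear pair is from the article; the group IDs
# and the second pair are constructed placeholders.
ALIAS_GROUPS = {
    "actor-001": {"microsoft": "STRONTIUM", "crowdstrike": "Fancy Bear"},
    "actor-002": {"microsoft": "EXAMPLE-MS-NAME", "crowdstrike": "Example Panda"},
}

def _pattern(name):
    """Case-insensitive matcher that tolerates 'Fancy Bear', 'fancy_bear', 'FancyBear'."""
    parts = [re.escape(p) for p in re.split(r"[\s_-]+", name)]
    body = r"[\s_-]*".join(parts)
    # Refuse matches embedded in a longer alphanumeric token.
    return re.compile(r"(?<![A-Za-z0-9])" + body + r"(?![A-Za-z0-9])", re.I)

PATTERNS = {
    (gid, vendor): _pattern(name)
    for gid, names in ALIAS_GROUPS.items()
    for vendor, name in names.items()
}

def actors_in(text):
    """Return {group_id: {vendors whose name for that actor appears in text}}."""
    found = {}
    for (gid, vendor), pat in PATTERNS.items():
        if pat.search(text):
            found.setdefault(gid, set()).add(vendor)
    return found

def audit(rules):
    """List (rule_id, group_id, missing_names) for rules that use only some aliases."""
    gaps = []
    for rule_id, text in rules.items():
        for gid, vendors in sorted(actors_in(text).items()):
            missing = sorted(n for v, n in ALIAS_GROUPS[gid].items() if v not in vendors)
            if missing:
                gaps.append((rule_id, gid, missing))
    return gaps

# Constructed sample of exported SIEM rule / playbook text.
SAMPLE_RULES = {
    "rule-1": 'tag: "FancyBear" AND process.name: "rundll32.exe"',
    "rule-2": "Playbook: escalate on STRONTIUM / Fancy Bear activity",
    "rule-3": "title: Strontium credential phishing",
    "rule-4": "title: generic brute force",
}
```

Running `audit(SAMPLE_RULES)` reports rule-1 and rule-3 as one-sided; in practice the alias map would be populated from the vendors' published mappings or a STIX feed rather than typed by hand.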