Here’s what I mean by the question. On any typical day, say Tuesday, in the universe of all cyber bad guys, how many attack campaigns do these groups run against victims?
This is one of my favorite questions to ask audiences when I'm giving a keynote. Most people estimate the number to be in the thousands. Some estimate as high as millions. The truth is the number is remarkably small.
I want to be clear. There is a difference between a group of hackers, say the GRU’s hacking unit 26165, and the attack campaigns (Adversary Playbooks) they run, like APT28. Unit 26165 is a group of Russians. APT28 is a sequence of steps along the intrusion kill chain that Unit 26165 allegedly executes to accomplish its goal.
This is where it gets messy though. The Infosec Profession is not precise when it talks about these things. Leaders in the intelligence game use fluffy words when referring to people or attack campaigns. The general purpose reader can be excused for conflating the meanings. For example:
MITRE ATT&CK: Uses the word “Groups” which they define as activity clusters.
CrowdStrike: Uses the phrase “Nexus adversaries.”
Microsoft & Tidal: Both use the phrase “Threat Groups.”
Pro Tip: When you’re reading these reports, ask yourself if the author is referring to a group of people or a sequence of activities across the kill chain. That will help you understand what they are talking about.
To determine the exact number of all attack campaigns that hackers are running on Tuesdays is hard, but we can do some Bayes’ reasoning coupled with Superforecasting Techniques and Fermi Estimates to get in the right ballpark. For the uninitiated, I talk about these techniques in my book, Cybersecurity First Principles: A Reboot of Strategy and Tactics. Dr. Tetlock goes into greater superforecasting detail in his book of the same name, and Dr. McGrayne covers the history of Bayes’ Algorithm in her book, “The Theory That Would Not Die.”
The simplified explanation is that forecasters make an initial estimate based on what they know. Then they continuously seek evidence that will inform the forecast. They make assumptions when they lack hard data and seek evidence that will validate or invalidate the assumption. With this new evidence, they adjust the forecast up or down accordingly. Rinse and Repeat. The more iterations of that process, the better the forecast.
Let’s start with an initial estimate. Based on the MITRE ATT&CK framework, MITRE's intel team tracks some 150 known adversary campaigns (mostly nation-state). They don’t really cover the other types of motivations like Criminals, Activists, and Mischief Makers (CAMM Campaigns for short).
Let’s make our first assumption. At least one group of hackers is running one of these campaigns every day. That’s probably not true. Hackers may have a holiday. They have weekends when they are spending time with their families. Let’s cut them some slack. But, when they are at work, they might run the same attack campaign against multiple victims on the same day. Still, until we know for sure, let’s just assume that there is at least one of these known attack campaigns running every day.
Our initial estimate, then, is 150, but we need to seek more evidence.
CrowdStrike, a commercial cyber intelligence vendor, just released its 2025 Global Threat Report. In it, their analysts say that they are tracking 257 named adversaries across all motivations: nation-state and CAMM. If we take the MITRE ATT&CK framework number (150 nation-states) and subtract it from the CrowdStrike number (257 all motivations), that leaves us with roughly 100 CAMM campaigns. The CrowdStrike nation-state number roughly aligns with MITRE’s, so that gives me confidence that their CAMM number is correct too. So, my new estimate is that the total number of campaigns running on Tuesdays is 250 (nation-state + CAMM).
But hold the phone. Back in November, Microsoft released its annual Digital Defense Report. In it, their analysts say that they are tracking 1500 threat groups (600 nation-states and 900 CAMM campaigns). Yikes! That’s quite a bit larger than the MITRE and CrowdStrike estimates. On one hand, that makes sense. Microsoft, with its Windows Operating System, likely has a lot more sensors deployed around the world than either MITRE or CrowdStrike. They are collecting a lot more data. On the other hand, the estimate does seem to be way higher than the other experts’ estimates.
My gut tells me that Microsoft, in some cases, is counting fragments of campaigns as unique when they are likely part of a larger campaign. I don’t know that for sure so let’s make that another assumption.
So what’s the right estimate then? Should we just go with Microsoft’s number and be done with it? Dr. Tetlock says that Superforecasters try to be 95% confident with each adjustment of their forecasts. The obvious question then is how do you become 95% confident of anything? Superforecasters have a trick that they use to approximate 95% confidence. They say that if they are willing to bet $100 of their own money that the new estimate is correct, that’s close enough. For me then, would I be willing to bet $100 of my own money that Microsoft’s number is correct? Nope. Microsoft’s number seems too high to me. But I do know that the likely number is somewhere between the Microsoft number (1500) and the CrowdStrike number (250).
For lack of any other method, let’s use a Fermi Estimate and split the difference. Would I be willing to bet $100 of my own money that the number of attack campaigns running on Tuesdays is roughly 625? Hmmm, for me, that seems high too. I wouldn’t make that bet. You might, and that’s OK, but that crisp $100 bill is staying in my wallet on this one. I think though, that if you drop the number to 500, I would make that bet. I’m 95% confident that 500 is the correct number.
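As an added illustration of the estimation loop the essay describes (initial estimate, new evidence, adjust, repeat), here is a small Python script that is not part of the original post. It carries the essay's own figures (150, 257, 1500) through the CAMM subtraction, the "split the difference" step, and a simple Bayesian update on a log-scale grid of candidate counts. The uncertainty widths assigned to each vendor report, including the wider band for Microsoft that encodes the fragment-counting assumption, are my assumptions for the example, not numbers from any report. It goes a little beyond the essay by running the update as a general weighted combination of noisy reports rather than the author's $100-bet judgment call, so its posterior median is an illustration of the method, not a replacement for the essay's 500.

```python
import math

# Campaign counts quoted in the essay. Everything else in this file is an
# assumption made for the example, not a figure from any vendor report.
MITRE_NATION_STATE = 150   # MITRE ATT&CK named groups, mostly nation-state
CROWDSTRIKE_ALL = 257      # CrowdStrike 2025 Global Threat Report, all motivations
MICROSOFT_ALL = 1500       # Microsoft Digital Defense Report, all motivations

# Assumed uncertainty of each "all motivations" report, in decades (log10).
# Microsoft gets the wider band to encode the essay's assumption that some of
# its 1500 are fragments of larger campaigns counted as unique.
REPORTS = [
    ("CrowdStrike 2025 GTR", CROWDSTRIKE_ALL, 0.3),
    ("Microsoft DDR 2024", MICROSOFT_ALL, 0.5),
]


def camm_estimate(all_motivations, nation_state):
    """The essay's subtraction: a vendor's all-motivations count minus the
    nation-state count leaves the Criminal/Activist/Mischief-Maker share."""
    return all_motivations - nation_state


def fermi_split(low, high):
    """Two ways to 'split the difference' between a low and a high estimate:
    the arithmetic midpoint, and the geometric mean that Fermi estimates
    usually use when the bounds differ by a large factor."""
    return (low + high) / 2, math.sqrt(low * high)


def orders_of_magnitude(a, b):
    """Number of powers of ten separating two estimates."""
    return abs(math.log10(a) - math.log10(b))


def log_grid(lo_exp=1, hi_exp=7, per_decade=10):
    """Candidate campaign counts from 10 to 10 million, spaced evenly in
    log10 space so that every order of magnitude gets equal resolution."""
    n = (hi_exp - lo_exp) * per_decade + 1
    return [10 ** (lo_exp + i / per_decade) for i in range(n)]


def uniform_log_prior(grid):
    """'No idea which order of magnitude it is': flat across the log grid."""
    return [1.0 / len(grid)] * len(grid)


def lognormal_likelihood(candidate, observed, sigma_log10):
    """Plausibility of a vendor reporting `observed` if the true count is
    `candidate`, modelling the report's error as Gaussian noise in log10."""
    z = (math.log10(observed) - math.log10(candidate)) / sigma_log10
    return math.exp(-0.5 * z * z)


def bayes_update(prior, grid, observed, sigma_log10):
    """One iteration of the forecasting loop: weight the current belief by
    the likelihood of the new evidence, then renormalise."""
    unnorm = [p * lognormal_likelihood(c, observed, sigma_log10)
              for p, c in zip(prior, grid)]
    total = sum(unnorm)
    return [u / total for u in unnorm]


def quantile(belief, grid, q):
    """Grid value at cumulative probability q (q=0.5 is the median)."""
    acc = 0.0
    for p, c in zip(belief, grid):
        acc += p
        if acc >= q:
            return c
    return grid[-1]


def forecast(reports=REPORTS):
    """Run the loop over every report and summarise the resulting belief."""
    grid = log_grid()
    belief = uniform_log_prior(grid)
    trail = []
    for name, observed, sigma in reports:
        belief = bayes_update(belief, grid, observed, sigma)
        trail.append((name, round(quantile(belief, grid, 0.5))))
    return {
        "median": quantile(belief, grid, 0.5),
        "low": quantile(belief, grid, 0.05),
        "high": quantile(belief, grid, 0.95),
        "trail": trail,   # median after each piece of evidence
    }


if __name__ == "__main__":
    print("CAMM by subtraction:", camm_estimate(CROWDSTRIKE_ALL, MITRE_NATION_STATE))
    print("Fermi split of 250..1500 (midpoint, geometric):", fermi_split(250, MICROSOFT_ALL))
    result = forecast()
    print("Posterior median: %.0f  (90%% interval %.0f .. %.0f)"
          % (result["median"], result["low"], result["high"]))
    for name, med in result["trail"]:
        print("  after %-22s median %d" % (name, med))
    print("Decades between a million and 500: %.2f" % orders_of_magnitude(1_000_000, 500))
```

The grid is deliberately spaced in log10 rather than linearly: the essay's whole point is that the answer matters at the order-of-magnitude level, and a log grid gives "hundreds" and "millions" the same number of candidate values. Changing a report's sigma is the knob that expresses how much you trust that vendor's counting; widening Microsoft's band pulls the posterior median down toward the CrowdStrike figure, narrowing it pulls the median up.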
The point of all of this is that your estimate doesn’t have to be five-nines precise. It just has to be precise enough to make resource decisions with. The forecast has to be in the same ballpark in terms of orders of magnitude.
So what do you do with this order of magnitude forecast then? Well, if you’re in a camp that believes that the number of attack campaigns running on Tuesdays is over a million, then any thought of pursuing an intrusion kill chain prevention strategy seems overwhelming. Frankly, it seems outright impossible. But, if you’re with me sitting over here in the 500 attack campaign camp, then intrusion kill chain prevention is an attractive idea. The number is so small that you could probably track everything in the ubiquitous spreadsheet security tool.
And besides, it’s just fun to blow everybody’s minds at conferences when you tell them that the number of attack campaigns running on Tuesdays is four orders of magnitude smaller than what they believed coming into the session.
References
Cybersecurity Canon Hall of Fame Book
Philip Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [Book]. Goodreads. URL https://www.goodreads.com/book/show/23995360-superforecasting
Cybersecurity Canon Candidate Books
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Wiley. ISBN-10: 1394173083. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics/dp/1394173083
Helen Patton, 2024. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Review]. Cybersecurity Canon Project. URL https://icdt.osu.edu/cybersecurity-first-principles-reboot-strategy-and-tactics
Sharon Bertsch McGrayne, 2011. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [Book]. Goodreads. URL https://www.goodreads.com/book/show/10672848-the-theory-that-would-not-die
Rick Howard, n.d. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [Review]. Cybersecurity Canon Project. URL https://icdt.osu.edu/theory-would-not-die-how-bayes-rule-cracked-enigma-code-hunted-down-russian-submarines-and-emerged-triumphant-two-centuries-controversy
Other References
Staff, n.d. APT28 [Campaign Page]. MITRE ATT&CK®. URL https://attack.mitre.org/groups/G0007/
Staff, n.d. APT28 [Campaign Page]. Tidal Cyber. URL https://app.tidalcyber.com/groups/5b1a5b9e-4722-41fc-a15d-196a549e3ac5
Staff, n.d. MITRE ATT&CK Framework [Home]. MITRE. URL https://attack.mitre.org/
Staff, 2021. Fermi Problem Explained [Explainer]. Inch by Inch Stories. URL
Staff, 2024. Microsoft Digital Defense Report: 600 million cyberattacks per day around the globe [Summary]. CEE Multi-Country News Center. URL https://news.microsoft.com/en-cee/2024/11/29/microsoft-digital-defense-report-600-million-cyberattacks-per-day-around-the-globe/
Staff, 2025. Global Threat Report [Analysis]. CrowdStrike. URL https://www.crowdstrike.com/en-us/global-threat-report/