CORE FEATURES
Actor Profiles
11 min
what are actor profiles? actor profiles provide a centralized view of an actor observed within the flare platform these profiles help analysts investigate behavior patterns, assess risk, and pivot across relevant activity they're designed to support a range of security workflows such as threat actor investigations, behavioral trend analysis, false positive validation, and pivoting between events tied to the same actor how do i view actor profiles? profiles are accessible by clicking on any underlined actor name found within event cards intel in threat flow ⚠️ important actors are scoped to the specific source and context in which they appear flare does not guarantee that a username or handle seen across multiple forums or platforms belongs to the same individual by default, all analysis is based on the actor + forum combination from which you accessed the profile proceed with caution when making cross source attributions tabs overview actor profiles are organized into tabs each tab focuses on a different aspect of the actor's presence and behavior activity tab this tab provides a visual breakdown of the actor’s timeline, volume, and behavior across supported sources key sections actor metadata shows the first and last observed timestamps for the actor activity breakdown a bar chart showing volume of posts or events over time includes filters by category, date range, and source most recent events a table view of the actor’s latest associated events, including date category (e g forum topic, forum post) source (e g kiwi farms ) severity (e g info, medium) the direct link to view the full event analysis tab available only for forum based events this tab provides deeper insight into the actor’s behavior, intent, and communication style key sections the profile summary provides insight into the actor's behavior, tone, and intent based on their forum posts overview displays the actor’s handle and associated forum activity is analyzed per actor + forum combination main activities and motives describes the primary themes discussed by the actor—such as politics, internet culture, illicit trade, or cybersecurity focus is on recurring topics that define the actor's interest areas outlines the actor’s likely motivation, whether it's financial, ideological, social, or curiosity driven helps assess whether the actor poses a credible threat potential associations with major criminal groups indicates whether there is any observed association with known threat groups, malware families, or criminal services if no affiliations are detected, that is explicitly stated latest activity highlights the actor’s most recent patterns of engagement—whether consistent or sporadic—and identifies any recent shifts in focus or tone linguistic analysis summarizes linguistic characteristics primary language, tone (formal/informal), slang use, and fluency gives insight into cultural background and communication style likely geographical location estimates the actor's possible geographical region based on posting behavior, language, and time of day patterns this is a soft signal—not a definitive attribution potential victims shortlist states whether the actor mentions or targets specific individuals, companies, or industries useful for identifying risk to customers or sectors the activity summary quantifies and visualizes an actor’s footprint across time, sources, and event types it supports operational tasks like pivoting, prioritizing, and tracing actor behavior overview defines the window of time during which posts or events were observed may highlight bursts of activity, seasonal trends, or one off appearances variation of activity over time details how the actor interacts with others are they reactive or initiatory? do they engage in debates, share personal experiences, or reference shared culture? motivations in the context of their activity, helps assess whether the actor poses a credible threat affiliations in the context of their activity, indicates whether there is any observed association with known threat groups, malware families, or criminal services if no affiliations are detected, that is explicitly stated non criminal activity explicitly states whether any posts show criminal intent or illicit services if no such behavior is detected, the activity is characterized as non criminal and informational or social in nature activity breakdown chart visualizes the volume of activity over time (daily, weekly, or custom range) helps identify spikes, drop offs, or single day bursts of activity filterable by category and date range annotated with first/last observed messages weekly discussion heatmap displays posting behavior by hour and weekday helps assess timezone alignment, shift based activity, or consistency analysts can toggle timezones to normalize patterns across geographies darker blocks = higher message frequency located beneath the heatmap is a separate summary that interprets the actor's behavioral cadence most active days and hours (e g , late night weekdays) timezone inference , based on observed peaks geographical hypothesis , listing countries that align with timing and language use