An attack campaign is a coordinated set of related malicious actions carried out over time against one or more targets.
In plain language, it is the broader pattern behind repeated or connected malicious activity, not just one isolated event.
Attack campaigns matter because defenders often see only fragments at first. A suspicious email, a set of unusual sign-ins, and a handful of malicious domains may seem unrelated until analysts recognize that they are part of the same campaign.
It also matters because campaign thinking helps teams prioritize and coordinate better. If activity is part of a larger pattern, the response may need to extend beyond one user, one host, or one alert.
Attack campaigns appear in Threat Intelligence, Security Operations Center correlation, incident scoping, industry threat reporting, and Detection Engineering. Teams connect them to the related concepts of Threat Actor, Kill Chain, Indicators of Compromise, Indicators of Attack, and Watering Hole Attack.
Security teams use campaign framing when they need to move from isolated alert handling toward broader scoping, communication, and coordinated defense.
A team sees phishing emails targeting finance staff, suspicious identity activity from related infrastructure, and malicious domains that match current industry reporting. Analysts conclude these are not separate small problems but parts of one attack campaign aimed at the organization’s payment workflows.
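The scenario above can be sketched as a correlation step that links alerts sharing any indicator, directly or through a chain of other alerts. This is an added example, not from the original page; the alert fields, sample values, and the `min_alerts` / `min_users` thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample alerts: IDs, users, domains and IPs are made up for illustration.
ALERTS = [
    {"id": "A1", "type": "phishing_email", "user": "fin-01", "indicators": {"pay-portal.example", "203.0.113.10"}},
    {"id": "A2", "type": "unusual_signin", "user": "fin-02", "indicators": {"203.0.113.10"}},
    {"id": "A3", "type": "dns_block", "user": "fin-03", "indicators": {"pay-portal.example", "invoice-cdn.example"}},
    {"id": "A4", "type": "malware_detect", "user": "dev-07", "indicators": {"198.51.100.77"}},
    {"id": "A5", "type": "unusual_signin", "user": "fin-01", "indicators": {"invoice-cdn.example"}},
]

def group_alerts(alerts):
    """Cluster alerts that share at least one indicator, directly or transitively."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # indicator -> first alert id that carried it
    for a in alerts:
        for ind in a["indicators"]:
            if ind in first_seen:
                parent[find(a["id"])] = find(first_seen[ind])  # merge clusters
            else:
                first_seen[ind] = a["id"]

    clusters = defaultdict(list)
    for a in alerts:
        clusters[find(a["id"])].append(a)
    return sorted(clusters.values(), key=len, reverse=True)

def campaign_candidates(alerts, min_alerts=3, min_users=2):
    """Return clusters large and broad enough to scope as a possible campaign.
    Thresholds are illustrative assumptions, not values from the page."""
    out = []
    for cluster in group_alerts(alerts):
        users = {a["user"] for a in cluster}
        if len(cluster) >= min_alerts and len(users) >= min_users:
            out.append({
                "alerts": sorted(a["id"] for a in cluster),
                "users": sorted(users),
                "indicators": sorted(set().union(*(a["indicators"] for a in cluster))),
            })
    return out

if __name__ == "__main__":
    for c in campaign_candidates(ALERTS):
        print(c)
```

Alert A5 shares no indicator with A1 or A2 directly; it joins the cluster only through A3, which is why single-alert handling would miss the link.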
An attack campaign is not the same as a single Incident Triage case. One triage event may be just one observable piece of a larger campaign.
It is also different from a Threat Actor. The actor is the person or group behind the activity. The campaign is the coordinated pattern of activity itself.