Tailored Access Operations (TAO) is the U.S. National Security Agency’s elite computer network exploitation and offensive cyber operations organization, historically associated with highly tailored intrusions against foreign targets for intelligence collection and related national security missions. It is widely regarded as one of the most capable state cyber operators in existence and has also been referred to organizationally as the NSA’s Office of Computer Network Operations during periods of restructuring. TAO’s mission centers on penetrating foreign computer networks, developing and deploying custom intrusion capabilities, and maintaining specialized implants and access methods to support espionage. Reported intelligence targets have included terrorist financial networks, money-laundering and narcotics operations, foreign military readiness, and internal political dynamics of adversary states. Public reporting has long characterized the unit as heavily resourced, technically sophisticated, and able to combine operators and developers to accelerate bespoke operations against hardened targets. The organization is part of the United States intelligence apparatus and should be understood as a nation-state cyber actor operating on behalf of the U.S. government. Its activities are generally described as foreign-focused cyber espionage rather than financially motivated crime or indiscriminate disruption. Because its targeting is mission-driven and selective, TAO is often cited as an example of a highly capable actor that poses little practical threat to most organizations absent specific intelligence interest. TAO has been publicly linked to advanced exploitation tradecraft, large-scale automated collection from foreign networks, stealthy operational security, and the use of false-flag techniques to obscure attribution. It has also been associated in public reporting with the development of custom software tools and exploits, including reported involvement in the Stuxnet operation against Iran’s nuclear program. The unit became especially prominent after the Shadow Brokers disclosures exposed stolen NSA cyber capabilities, an event that intensified scrutiny of U.S. offensive cyber operations and the downstream risk of leaked state tools being repurposed by other actors. Public reporting has further connected leaked NSA exploitation capabilities to later criminal and state-linked campaigns, including the use of EternalBlue in the 2017 WannaCry outbreak. Known related names and organizational references include TAO and Office of Computer Network Operations. TAO has also been discussed alongside other U.S. intelligence cyber elements, including CIA components that reportedly supported or coordinated with NSA intrusion operations. No distinct sub-groups are reliably established in the available information beyond its role as a specialized NSA operational unit.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
NSA offensive cyber operations unit focused on developing and deploying bespoke capabilities to penetrate foreign networks for espionage and sabotage operations.
Used as an illustrative example of a highly capable state cyber actor whose relevance depends on intent, not capability alone.
An elite NSA hacking unit referenced as conducting cyber espionage by breaking into computer networks, with CIA support mentioned via the Technology Management Office.
A secretive NSA unit conducting cyber espionage and computer network exploitation to steal electronic data at rest from foreign targets worldwide for intelligence gathering.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.