Continuing with Nisos’ series on providing context to enable actionable outcomes for Security Operations Centers (SOCs), we examine the differences between signature and personality-based attributions and how each plays a role for enterprises in prioritization efforts to define and defend threats. By focusing on the technical signatures and open source intelligence (OSINT) footprint of a group of actors, signature-based attribution efforts allow enterprises to contextualize their findings and better address the coverage gaps in security controls. Threat intelligence or actual incident events are often used by SOCs to test hypotheses or identify previous actions of an adversary. These signatures also form the basis for metrics that enable security resources to increase their own programs that illustrate how they reduced risk exposure to the business.