CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

Taxonomy - Schemes of Classification in Incident Response and Detection

A key success factor, while performing incident response, is to share a common understanding of the security incident. A common definition can be achieved by a shared vocabulary as described below.

Incident Classification

Incident classification is the classification of the method(s) used by an attacker through unauthorized access, destruction, disclosure, modification of data, and/or denial of service (ref:ENISA). An incident can cover one or more types of incident classification as described below.

Incident involving the reception or the sending of unsolicited emails or any other notification.
System Compromise
Incident involving the compromise of a computer-based element.
Incident including any act of network or system reconnaissance that could lead to a security incident. Legitimate security assessment will not be categorized as an incident.
Denial of Service
Incident involving a temporarily disruption of a computer-based element or network service.
Copyright Issue
Reported incident including disclosure of information covered by a restrictive copyright. The classification is used for reports which are not classified and handled as a security incident.
Incident including attacks posing as legitimate company, organization or people.
Incident including malicious software or software deliberately designed or abused by an attacker to pursue his goal(s).
Incident including Cross-Site Scripting vulnerabilities being or potentially being abused.
A vulnerability reported or discovered that could lead to a security incident.
Incident involving techniques of hiding malicious activities by an ever-changing set of compromised systems.
SQL Injection
Incident involving techniques to directly abuse the backend database (not limited to SQL databases).
Information Leak
Incident including disclosure of information where distribution should have been restricted.
Incident forcing a potential victim to act for the benefit of an attacker.
Incident involving techniques to use computers or computer devices to mine cryptocurrency without the user consent.
Incident involving techniques to lock (or claiming to lock) the victim system or access to a system.
Incident involving techniques to lock the victim access to their screen or login interface.
Incident involving techniques to destroy/wiper/sanitise data of a target.


Topic is the identified area of activity from the structure (owning the IP address if final owner is not known) having the potential incident. An incident can cover one or more topic(s) as described below.

Financial sector including banks, card and payment processing companies or third-party providers handling financial information.
Overall information and communication technology sector including Internet Service Provider (ISP), hosting provider, and telecom provider.
Physical person having a direct relationship with the incident as a victim or as a reporter.
Sector dealing with the processing of materials and/or manufacturing of goods in factories including any supporting activities to industries.
Sector handling health of people including companies doing hospital management or dealing with medical information.
Overall sector of activities not dealing with the previously mentioned topic providing a service (Finance, ICT, Individual, Industry or Medical).
Sector of activities not falling in the previously mentioned categories (Finance, ICT, Individual, Industry, Medical or Services) or cannot be defined during the incident handling classification. This topic of classification might be temporary upon an adequate topic is found.

Machine readable format

The above circl taxonomy is available in MISP PDF in the default taxonomy and can be freely reused by other organisations.

Indicators Taxonomy

CIRCL also relies on a common set of indicators and categories used for information sharing within MISP and other similar threat sharing platforms.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.


  • Version 1.2 May 16th, 2018 Updated to include locker, screenlocker and wiper.
  • Version 1.1 March 15th, 2018 Updated to include cryptojacking.
  • Version 1.0 October 1st, 2015 Initial version TLP:WHITE.