Coordinated Response
Services and tools for incident response management

FIRST Recommended Incident Categories

Categorizing incidents helps establish a consistent and effective Incident Response Plan.

FIRST, the Forum for Incident Response and Security Teams, provides great resources for developing an Incident Response Plan through the FIRST Web Site.

One web page provides guidance on Incident Categories that we use as a baseline for the initial categories in our Response Management Framework. The guidance stresses Consistent Case Classification/Categorization to help achieve key objectives:

  • Provide accurate reporting to management;
  • Insure proper case handling; and
  • Form the basis for Service Level Agreements (SLAs) between the CSIRT and other departments.

Consistent Categories also address the following:

  • Effectively communicate the scope of CSIRT responsibility to executives and constituents;
  • Inform the development of appropriate response actions; and
  • Insure consistent case handling.

Like incidents are likely to require like actions. This helps in the development of the response plan and its effective execution.

Incident Categories

The following table presents the FIRST categories on the left and the categories as adapted for the Coordinated Response Management Framework on the right.

  Categories Proposed by FIRST   Comments / Suggestions
Denial of Service – DoS or DDoS attack; attrition. Every organization experiences DoS at some point.
Forensics – any forensic work performed by the CSIRT. Forensics may be one of many services performed by the CSIRT. CSIRT Services might make a better category with Forensic Services as a specific service type.
Compromised Information – attempted or successful destruction, corruption or disclosure of sensitive information.
Compromised Asset – host, network device, application, or user account. The assets mentioned serve as examples. Mobile devices, any computers: desktop, laptop, notepad, might also be compromised. Lost or stolen equipment might be considered compromised, but perhaps this should be an additional category.
Unlawful Activity – theft, fraud, human safety, or child porn. Any number of incident categories might result in illegal action. Perhaps, unlawful activity might better serve as an impact category. In most cases of unlawful activity, this is not known at the incident response outset.
Internal Hacking (inactive or active) – recon or suspicious activity with internal origins.
External Hacking (inactive or active) – recon or suspicious activity with external origins.
Malware – a virus or worm typically affecting multiple corporate devices.
Email – spoofed email, SPAM, etc
Consulting – security consulting unrelated to a specific incident. This is another example of a CSIRT Service.
Policy Violations – inappropriate use, sharing offensive material, or unauthorized access. As with unlawful activity, policy violation may be a measure of incident impact.


The FIRST categories have been re-ordered to more readily reflect the mapping to the Coordinated Response proposed categories.

The categories for Compromised Information and Assets are augmented with a category for Loss or Theft of Equipment. These 3 categories share common actions, but there are distinct actions as well. Because each of these categories represent a number of distinct incident types they are best left as separate categories.

DDoS, Email, and External hacking are better treated as incident types and combined under a category for External Incidents. Attacks originating outside an organization are likely to involve a set of external resources from the Internet Service Provider (ISP) to external reporting authorities.

Internal Incidents very likely involve Human Resources and Legal. Internal Hacking is an incident type. Policy Violation may not represent an incident type, but a level of impact.

Unlawful activity is a measure of the legal impact of the incident. External or Internal hacking might rise the level of Unlawful Activity. Or not.

Finally, CSIRT Services might include Forensics, Consulting, and other services. This reflects an important category. The CSIRT might analyze and summarize Threat Intelligence and provide a synopsis to internal audiences.

Impact Levels

The FIRST guidance on categories also introduces Sensitivity and Criticality. Sensitivity applies to the nature of the incident. Denial of Service might rate S3 – Not Sensitive or Low Sensitivity. Policy Violations might rate S2 – Sensitive or Medium Sensitivity. A Forensics Request or Compromised Information might rate S1 – Extremely Sensitive or High Sensitivity. Criticality is measured in a similar way.

The Response Management Framework considers Sensitivity and Criticality as impact areas with associated impact levels. A future highlight on Impact Assessment will include more on FIRST guidance.

Other Categories

Other organizations propose categories for use in incident response planning – organizations including US-CERT at the Department of Homeland Security, the Office of Management and Budget (OMB), and the National Institute of Science and Technology.

A future highlight will address incident categories advanced by these organizations and how the proposed categories relate to other categories.

Coordinated Response

Recognizing an incident and its category aligns actions with desired outcomes. Categories need to reflect an organization, its response team, and its security controls. The categories presented here are offered as a starting point and a proven best practice.

Refer to our Response Management Framework for added insight.

Let us help you with a response plan review that considers your information security risk assessment.