Incident Classification Definitions
AI Security Wire uses a structured classification system across all incident reports. The following definitions explain each classification type and how they should be interpreted.
Illustrative
A synthetic incident composite constructed from documented real-world attack patterns, published vulnerability research, and observed threat actor behaviours. Organisation details — including sector, geography, and size — are fictionalised. No specific real organisation or event is reported.
Illustrative reports are intended to help security practitioners understand realistic threat vectors, map plausible attack timelines, and evaluate defensive controls against scenarios they have not yet encountered. The underlying tactics, techniques and procedures (TTPs) and vulnerabilities described are drawn from verified sources; what is synthetic is their combination into a single incident and the organisation to which it is attributed.
How to use: Treat these reports as threat modelling inputs, tabletop exercise scenarios, and detection engineering references — not as news of a specific breach.
Confirmed
A verified incident in which the occurrence of the security event has been independently corroborated — either by the affected organisation, a regulatory body, a credible third-party incident response firm, or multiple independent sources. Core facts (that an incident occurred, the approximate scope, and the primary attack vector) are not in dispute.
Confirmed classification does not mean all details are fully disclosed. Some confirmed incidents are subject to partial disclosure pending regulatory review, litigation, or ongoing remediation.
Unconfirmed
A reported incident that has not yet been independently verified. Details may derive from a single source, early-stage threat intelligence feeds, or unverified social media reporting. The incident may be real but the scope, attribution, or root cause remains unclear.
How to use: Treat unconfirmed reports as early-warning signals requiring further validation before acting on specific technical claims.
Attributed
An incident in which a specific threat actor, group, or nation-state has been publicly identified as responsible. Attribution is based on technical indicators (malware signatures, infrastructure overlap, TTPs), official government or law enforcement statements, or corroborated reporting from multiple credible threat intelligence sources.
Attribution is always probabilistic: technical indicators such as infrastructure and tooling can be shared between groups or deliberately imitated, and initial attribution is sometimes revised as investigations progress. AI Security Wire follows the high, moderate, and low confidence levels used in intelligence assessments and notes which level applies to each attribution.
Ongoing
An active incident where containment, remediation, or investigation has not yet been completed at the time of publication. Ongoing reports represent the best available information at a specific point in time and will be updated as new details emerge.
How to use: Monitor for follow-up reporting. Defensive recommendations in ongoing reports may evolve as the full attack chain becomes clear.
Resolved
An incident in which containment, root-cause identification, and remediation have all been completed, the affected organisation has returned to normal operations, and any required regulatory notifications have been made.
Partially Disclosed
An incident where some details have been made public but the full scope, root cause, or attribution has not been officially confirmed or disclosed. Partial disclosure commonly occurs due to active litigation, regulatory investigation, commercial sensitivity, or national security constraints.
How to use: Treat the disclosed details as reliable but incomplete. Avoid over-extrapolating to undisclosed aspects of the incident.