# VERIS Incident Classification
VERIS (Vocabulary for Event Recording and Incident Sharing) provides security teams with a structured, standardized methodology for documenting and sharing incident data across organizational and industry boundaries. Without a common classification vocabulary, incident records become incomparable: one organization classifies an event as a "breach," another calls it an "exposure," and neither can contribute meaningfully to industry-wide pattern recognition or statistical analysis. VERIS solves this fragmentation by defining explicit taxonomies for every element of an incident, from the actor who initiated it to the specific data attributes compromised.
Developed by Verizon and maintained as the analytical backbone of the annual Data Breach Investigations Report (DBIR), VERIS transforms raw incident narratives into structured data that supports statistical analysis, regulatory reporting, and security program benchmarking across thousands of organizations and industries. The framework operates as both an internal incident classification system and a community data-sharing standard, enabling organizations to compare their incident patterns against peer statistics while contributing to collective threat intelligence.
VERIS addresses a fundamental problem in cybersecurity: the inability to learn from incident data at scale. When every organization describes incidents using different terminology and categories, valuable patterns remain hidden within individual incident databases. VERIS creates the standardized vocabulary necessary to aggregate incident data across organizational boundaries, revealing attack trends, control effectiveness patterns, and threat actor behaviors that only become visible through large-scale analysis.
---
How It Works
VERIS encodes each incident across four structured dimensions known as the A4 model: Actors, Actions, Assets, and Attributes. A record is a JSON document conforming to the published VERIS schema; each dimension holds enumerated values organized into categories and subcategories, so that two analysts working independently reach compatible, comparable classifications for similar events. A victim block (industry, organization size, country), a timeline, a discovery-method field, and an impact section round out the record.
Actors identify who initiated or contributed to the incident. The framework defines three top-level categories: External (attackers outside the organization, including organized crime, nation-states, activists, and unaffiliated individuals), Internal (employees, contractors, executives, and other authorized users), and Partner (third-party vendors, suppliers, managed service providers, and business partners). Each actor category records additional details: variety (the specific type within the category, such as "Organized crime" or "Nation-state" for external actors, or "End-user", "System admin", or "Executive" for internal ones), motive (financial gain, espionage, ideology, convenience, grudge), and country of origin. Whether an attacker was an organized group or a lone individual is expressed through the variety value rather than a separate field.
The Actor dimension handles scenarios involving multiple parties. For example, an incident might involve an external organized crime group that exploited credentials initially stolen by a malicious insider. VERIS accommodates this by allowing more than one actor category to be populated in the same record, each with its own variety and motive values. This granularity is crucial for understanding attack chains and designing appropriate countermeasures.
Actions describe what the actor did to compromise security. VERIS defines seven action categories: Malware (unauthorized software installation or execution), Hacking (exploitation of systems, networks, or applications), Social (deception-based manipulation of people), Misuse (abuse of authorized access privileges), Physical (tangible interaction with assets), Error (unintentional human mistakes), and Environmental (natural disasters or accidental non-human events).
Each action category contains specific varieties that describe the precise technique used. Under Hacking, varieties include "Use of stolen creds," "SQLi," "Brute force," "Exploit vuln," and "Use of backdoor or C2." The Social category includes varieties such as "Phishing," "Pretexting," "Bribery," and "Elicitation." Each action category also carries its own vector enumeration describing the delivery path: Hacking vectors include web application, VPN, desktop sharing, and backdoor or C2; Social vectors include email, phone, SMS, and in-person; Malware vectors include email attachment, email link, web drive-by, network propagation, removable media, and direct install. Because the vector list differs per category, an analyst must choose from the enumeration that belongs to the action being recorded.
Assets capture what was affected during the incident. The schema classifies assets by type, with a single-letter prefix on each variety: Server (S - database, web application, file, mail, directory services), Network (N - routers and switches, firewalls, IDS), User Device (U - desktop, laptop, tablet, mobile phone), Terminal (T - ATM, PIN entry device, kiosk), People (P - the role of the person targeted by social engineering or whose access was misused, such as finance staff or end-users), and Media (M - disk and flash drives, tapes, documents, payment cards). Each asset entry records the number of assets affected, which feeds aggregate impact calculations across datasets.
The Asset dimension also captures ownership and management details. Assets can be owned by the victim organization, a partner, or a third party. They can be managed internally or externally. This distinction proves critical for understanding supply chain risks and third-party security dependencies that contribute to incident causation.
Attributes describe which security properties were compromised, using the classic CIA triad: Confidentiality (data was disclosed or accessed without authorization), Integrity (data, software, or system state was altered without authorization), and Availability (systems or data became inaccessible or were destroyed). Most incidents involve more than one attribute. A ransomware attack is typically recorded against both Integrity (variety "Software installation" for the payload, plus the alteration of the data it encrypted) and Availability (variety "Obscuration", since the data still exists but cannot be read, or "Interruption" where services stopped).
The Confidentiality attribute includes a data taxonomy: Personal (PII, contact information), Medical (PHI, health records), Payment (card data), Bank (account data), Credentials (passwords, tokens), Internal (proprietary business information), Secrets (trade secrets), Source code, System (configuration and system data), Classified, Copyrighted, Digital certificate, and Virtual currency, plus Other and Unknown. Each data entry carries a record count where known, and a separate data_disclosure field records whether disclosure was confirmed, potential, or ruled out. VERIS accepts "Unknown" for counts rather than forcing estimates that would distort later aggregate statistics.
Timeline fields capture the temporal structure of the incident. The incident date is stored as an absolute date; the remaining entries (time to compromise, time to exfiltration, time to discovery, and time to containment) are stored as relative spans with a unit (seconds through years) and a value, and may be marked "Unknown". A separate discovery-method field records how the incident came to light, for example an internal log review, a report from an external party, or a partner's notification. Together these enable analysis of attacker dwell time, discovery effectiveness, and response efficiency across incidents and organizations.
A complete scenario demonstrates how these dimensions work together: A finance department employee receives a phishing email containing a malicious attachment (Action: Social, Variety: Phishing, Vector: Email, Target: Finance). The employee opens the attachment, installing credential-stealing malware (Action: Malware, Variety: Spyware/Keylogger, Vector: Email attachment). The malware captures the employee's domain credentials and transmits them to an external command-and-control server operated by an organized crime group (Actor: External, Variety: Organized crime, Motive: Financial).
The attackers use the stolen credentials to access the organization's payroll database server (Action: Hacking, Variety: Use of stolen creds, Vector: whichever remote-access path the attackers used, such as VPN or Web application, since VERIS has no generic "Network" vector; Asset: S - Database). They export employee payroll records containing names, addresses, Social Security numbers, and salary information before detection (Attribute: Confidentiality, Data Variety: Personal, Data disclosure: Yes, Record count: 4,200 employees).
The incident timeline shows the phishing email was sent on January 15, credentials were stolen on January 16, database access and export occurred on January 18, and the breach was discovered on January 30 through unusual database query alerts. In VERIS form that becomes an incident date of January 15, a time to compromise of one day, a time to exfiltration of two days, and a time to discovery of 14 days measured from compromise, with Discovery method: Internal, Log review. This complete VERIS record enables statistical analysis of phishing-to-data-exfiltration attack chains, average discovery times for credential-based attacks, and the effectiveness of database monitoring controls.
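The scenario above, encoded as a VERIS-style JSON record and checked against a controlled vocabulary. This is an added example written for this page, not code from the VERIS project or the DBIR team. Field names follow the VERIS 1.3.x JSON layout as the editor recalls it and should be verified against the schema files in the vz-risk/veris repository; the enumeration sets are a deliberately small constructed subset; the incident identifier, the schema version string, the contents of the `plus` extension block, and the choice of VPN as the hacking vector are assumptions, as is the convention that exfiltration and discovery spans are measured from compromise.

```python
import json
from datetime import date

# Constructed subset of the VERIS 1.3.x enumerations, keyed by dotted JSON path.
# Assumption: these values exist in the published schema; the real enumeration
# file (verisc-enum.json in vz-risk/veris) is far larger.
ENUM = {
    "actor.external.variety": {"Organized crime", "Nation-state", "Activist", "Unaffiliated", "Unknown"},
    "actor.external.motive": {"Financial", "Espionage", "Ideology", "Grudge", "Convenience", "Unknown"},
    "action.social.variety": {"Phishing", "Pretexting", "Bribery", "Elicitation", "Unknown"},
    "action.social.vector": {"Email", "Phone", "In-person", "SMS", "Web", "Unknown"},
    "action.malware.variety": {"Spyware/Keylogger", "Password dumper", "Ransomware", "Backdoor", "Unknown"},
    "action.malware.vector": {"Email attachment", "Email link", "Web drive-by", "Direct install", "Unknown"},
    "action.hacking.variety": {"Use of stolen creds", "SQLi", "Brute force", "Exploit vuln", "Unknown"},
    "action.hacking.vector": {"Web application", "VPN", "Desktop sharing", "Backdoor or C2", "Unknown"},
    "asset.assets.variety": {"S - Database", "S - Web application", "U - Desktop", "P - Finance", "P - End-user"},
    "attribute.confidentiality.data.variety": {"Personal", "Medical", "Payment", "Bank", "Credentials", "Unknown"},
    "timeline.discovery.unit": {"Hours", "Days", "Weeks", "Months", "Years", "Unknown"},
}

# Absolute dates from the scenario (constructed). VERIS stores only the incident
# date absolutely; every other timeline entry is a relative span.
SCENARIO_DATES = {
    "incident": date(2024, 1, 15),      # phishing email sent
    "compromise": date(2024, 1, 16),    # domain credentials captured
    "exfiltration": date(2024, 1, 18),  # payroll records exported
    "discovery": date(2024, 1, 30),     # unusual-query alert reviewed
}


def _span(start: date, end: date) -> dict:
    """A VERIS relative timeline entry, expressed in days."""
    return {"unit": "Days", "value": (end - start).days}


def relative_timeline(dates: dict) -> dict:
    """Derive the VERIS timeline block from absolute dates.

    Assumed reference points: compromise is measured from the initial action,
    exfiltration and discovery from compromise.
    """
    inc = dates["incident"]
    return {
        "incident": {"year": inc.year, "month": inc.month, "day": inc.day},
        "compromise": _span(dates["incident"], dates["compromise"]),
        "exfiltration": _span(dates["compromise"], dates["exfiltration"]),
        "discovery": _span(dates["compromise"], dates["discovery"]),
    }


def build_record() -> dict:
    """The phishing-to-payroll-exfiltration scenario as one VERIS record."""
    return {
        "incident_id": "IR-2024-0042",  # hypothetical identifier
        "schema_version": "1.3.7",      # assumed current schema version
        "security_incident": "Confirmed",
        "timeline": relative_timeline(SCENARIO_DATES),
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "action": {
            "social": {"variety": ["Phishing"], "vector": ["Email"]},
            "malware": {"variety": ["Spyware/Keylogger"], "vector": ["Email attachment"]},
            "hacking": {"variety": ["Use of stolen creds"], "vector": ["VPN"]},  # VPN is an assumption
        },
        "asset": {"assets": [
            {"variety": "P - Finance", "amount": 1},
            {"variety": "U - Desktop", "amount": 1},
            {"variety": "S - Database", "amount": 1},
        ]},
        "attribute": {"confidentiality": {
            "data": [{"variety": "Personal", "amount": 4200}],
            "data_disclosure": "Yes",
            "data_total": 4200,
        }},
        "discovery_method": {"internal": {"variety": ["Log review"]}},
        # "plus" is the organisation's own extension area; the absolute dates
        # kept here are not part of the standard schema.
        "plus": {"absolute_dates": {k: v.isoformat() for k, v in SCENARIO_DATES.items()}},
    }


def _leaves(obj, path: list):
    """Yield every leaf value reachable at a dotted path, descending into lists."""
    if not path:
        yield from (obj if isinstance(obj, list) else [obj])
        return
    if isinstance(obj, list):
        for item in obj:
            yield from _leaves(item, path)
    elif isinstance(obj, dict) and path[0] in obj:
        yield from _leaves(obj[path[0]], path[1:])


def validate(record: dict) -> list:
    """Return one message per value outside the controlled vocabulary.

    This is the check a structured intake form enforces: free text such as
    "Network intrusion" cannot enter the dataset and skew later trend queries.
    """
    errors = []
    for path, allowed in ENUM.items():
        for value in _leaves(record, path.split(".")):
            if value not in allowed:
                errors.append(f"{path}: {value!r} not in controlled vocabulary")
    return errors


if __name__ == "__main__":
    rec = build_record()
    print(json.dumps(rec, indent=2))
    print("validation errors:", validate(rec))
```

The validator walks dotted paths and descends into arrays, so it covers both scalar fields and list-valued ones such as `asset.assets[].variety`; in production the `ENUM` table would be loaded from the schema's enumeration file rather than hand-written.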
Implementation considerations require organizations to capture VERIS data throughout the incident lifecycle rather than retrospectively. Incident response procedures should include mandatory VERIS field collection during initial triage, with updates as investigation reveals additional details. Asset inventories must be current enough to support accurate asset-type classification. Training programs should ensure consistent application of VERIS categories across different analysts and teams.
Organizations typically implement VERIS through integration with existing incident management platforms such as ServiceNow, Jira, or SOAR systems. VERIS fields become structured form inputs with controlled vocabularies rather than free-text fields, preventing classification drift over time. Automated population of certain fields (such as asset types from CMDB integration) reduces analyst workload while improving data consistency.
---
Why It Matters
The business value of structured incident classification operates on multiple levels: internal program improvement, external benchmarking, regulatory compliance, and strategic risk management. Without consistent classification, security teams cannot answer fundamental operational questions about their own incident history. Are phishing attacks increasing year over year? Do insider threats concentrate in specific departments? Is mean time to detection improving? Raw incident narratives stored in ticketing systems cannot support this analysis at scale.
VERIS transforms these questions into answerable queries against structured data. A security manager can filter three years of incidents by Action: Social and Variety: Phishing to produce trend lines showing whether email-based attacks are increasing. That analysis directly informs investment decisions about security awareness training, email security controls, and detection capabilities. Similarly, filtering by Actor: Internal reveals patterns of insider risk that inform access control policies, monitoring strategies, and HR security procedures.
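One way to run the queries this paragraph describes over a set of VERIS records, as an added example written for this page rather than anything shipped by Verizon: a constructed mini-dataset of seven records carrying only the fields the queries touch, a per-year trend for a given action category and variety, and a mean time to discovery that honours VERIS's "Unknown" spans instead of guessing. The record layout assumes the VERIS JSON structure (`action.<category>.variety`, `timeline.incident.year`, `timeline.discovery.{unit,value}`); the unit-to-days table is a simplification (VERIS also has Seconds, Minutes, Years, Never, and NA).

```python
from collections import Counter
from statistics import mean

# Simplified unit table; VERIS also has Seconds, Minutes, Years, Never and NA.
_UNIT_DAYS = {"Hours": 1 / 24, "Days": 1, "Weeks": 7, "Months": 30}

# Constructed mini-dataset: only the VERIS fields the queries below read.
INCIDENTS = [
    {"incident_id": "A1", "timeline": {"incident": {"year": 2022}, "discovery": {"unit": "Days", "value": 3}},
     "action": {"social": {"variety": ["Phishing"], "vector": ["Email"]}}},
    {"incident_id": "A2", "timeline": {"incident": {"year": 2022}, "discovery": {"unit": "Weeks", "value": 2}},
     "action": {"social": {"variety": ["Phishing"]}, "hacking": {"variety": ["Use of stolen creds"]}}},
    {"incident_id": "A3", "timeline": {"incident": {"year": 2023}, "discovery": {"unit": "Hours", "value": 6}},
     "action": {"error": {"variety": ["Misdelivery"]}}},
    {"incident_id": "A4", "timeline": {"incident": {"year": 2023}, "discovery": {"unit": "Days", "value": 10}},
     "action": {"social": {"variety": ["Phishing"]}, "hacking": {"variety": ["Use of stolen creds"]}}},
    {"incident_id": "A5", "timeline": {"incident": {"year": 2023}, "discovery": {"unit": "Days", "value": 1}},
     "action": {"social": {"variety": ["Pretexting"], "vector": ["Phone"]}}},
    {"incident_id": "A6", "timeline": {"incident": {"year": 2024}, "discovery": {"unit": "Unknown"}},
     "action": {"hacking": {"variety": ["Use of stolen creds"]}, "malware": {"variety": ["Ransomware"]}}},
    {"incident_id": "A7", "timeline": {"incident": {"year": 2024}, "discovery": {"unit": "Days", "value": 2}},
     "action": {"social": {"variety": ["Phishing"]}}},
]


def has_action(rec: dict, category: str, variety: str = None) -> bool:
    """True when the record's action block lists the category (and, if given, the variety)."""
    block = rec.get("action", {}).get(category)
    if block is None:
        return False
    return variety is None or variety in block.get("variety", [])


def discovery_days(rec: dict):
    """Discovery span in days, or None when VERIS records it as Unknown."""
    span = rec.get("timeline", {}).get("discovery", {})
    factor = _UNIT_DAYS.get(span.get("unit"))
    if factor is None or "value" not in span:
        return None
    return span["value"] * factor


def yearly_trend(records: list, category: str, variety: str = None) -> dict:
    """Count of matching incidents per incident year, oldest year first."""
    years = Counter(r["timeline"]["incident"]["year"]
                    for r in records if has_action(r, category, variety))
    return dict(sorted(years.items()))


def mean_time_to_discovery(records: list, category: str, variety: str = None):
    """Mean discovery time in days over matching incidents with a known span.

    Returns (mean_days or None, count_known, count_unknown) so the reader of
    the metric can see how much of the population was excluded.
    """
    spans = [discovery_days(r) for r in records if has_action(r, category, variety)]
    known = [s for s in spans if s is not None]
    return (mean(known) if known else None, len(known), spans.count(None))


if __name__ == "__main__":
    print("phishing per year:", yearly_trend(INCIDENTS, "social", "Phishing"))
    print("MTTD, stolen creds:", mean_time_to_discovery(INCIDENTS, "hacking", "Use of stolen creds"))
```

Reporting the unknown count alongside the mean is the point of the third return value: a metric computed over two of three credential incidents is a different claim from one computed over all three, and the "Unknown" entries VERIS permits are only safe to aggregate if they are surfaced rather than silently dropped.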
External benchmarking through VERIS-encoded data allows organizations to compare their incident patterns against DBIR statistics for their industry vertical and organization size. A healthcare organization experiencing frequent insider misuse events can check whether this pattern reflects a sector-wide trend (DBIR healthcare sections have historically reported an unusually high share of insider-involved incidents for the sector) or indicates specific weaknesses in its access controls and monitoring. Manufacturing organizations can compare their operational technology security incidents against peer data to assess whether their OT security posture requires additional investment.
Regulatory reporting benefits directly from VERIS classification. Privacy and breach-notification rules including GDPR, California's breach notification statute, and the HIPAA Breach Notification Rule require a characterization of the incident: what data was affected, who was responsible where known, how the breach occurred, and when it was discovered. VERIS fields map closely to these elements, so notification templates can be pre-populated from the record instead of reconstructing the incident by hand under a regulatory deadline. VERIS does not by itself satisfy any regulation; it supplies the structured facts that counsel and compliance staff turn into a filing.
GDPR Article 33(3) requires a notification to describe the nature of the breach including, where possible, the categories and approximate number of data subjects and of personal data records concerned. The VERIS Data Variety entries and record counts supply the categories and numbers; the Action and Actor classifications supply a consistent description of how the breach occurred. California's breach notification law similarly requires a description of the types of personal information involved, which the Data Variety classification provides.
Strategic risk management improves when incident data contributes to enterprise risk assessment rather than remaining isolated within security operations. VERIS-classified incidents feed risk registers by providing quantitative evidence of threat materialization. When board-level risk discussions address insider threats, VERIS data can demonstrate whether insider incidents are increasing, what business functions they affect most frequently, and how detection capabilities are performing.
Insurance considerations increasingly call for structured incident data. Cyber insurance providers request detailed loss histories during underwriting and claims processing. VERIS-classified incident records provide that history in a consistent, queryable form, and the ability to produce it on demand is one of the signals underwriters use when assessing risk management maturity.
Without structured classification, several problems follow. Security teams routinely underestimate their true incident frequency because they cannot search unstructured records effectively. Critical patterns remain hidden: recurring attack methods that indicate control failures, seasonal variations that could inform staffing decisions, or threat actor persistence that suggests inadequate containment procedures.
During regulatory investigations, organizations without structured incident classification struggle to produce required timelines and characterizations. Reconstructing incident details months or years after occurrence introduces errors and gaps that regulators interpret as inadequate incident response capabilities. The resulting enforcement actions and remediation orders can cost far more than implementing proper classification procedures would have.
A critical misconception suggests that incident classification should wait until post-incident review completion. This approach introduces systematic errors as timeline details, discovery methods, and initial actor assessments become reconstructed rather than captured contemporaneously. VERIS proves most accurate when fields are populated progressively throughout incident response, updated as investigation reveals new information, and finalized during post-incident review rather than created during review.
---
CDA Perspective
CDA approaches VERIS incident classification through the Risk Governance and Accountability (RGA) domain of the Planetary Defense Model. RGA encompasses the structures, processes, and records that enable organizations to demonstrate that their risk posture is understood, actively managed, and continuously verified. Incident classification represents a fundamental data collection discipline that feeds the Perpetual Compliance Assurance (PCA) methodology rather than a reporting afterthought.
PCA operates on the principle that compliance is not an event but a state. This principle applies directly to incident data: conducting annual reviews of incident trends constitutes an event-based approach. Maintaining a continuously updated, consistently classified incident register that feeds quarterly risk reporting, control effectiveness reviews, and regulatory readiness assessments creates a compliance state. VERIS provides the vocabulary infrastructure necessary to achieve and maintain this state.
CDA's operational approach to VERIS integration focuses on embedding classification requirements into existing incident response workflows rather than creating parallel documentation processes. During client engagements, CDA maps VERIS fields to the client's incident response platform, typically ServiceNow, Jira, or an integrated SOAR system, as mandatory controlled-vocabulary form inputs so that different analysts cannot drift into inconsistent terminology over time.
CDA connects VERIS classification outputs directly to RGA reporting infrastructure. Incident trend data, expressed through VERIS dimensions, feeds the organization's risk register where it updates control effectiveness scores for relevant security controls. When clusters of credential-based incidents appear in VERIS-encoded incident history, PCA processes automatically flag associated access control objectives for re-verification rather than waiting for scheduled audit cycles.
What distinguishes CDA's approach from conventional VERIS implementations is treating the incident classification schema as a living governance instrument rather than a static documentation tool. Classification quality receives quarterly review through analyst calibration exercises that ensure consistent application of VERIS categories across security operations teams. VERIS Community Database (VCDB) contribution is evaluated as a mechanism for regulatory goodwill and peer benchmarking rather than optional participation.
The result produces an incident record system that supports both operational security decisions and audit-ready compliance evidence simultaneously. When auditors request evidence of incident response effectiveness, VERIS-classified records provide quantitative metrics: mean time to detection by attack vector, containment success rates by incident type, and trend analysis demonstrating continuous improvement. This evidence satisfies regulatory requirements while supporting data-driven security program optimization.
---
Key Takeaways
- Implement VERIS fields as structured, controlled-vocabulary inputs in incident response systems immediately; free-text incident descriptions cannot support trend analysis or regulatory reporting requirements effectively.
- Capture VERIS timeline fields at each incident stage rather than reconstructing them post-mortem, as timeline accuracy degrades rapidly after incident closure and affects statistical analysis validity.
- Map organizational VERIS-encoded incident history against DBIR statistics annually for industry vertical comparisons; significant deviations from sector norms identify control posture strengths and weaknesses relative to peer organizations.
- Connect VERIS Actor classifications directly to vendor risk management programs; incidents involving Partner actors should trigger immediate review of vendor access scope and network segmentation controls.
- Use VERIS Attribute and Data Variety fields to pre-populate regulatory breach notification templates, reducing time from incident confirmation to regulator notification while ensuring compliance with disclosure requirements.
---
Sources
- Verizon Enterprise Solutions. VERIS Framework GitHub Repository. https://github.com/vz-risk/veris
- Verizon Business. 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
- National Institute of Standards and Technology. NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide. U.S. Department of Commerce, 2012.
- European Union Agency for Cybersecurity. ENISA Threat Landscape 2023. Publications Office of the European Union, 2023.
- SANS Institute. SANS 2023 Incident Response Survey. SANS Institute, 2023.