Annex D
How the incident was identified. FIRE provides 18 standardised methods grouped as External, Internal, Unknown, and Other. This field is essential from the Intermediate phase.
| Method | Description |
|---|---|
| External discovery | |
| Actor Disclosure | The incident was disclosed by the actor responsible for causing it (e.g., a threat actor claiming responsibility or issuing a ransom demand). |
| Authority or Agency | The incident was reported or disclosed by a regulatory or supervisory authority or other government agency. |
| Law Enforcement | The incident was reported or disclosed by a law enforcement body. |
| Third Party | The incident was reported or disclosed by an external third party such as a supplier, vendor, or service provider. |
| Customer or Client | The incident was reported or disclosed by a customer or client of the entity. |
| Peer or Competitor | Information about the incident was shared by a peer institution or competitor (e.g., through information sharing arrangements). |
| External Audit | The incident was identified during an external audit, review, or assessment. |
| Monitoring Service | Discovered through a third-party cyber monitoring, threat intelligence, or dark web monitoring service. |
| Unrelated Party | Discovered or disclosed by a party with no direct relationship to the entity — for example, a security researcher, journalist, or member of the public. |
| Unknown (External) | The incident was discovered via an external source, but the specific method or party is unknown. |
| Internal discovery | |
| Incident Response | Discovered through the entity's own incident response processes or procedures. |
| Security Operations Centre (SOC) | Identified by the entity's Security Operations Centre through active monitoring. |
| Existing Detection Technique | Detected by an established security control — such as a SIEM, endpoint detection and response (EDR), intrusion detection system, or similar automated tooling. |
| Internal Audit | Identified during an internal audit, assessment, or compliance review. |
| Staff | Discovered by a member of staff — not through a formal detection process — for example, by noticing an anomaly during normal work. |
| Unknown (Internal) | The incident was discovered internally, but the specific internal method or person is unknown. |
| Other | |
| Unknown | The discovery method is entirely unknown — it is not possible to determine whether discovery was internal or external. |
| Other | The discovery method does not fit any of the above categories. A free-text description should be provided where possible. |