A multi-dimensional map of classic cyber incidents. The same event set analysed across five dimensions: geography, sector, threat type, threat actor and impact (CIA triad + financial / legal / reputational dimensions). Layer 1 of the K0NSULT model: classic cyber.
disabled) — they serve UI presentation only.Distribution of reports by the location of the affected entity. Demonstration values — they do not reflect a real threat map.
| Region | Incidents | P0/P1 | Dominant type | Trend |
|---|---|---|---|---|
| Region 1 (capital) | 34 | 4 | Phishing / BEC | ▲ +21% |
| Region 2 (industrial) | 18 | 2 | Ransomware | ▲ +9% |
| Region 3 | 15 | 1 | Vulnerabilities/CVE | ▬ 0% |
| Region 4 | 12 | 1 | Phishing | ▲ +6% |
| Region 5 | 11 | 2 | DDoS | ▲ +14% |
| Region 6 (coastal) | 9 | 1 | Malware | ▼ −4% |
| Region 7 | 7 | 0 | Phishing | ▬ 0% |
| Other (9 regions) | 22 | 2 | mixed | ▲ +5% |
Sectors aligned with the scope of essential and important entities under NIS2. Finance and public administration are the most frequent targets in the demonstration data.
| Sector | Incidents | Most common vector | Avg. priority | Flag |
|---|---|---|---|---|
| Finance / banking | 31 | Phishing / BEC, fraud | P1 | CRITICAL_INFRA |
| Public administration | 24 | Ransomware, vulnerabilities | P1 | NIS2_RELEVANT |
| Healthcare | 17 | Ransomware, data leak | P1 | GDPR_PERSONAL_DATA |
| Energy | 12 | OT/ICS vulnerabilities | P0 | CRITICAL_INFRA |
| Education / research | 11 | Phishing, credential theft | P2 | — |
| Transport | 9 | DDoS, misconfiguration | P2 | NIS2_RELEVANT |
| AI / digital providers | 10 | Supply chain, model abuse | P1 | AI_ACT_RELEVANT |
| Media | 8 | Deepfake, DDoS | P2 | — |
| NGO / third sector | 6 | Phishing | P3 | — |
Eight categories in the classic-cyber layer. Each type has a dedicated response playbook.
Playbooks: phishing · ransomware · DDoS · vulnerabilities · data breach · supply chain
The attribution category carries an evidence status — attribution without proof stays in GAP or DISPUTED status and is never presented as fact.
| Threat actor | Share | Typical modus | Attribution status |
|---|---|---|---|
| Cybercrime (financial motive) | 47% | Phishing, ransomware, BEC | CONFIRMED |
| Bot / automated scan | 21% | Vulnerability scan, credential stuffing | CONFIRMED |
| APT (advanced group) | 11% | Supply chain, long persistence | DISPUTED |
| Insider | 8% | Privilege abuse, exfiltration | MEDIA |
| Hacktivist | 6% | DDoS, defacement | PUBLIC |
| AI agent (abused / hijacked) | 4% | Agent hijack, API abuse | CONFIRMED |
| Unattributed | 3% | — | GAP |
Impact is assessed against the CIA triad (confidentiality / integrity / availability) plus three secondary dimensions: financial, legal and reputational.
Breached in 38 events. Mainly data leaks, credential theft, misconfiguration.
GDPR_PERSONAL_DATA
Breached in 19 events. Ransomware (encryption), data tampering, defacement.
high impact
Breached in 27 events. DDoS, ransomware, post-attack outages.
NIS2_RELEVANT
Est. total loss 4.1 M PLN (demo). Fraud, ransom, downtime, remediation.
14 events with a reporting obligation: GDPR 72h, NIS2 24/72h, national cyber-security act.
6 events with media exposure / risk of losing customer trust.
Cross-tab table: concentration of threat types across selected sectors (demonstration numbers).
| Sector \ Type | Phishing | Ransomware | DDoS | Vulnerabilities | Leak |
|---|---|---|---|---|---|
| Finance | 14 | 3 | 4 | 6 | 4 |
| Administration | 7 | 6 | 2 | 7 | 2 |
| Healthcare | 4 | 5 | 1 | 3 | 4 |
| Energy | 2 | 1 | 1 | 7 | 1 |
| Education | 6 | 0 | 1 | 2 | 2 |