Module 3 of the K0NSULT system. A deterministic engine that turns a raw report into a structured record across 6 independent axes. Classification is the input for risk scoring, playbook selection and computation of regulatory obligations — and every axis is auditable and versioned.
The axes are orthogonal: the same incident type may involve different actors, vectors and impacts. Only the full set of axes yields a risk weight and a set of obligations.
Where in the technology stack the incident plays out. It determines the lead team and the control set.

| Layer | Scope | Typical incidents | Lead role |
|---|---|---|---|
| Human | social engineering, awareness | Phishing, vishing, BEC | SOC / awareness |
| Identity | accounts, MFA, tokens, sessions | Credential theft, session hijack | IAM / SOC |
| Application | web, API, mobile | Vulnerability, misconfig, injection | DevSecOps |
| Data | databases, backups, PII | Leak, ransomware, exfiltration | Legal/DPO + SOC |
| AI / agent | models, agents, plugins | Prompt injection, agent hijack, poisoning | AI Safety Officer |
| Infrastructure | network, cloud, endpoints | DDoS, malware, lateral movement | SOC / NetOps |
| Continuity | backup, DR, segmentation | Backup loss, DR failure | BCM / DevSecOps |

| Type | Layer | Default P | Suggested playbook |
|---|---|---|---|
| Ransomware | Data / infra | P0 | playbook-ransomware |
| Data breach | Data | P0 | playbook-data-breach |
| Agent hijack | AI / agent | P1 | playbook-agent-hijack |
| Prompt injection | AI / agent | P1 | playbook-prompt-injection |
| Phishing (active) | Human / identity | P1 | playbook-phishing |
| DDoS | Infrastructure | P1 | playbook-ddos |
| Exploited CVE | Application | P1 | playbook-vulnerabilities |
| Supply chain | Application / infra | P2 | playbook-supply-chain |
| Harmful hallucination | AI / agent | P2 | playbook-hallucination |
| Misconfiguration | Application / infra | P3 | playbooks |
Financial, opportunistic motive. Mass scale.
Ransomware-as-a-Service. Affiliates + operators, revenue-split model.
Phishing-as-a-Service. Ready-made kits, AiTM toolkits.
Sponsored / persistent actor. Goal: long-term access, intelligence.
Ideological motive. Often DDoS / defacement.
An internal person — malicious or accidental.
Misconfiguration, faulty change, missing process.
A hijacked or malicious agent acting autonomously.
Default when there is no attribution — status GAP.

actor = unknown, status GAP. Do not promote to CONFIRMED on the basis of TTP alone.

| Vector | ATT&CK Tactic | Example Technique |
|---|---|---|
| Email (attachment/link) | Initial Access | T1566 Phishing |
| SMS (smishing) | Initial Access | T1566.002 Spearphishing Link |
| Website / watering hole | Initial Access | T1189 Drive-by Compromise |
| API | Initial Access / Credential Access | T1190 Exploit Public-Facing App |
| VPN / remote access | Initial Access | T1133 External Remote Services |
| Vulnerability (CVE) | Initial Access | T1190 Exploit Public-Facing App |
| Token / session | Credential Access | T1528 Steal Application Access Token |
| Prompt (AI input) | Initial Access (AI) | Prompt Injection (ATLAS AML.T0051) |
| Agent plugin / tool | Execution (AI) | Tool abuse / tool poisoning |
| Connector / integration | Lateral Movement | T1210 Exploit Remote Services |
| Dependency | Initial Access / Supply Chain | T1195 Supply Chain Compromise |
AI vectors are mapped onto MITRE ATLAS (adversarial ML) as an auxiliary reference. The identifiers above are an example of a reference mapping, not an assignment to a real event.
Data disclosure / exfiltration. Trigger for GDPR / banking secrecy.
Data modification, model poisoning, forged transaction.
DDoS, ransomware, service outage. Trigger for NIS2 (service disruption).
Direct loss, fraud, recovery cost.
Notification obligations, penalties, supervisory proceedings.
Loss of customer trust, media pressure.
Process interruption, team load, roll-back.
Impact on OT / critical infrastructure / personal safety.

| Classification condition | Flag | Obligation (regulatory frame) | Clock |
|---|---|---|---|
| Personal data compromised | GDPR_BREACH | GDPR Art. 33 — notification to the authority; Art. 34 — notification of individuals when high risk | 72h to authority |
| Entity/service in NIS2 scope | NIS2_RELEVANT | NIS2 — early warning, notification, final report | 24h / 72h / 1 month |
| KSC entity (PL) | KSC_RELEVANT | National Cybersecurity System — report to the competent CSIRT | per KSC |
| High-risk AI system | AI_HIGH_RISK | AI Act — requirements for Annex III systems | — |
| Serious AI incident | AI_SERIOUS_INCIDENT | AI Act Art. 73 — report a serious incident to the market surveillance authority | without undue delay |
| Critical infrastructure | CRITICAL_INFRA | Sectoral regimes + KSC; possible authority involvement | sectoral |
Demonstration record — sample data, not operational.
```jsonc
{
  "id": "INC-DEMO-2026-0417",
  "evidence_status": "st-confirmed", // artifact: AiTM proxy log
  "axis_1_layer": "identity",
  "axis_2_type": "phishing (AiTM)",
  "axis_3_actor": "PhaaS", // hypothesis, TTP consistent
  "axis_4_vector": "email → website",
  "attack": { "tactic": "Initial Access", "technique": "T1566.002" },
  "axis_5_impact": ["C", "financial", "reputational"],
  "axis_6_legal": ["GDPR_PERSONAL_DATA", "NIS2_RELEVANT"],
  "priority": "P1", // active phishing, sessions being hijacked
  "sla_h": 24,
  "playbook": "playbook-phishing"
}
```
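As an added example that is not K0NSULT's own code, the following Python applies the type table (default priority and playbook), the obligations table (flag and clock) and the attribution GAP rule from this page to a record shaped like the demonstration record above. The HYPOTHESIS status, the `attribution_artifact` parameter and the reporting of unmapped flags are assumptions of this example.

```python
import re

# Type -> (default priority, suggested playbook), from the type table above.
TYPE_DEFAULTS = {
    "ransomware": ("P0", "playbook-ransomware"),
    "data breach": ("P0", "playbook-data-breach"),
    "agent hijack": ("P1", "playbook-agent-hijack"),
    "prompt injection": ("P1", "playbook-prompt-injection"),
    "phishing": ("P1", "playbook-phishing"),
    "ddos": ("P1", "playbook-ddos"),
    "exploited cve": ("P1", "playbook-vulnerabilities"),
    "supply chain": ("P2", "playbook-supply-chain"),
    "harmful hallucination": ("P2", "playbook-hallucination"),
    "misconfiguration": ("P3", "playbooks"),
}

# Legal flag -> clock, from the obligations table above (None = no fixed clock).
CLOCKS = {
    "GDPR_BREACH": "72h to authority",
    "NIS2_RELEVANT": "24h / 72h / 1 month",
    "KSC_RELEVANT": "per KSC",
    "AI_HIGH_RISK": None,
    "AI_SERIOUS_INCIDENT": "without undue delay",
    "CRITICAL_INFRA": "sectoral",
}

def attribution_status(actor, attribution_artifact=False):
    """GAP with no attribution; a TTP-consistent actor stays HYPOTHESIS (assumed
    state) and is promoted to CONFIRMED only by an attribution artifact, never by TTP."""
    if actor is None or actor.strip().lower() == "unknown":
        return "GAP"
    return "CONFIRMED" if attribution_artifact else "HYPOTHESIS"

def classify(record, attribution_artifact=False):
    """Derive priority, playbook, attribution status and clocks; unmapped values are reported, not guessed."""
    base_type = re.sub(r"\s*\(.*\)$", "", record["axis_2_type"]).strip().lower()
    if base_type not in TYPE_DEFAULTS:
        raise ValueError(f"unmapped type: {record['axis_2_type']}")
    priority, playbook = TYPE_DEFAULTS[base_type]
    flags = record.get("axis_6_legal", [])
    return {
        "priority": record.get("priority", priority),  # an analyst override on the record is kept
        "default_priority": priority,
        "playbook": playbook,
        "attribution_status": attribution_status(record.get("axis_3_actor"), attribution_artifact),
        "clocks": {f: CLOCKS[f] for f in flags if f in CLOCKS},
        "unmapped_flags": [f for f in flags if f not in CLOCKS],  # e.g. GDPR_PERSONAL_DATA in the demo record
    }
```

Run against the demonstration record, the engine returns `playbook-phishing`, P1 and the NIS2 clock, and reports `GDPR_PERSONAL_DATA` as a flag absent from the obligations table.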
Related: ← Incident Intake · Threat Map → · Legal Board → · Roles and priorities P0–P3 →