Data collection and processing

We gather, process, and analyse data from public reports of cyber incidents through a combination of data science tools and expert knowledge. Our data pipeline enables us to track and report changing trends in the global, and particularly European, cyber threat environment.

Our data pipeline:

The scientific coding of cyber incidents is an ongoing, iterative process. It necessitates continuous refinement and recalibration – for instance, adjusting intensity scores and attribution evidence. As fresh data is obtained, it is continuously incorporated into our existing dataset, which subsequently updates our interactive dashboard. In addition, we have strict coding procedures that mandate frequent assessment by both internal (secondary) and external reviewers.

Standardised and interdisciplinary coding

Using a standardised codebook, our team of experts in IT forensics, political science and international law assesses data on cyber incidents worldwide against a set of 60 criteria. For each incident, the following categories of information are recorded:


Cyber incidents that fit the following criteria are included in our database:
  • Cyber incidents in violation of the "CIA-triad of information security"

    As a first technical requirement, a cyber incident must have violated the “CIA-triad of information security” to be relevant to our repository.

  • Cyber incidents that have been publicly reported

    Second, our data covers only cyber incidents that are publicly reported, thus leaving out a potentially great number of cases that go unreported due to non-detection or non-disclosure.

  • Cyber incidents with a political dimension

    Third, only cyber incidents that have a political dimension are included. This means cyber incidents that a) have affected political or state actors/institutions, b) have been associated with state actors as the actual “masterminds” or exhibit a political motivation, or c) have been “publicly politicized, regardless of the affected target” (Steiger et al. 2018).

  • Cyber incidents against critical infrastructure

    Finally, since February 2023, we also cover all cyber incidents against critical infrastructure entities, regardless of the attributed initiator, because of the increased threat these entities face.

This means that some cyber incidents are deliberately excluded (e.g., many criminally motivated ransomware attacks against commercial entities) when they concern specific stakeholders but are not specifically addressed by political actors.

Cyber intensity indicator

Our Cyber intensity indicator measures the severity of a cyber incident. This is achieved by evaluating the duration of the incident itself and of its effects, as well as the criticality of targets. See our calculation method below: