Whether or not you are up to date on the Verizon 2025 Data Breach Investigations Report (DBIR), it helps to know that the Verizon team uses the VERIS Framework to classify and record the incidents studied in the report. Here, we’ll dive into what the VERIS Framework is, why it was developed, and what makes it so useful in the threat modeling landscape.
The VERIS Framework is a standardized template for translating data breaches into numerical strings for use in large data sets. These large incident data sets can be analyzed to identify industry and global trends, shedding light on the frequency and type of data breaches.
In short, we measure incidents so they don’t happen again. Understanding exactly what went wrong helps us identify weak points in our infrastructure to be corrected in the future. Sharing that information helps prevent similar incidents, and learning from others’ mistakes helps protect our infrastructure. It’s a mutually beneficial exchange of information to combat an evolving digital threat landscape. Verizon’s DBIR compiles a massive amount of incident data across industries and countries and shares it for free. This isn’t without significant challenge, though.
An incident response team is tasked with measuring and explaining an amorphous concept: Risk. In cybersecurity, risk represents the intersection of every relevant metric affecting a potential data breach. As you might imagine, risk is difficult to adequately quantify because of the breadth of factors involved.
The team at VERIS identifies four key landscapes that intersect to form risk: Asset, Impact, Threat, and Control. An organization’s capability to understand and manage risk requires information from each landscape.
A risk assessment is the culmination of all these factors. This intersection asks: What in the company holds value, who might be targeting it, what would be the damage of an incident, and what controls are in place to mitigate the threat and its damage?
As if measuring risk weren’t hard enough, communicating that risk only adds to the challenge. The difficulties facing incident response teams are threefold:
The VERIS Framework was developed in response to this classification and communication issue. According to their website:
“The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others. The overall goal is to better measure and manage risk.”
The ability to anonymously share incident information is very beneficial to the industry as a whole. Rather than risking additional reputation damage in the wake of a breach, companies can freely contribute to the safety of the industry without worry.
The VERIS Framework is a scaffold to be filled in by incident response and security teams in the wake of a breach. It’s a standardized format that eases the integration of incidents into large data sets to be compared within and across industries. VERIS employs the A4 threat model to measure incident details. The four As:
Within each of these categories, a response is further subdivided. Threat actors may be split into external, internal, and partner categories. Each subcategory has its own standardized questions; for the external actor category, these are motive, variety, origin, and notes.
By splitting each aspect of an incident into these subdivisions and assigning values to their associated variables, such as a string for actor.external.country, large data sets can be easily sorted and compared. The action category is subdivided in the same way, with insertable values for its various facets. Strings for action.malware.variety or action.malware.vector make classifying and comparing incidents relatively simple.
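The dotted field names above map directly onto nested records. The following is an added example, not code from the VERIS project or from this article: it flattens a few constructed incident records into dotted paths, tallies a field across the set, and narrows the set by one field before tallying another. The record values and the helper names (flatten, values_of, tally, select) are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records, not real incidents. Keys follow the dotted
# field names used in the text; the values are illustrative.
INCIDENTS = [
    {"actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"],
                            "country": ["US"]}},
     "action": {"malware": {"variety": ["Ransomware"], "vector": ["Email attachment"]}}},
    {"actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"],
                            "country": ["Unknown"]}},
     "action": {"malware": {"variety": ["Ransomware", "Backdoor"], "vector": ["Email link"]}}},
    {"actor": {"external": {"variety": ["State-affiliated"], "motive": ["Espionage"],
                            "country": ["DE"], "notes": "constructed example"}},
     "action": {"malware": {"variety": ["Backdoor"], "vector": ["Email attachment"]}}},
    # Insider case: no external actor and no malware, so those fields are absent.
    {"actor": {"internal": {"variety": ["End-user"], "motive": ["Financial"]}},
     "action": {"misuse": {"variety": ["Privilege abuse"], "vector": ["LAN access"]}}},
]

def flatten(record, prefix=""):
    """Yield (dotted_path, value) for every leaf; list fields yield one pair per item."""
    for key, value in record.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        elif isinstance(value, list):
            for item in value:
                yield path, item
        else:
            yield path, value

def values_of(incident, field):
    """Set of values an incident records for one dotted field (empty if absent)."""
    return {v for p, v in flatten(incident) if p == field}

def tally(incidents, field):
    """Count incidents per value of a field; an incident counts once per distinct value."""
    counts = Counter()
    for incident in incidents:
        counts.update(values_of(incident, field))
    return counts

def select(incidents, field, value):
    """Incidents that record `value` under `field`."""
    return [i for i in incidents if value in values_of(i, field)]

if __name__ == "__main__":
    print(tally(INCIDENTS, "action.malware.variety"))
    ransomware = select(INCIDENTS, "action.malware.variety", "Ransomware")
    print(tally(ransomware, "action.malware.vector"))
```

Because an incident can list several values for one field, the per-value counts can add up to more than the number of incidents, and incidents that lack a field simply contribute nothing to its tally.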
While the VERIS Framework won’t prevent data breaches, it may still improve your security posture. As the dust settles on a cybersecurity incident, DevOps directs its focus from recovery to prevention. The VERIS Framework is a powerful comparative tool that DevOps can use to classify the parameters and extent of the breach and identify patterns of similar breaches across the industry.
Armed with this knowledge, DevOps can make more informed decisions on future resource allocation, training efforts, and security software. The ability to contribute anonymized VERIS reports to the global database helps everyone learn about emerging cybersecurity threats before they become widespread, decreasing global damage from zero-day vulnerabilities.
For more information, check out the VERIS Framework homepage, complete with examples and implementation support.
The VERIS Framework is a standardized template filled in by incident response teams in the wake of a data breach. The format eases the integration of complex incidents into large data sets for comparison within and across industries.