From time to time, TF-CSIRT supports a range of Working Groups for the Community. Information about current and past groups will be maintained here.

1. Reference Security Incident Taxonomy Working Group

Following a discussion amongst the CSIRT community during the 51st TF-CSIRT meeting (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is why ENISA and TF-CSIRT created the Reference Security Incident Taxonomy Working Group. The aim of this working group is to enable the CSIRT community to reach a consensus on a reference taxonomy.

To join the working group, send an email to the ENISA secretariat or sign up for a physical meeting during a TF-CSIRT event. If you attend a physical meeting, please ask the ENISA secretariat, in person or via email, to add you to the mailing list.

For more information, visit the GitHub repository.

Check the TF-CSIRT meeting page to register for the next upcoming meeting.

2. CERTS PR Working Group

CERTs’ PR Group – cooperation between PR, marketing specialists and communicators within the CERT and CSIRT community! The aim of the group is to initiate and develop collaboration between CERT/CSIRT PR teams – to share experience, “know-how”, best practice and information on reports, questionnaires, marketing tools, methods, upcoming events and anything that might be helpful to other colleagues. The scope of the CERTs’ PR Group encompasses all activities related to promotion of the industry, raising awareness and increasing understanding of cybersecurity. Participants are welcome to share experience, ideas and best practices on challenges faced when carrying out PR activities, including:

  • Awareness raising and marketing campaigns
  • Education and outreach (both to the general public and public bodies)
  • Research and statistics/data analysis
  • Events
  • Best practices and lessons learned / “tips and tricks”
  • Analysis of communications/marketing tools (including social media), trends and strategies within and outside the organisation
  • Financial aspects (how much does it cost? How can we achieve the most with fewer resources?)
  • Crisis communication

We are a new working group and are still working on a more detailed plan and framework for cooperation. Thus far, we have:

  • Created an e-mail list to share anything important
  • Decided to have one face-to-face meeting per year during one of the TF-CSIRT Meetings
  • Decided to organise online meetings – if there is anything anyone would like to share

If you are interested or know PR, marketing and communication specialists from other CERTs and CSIRTs, who might be interested, you are welcome to join and encouraged to spread the word about the group.
Contact us:

3. CTI Working Group

Cyber Threat Intelligence is the systematic collection, analysis and dissemination of information pertaining to a company’s operation in cyberspace and, to an extent, physical space. It is designed to inform all levels of decision makers.
The analysis is designed to help maintain situational awareness of current and emerging threats.

At the 68th TF-CSIRT Meeting (31 Jan-2 Feb 2023, Bilbao) a TF-CSIRT CTI-focussed working group was proposed and approved. A few weeks later the group was formally established with the following goals:

  • Identify an optimal technical solution for exchange of CTI between TF-CSIRT member teams
  • Develop processes and policies/guidelines governing the exchange of CTI within TF-CSIRT
  • Participate in complementary efforts by other groups/forums (as applicable)

With the objectives to:

  • Develop a framework(s) for an improved TF-CSIRT community approach to CTI
  • Increase information exchange between TF-CSIRT members and CSIRTs globally


Up until October 2023, the working group has convened at the 69th and 70th TF-CSIRT meetings as well as virtually in between.

The initial meetings revealed that we first needed a clearer understanding of the status of TF-CSIRT members’ journeys with CTI – how mature are we as a community, what CTI is currently created and shareable, who has experiences to share, etc.
To provide preliminary indicators of the above, a survey was sent out to all accredited teams in September 2023. 63 teams responded, providing a good base for the working group to start with.
Other discussions include tools and channels for information sharing, preliminary designs of architectures we could use, information sharing agreements considering the sensitivity of CTI, legal considerations, etc.


If you would like to participate in the group, please email

Other queries can be addressed to Roderick Mooi from GÉANT CERT (contact details available via TI team database).


TF-CSIRT has previously supported working groups on:

  • RTIR – Request Tracker for Incident Response Working Group.
  • IRT – IRT Object Working Group.
  • IODEF – Incident Object Description and Exchange Format Working Group.
  • VEDEF – Vulnerability and Exploit Description and Exchange Format Working Group.
  • OAS-CICTE (Collaboration Group).
  • TF-CSIRT Futures Working Group.