The operational statistics cover the activities related to the incident response activities of CIRCL especially in regards to the reporting (e.g. incident reports, request for analysis or support during computer security incident) and notifications (e.g. take-down notification, notification about vulnerability) from/to third parties. The statistics exclude automatic structured notifications and information exchange happening via threat intelligence platforms such as the CIRCL MISP information sharing platform or any other automatic exchange setup with partners.

In this section some statistics are presented about incidents handled by CIRCL between 2011 and 2017. During this time frame the attackers evolved, forcing CIRCL to adapt its internal procedures. Although the reporting to CIRCL is not mandatory, the reporting behaviour of constituents has changed. On one hand, the reputation of CIRCL increased, thereby increasing the amount of reporting to CIRCL. On the other hand, due to the trainings such as Introduction to incident response, forensic analysis and many others offered by CIRCL, have helped local organisations build up their own incident response capacities thereby reducing the number of reported incidents. This makes comparing the statistics of successive years challenging. Tickets are no indicators for the overall workload as there are some tickets that are very resource intensive whereas others are quickly solved. Nevertheless, the workload for the overall triage of the tickets is increasing and showing an increase in diversity when it comes to attacker practices.