Contact Frequency (CF) Rubric
- FAIR INTEL

- 6 days ago

Overview
Contact Frequency (CF) measures how often a threat actor comes into contact with organizations matching the target profile. In FAIR methodology, "contact" occurs when the threat reaches or touches the target—regardless of whether the attack succeeds.
CF is expressed as an annual rate (events per year) and is combined with Probability of Action (PoA) to calculate Threat Event Frequency (TEF):
TEF = CF × PoA
CF Estimation Context
Inferred vs. Observed Contact Frequency
This rubric estimates CF based on threat intelligence reporting, not direct observation. There are two distinct perspectives:
Perspective | Source | What It Measures | Typical Range |
Inferred CF | Threat intelligence reports | Campaign activity, targeting patterns, operational tempo | 1-50/year |
Observed CF | SOC telemetry | Actual contact attempts (phishing, scans, probes, watering-hole hits) | Potentially 100s-1000s/year |
Why They Differ
Threat intelligence reports campaigns, not individual contact attempts
A single "campaign" may generate thousands of contact attempts
SOC telemetry captures every attempt; threat intel captures what gets reported
Inferred CF underestimates actual contact volume
How to Use This Rubric
If you lack organizational telemetry: Use the inferred CF from this rubric as a baseline estimate
If you have SOC telemetry: Replace the inferred CF with your observed CF for more accurate calculations
For comparison: Inferred CF represents a lower-bound estimate; actual contact is likely higher
Disclaimer
The CF values in this analysis are inferred from publicly available threat intelligence and represent campaign-level activity, not individual contact attempts. Organizations with SOC telemetry matching this threat actor's TTPs should substitute observed contact frequency for more accurate risk calculations.
The Typical Target Assumption
CF assessments assume the reader is a typical target: a mid-tier organization squarely within the described victimology—not the highest-value target, not the smallest.
Target Type | Description | How Treated |
High-exposure | Largest organizations, highest value to attacker | Noted in "Exposure context" but not used in calculation |
Typical | Mid-tier organization matching targeting profile | Used for CF estimate |
Peripheral | Outside primary targeting profile | Noted in "Exposure context" but not used in calculation |
Contact Frequency Scale
Scale Design: Calendar-Anchored Operational Tempo
The CF scale cutoffs are anchored to calendar periods that organizations use for planning, budgeting, and security operations:
Tier | Range | Calendar Anchor | Operational Meaning |
Very High | 50+/year | Weekly or more | ≥1 contact per week; continuous threat requiring persistent defense posture |
High | 12-50/year | Monthly to weekly | 1-4 contacts per month; sustained monitoring and active defense required |
Moderate | 4-12/year | Quarterly to monthly | 1-3 contacts per quarter; periodic review and threat hunting cycles |
Low | 1-4/year | Annually to quarterly | ≤1 contact per quarter; intermittent threat, may not warrant dedicated resources |
Very Low | <1/year | Less than annually | Contact not expected every year; rare or dormant threat |
Why These Cutoffs?
Why 50 separates Very High from High: 50 ≈ weekly cadence. Weekly or more frequent contact represents a persistent, ongoing threat requiring continuous defense. Less than weekly but more than monthly represents regular but manageable threat activity.
Why 12 separates High from Moderate: 12 = monthly cadence. A threat contacting you monthly or more requires sustained monitoring and active defense posture. A threat contacting you less than monthly allows periodic review and threat hunting cycles.
Why 4 separates Moderate from Low: 4 = quarterly cadence. Quarterly contact means the threat is present but not persistent. Less than quarterly contact means the threat is intermittent.
Why 1 separates Low from Very Low: 1 = annual cadence. Annual contact represents a real but infrequent threat. Less than annual means contact may not occur in any given year.
Contact Frequency Rubric
Tier | Range | Observable Criteria |
Very High | 50+/year | Mass targeting with automated delivery (botnets, exploit kits, mass phishing). Indiscriminate campaigns with no sector or geographic limits. Continuous operations observed (daily/weekly activity). Multiple simultaneous delivery vectors. Threat actor known for high-volume operations. |
High | 12-50/year | Broad sector or regional targeting. Regular campaign activity (monthly or more). Multiple delivery vectors employed. Watering-holes on high-traffic sites. Sustained operational tempo with multiple campaigns per year. |
Moderate | 4-12/year | Sector-specific targeting with periodic campaigns. Quarterly to monthly activity observed. Focused delivery methods (targeted watering-holes, spear-phishing). Geographic or industry constraints limit target pool. 2-4 campaigns observed over reporting period. |
Low | 1-4/year | Highly targeted operations against specific organization types. Annual to quarterly activity. Narrow delivery methods requiring specific conditions (physical access, insider, highly tailored lures). Single campaign observed or sporadic activity. |
Very Low | <1/year | Rare or dormant threat. No predictable campaign pattern. Highly specialized targeting (single organization, specific individuals). Newly emerged actor with limited history. Target is peripheral to main victimology. |
Evidence Mapping Guide
Use the following to map article evidence to the appropriate tier.
Delivery Method
Observable Evidence | Typical Tier |
Mass spam/phishing, exploit kits, malvertising | Very High |
Broad spear-phishing, watering-holes on major sites | High |
Sector-specific watering-holes, targeted spear-phishing | Moderate |
Highly tailored lures, single delivery vector | Low |
Physical access, insider recruitment, single-target focus | Very Low |
Campaign Activity
Observable Evidence | Typical Tier |
Continuous daily/weekly operations | Very High |
Multiple campaigns per year, monthly activity | High |
2-4 campaigns over reporting period, quarterly activity | Moderate |
Single campaign observed, annual activity | Low |
Sporadic/dormant, multi-year gaps between activity | Very Low |
Targeting Scope
Observable Evidence | Typical Tier |
Indiscriminate, any organization | Very High |
Multiple sectors, broad organizational types | High |
Single sector or 2-3 related sectors | Moderate |
Specific organization types within sector | Low |
Named organizations or specific individuals | Very Low |
Geographic Focus
Observable Evidence | Typical Tier |
Global, no geographic constraints | Very High |
Multi-region (e.g., APAC + Europe + Americas) | High |
Single region (e.g., Asia-Pacific) | Moderate |
Single country or small group of countries | Low |
Single city, organization, or facility | Very Low |
Determining the Tier
1. Map article evidence to each of the four categories above
2. Identify the tier that appears most frequently across categories
3. If evidence is mixed (e.g., two High, two Moderate), select the tier that best reflects overall threat posture and document the uncertainty
4. Select the full range for that tier—do not pick a point estimate
Endpoint Justification
Each CF estimate must justify what conditions push toward the low versus high end of the selected tier range.
Factors That Push Toward Low End of Range
Smaller organization with less exposure
Limited use of targeted services/sites
Geographic distance from primary targeting region
Lower profile within the sector
Reduced online presence or attack surface
Factors That Push Toward High End of Range
Larger organization with greater exposure
Heavy use of targeted services/sites
Located in primary targeting region
High profile within the sector
Extensive online presence and attack surface
Exposure Context
In addition to the typical target estimate, provide context for organizations at different exposure levels. This is informational only and not used in calculations.
High-exposure: Organizations at the center of targeting (largest, most valuable, most visible)
Peripheral: Organizations outside the primary targeting profile
Handling Insufficient Evidence
When threat intelligence does not provide sufficient evidence to map to rubric criteria:
Step | Action |
1 | Identify which rubric criteria cannot be assessed |
2 | Document the specific evidence gap |
3 | Default to Moderate tier as baseline |
4 | Mark estimate as [LOW CONFIDENCE] |
5 | Note impact on analysis reliability |
6 | Recommend update when additional intelligence becomes available |
Why Default to Moderate?
Moderate represents the mathematical center of the scale
Avoids overstating (High/Very High) or understating (Low/Very Low) risk
Provides a consistent, repeatable baseline across analyses
Allows calculations to proceed while flagging uncertainty
When NOT to Default
Do not default to Moderate if:
Evidence explicitly indicates a different tier (even if incomplete)
Partial evidence strongly suggests High or Low
The analysis would be misleading with a Moderate estimate
In these cases, use the best available evidence and document the uncertainty.
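The "Determining the Tier" steps and the insufficient-evidence default above, carried through to a TEF range, as an added example that is not part of the original rubric. The category keys, the `analyst_choice` parameter, the 0 lower bound for Very Low, and passing PoA as a (low, high) probability range are assumptions made for illustration.

```python
from collections import Counter

# Tier ranges in contacts/year from the rubric's scale; None = unbounded top.
# The 0.0 lower bound for Very Low is an assumption (the rubric says "<1/year").
TIERS = {"Very Low": (0.0, 1.0), "Low": (1.0, 4.0), "Moderate": (4.0, 12.0),
         "High": (12.0, 50.0), "Very High": (50.0, None)}
CATEGORIES = ("delivery", "campaign", "scope", "geography")  # hypothetical keys


def estimate_cf(evidence, analyst_choice=None):
    """Map per-category tiers (None = article is silent) to a CF estimate."""
    unknown = {t for t in evidence.values() if t is not None} - set(TIERS)
    if unknown:
        raise ValueError(f"unknown tier(s): {sorted(unknown)}")
    gaps = [c for c in CATEGORIES if evidence.get(c) is None]
    notes = [f"evidence gap: {c}" for c in gaps]
    votes = Counter(evidence[c] for c in CATEGORIES if evidence.get(c))
    if not votes:
        # Nothing maps to the rubric: default to Moderate and flag it.
        notes.append("defaulted to Moderate baseline")
        return {"tier": "Moderate", "range": TIERS["Moderate"],
                "low_confidence": True, "notes": notes}
    top = max(votes.values())
    leaders = [t for t in TIERS if votes[t] == top]
    if len(leaders) > 1:
        # Mixed evidence needs an analyst decision; record the uncertainty.
        if analyst_choice not in leaders:
            raise ValueError(f"mixed evidence, choose one of {leaders}")
        notes.append(f"mixed evidence between {leaders}")
        tier = analyst_choice
    else:
        tier = leaders[0]
    return {"tier": tier, "range": TIERS[tier],
            "low_confidence": False, "notes": notes}


def tef_range(cf_range, poa_range):
    """TEF = CF x PoA applied to both ends of the full tier range."""
    (cf_lo, cf_hi), (p_lo, p_hi) = cf_range, poa_range
    if not 0.0 <= p_lo <= p_hi <= 1.0:
        raise ValueError("PoA must be a probability range within [0, 1]")
    return (cf_lo * p_lo, None if cf_hi is None else cf_hi * p_hi)


# Constructed sample: evidence mapped from a hypothetical article.
SAMPLE = {"delivery": "Moderate", "campaign": "Moderate",
          "scope": "Moderate", "geography": "Low"}

if __name__ == "__main__":
    est = estimate_cf(SAMPLE)
    print(est, tef_range(est["range"], (0.2, 0.5)))
```

A tie between tiers raises until the analyst names one of the tied tiers, so the mixed-evidence decision is always explicit and recorded in `notes`.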
Scale Limitations
1. Uneven Numeric Spreads
Tier | Numeric Spread | Calendar Spread |
Very High | Unbounded (50 to ∞) | Weekly to continuous |
High | 38 points (12-50) | Monthly to weekly |
Moderate | 8 points (4-12) | Quarterly to monthly |
Low | 3 points (1-4) | Annually to quarterly |
Very Low | <1 (fractions) | Less than annually |
The numeric spreads are uneven because calendar periods are uneven: a year has more weeks (52) than months (12), and more months than quarters (4). This is a feature of how time works, not a flaw in the scale.
2. Very High is Unbounded
50/year and 5000/year are both "Very High." This is intentional:
Both represent continuous operational threat
The difference between daily and hourly contact matters less than the difference between monthly and weekly
Organizations facing Very High CF need the same response: persistent defense posture
For organizations needing finer granularity at the high end, subcategories could be added (e.g., Very High-Weekly, Very High-Daily, Very High-Continuous).
3. Very Low Involves Fractions
"<1/year" means contact expected less than once per year. Alternative framing:
<1/year = may not see contact this year
0.5/year = contact expected every other year
0.25/year = contact expected once every 4 years
4. Inferred CF ≠ Observed CF
As noted in the disclaimer, these values are inferred from threat intelligence reporting. Actual contact frequency observed via SOC telemetry may be orders of magnitude higher. This scale represents campaign-level activity, not individual contact attempts.
5. Ranges Reflect Uncertainty, Not Precision
The ranges (e.g., 4-12) are intentionally wide. They represent:
Uncertainty in threat intelligence completeness
Variability across organizations within the typical target profile
Temporal fluctuation in threat actor activity
Analysts should use the full range in calculations, not midpoints.
Version History
Version | Date | Changes |
3.0 | January 2026 | Revision |