The Content Incident Protocol (CIP) was developed by GIFCT to respond to emerging and active terrorist events and assess any potential online content produced and disseminated by those involved in the planning or conducting of the attack. By declaring a CIP, all hashes of an attacker’s video, and other related content is shared in the GIFCT hash database with other GIFCT member platforms. Furthermore, a continuous stream of communication is established among all GIFCT founding members to identify and address risks and needs during an active CIP. The first CIP was activated on 9 October 2019 following the shooting in Halle, Germany when the attacker filmed his attack and the livestream was circulated on GIFCT member platforms. Ultimately, GIFCT shared hashes, or digital “fingerprints”, from 36 visually-distinct videos from the attack so member platforms could detect and remove the content.