The Incident Response Framework is a process by which GIFCT member companies quickly become aware of, assess, and address potential content circulating online resulting from an offline terrorist or violent extremist event.
Awareness Communications
GIFCT acts as a communication hub for members to share situational awareness regarding potential terrorist or violent extremist events occurring globally. This awareness empowers members with the contextual knowledge needed to respond to global events in accordance with their internal policies and processes. Even if an event does not result in an Incident Response Framework (IRF) activation, GIFCT frequently supports members as needed regarding these various events and related topics.
Overlaps with Hash Sharing
The Perpetrator Content Incident (PCI) overlaps with GIFCT’s Hash Sharing Database. This is due to the PCI being designed to respond to offline terrorist or violent extremist events involving the creation of perpetrator-produced content. This content may include the live stream of murder or attempted murder produced by the attack’s perpetrator or an accomplice. In previous IRF iterations, this overlap was a feature of the now-retired Content Incident Protocol (CIP) and Content Incident (CI).
Once a PCI is activated, all hashes of an attacker’s video or other related content may be shared in the GIFCT hash database, which gives members the ability to detect if the content is being re-shared on their respective platforms. Furthermore, communications and situational awareness updates are established among all GIFCT members to identify and address risks and needs during an activation.
The PCI can only be activated after following a multi-step process that includes the formal activation decision from GIFCT’s operating board. Following that decision, GIFCT works to communicate the decision, review content assets, and inform GIFCT member companies and relevant governments that content from the offline violent incident is manifesting online.
Incident Response Framework Activations
GIFCT’s IRF has been activated several times since its initial creation in 2019 as a response to the attacks in Christchurch, New Zealand. These activations occurred over time as the framework grew in scope to encompass more and varied events. This includes the creation of the Content Incident Protocol (CIP), Content Incident (CI), Incident (I), and the 2025 retirement of each of these activation types in lieu of the contemporary IRF activation types.
Activation Location | Date | Type |
|---|---|---|
Christchurch, New Zealand | March 15, 2019 | CIP (Prototype) |
October 9, 2019 | CIP | |
May 20, 2020 | CIP | |
Amsterdam, Netherlands | July 6, 2021 | Incident |
Kabul, Afghanistan | August 27, 2021 | Incident |
Kunduz, Afghanistan | October 8, 2021 | Incident |
Colleyville, TX, USA | January 15, 2022 | Incident |
Washington DC, USA | April 22, 2022 | Incident |
May 14, 2022 | CIP | |
June 28, 2022 | CI | |
Mogadishu, Somalia | August 19, 2022 | Incident |
September 7, 2022 | CIP | |
Bratislava, Slovakia | October 12, 2022 | Incident |
Michigan, USA | February 13, 2023 | Incident |
April 10, 2023 | CIP | |
Sderot, Israel | October 7, 2023 | Incident |
January 4, 2024 | CIP | |
January 30, 2024 | CIP | |
Moscow, Russia | March 22, 2024 | Incident |
August 21, 2024 | CIP | |
August 23, 2024 | CI | |
New Orleans, Louisiana, USA | January 1, 2025 | Incident |
Nashville, TN, USA | January 22, 2025 | Incident |
Palm Springs, CA, USA | May 18, 2025 | Incident |
May 20, 2025 | CIP | |
Washington, DC, USA | May 22, 2025 | Incident |
Minneapolis, Minnesota, USA | August 27, 2025 | Incident |
Orem, UT, USA | September 10, 2025 | Incident Advisory* |
Evergreen, CO, USA | September 10, 2025 | Digital Footprint Incident |
*GIFCT launched the revised version of the IRF in September 2025. All IRF activations after that date are classified using the updated activation types.