Cyber incident reporting guidelines: Key information sharing requirements – Canadian Centre for Cyber Security

Summary

This Cyber Centre guidance (effective 29 January 2026) sets out what information organisations should share during a cyber incident and what the Centre considers “actionable.” It defines two main categories: contextual information (timelines, scope, user anomalies, communications, mitigations, IoC lists, contact details) and technical artefacts (IPs, domains, file hashes, URLs, malware samples, security logs, forensic images).

The document includes Table 1 listing required actionable artefacts and how the Cyber Centre analyses them, plus annexes: Annex A (pre-incident sharing such as alert rules and security logs) and Annex B (recommended sharing: threat reports, IoCs, vulnerability data, anonymous sharing mechanisms, STIX/TAXII and collaborative analysis).

It emphasises pre-approval and cross-organisational coordination (including managed security service providers), privacy protections under the Communications Security Establishment Act and the Privacy Act, and that shared IoCs should exclude Canadian personal data or assets owned by the reporting organisation.

Key Points

  • Purpose: clarify what information the Cyber Centre needs to take action during an incident.
  • Two core categories: contextual information (who, what, when, impact) and technical artefacts (IPs, domains, hashes, URLs, malware samples, logs, forensic images).
  • Table 1 maps required artefacts to internal Cyber Centre analysis and expected outcomes (confirmation, enrichment, sharing back to the critical infrastructure (CI) community).
  • Pre-incident sharing (Annex A) is encouraged to improve detection tuning, reduce false positives and identify gaps (alert rules, security logs, EDR/XDR configuration).
  • Recommended sharing (Annex B) covers threat intelligence, IoCs, vulnerability and patch details, incident reports, anonymous channels and automated exchange (STIX/TAXII).
  • Cyber Centre will not share raw victim-identifying data externally and may use NDAs with critical infrastructure partners to protect confidentiality.
  • Organisations should obtain executive, legal and operational pre-approval for the types of information to share and engage MSSPs to ensure a coordinated approach.
  • Shared IoCs are assumed not to be owned by the reporting organisation and must not contain Canadian individuals’ data.

Context and relevance

This guidance is essential for organisations that operate or support critical infrastructure and for those responsible for incident response. It provides a clear checklist of artefacts and contextual details that the Canadian Centre for Cyber Security expects to receive to investigate and act quickly.

The document aligns with ongoing trends toward standardised threat intelligence sharing and automated exchange formats (STIX/TAXII), and it reinforces good practice on pre-incident preparation, cross-organisational coordination and privacy safeguards. Following this guidance improves recovery, helps the broader sector by enabling faster defensive action, and reduces duplication during incident analysis.

Why should I read this?

Short version: if you run IT, security or protect critical services in Canada, this is the checklist the Cyber Centre wants. Read it so you know what to collect, who needs to sign off, and how to share without leaking personal data or details of assets you own. It saves time in an incident — and could stop you fumbling when it matters most.

Source

Source: https://cyber.gc.ca/en/guidance/cyber-incident-reporting-guidelines-key-information-sharing-requirements