Escalation Lens
Analyze how cyber operations move through phases of escalation — from initial access to strategic consequences — and how states signal, restrain, or intensify.
Unpeace Spectrum
Each incident is positioned on a 0–100 unpeace axis reflecting escalation severity, threshold crossings, and governance weight.
Stable (0)
No incidents in this zone.
Contested (5)
Escalatory (25)
- NotPetya: 100
- Sony Pictures: 100
- Viasat KA-SAT: 100
- Albania / Iran: 100
- Kyivstar: 100
- Stuxnet: 90
- WannaCry: 90
- Exchange/Hafnium: 90
- Shamoon / Aramco: 90
- Bangladesh Bank: 90
- SolarWinds: 80
- Ukraine Grid I: 80
- Ukraine Grid II: 80
- Colonial Pipeline: 80
- Costa Rica / Conti: 80
- Iran Nuclear Cyber: 80
- MGM / Scattered Spider: 80
- Change Healthcare: 80
- Industroyer2: 70
- Storm-0558: 70
- Oldsmar Water: 60
- Taiwan Telecom: 60
- Volt Typhoon: 60
- Ecuador Data Exposure: 60
- Bangladesh e-Gov: 60
Escalation Categories
Cyber operations are classified along a six-tier escalation ladder. Each tier describes a qualitative shift in the nature and severity of the operation, not a linear progression.
- Scanning, reconnaissance, and testing defences without meaningful disruption. Establishes access potential. (0 incidents in dataset)
- Unauthorized access gained and maintained. Data may be collected but no operational effect is imposed on the target. (7 incidents in dataset)
- Operations that temporarily deny or degrade services. Systems recover without permanent damage, but operational continuity is interrupted. (6 incidents in dataset)
- Sustained impairment of target capabilities. May involve data destruction, prolonged outages, or significant economic cost. (10 incidents in dataset)
- Irreversible damage to systems, data, or infrastructure. Recovery requires rebuilding rather than restoring. (5 incidents in dataset)
- Operations with national-security or international significance — affecting critical infrastructure, economic stability, or interstate relations. (2 incidents in dataset)
Compellence vs. Deterrence
Thomas Schelling distinguished two coercive logics: compellence (forcing an adversary to change behaviour through imposed costs) and deterrence (dissuading action by signalling capability and willingness to retaliate). Cyber operations often blur this distinction — the same intrusion can serve as intelligence collection and a latent threat. This split offers an analytical lens, not a definitive classification.
Compellence
Operations that impose costs to force a change in behaviour
NotPetya, June 2017
Crossed 2 thresholds: First cyber operation to cause >$10B in collateral economic damage.
Stuxnet, circa 2007 – 2010
Crossed 2 thresholds: First known cyber operation to cause physical destruction of industrial equipment.
Sony Pictures, November – December 2014
Crossed 2 thresholds: State-sponsored destructive attack against a private company over expressive content.
Ukraine Grid I, December 2015
Crossed 2 thresholds: First publicly confirmed cyber attack to cause a power outage.
Ukraine Grid II, December 2016
Crossed 2 thresholds: First known malware purpose-built to attack electric grid protocols.
WannaCry, May 2017
Crossed 2 thresholds: First state-linked ransomware to cause widespread disruption to healthcare services.
Colonial Pipeline, May 2021
Crossed 2 thresholds: Ransomware caused a national-level fuel supply disruption for the first time.
Oldsmar Water, February 2021
Crossed 2 thresholds: Demonstrated that remote access to water treatment SCADA can enable potentially harmful chemical manipulation.
Viasat KA-SAT, February 2022
Crossed 2 thresholds: First confirmed cyber attack synchronized with the opening of a conventional military invasion.
Costa Rica / Conti, April – May 2022
Crossed 2 thresholds: First country to declare a national emergency over ransomware.
Albania / Iran, July – September 2022
Crossed 2 thresholds: First known severance of diplomatic relations over a cyber attack.
Shamoon / Aramco, August 2012
Crossed 2 thresholds: Largest destructive cyber attack against a single enterprise at that time.
Iran Nuclear Cyber, 2020 – 2021
Crossed 2 thresholds: If confirmed as cyber-enabled, represents continued willingness to physically damage nuclear infrastructure through non-kinetic means.
Industroyer2, April 2022
Crossed 2 thresholds: First known use of purpose-built ICS malware during an active conventional war.
MGM / Scattered Spider, September 2023
Crossed 2 thresholds: Demonstrated that social engineering alone can defeat sophisticated technical security at major enterprises.
Change Healthcare, February 2024
Crossed 2 thresholds: Largest disruption to US healthcare infrastructure from a single cyber attack.
Kyivstar, December 2023
Crossed 2 thresholds: Largest cyber attack on a telecommunications company during an active armed conflict.
Deterrence
Operations that signal capability without imposing irreversible harm
SolarWinds, March 2020 – December 2020
Restraint observed: Operated within traditional espionage norms — collection, not disruption.
Exchange/Hafnium, January – March 2021
Restraint observed: Initial phase was narrowly targeted espionage.
Bangladesh Bank, February 2016
Restraint observed: A typo in a transfer request triggered manual review, limiting losses.
Australia Parliament, January – February 2019
Restraint observed: No destructive or disruptive actions taken — activity consistent with intelligence collection.
Taiwan Telecom, 2022 – 2023 (disclosed 2023)
Restraint observed: No disruptive or destructive actions observed.
Storm-0558, May – July 2023
Restraint observed: Activity consistent with targeted intelligence collection, not disruption.
Volt Typhoon, 2023 – 2024 (disclosed 2024)
Restraint observed: No disruptive or destructive actions observed — activity consistent with preparation, not execution.
Midnight Blizzard, November 2023 – January 2024 (disclosed January 2024)
Restraint observed: Activity consistent with espionage — no destructive or disruptive payload deployed.
India–Pakistan Cyber, 2016 – 2019 (multiple incidents)
Restraint observed: Operations remained within espionage parameters — no destructive payloads documented.
Gaza Cybergang, 2018 – 2022 (ongoing, landmark incidents)
Restraint observed: Operations remained focused on intelligence collection, not disruption.
Thailand Election, 2019
Restraint observed: No evidence of data manipulation or vote-count interference.
Ecuador Data Exposure, September 2019 (disclosed)
Restraint observed: Not an offensive cyber operation — exposure resulted from negligent security practices.
Bangladesh e-Gov, 2021 – 2022
Restraint observed: No destructive payloads deployed.
Analytical note: This classification uses the operation's primary coercive function as a heuristic. Many operations serve both logics simultaneously — an espionage campaign that pre-positions destructive capabilities deters through demonstrated access while also enabling future compellence. The distinction is most useful as a teaching tool for examining how states signal intent through cyber operations, not as a rigid taxonomy.
On reading escalation
Escalation is not a conveyor belt — incidents do not inevitably progress from probing to destruction. Restraint is as analytically important as escalation. States frequently choose not to escalate, and understanding those choices requires examining governance constraints, norm commitments, and deterrence calculations alongside technical capabilities.
The categories and positions shown here are derived from the dataset's incident records. They reflect analytical judgement, not predictive modelling. All assessments should be read alongside the source material linked in each case.