CTEM Identifiers Specification
This document defines the technical specification for CTEM Identifiers (CTEM-IDs), the standard format for labeling security exposure types.
Identifier Format
Structure
CTEM identifiers follow the format: CTEM-{CATEGORY}-{NUMBER}
| Component | Description | Example |
|---|---|---|
CTEM | Fixed prefix | CTEM |
{CATEGORY} | 3-letter category code | DOM, CRD, INF |
{NUMBER} | Sequential number within category | 1, 2, 3... |
Category Codes
| Code | Category | Description |
|---|---|---|
| BND | Brand Impersonation | Counterfeit products and brand misuse |
| CRD | Credential Dump | Leaked credentials |
| DOM | Lookalike Domains | Typosquatting, homoglyphs, phishing domains |
| EXP | System Exposure | Internet-exposed systems and devices |
| FIN | Financial | Bank/routing information exposure |
| INF | Infection | Infected devices |
| RAN | Ransomware | Ransomware data dumps |
| SRC | Source Code | Public repository exposures |
Examples
CTEM-DOM-1- Typo-Squatted DomainCTEM-CRD-2- Vendor System Dump with CredentialsCTEM-EXP-3- Corporate Internet-Exposed Gateway Device
Versioning Policy
Identifier Lifecycle
- Proposed: Under community review
- Active: Approved and in use
- Deprecated: Superseded or obsolete (redirects maintained)
Breaking Changes
- Identifiers are never deleted, only deprecated
- Redirects are maintained for all deprecated IDs
- Category codes are stable and rarely change
JSON Schema
Feed Structure
{
"version": "1.0",
"hash": "md5-hash-of-data-array",
"data": [
{
"id": "CTEM-DOM-1",
"link": "https://ctem.org/docs/ctem-dom-1",
"title": "CTEM-DOM-1 - Typo-Squatted Domain",
"description": "Domains that closely resemble legitimate domains...",
"updated_at": "2/19/2025"
}
]
}
Field Definitions
| Field | Type | Required | Description |
|---|---|---|---|
id | string | Yes | CTEM identifier (uppercase) |
link | string | Yes | Canonical URL to documentation |
title | string | Yes | Full title with ID prefix |
description | string | Yes | Brief description |
updated_at | string | Yes | Last update date (M/D/YYYY) |
Feed URL
The canonical feed URL is: https://ctem.org/source.json
Citation Guidelines
In Reports and Documentation
When referencing CTEM identifiers in security reports:
Exposure Type: CTEM-DOM-1 (Typo-Squatted Domain)
Reference: https://ctem.org/docs/ctem-dom-1
In Code and Tools
When embedding CTEM identifiers in tools or code:
# Example: Tagging an alert with CTEM identifier
alert = {
"ctem_id": "CTEM-DOM-1",
"ctem_url": "https://ctem.org/docs/ctem-dom-1",
# ... other alert fields
}
Academic Citations
Integration Examples
Python
import requests
def get_ctem_identifiers():
response = requests.get("https://ctem.org/source.json")
return response.json()["data"]
identifiers = get_ctem_identifiers()
for id in identifiers:
print(f"{id['id']}: {id['title']}")
JavaScript
async function getCtemIdentifiers() {
const response = await fetch("https://ctem.org/source.json");
const data = await response.json();
return data.data;
}
Changelog
| Date | Change |
|---|---|
| 2024-12-05 | Initial specification published |