Concept for real time attacker profiling with honeypots, by skill based attacker maturity model

For modern IT infrastructures, it is essential not only to know that an attack is present, but also to be able to trace its process, details and severity. The increasingly widespread security operations center approach makes this much easier: events logged by countless systems can be managed and processed centrally. In this article, starting from this principle, we develop a theoretical concept for an attacker maturity model, as well as a corresponding detection and classification method based on the actions of an intruder. By creating a research-purpose honeynet that simulates the network of a corporate environment, enough data can be collected to analyze attacker behavior. Based on our previous research, such a system can greatly aid the work of security analysts by indicating the type of threat they are facing right from the start of an attack.