diff --git a/MANIFEST.json b/MANIFEST.json
index b1d6ed1..457052d 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -5,6 +5,11 @@
 "name": "accessnow",
 "description": "Access Now"
 },
+ {
+ "version": 1,
+ "name": "action-taken",
+ "description": "Action taken."
+ },
 {
 "version": 1,
 "name": "admiralty-scale",
@@ -40,6 +45,11 @@
 "name": "cssa",
 "description": ""
 },
+ {
+ "version": 1,
+ "name": "ddos",
+ "description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
+ },
 {
 "version": 1,
 "name": "de-vs",
@@ -55,6 +65,11 @@
 "name": "diamond-model",
 "description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack."
 },
+ {
+ "version": 1,
+ "name": "DML",
+ "description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
+ },
 {
 "version": 3,
 "name": "dni-ism",
@@ -100,6 +115,11 @@
 "name": "europol-incident",
 "description": "EUROPOL class of incident taxonomy."
 },
+ {
+ "version": 1,
+ "name": "event-assessment",
+ "description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
+ },
 {
 "version": 1,
 "name": "fr-classif",
@@ -160,85 +180,50 @@
 "name": "PAP",
 "description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used."
 },
- {
- "version": 3,
- "name": "tlp",
- "description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
- },
- {
- "version": 2,
- "name": "veris",
- "description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
- },
- {
- "version": 1,
- "name": "stealth_malware",
- "description": "Classification based on malware stealth techniques."
- },
- {
- "version": 1,
- "name": "targeted-threat-index",
- "description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
- },
- {
- "version": 1,
- "name": "stix-ttp",
- "description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
- },
- {
- "version": 1,
- "name": "accessnow",
- "description": "AccessNow Taxonomy"
- },
 {
 "version": 1,
 "name": "passivetotal",
 "description": "Tags for RiskIQ's passivetotal service"
 },
- {
- "version": 1,
- "name": "vocabulaire-des-probabilites-estimatives",
- "description": "Vocabulaire des probabilités estimatives"
- },
- {
- "version": 1,
- "name": "DML",
- "description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
- },
- {
- "version": 1,
- "name": "action-taken",
- "description": "Action taken"
- },
- {
- "version": 2,
- "name": "analyst-assessment",
- "description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst."
- },
- {
- "version": 1,
- "name": "binary-class",
- "description": "Custom taxonomy for types of binary file."
- },
- {
- "version": 1,
- "name": "ddos",
- "description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
- },
- {
- "version": 1,
- "name": "event-assessment",
- "description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
- },
 {
 "version": 1,
 "name": "rt_event_status",
 "description": "Status of events used in Request Tracker."
 },
+ {
+ "version": 1,
+ "name": "stealth_malware",
+ "description": "Classification based on malware stealth techniques."
+ },
+ {
+ "version": 1,
+ "name": "stix-ttp",
+ "description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
+ },
+ {
+ "version": 1,
+ "name": "targeted-threat-index",
+ "description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
+ },
+ {
+ "version": 3,
+ "name": "tlp",
+ "description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
+ },
 {
 "version": 1,
 "name": "tor",
 "description": "Taxonomy to describe Tor network infrastructure"
+ },
+ {
+ "version": 2,
+ "name": "veris",
+ "description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
+ },
+ {
+ "version": 1,
+ "name": "vocabulaire-des-probabilites-estimatives",
+ "description": "Vocabulaire des probabilités estimatives"
 }
 ],
 "path": "machinetag.json",
diff --git a/stealth-malware/README.md b/stealth-malware/README.md
deleted file mode 100644
index b52a266..0000000
--- a/stealth-malware/README.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Stealth Malware Taxonomy
-
-## Malware Types
-
-All malware samples should be classified into one of the categories listed in the table below.
-
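Review bot: `analyst-assessment` (version 2) and `binary-class` are deleted from the unsorted tail of `taxonomies`, but unlike `action-taken`, `ddos`, `DML` and `event-assessment` no visible hunk re-inserts them at their alphabetical position (they would sort between `admiralty-scale` and `cssa`, a region this diff does not touch). If their directories still exist, MANIFEST.json now under-reports two taxonomies, and the `-2` offset this same commit adds to validate_all.sh looks like it would mask exactly that gap rather than catch it, so either the two entries should be restored or their deliberate removal stated in the commit message. The reorder itself is sound and also drops the duplicate `accessnow` entry from the tail, which matters because a repeated `name` makes any lookup of a taxonomy by name ambiguous. The hunk closes the `taxonomies` array but the enclosing object continues outside the hunk.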
-
Type 0
-
No OS or system compromise. The malware runs as a normal user process using only official API calls.
- -
Type I
-
The malware modifies constant sections of the kernel and/or processes such as code sections.
- -
Type II
-
The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.
- -
Type III
-
The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.
-
-
-# Machine-parsable Stealth Malware Taxonomy
-
-The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
-along with their human-readable description. The software can use both
-representation on the user-interface and store the tag as machine-parsable.
-
-~~~~
-stealth_malware:type="II"
-~~~~
-
-Based on:
-
-https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
-
-
diff --git a/stealth-malware/machinetag.json b/stealth-malware/machinetag.json
deleted file mode 100644
index 83e7f48..0000000
--- a/stealth-malware/machinetag.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "namespace": "stealth_malware",
- "description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
- "version": 1,
- "refs": [
- "https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
- ],
- "predicates": [
- {
- "value": "type",
- "expanded": "Stealth technique type"
- }
- ],
- "values": [
- {
- "predicate": "type",
- "entry": [
- {
- "value": "0",
- "expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
- },
- {
- "value": "I",
- "expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
- },
- {
- "value": "II",
- "expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
- },
- {
- "value": "III",
- "expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
- }
- ]
- }
- ]
-}
diff --git a/validate_all.sh b/validate_all.sh
index 1e41f21..2f41fd6 100755
--- a/validate_all.sh
+++ b/validate_all.sh
@@ -15,7 +15,7 @@
 fi
 directories=`ls -d */ | wc -w`
 manifest_entries=`cat MANIFEST.json | jq '.taxonomies | length'`
-if ! [ $directories -eq $manifest_entries ]; then
+if ! [ $((directories-2)) -eq $manifest_entries ]; then
 echo "MANIFEST isn't up-to-date."
 exit 1
 fi
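Review bot: The new `$((directories-2))` hard-codes an unexplained offset, so the check no longer asserts "every directory has a MANIFEST entry" but "all but two do", and a taxonomy added on disk without a manifest entry (or a manifest entry without a directory) goes unnoticed whenever two such mismatches cancel out. If the two uncounted directories are ones that hold no `machinetag.json` (this diff does not show which they are), counting taxonomy files instead of directories removes the need for the offset and also drops the needless `cat`; otherwise the two excluded names should at least be listed in a comment beside the offset. Quoting both variables in the test additionally avoids a syntax error in `[` when `jq` fails and `manifest_entries` expands to nothing. The assignment lines are context in this hunk, so the rewrite below touches them as well as the added line.
```shell
# Count directories that actually ship a taxonomy so no hard-coded offset is needed.
directories=$(ls -d */machinetag.json | wc -l)
manifest_entries=$(jq '.taxonomies | length' MANIFEST.json)
if ! [ "$directories" -eq "$manifest_entries" ]; then
# … unchanged: error message and exit …
```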