Risk & Confidence Scoring Methodology
Overview
Every observable in Port Six receives three scores that help you prioritize threats and tune detection thresholds for your environment. Unlike binary "malicious/benign" classifications, our multi-dimensional approach gives you the nuance needed for production security operations.
Risk Score (0-100)
Measures the probability that this observable is malicious and the potential impact.
Factors
- Behavioral indicators - C2 communication = high risk, scanning = medium risk
- Malware family association - Ransomware = critical, adware = low
- Threat actor attribution - Known APT = higher risk
- Historical activity - Repeated malicious behavior increases score
- Infrastructure characteristics - Bulletproof hosting adds to the score
Interpretation
| Score | Severity | Recommended Action |
|---|---|---|
| 80-100 | Critical | Block immediately, investigate |
| 60-79 | High | Alert, review within 4 hours |
| 40-59 | Medium | Log, review daily |
| 0-39 | Low | Monitor only |
Confidence Score (0-100)
Measures how certain we are about the risk assessment. High confidence means you can act automatically; low confidence suggests manual review.
Factors
- Source count - Multiple independent confirmations increase confidence
- Source reliability - Weighted by historical accuracy
- Corroborating evidence - Related observables strengthen assessment
- Recency - Recent confirmations boost confidence
Interpretation
| Score | Meaning | Use Case |
|---|---|---|
| 80-100 | High confidence | Safe for automated blocking |
| 50-79 | Medium confidence | Suitable for alerting |
| 0-49 | Low confidence | Research/investigation only |
Combining Scores
Automated Blocking
For production automated blocking, use restrictive thresholds:
risk_score >= 70 AND confidence >= 70
Alerting
For analyst review queues, cast a wider net:
risk_score >= 50 AND confidence >= 50
Threat Hunting
For proactive hunting, include lower confidence indicators:
risk_score >= 40 OR (tags CONTAINS 'behavior:c2' AND confidence >= 40)
API Example
# Get high-confidence critical threats
curl -H "X-API-Key: YOUR_API_KEY" \
"https://api.portsix.io/api/v1/intel/observables?min_risk_score=70&min_confidence=70"
# Response includes scores for each observable
{
  "results": [
    {
      "value": "185.220.101.45",
      "type": "ip",
      "risk_score": 92,
      "confidence_score": 88,
      "tags": ["behavior:c2", "malware_family:cobalt-strike"]
    }
  ]
}
Related Documentation
- IP Enrichment - See how risk scores appear in IP lookup responses
- API Reference - Full endpoint documentation with score examples
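The three threshold policies under Combining Scores, applied to observables in the shape returned by the API Example above, as an added example (not Port Six's own code). The queue names and the sample response are constructed for illustration; the thresholds are the ones documented on this page.

```python
# Added example (not Port Six's own code): route observables from a
# /api/v1/intel/observables response into queues using the documented
# blocking, alerting and threat-hunting thresholds.
from typing import Dict, List

# Thresholds taken from the "Combining Scores" section above.
BLOCK_RISK, BLOCK_CONF = 70, 70
ALERT_RISK, ALERT_CONF = 50, 50
HUNT_RISK, HUNT_C2_CONF = 40, 40


def classify(obs: Dict) -> str:
    """Return the most aggressive queue an observable qualifies for."""
    risk = obs.get("risk_score", 0)
    conf = obs.get("confidence_score", 0)
    tags = obs.get("tags", [])
    if risk >= BLOCK_RISK and conf >= BLOCK_CONF:
        return "block"          # safe for automated blocking
    if risk >= ALERT_RISK and conf >= ALERT_CONF:
        return "alert"          # analyst review queue
    if risk >= HUNT_RISK or ("behavior:c2" in tags and conf >= HUNT_C2_CONF):
        return "hunt"           # low-confidence indicators for proactive hunting
    return "monitor"


def route(results: List[Dict]) -> Dict[str, List[str]]:
    """Group observable values by the queue classify() assigns them."""
    queues: Dict[str, List[str]] = {"block": [], "alert": [], "hunt": [], "monitor": []}
    for obs in results:
        queues[classify(obs)].append(obs["value"])
    return queues


# Constructed sample response (documentation-range addresses, not real indicators).
SAMPLE_RESPONSE = {
    "results": [
        {"value": "192.0.2.10", "type": "ip", "risk_score": 92, "confidence_score": 88, "tags": ["behavior:c2"]},
        {"value": "192.0.2.11", "type": "ip", "risk_score": 85, "confidence_score": 40, "tags": ["behavior:c2"]},
        {"value": "192.0.2.12", "type": "ip", "risk_score": 55, "confidence_score": 65, "tags": ["behavior:scanning"]},
        {"value": "192.0.2.13", "type": "ip", "risk_score": 30, "confidence_score": 95, "tags": []},
        {"value": "192.0.2.14", "type": "ip", "risk_score": 35, "confidence_score": 45, "tags": ["behavior:c2"]},
    ]
}

if __name__ == "__main__":
    for queue, values in route(SAMPLE_RESPONSE["results"]).items():
        print(f"{queue:8s} {values}")
```

Note that 192.0.2.11 (risk 85, confidence 40) lands in the hunting queue rather than the block list: a high risk score alone never triggers automated action under these policies, which is the point of the confidence dimension.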