Confidence Scoring Methodology
The published 6-signal weighted formula IntrusionLabs uses to score actor confidence. Hand-tuned weights, transparent math, no black boxes.
Node Count (30%): Number of independent sensor nodes that observed this actor. Multiple vantage points increase confidence that the activity is real rather than spoofed toward a single sensor.

Interaction Depth (25%): How deep into the kill chain the actor progressed, from port scanning through authentication to command execution and data exfiltration.

Recency (13%): How recently the actor was observed. Activity within the last 7 days receives full weight; older activity decays linearly.

Total Events (12%): Volume of events generated. Saturates at 1,000 events so that noisy scanners cannot dominate lower-volume, high-intent operators.

External Corroboration (12%): Matches against external threat intelligence feeds (Spamhaus DROP, Feodo Tracker, Tor exit nodes). Three or more feed matches yield full signal.

Protocol Breadth (8%): Number of distinct protocols/services the actor targeted. Multi-protocol activity suggests deliberate reconnaissance rather than single-purpose automated scanning.
confidence = 30% × node_count
+ 25% × interaction_depth
+ 13% × recency
+ 12% × total_events
+ 12% × external_corroboration
+ 8% × protocol_breadth
All six signals are normalized to 0.0–1.0 before weighting; because the weights sum to 100%, the resulting confidence score also stays within 0.0–1.0.
Event volume saturates at 1,000 events: anything above that contributes the same full signal.
Recency is full weight for activity in the last 7 days; older activity decays linearly over a 7-day window.
External corroboration reaches full signal at 3+ independent feed matches.
No black boxes — these are the actual constants from apps/threats/aggregation.py.
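The formula carried through on two constructed actors, as an added illustration that is not IntrusionLabs' aggregation.py. The six weights, the 1,000-event saturation, the 7-day recency rule and the 3-match corroboration threshold are taken from the page; everything marked ASSUMPTION (the node-count and protocol-breadth saturation points, the kill-chain stage ladder, and the point at which recency reaches zero) is a placeholder for constants the page does not publish.

```python
"""Worked example of the 6-signal weighted confidence score.

Added illustration, not the project's own code. Values labelled ASSUMPTION
are placeholders for normalization constants the page does not state.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Weights exactly as published on the page (sum to 1.0).
WEIGHTS: Dict[str, float] = {
    "node_count": 0.30,
    "interaction_depth": 0.25,
    "recency": 0.13,
    "total_events": 0.12,
    "external_corroboration": 0.12,
    "protocol_breadth": 0.08,
}

EVENT_SATURATION = 1000     # page: volume saturates at 1,000 events
RECENCY_FULL_DAYS = 7       # page: last 7 days receive full weight
RECENCY_DECAY_DAYS = 7      # page: linear decay over a 7-day window
                            # ASSUMPTION: that window starts after the
                            # 7 full-weight days, so signal hits 0 at day 14
CORROBORATION_FULL = 3      # page: 3+ feed matches = full signal

# ASSUMPTION: the page does not say how these three are normalized.
NODE_SATURATION = 10        # hypothetical: 10 independent nodes = full signal
PROTOCOL_SATURATION = 5     # hypothetical: 5 distinct services = full signal
KILL_CHAIN = ["scan", "auth", "exec", "exfil"]  # hypothetical ladder built
                            # from the stages the page names


def weights_sum_to_one() -> bool:
    """Sanity check: a normalized signal set only yields 0..1 if weights sum to 1."""
    return abs(sum(WEIGHTS.values()) - 1.0) < 1e-9


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def normalize_recency(age_days: float) -> float:
    """Full weight inside the 7-day window, then linear decay to 0.0."""
    if age_days <= RECENCY_FULL_DAYS:
        return 1.0
    return clamp01(1.0 - (age_days - RECENCY_FULL_DAYS) / RECENCY_DECAY_DAYS)


def normalize_depth(deepest_stage: Optional[str]) -> float:
    """Position of the deepest kill-chain stage reached, scaled to 0..1."""
    if deepest_stage is None:
        return 0.0
    return (KILL_CHAIN.index(deepest_stage) + 1) / len(KILL_CHAIN)


@dataclass(frozen=True)
class ActorObservation:
    node_count: int
    deepest_stage: Optional[str]
    last_seen_age_days: float
    total_events: int
    feed_matches: int
    protocols: Set[str]


def signals(obs: ActorObservation) -> Dict[str, float]:
    """Every raw observation mapped onto 0.0-1.0 before weighting."""
    return {
        "node_count": clamp01(obs.node_count / NODE_SATURATION),
        "interaction_depth": normalize_depth(obs.deepest_stage),
        "recency": normalize_recency(obs.last_seen_age_days),
        "total_events": clamp01(obs.total_events / EVENT_SATURATION),
        "external_corroboration": clamp01(obs.feed_matches / CORROBORATION_FULL),
        "protocol_breadth": clamp01(len(obs.protocols) / PROTOCOL_SATURATION),
    }


def confidence(obs: ActorObservation) -> float:
    """confidence = sum(weight_i * normalized_signal_i)."""
    s = signals(obs)
    return sum(WEIGHTS[k] * s[k] for k in WEIGHTS)


# Constructed sample actors (not real observations).
# A single-node mass scanner that fires 50,000 events but never gets past scanning.
SCANNER = ActorObservation(node_count=1, deepest_stage="scan", last_seen_age_days=0.5,
                           total_events=50_000, feed_matches=0, protocols={"ssh"})
# A lower-volume operator seen from 6 nodes, reaching command execution,
# corroborated by 2 feeds, touching 3 services.
OPERATOR = ActorObservation(node_count=6, deepest_stage="exec", last_seen_age_days=2.0,
                            total_events=120, feed_matches=2,
                            protocols={"ssh", "http", "smb"})

if __name__ == "__main__":
    for name, actor in (("scanner", SCANNER), ("operator", OPERATOR)):
        print(name, {k: round(v, 3) for k, v in signals(actor).items()},
              "confidence=%.4f" % confidence(actor))
```

The scanner's 50,000 events collapse to the same 0.12 contribution as an operator at exactly 1,000, which is the whole point of the saturation cap: after that, node count, interaction depth and corroboration do the discriminating, and the operator lands well above the scanner despite generating roughly 400 times fewer events. The three ASSUMPTION constants are where a real deployment's scores will differ from this example; swap in the values from aggregation.py to reproduce production numbers.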