Threat Scoring Quick Reference
This page provides a quick reference for threat scores. For a comprehensive deep-dive into how scoring works, see the Core Concepts guide.
Quick Reference
Score Ranges
| Score | Level | Action |
|---|---|---|
| 0-20 | MINIMAL | Allow |
| 21-40 | LOW | Log |
| 41-60 | MEDIUM | Challenge |
| 61-80 | HIGH | Block |
| 81-100 | CRITICAL | Block + Alert |
Detection Categories
| Category | Weight | Reliability |
|---|---|---|
| Honeypot Signals | 40% | Highest |
| Attack Signatures | 25% | High |
| Browser Fingerprint | 12% | Medium |
| Behavioral Analysis | 10% | Medium |
| TLS Fingerprint | 7% | Medium |
| IP Reputation | 3% | Low |
| HTTP Headers | 2% | Low |
| User Agent | 1% | Low |
Threat Categories
| Category | Meaning |
|---|---|
| Attacker | Active exploitation attempt |
| Bot | Automated with fingerprint anomalies |
| Scanner | Triggered honeypot/decoy |
| Crawler | Known crawler User-Agent |
| Scraper | Fingerprint anomalies only |
| Legitimate | Normal human visitor |
Viewing Scores
In the Detections Table
The Threat Score column shows the unified score (0-100). The Category column shows the threat classification.
In Detection Details
Click on any detection to see:
- Full score breakdown by category
- Contributing signals
- Confidence percentage
- Raw detection data
Score Explanation Dialog
Click the ? icon next to any threat score to open the explanation dialog, which shows how the score was calculated.
Filtering by Score
Use the filters panel to narrow detections:
- By Score Range: Set min/max thresholds
- By Category: Select specific threat types
- By Level: Filter to HIGH/CRITICAL only
Common Questions
Q: Why is my score different from the sum of signals?
A: Scores are weighted averages, not sums. A honeypot score of 30 contributes 30 × 40% = 12 points, not 30 points.
Q: What does “Unknown” category mean?
A: This was a legacy category. All detections are now classified as one of: Attacker, Bot, Scanner, Crawler, Scraper, or Legitimate.
Q: Why is confidence low?
A: Confidence reflects how many signal categories contributed. With only 1-2 categories active, confidence is lower. More signals = higher confidence.
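The weighted-average answer above, worked through with the weights and score ranges from this page's tables. This is an added example, not the product's own code: the function names are hypothetical, and it assumes that categories with no signal contribute 0 and that the total is rounded to the nearest integer before the range lookup.

```python
import math

# Weights (percent) and score bands copied from the tables on this page.
WEIGHTS_PCT = {
    "Honeypot Signals": 40,
    "Attack Signatures": 25,
    "Browser Fingerprint": 12,
    "Behavioral Analysis": 10,
    "TLS Fingerprint": 7,
    "IP Reputation": 3,
    "HTTP Headers": 2,
    "User Agent": 1,
}
BANDS = [  # (inclusive upper bound, level, action)
    (20, "MINIMAL", "Allow"),
    (40, "LOW", "Log"),
    (60, "MEDIUM", "Challenge"),
    (80, "HIGH", "Block"),
    (100, "CRITICAL", "Block + Alert"),
]

def breakdown(category_scores):
    """Return each category's point contribution (score x weight)."""
    # Assumption: categories missing from the input contribute 0 points.
    points = {}
    for name, score in category_scores.items():
        if name not in WEIGHTS_PCT:
            raise ValueError(f"unknown category: {name}")
        if not 0 <= score <= 100:
            raise ValueError(f"{name}: score {score} outside 0-100")
        points[name] = score * WEIGHTS_PCT[name] / 100
    return points

def unified_score(category_scores):
    """Weighted total, rounded half-up to an integer (rounding is an assumption)."""
    return math.floor(sum(breakdown(category_scores).values()) + 0.5)

def classify(score):
    """Map a unified score to its (level, action) band."""
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} outside 0-100")
    return next((lvl, act) for upper, lvl, act in BANDS if score <= upper)

# Constructed sample: per-category scores for one detection (raw sum is 210).
SAMPLE = {"Honeypot Signals": 30, "Attack Signatures": 80, "User Agent": 100}
if __name__ == "__main__":
    total = unified_score(SAMPLE)
    print(breakdown(SAMPLE), total, classify(total))
```

For the constructed sample the raw signal scores sum to 210, but the weighted contributions are 12 + 20 + 1 = 33, which falls in the LOW range.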
For complete documentation on scoring methodology, category weights, and classification logic, see the Threat Scoring Core Concepts guide.