Risk Scoring and Classification Framework

Panther's risk scoring system uses a pseudo-Bayesian log-odds ratio approach to evaluate security events, combining both risky and benign indicators into a normalized score that ranges from -1 (benign) to +1 (risky).

Core Methodology

The system requires explicit enumeration of both risky and benign indicators, rather than making binary judgments. Each indicator receives a base score, then three multiplicative weights are applied to reflect confidence, context, and temporal relevance.

Indicator Scoring Scale

Risky Indicators receive positive scores on a 1-10 scale:

  • Critical (8-10): Active exploitation, successful compromise, data exfiltration

  • High (6-7): Known vulnerabilities targeted, privilege escalation attempts, lateral movement

  • Medium (4-5): Reconnaissance, scanning, suspicious patterns, policy violations

  • Low (1-3): Minor anomalies, configuration drift, informational findings

Benign Indicators receive negative scores on a -1 to -10 scale:

  • Strong Mitigation (-8 to -10): Complete blocking, successful detection, verified false positive

  • Moderate Mitigation (-4 to -7): Partial blocking, expected behavior, authorized activity

  • Weak Mitigation (-1 to -3): Limited controls, uncertain legitimacy, incomplete data

Weighting Factors

Each indicator's base score is adjusted by three multiplicative factors (all ranging from 0.0 to 1.0):

  1. Evidence Confidence: Reliability of the data source and depth of analysis

  2. Context Weighting: Asset criticality, environment type (production vs. sandbox), and business impact

  3. Temporal Relevance: How recent the activity is

    • Last 24 hours: 1.0

    • 1-7 days: 0.8

    • 7-30 days: 0.6

    • Over 30 days: 0.3

Mathematical Formula

The system aggregates weighted scores into two totals:

ABIS (Aggregate Benign Indicators Score) = Σ(Score × Confidence × Context × Temporal), summed over the benign indicators

ARIS (Aggregate Risk Indicators Score) = Σ(Score × Confidence × Context × Temporal), summed over the risky indicators

These are combined into a final score:

CRS (Composite Risk Score) = (ARIS + ABIS) / (ARIS - ABIS)

Because benign scores are negative, ABIS is never positive: the numerator is the net evidence and the denominator is the total weight of evidence, which keeps CRS within -1 to +1 and produces results where:

  • CRS = 0: Perfectly balanced (risky and benign evidence equal)

  • CRS > 0: High risk (risky evidence dominates)

  • CRS < 0: Low risk (benign evidence dominates)

Classification Thresholds

Based on the composite risk score, events are classified as:

  • Risky: CRS exceeds the positive threshold

  • Benign: CRS falls below the negative threshold

  • Inconclusive: CRS falls between thresholds
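The following is an added worked example of the scoring procedure described above (indicator scores, the three multiplicative weights, ARIS/ABIS aggregation, the CRS formula and threshold classification). It is not Panther's own code: the `Indicator` class, the sample indicators and the ±0.3 classification thresholds are constructed assumptions, since the page does not give threshold values.

```python
"""Worked example of the log-odds-style risk scoring described on this page.
Sample indicators and the classification thresholds are constructed assumptions,
not Panther's own values."""
from dataclasses import dataclass
from typing import List, Tuple


def temporal_weight(age_days: float) -> float:
    """Temporal relevance factor as tabulated on the page (age of the activity in days)."""
    if age_days <= 1:
        return 1.0
    if age_days <= 7:
        return 0.8
    if age_days <= 30:
        return 0.6
    return 0.3


@dataclass(frozen=True)
class Indicator:
    name: str
    score: int          # risky: +1..+10, benign: -10..-1 (0 is not a valid score)
    confidence: float   # evidence confidence, 0.0..1.0
    context: float      # context weighting (asset criticality, environment), 0.0..1.0
    age_days: float     # how old the observed activity is

    def __post_init__(self) -> None:
        # Enforce the scales from the page so a typo cannot silently skew the total.
        if not 1 <= abs(self.score) <= 10:
            raise ValueError(f"{self.name}: score must be in 1..10 or -10..-1")
        for attr in ("confidence", "context"):
            if not 0.0 <= getattr(self, attr) <= 1.0:
                raise ValueError(f"{self.name}: {attr} must be in 0.0..1.0")

    @property
    def is_risky(self) -> bool:
        return self.score > 0

    def weighted(self) -> float:
        """Score x Confidence x Context x Temporal: one term of ARIS or ABIS."""
        return self.score * self.confidence * self.context * temporal_weight(self.age_days)


def aggregate(indicators: List[Indicator]) -> Tuple[float, float]:
    """Return (ARIS, ABIS). ABIS is <= 0 because benign indicators carry negative scores."""
    aris = sum(i.weighted() for i in indicators if i.is_risky)
    abis = sum(i.weighted() for i in indicators if not i.is_risky)
    return aris, abis


def composite_risk_score(indicators: List[Indicator]) -> float:
    """CRS = (ARIS + ABIS) / (ARIS - ABIS), bounded to [-1, +1]; no evidence yields 0."""
    aris, abis = aggregate(indicators)
    denominator = aris - abis  # total weight of evidence; zero only with no indicators
    if denominator == 0:
        return 0.0
    return (aris + abis) / denominator


# Assumed thresholds: the page states thresholds exist but does not give their values.
RISKY_THRESHOLD = 0.3
BENIGN_THRESHOLD = -0.3


def classify(indicators: List[Indicator]) -> str:
    crs = composite_risk_score(indicators)
    if crs > RISKY_THRESHOLD:
        return "risky"
    if crs < BENIGN_THRESHOLD:
        return "benign"
    return "inconclusive"


# Constructed sample event (not real data): a privilege-escalation attempt on a
# production host that EDR blocked, observed inside an approved change window.
SAMPLE_EVENT: List[Indicator] = [
    Indicator("privilege escalation attempt", 7, confidence=0.9, context=1.0, age_days=0.5),
    Indicator("external port scan preceding the attempt", 4, confidence=0.8, context=1.0, age_days=3),
    Indicator("EDR blocked the escalation", -8, confidence=0.9, context=1.0, age_days=0.5),
    Indicator("activity inside approved change window", -5, confidence=0.7, context=1.0, age_days=0.5),
]

if __name__ == "__main__":
    aris, abis = aggregate(SAMPLE_EVENT)
    print(f"ARIS={aris:.2f} ABIS={abis:.2f} "
          f"CRS={composite_risk_score(SAMPLE_EVENT):.3f} -> {classify(SAMPLE_EVENT)}")
    # If later analysis shows the block never happened, dropping that benign
    # indicator flips the classification from inconclusive to risky.
    unmitigated = [i for i in SAMPLE_EVENT if i.name != "EDR blocked the escalation"]
    print(f"without EDR block: CRS={composite_risk_score(unmitigated):.3f} -> {classify(unmitigated)}")
```

With the constructed indicators, ARIS is 8.86 and ABIS is -10.7, giving a CRS of about -0.094 (inconclusive at a ±0.3 threshold); removing the EDR-block indicator raises CRS to about 0.43 and the event becomes risky. One property worth keeping in mind when tuning: because CRS is a ratio, a weight applied uniformly to every indicator (for example the same context factor on both risky and benign evidence) cancels out; weights only move the score when they differ between indicators.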

Theoretical Foundation

This methodology draws from established risk assessment frameworks:

  • CVSS v3.1: Multiplicative weighting of base, temporal, and environmental metrics

  • FAIR (Factor Analysis of Information Risk): Combines threat frequency, vulnerability, and loss magnitude factors

  • Bayesian Risk Scoring: Uses log-odds ratios for binary classification

  • OCTAVE Approach: Evidence-based risk management

Key Advantages

The approach avoids binary "good/bad" judgments by requiring analysts to:

  • Explicitly document both supporting and contradicting evidence

  • Assign confidence levels based on data quality

  • Account for environmental context (asset importance, business criticality)

  • Weight recent activity more heavily than historical patterns

This forces rigorous, evidence-based reasoning rather than relying on single indicators or gut feelings. The temporal decay ensures that stale indicators don't artificially inflate risk scores, while context weighting allows appropriate differentiation between attacks on critical production systems versus activity in development sandboxes.
