How Silent Push Calculates Risk Scores


Silent Push’s risk scoring system provides security teams with an at-a-glance assessment of potential threats associated with indicators such as domains, IPv4 addresses, and IPv6 ranges. This article explains the core components of our proprietary scoring algorithm, its derivation, and why it's designed for actionable threat intelligence.

The SP Risk Score is a composite numerical value (typically on a scale of 0-10, where 0 indicates low risk and 10 indicates high risk) displayed prominently at the top of query results in the Total View interface. It aggregates multiple data points to evaluate the threat level of an observable, enabling quick prioritization without requiring manual deep dives.

Key Principles

  • The score is calculated using Silent Push’s first-party data, with an emphasis on recency, severity, and behavioral patterns.

  • An optional Explain feature in enrichment queries reveals the methodology, including weighted factors such as listing density (the concentration of blacklists) and age anomalies (unusual domain lifespans).

  • Scores refresh in real time, so they stay relevant as threats evolve.

Calculation Methodology

Our scoring engine processes observables through a multi-layered algorithm:

  • Reputation Factors (30% Weight)

    • Draws from ASN reputation, nameserver trustworthiness, and IP history.

    • Example: A domain resolving to an ASN with a high takedown history (e.g., frequent abuse reports) lowers the reputation sub-score.

    • Subfield: asn_reputation_explain provides takedown metrics.

  • Listing Exposure (25% Weight)

    • Aggregates appearances across curated threat feeds (e.g., blacklists for phishing or malware).

    • Listing Score: Quantifies frequency and recency (e.g., 0 = clean, 85 = heavily listed).

    • Subfield: listing_score_explain breaks down feeds and counts.

  • Behavioral Indicators (25% Weight)

    • Flags like Dynamic Domain Indicator (DGA probability) or URL Shortener Indicator.

    • Detects evasion tactics such as server changes (IP/ASN shifts) or fast flux.

  • Warning Flags and Enrichments (20% Weight)

    • Includes misconfigurations like open directories, expired SSL certificates, or exposed S3 buckets.

    • Incorporates WHOIS age, Tranco Rank (a measure of popularity), and PADNS historical context.

The final score applies decider logic to categorize the result (for example, the decider high_listings_and_dynamic_indicator denotes elevated risk). For reputation queries on subnets, the optional Explain output reveals per-factor contributions.

Example

In a bulk domain enrichment query for "suspicious-domain.net":

  • Listing Score: 85 (high exposure).

  • Dynamic Domain Indicator: True.

  • Result: SP Risk Score = 9, with explanation: {"decider": "high_listings_and_dynamic_indicator"}.
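
The following is an added illustrative model of how the weighted factors above can be blended into a 0-10 score with a decider label and a per-factor explain breakdown; it is not Silent Push's proprietary algorithm. It assumes each factor is normalized to a 0-100 risk sub-score, a linear blend with the page's weights, and constructed sub-score rules and decider labels other than high_listings_and_dynamic_indicator.

```python
"""Illustrative weighted risk-score model (added example, NOT Silent Push's
proprietary algorithm). Assumes each factor is a 0-100 risk sub-score and the
composite is a linear blend using the weights from the page."""
from dataclasses import dataclass

# Factor weights as stated on the page (30 / 25 / 25 / 20).
WEIGHTS = {"reputation": 0.30, "listing": 0.25, "behavioral": 0.25, "warnings": 0.20}

@dataclass
class Observable:
    name: str
    reputation: int       # 0 = trusted ASN/nameservers, 100 = heavy takedown history
    listing_score: int    # 0 = clean, ~85 = heavily listed (page's scale)
    dynamic_domain: bool  # Dynamic Domain Indicator (DGA probability)
    url_shortener: bool   # URL Shortener Indicator
    server_changes: int   # IP/ASN shifts seen in the lookback window (fast flux)
    warning_flags: int    # open directory, expired cert, exposed bucket, ...

def behavioral_subscore(o: Observable) -> int:
    # Constructed rule: indicators and churn accumulate, capped at 100.
    s = (60 if o.dynamic_domain else 0) + (20 if o.url_shortener else 0)
    s += min(o.server_changes, 4) * 10
    return min(s, 100)

def warnings_subscore(o: Observable) -> int:
    return min(o.warning_flags * 25, 100)  # constructed: 25 points per flag

def decider(o: Observable, factors: dict) -> str:
    # high_listings_and_dynamic_indicator is the page's label; the rest are constructed.
    if o.listing_score >= 70 and o.dynamic_domain:
        return "high_listings_and_dynamic_indicator"
    if o.listing_score >= 70:
        return "high_listings"
    if o.dynamic_domain:
        return "dynamic_indicator"
    if max(factors.values()) < 30:
        return "clean"
    return max(factors, key=factors.get) + "_dominant"

def risk_score(o: Observable) -> dict:
    """Return score (0-10), decider label and per-factor contributions (explain)."""
    factors = {"reputation": o.reputation, "listing": o.listing_score,
               "behavioral": behavioral_subscore(o), "warnings": warnings_subscore(o)}
    explain = {k: round(WEIGHTS[k] * v, 2) for k, v in factors.items()}
    score = round(sum(explain.values()) / 10)  # 0-100 blend scaled to 0-10
    return {"sp_risk_score": score, "decider": decider(o, factors), "explain": explain}

# Constructed inputs mirroring the page's example and a benign counterpart.
SUSPICIOUS = Observable("suspicious-domain.net", 90, 85, True, False, 3, 3)
CLEAN = Observable("example-corp.com", 10, 0, False, False, 0, 0)
```

Running risk_score(SUSPICIOUS) yields score 9 with decider high_listings_and_dynamic_indicator, and the explain dictionary shows which factor contributed most.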

This methodology ensures that scores are not just numbers, but gateways to deeper forensics, such as raw scan outputs for vulnerabilities.

For API users, scores are accessible via enrichment endpoints.