Silent Push risk scores are designed to provide customers with an immediate, high-confidence signal of the potential threat level of any IPv4, IPv6, or domain asset. While the exact scoring logic is proprietary, this article explains the methodology we use and the signal categories that feed the score.
Why Risk Scores Exist
The goal of a risk score is to condense large volumes of raw Internet telemetry, passive DNS, host changes, content analysis, listings, enrichment feeds, and more into a single numeric signal. That signal helps analysts quickly prioritize:
Potentially malicious infrastructure
Dynamic or fast-changing domains
High-exposure assets
Items worth deeper investigation
Risk scores appear across the platform in both UI- and API-driven workflows, including the Advanced Query Builder, Live Scan, Domain/IPv4/IPv6 risk endpoints, bulk enrichment, and integrations (e.g., Tines).
The Core Components of a Risk Score
Silent Push combines several evidence categories to determine a score. The components below are consistent across the platform; the internal weightings and thresholds are proprietary.
Exposure and Listing Indicators
We maintain global listings for indicators such as:
High-volume or suspicious domain registrations
Suspicious naming patterns
New or untrusted hosting
Infrastructure categories associated with abuse
When an asset appears on these listings, it contributes to an elevated exposure value. In API/enrichment responses, these may be represented as listing_score or “Listings Score.”
Dynamic Domain Behavior
We flag domains that show dynamic or fast-changing behavior:
Frequent IP changes
Sudden NS or WHOIS updates
Patterns consistent with fast-flux or disposable infrastructure
These signals are surfaced as the Dynamic Domain Indicator and can raise the overall risk score.
Content-Based Evidence
Content and page-level telemetry are important inputs:
Body, header, and JavaScript hashes (known malicious fingerprints)
Suspicious redirects, hidden iframes, or injected content
Untrusted SSL issuers or problematic cert chains
Open directories, exposed admin paths, or embedded phishing content
These contribute to domain- and IP-level categorical outputs often shown as sp_risk_score in API results.
Infrastructure Reputation
Reputation signals are tracked across ASNs, hosting providers, and IP ranges:
ASN reputation and historical abuse
Known abusive hosting providers
Shifts to low-reputation providers or new, suspicious blocks
Reputation elements can appear in enrichment fields such as ip_asn_scores or nameserver_reputation.
Historical Trends
We evaluate behavior over time—longitudinal signals help distinguish temporary noise from sustained abuse. Historical context reduces false positives and improves confidence in the final score.
Scores across the Platform
Scores and supporting signals are available in multiple places:
Single-asset Queries
APIs for single asset scoring include endpoints like:
GET /explore/ipv4/riskscore/{ipv4}
GET /explore/ipv6/riskscore/{ipv6}
GET /explore/domain/riskscore/{domain}
These return a numeric sp_risk_score and contextual signals (listing, ASN reputation, indicators, enrichment details).
Bulk and UI Tools
Bulk endpoints and UI features support large-scale reviews:
Bulk IPv4/IPv6/domain risk score APIs
Bulk domain enrichment (includes listing score, server changes, hashes)
Advanced Query Builder (domain/IPv4/IPv6 queries)
Live Scan (color-coded domain + IP scores)
Feed search automations and integrations (Tines, SOAR)
How the Final Score Is Decided
Silent Push uses a proprietary scoring model to combine the evidence categories described above. The model determines:
Severity of each signal
Relative weight of behavior vs. reputation vs. content
When multiple weak signals should aggregate into a meaningful risk
When high-confidence malicious indicators should override weaker signals
The objective is to produce scores that are:
Stable enough to trust
Sensitive enough to catch emerging threats
Reflective of real-world threat posture rather than transient noise
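The combination behavior listed above (weak signals aggregating, high-confidence indicators overriding weaker ones, sustained behavior counting for more than transient noise) can be illustrated with a toy model. This is an added example, not Silent Push's scoring logic: the 0-100 scale, the category weights, the 7-day persistence window, the override floor, and the noisy-OR combination are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical per-category weights; the real weightings are proprietary.
WEIGHTS = {"listing": 0.5, "dynamic": 0.4, "content": 0.7, "reputation": 0.5}
OVERRIDE_FLOOR = 90   # hypothetical minimum score when a high-confidence hit exists
FULL_WEIGHT_DAYS = 7  # hypothetical window after which a signal counts fully


@dataclass
class Signal:
    category: str                  # one of the keys in WEIGHTS
    strength: float                # 0.0-1.0, how strongly the evidence was observed
    days_observed: int = 1         # how long the behavior has persisted
    high_confidence: bool = False  # e.g. a match on a known-malicious content hash


def persistence(days: int) -> float:
    """Damp briefly seen signals so transient noise contributes less."""
    return min(max(days, 0), FULL_WEIGHT_DAYS) / FULL_WEIGHT_DAYS


def risk_score(signals: list[Signal]) -> int:
    """Noisy-OR over all signals, then the high-confidence override."""
    p_benign = 1.0
    for s in signals:
        strength = max(0.0, min(s.strength, 1.0))
        p = WEIGHTS[s.category] * strength * persistence(s.days_observed)
        p_benign *= 1.0 - p  # each independent signal lowers the "benign" odds
    score = round(100 * (1.0 - p_benign))
    if any(s.high_confidence for s in signals):
        score = max(score, OVERRIDE_FLOOR)  # strong evidence wins over weak totals
    return score


if __name__ == "__main__":
    # Constructed sample signals, not real telemetry.
    weak = [Signal("listing", 0.5, 7), Signal("dynamic", 0.5, 7),
            Signal("reputation", 0.5, 7)]
    print("one weak signal:    ", risk_score(weak[:1]))
    print("three weak signals: ", risk_score(weak))
    print("one-day blip:       ", risk_score([Signal("dynamic", 0.5, 1)]))
    print("known-bad hash hit: ",
          risk_score([Signal("content", 0.3, 1, high_confidence=True)]))
```
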
A risk score is not a confirmation that an asset is malicious, an indicator of compromise, or an attributional judgment. It is a data-driven reputation signal that helps you prioritize investigation.