Risk score

Updated
  • Updated on Aug 27, 2025
  • Published on Apr 30, 2023
  • 2 minute(s) read
Prev Next

Silent Push risk score provides an at-a-glance assessment of the risk associated with the indicator. The risk score is displayed at the top left of the Total View screen, as well as in color-coded dots located next to the indicator.

Scanning through passive DNS data returns a risk indication for every record. As soon as the colored dots appear, you can hover over them to view the risk score and the reason for the risk score assignment, which explains why the risk score was assigned to the indicator.

The risk score displayed is derived from a variety of attributes, which vary by domain and IP observable type.

Domain-based scoring

Metric

Description

Flag Impact

IOFA Feed History Score listing score

Based on the frequency and recency of an observable's presence within IOFA feeds

NS Reputation Score ns_reputation_score

Based on the name servers currently associated with the domain. The reputation score is based on the number of domains hosted on the name server versus the number of those domains listed in threat intelligence feed

NS Entrophy Score ns_entrophy_score

Reflects the recency, frequency, and  number of name server changes associated with the domain

Age Score age_score

Based on the age of the domain as seen in DNS zone files, with more recently created domains receiving a higher score

Is New Score is_new_score

100 if created within the last 24 hours, indicating higher risk

Is Expired is_expired

Flag indicating the domain has expired

Reduces SP Risk Score to 0

Is Parked is_parked

Flag indicating the domain is parked

Reduces SP Risk Score to 0

Is Sinkholed is_sinkholed

Flag indicating the domain is a sinkhole

Reduces SP Risk Score to 0

SP Risk Score sp_risk_score

Highest of: listing_score, ns_reputation_score, ns_entropy_score, age_score, is_new_score. Set to 0 if any flag (is_expired, is_parked, is_sinkholed) is true.

IP-based scoring

Metric

Description

Flag Impact

IOFA Feed History Score listing_score

Based on the frequency and recency of an observable's presence within IOFA feeds

IP Reputation Score ip_reputation_score

Based on the number of DNS A record names resolving to this IPv4 address, and that have been listed on the IOFA feeds

ASN Takedown Reputation Score asn_takedown_reputation

Based on the time an ASN owner takes to react to takedown requests, a higher score indicates a slower response

ASN Reputation Score ask_reputation_score

Ratio of blacklisted IPs to total active IPs in an ASN over the last 30 days

Subnet Reputation Score subnet_reputation

Ratio of blacklisted IPs to total active IPs in a subnet over the last 30 days

Known Benign known_benign

Flag indicating that the IP is known benign

Reduces SP Risk Score to 0

Known Sinkhole known_sinkhole_ip

Flag indicating that the IP is a sinkhole

Reduces SP Risk Score to 0

SP Risk Score sp_risk_score

Highest of: listing_score, ip_reputation, asn_takedown_reputation, asn_reputation, subnet_reputation. Set to 0 if any flag (known_benign, known_sinkhole_ip) is true.