Severity modifiers
Severity is a label, score is a number. A pair with a behavioral score of 75 can land on any severity level depending on what else is true about the destination. This page lists what shifts severity and in which direction.
Score vs severity
The score (0 to 100) measures how beacon-like the pair's behavior is. It's covered in Behavioral scoring.
The severity (Info, Low, Medium, High, Severe) is the triage priority you should treat the pair at. It combines the behavioral score with external signals about the destination: fingerprint matches, threat intel, certificate weirdness, and more.
What bumps severity up
- Known-bad JA3 or JA4 match. The strongest modifier. A Cobalt Strike fingerprint on an unremarkable beacon is still Cobalt Strike.
- Known-bad JA4H match. HTTP client fingerprint hits on the same operator-tool corpus.
- Self-signed certificate. Legitimate servers rarely present self-signed certs to clients. C2 servers often do, especially for short-lived campaigns.
- Threat-intel hits. Hits from multiple feeds on the same destination IP compound. A hit on Emerging Threats plus a confidence score on AbuseIPDB plus a VirusTotal cluster counts more than any single hit.
- Suspicious ASN or registrant. Fresh or bulletproof hosting providers, recently-registered networks, or ownership transitions within the last 30 days.
- Missing Accept-Language on HTTP. Browsers always send it. Many C2 agents don't. A small flag, but it counts.
What dims severity
- Well-known ASN for the destination. Microsoft, Google, Cloudflare, and other major providers carry a mix of legitimate and questionable traffic, but the base rate strongly favors benign. Severity is dimmed, not suppressed.
- Clean threat intel across every feed. Not a guarantee of benign, but reduces severity relative to a no-data response.
- Recognized software User-Agent with a matching JA4H. Consistent, well-known client fingerprints that match the declared User-Agent.
How this shows up in the panel
Every flagged pair has an Explain why section that lists every severity modifier that applied, with the direction and magnitude. If a pair landed on Severe but you disagree, the modifiers tell you exactly which signal to challenge.
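The following is an added illustration of how the score-plus-modifiers model described above can be laid out so that the verdict and the "Explain why" list come out of the same computation. It is not the engine's code. The page gives the direction of each modifier but not its weight, so every weight and every severity band threshold below is an assumed placeholder, and the two destination profiles at the bottom are constructed to show the same behavioral score of 75 landing on different levels.

```python
"""Illustrative severity-modifier model (added example, not the engine's code).

Directions of the modifiers follow the documentation; the weights, the band
thresholds and the sample destinations are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Direction comes from the page; magnitudes are constructed placeholders.
MODIFIER_WEIGHTS: Dict[str, int] = {
    # upward modifiers
    "known_bad_ja3_ja4": 40,       # strongest: known operator-tool TLS fingerprint
    "known_bad_ja4h": 30,          # HTTP client fingerprint on the same corpus
    "self_signed_cert": 15,
    "threat_intel_hit": 10,        # applied once per feed, so hits compound
    "suspicious_asn": 15,          # fresh/bulletproof hosting, recent ownership change
    "missing_accept_language": 5,  # small flag, but it counts
    # downward modifiers
    "well_known_asn": -20,         # dimmed, not suppressed
    "clean_threat_intel": -10,     # clean across every feed beats "no data"
    "consistent_ua_ja4h": -10,     # declared User-Agent matches its JA4H
}

# Assumed bands: the first floor the adjusted score reaches picks the label.
SEVERITY_BANDS: List[Tuple[int, str]] = [
    (90, "Severe"), (70, "High"), (50, "Medium"), (25, "Low"), (0, "Info"),
]


@dataclass
class DestinationSignals:
    """External signals about the destination, independent of the behavioral score."""
    ja3_ja4_known_bad: bool = False
    ja4h_known_bad: bool = False
    self_signed_cert: bool = False
    threat_intel_feeds_hit: int = 0       # feeds flagging the destination IP
    threat_intel_feeds_queried: int = 0   # 0 means no data, which is not "clean"
    suspicious_asn: bool = False
    well_known_asn: bool = False
    http_seen: bool = False
    accept_language_present: bool = True
    ua_matches_ja4h: bool = False


def applied_modifiers(sig: DestinationSignals) -> List[Tuple[str, int]]:
    """Return the (name, delta) list an 'Explain why' panel would render."""
    out: List[Tuple[str, int]] = []
    w = MODIFIER_WEIGHTS
    if sig.ja3_ja4_known_bad:
        out.append(("known_bad_ja3_ja4", w["known_bad_ja3_ja4"]))
    if sig.ja4h_known_bad:
        out.append(("known_bad_ja4h", w["known_bad_ja4h"]))
    if sig.self_signed_cert:
        out.append(("self_signed_cert", w["self_signed_cert"]))
    for _ in range(sig.threat_intel_feeds_hit):      # one entry per feed
        out.append(("threat_intel_hit", w["threat_intel_hit"]))
    if sig.suspicious_asn:
        out.append(("suspicious_asn", w["suspicious_asn"]))
    if sig.http_seen and not sig.accept_language_present:
        out.append(("missing_accept_language", w["missing_accept_language"]))
    if sig.well_known_asn:
        out.append(("well_known_asn", w["well_known_asn"]))
    # "Clean" only when feeds were actually consulted and none flagged the IP.
    if sig.threat_intel_feeds_queried > 0 and sig.threat_intel_feeds_hit == 0:
        out.append(("clean_threat_intel", w["clean_threat_intel"]))
    if sig.http_seen and sig.ua_matches_ja4h:
        out.append(("consistent_ua_ja4h", w["consistent_ua_ja4h"]))
    return out


def severity(behavioral_score: int, sig: DestinationSignals) -> Tuple[str, int, List[Tuple[str, int]]]:
    """Combine the 0-100 behavioral score with the destination modifiers.

    Returns (label, adjusted_score, modifiers) so a caller can show both the
    verdict and the exact signals an analyst could challenge.
    """
    if not 0 <= behavioral_score <= 100:
        raise ValueError("behavioral score must be 0..100")
    mods = applied_modifiers(sig)
    adjusted = max(0, min(100, behavioral_score + sum(d for _, d in mods)))
    label = next(name for floor, name in SEVERITY_BANDS if adjusted >= floor)
    return label, adjusted, mods


if __name__ == "__main__":
    # Constructed destinations: same behavioral score, very different severity.
    cs_like = DestinationSignals(ja3_ja4_known_bad=True, self_signed_cert=True,
                                 threat_intel_feeds_hit=2, threat_intel_feeds_queried=3)
    cdn_like = DestinationSignals(well_known_asn=True, threat_intel_feeds_queried=3,
                                  http_seen=True, ua_matches_ja4h=True)
    for name, s in (("cs_like", cs_like), ("cdn_like", cdn_like)):
        label, adj, mods = severity(75, s)
        print(f"{name}: {label} (adjusted {adj})")
        for mod, delta in mods:
            print(f"  {delta:+d} {mod}")
```

Two points the code makes explicit that the prose only implies: a "no data" threat-intel response applies no downward modifier, only a genuinely clean answer across queried feeds does; and per-feed hits are listed individually so the compounding is visible in the explanation rather than folded into one opaque number.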
Tuning
Severity weights are set in the engine and are the same for every customer in the current release. Per-workspace tuning is planned. For now, the primary tuning knob you have is confirm/dismiss, which doesn't move severity weights but does suppress future matches of patterns you've seen before.
