Risk Model — Calibration & Score Bands
Note (0.4.4+): The scan verdict (ALLOW/FLAG/BLOCK) is no longer derived from `risk_score` crossing a threshold. It is now derived from finding classes (see Risk Scoring & Verdict Model). The numbers below remain useful as customer-facing risk bands on dashboards, but they do not gate the verdict.
Threshold Calibration (analytics-only)
Auto-generated by scripts/calibrate_thresholds.py. Last refresh:
- Dataset: 1185 records (986 malicious, 199 benign)
- ROC-AUC: 1.0000
The numbers below are the operating points that best separate benign from malicious in this corpus. They are a useful reference for dashboard band labels, but they are no longer the BLOCK gate. An ROC-AUC of 1.0 means every malicious record in the corpus outscores every benign one, so some single threshold separates them perfectly; it says nothing about how scores will distribute on files outside the benchmark, and with only 199 benign samples the false-positive rate at any band boundary is estimated in steps of roughly 0.5%.
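The calibration the page describes, worked through on a constructed corpus. This is an added example, not scripts/calibrate_thresholds.py: the page does not say how that script picks its operating points, so the policy used here (flag = threshold maximising Youden's J, block = lowest threshold with zero false positives on the corpus) and the sample scores are assumptions. ROC-AUC is computed in its Mann-Whitney pairwise form, which matches the reported statistic exactly.

```python
"""Threshold calibration on a labelled score corpus.

Added example, not scripts/calibrate_thresholds.py. The selection policy
(flag = max Youden's J, block = lowest zero-false-positive threshold) is an
assumption about what "best separates" means; the corpus below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    risk_score: float
    malicious: bool


# Constructed sample corpus: 10 malicious, 7 benign, with deliberate overlap
# (one benign at 0.62, one malicious at 0.41) so the two thresholds differ.
SAMPLE = (
    [Record(s, True) for s in (0.92, 0.88, 0.81, 0.77, 0.74, 0.66, 0.58, 0.55, 0.50, 0.41)]
    + [Record(s, False) for s in (0.05, 0.11, 0.18, 0.22, 0.31, 0.44, 0.62)]
)


def roc_auc(records):
    """ROC-AUC in its Mann-Whitney form: the fraction of (malicious, benign)
    pairs in which the malicious record scores higher; ties count one half."""
    pos = [r.risk_score for r in records if r.malicious]
    neg = [r.risk_score for r in records if not r.malicious]
    if not pos or not neg:
        raise ValueError("corpus needs both malicious and benign records")
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))


def rates_at(threshold, records):
    """(TPR, FPR) when every record with risk_score >= threshold is called malicious."""
    pos = [r for r in records if r.malicious]
    neg = [r for r in records if not r.malicious]
    tpr = sum(r.risk_score >= threshold for r in pos) / len(pos)
    fpr = sum(r.risk_score >= threshold for r in neg) / len(neg)
    return tpr, fpr


def calibrate(records):
    """Return (flag, block) operating points.

    flag:  the candidate threshold maximising Youden's J = TPR - FPR
           (lowest such threshold on a tie).
    block: the lowest threshold with zero false positives on this corpus,
           or None if the top-scoring record is benign.
    Candidates are the distinct observed scores, so the result is reproducible.
    """
    candidates = sorted({r.risk_score for r in records})

    def youden_j(t):
        tpr, fpr = rates_at(t, records)
        return tpr - fpr

    flag = max(candidates, key=youden_j)  # first maximum in ascending order
    zero_fp = [t for t in candidates if rates_at(t, records)[1] == 0.0]
    block = min(zero_fp) if zero_fp else None
    return flag, block


if __name__ == "__main__":
    print(f"ROC-AUC: {roc_auc(SAMPLE):.4f}")
    flag, block = calibrate(SAMPLE)
    print(f"flag={flag} block={block}")
```

On a corpus with ROC-AUC 1.0, as the page reports, both operating points collapse onto the same threshold: the lowest malicious score is simultaneously the Youden maximum and the lowest zero-false-positive point, so separation statistics alone cannot yield two distinct boundaries. That is one reason the 0.25 / 0.50 / 0.70 bands are best treated as a product choice informed by the corpus rather than a value the corpus determines.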
Risk-band reference

| Band label | Risk score | Suggested UX |
|---|---|---|
| clean | score < 0.25 | Green / pass |
| notable | 0.25 ≤ score < 0.50 | Yellow / show findings drawer |
| elevated | 0.50 ≤ score < 0.70 | Orange / encourage manual review |
| severe | score ≥ 0.70 | Red / route to senior reviewer |
These thresholds map to the historical config.thresholds.flag / config.thresholds.block values, which are still settable on ScanConfig (flag = 0.25, block = 0.70 by default): flag is the clean/notable boundary and block is the elevated/severe boundary. Setting them no longer changes which files BLOCK; it only changes how the score is labelled if you display bands in a UI.
How to apply (UI-only, not enforcement)
```python
# These set the *labels* the band-renderer uses. They do NOT decide which
# files get blocked; see concepts/risk-scoring.md for the actual verdict
# rules.
config.thresholds.flag = 0.25
config.thresholds.block = 0.70
```
If you want a file to be blocked, ensure at least one of its findings carries verdict_class = BLOCK. The detectors that emit BLOCK-class findings are documented in Risk Scoring & Verdict Model.
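The decoupling described above, shown end to end. This is an added example and not the project's own code: the Thresholds, Finding and ScanResult classes are assumptions shaped after the page's ScanConfig.thresholds and verdict_class fields, the 0.50 notable/elevated boundary is given its own band-only setting because the page names no ScanConfig field for it, and the verdict precedence (any BLOCK-class finding blocks, otherwise any FLAG-class finding flags, otherwise ALLOW) is assumed beyond what the page states for BLOCK. The detector names in the sample findings are placeholders.

```python
"""Band labels vs. verdict: two independent outputs of one scan result.

Added example; the Thresholds/Finding/ScanResult shapes are assumptions that
mimic the page's ScanConfig.thresholds and verdict_class fields, not the
project's own types. The 0.50 notable/elevated boundary is a band-only
setting here; the page does not name a ScanConfig field for it.
"""
from dataclasses import dataclass, field
from enum import Enum


class VerdictClass(Enum):
    ALLOW = "ALLOW"
    FLAG = "FLAG"
    BLOCK = "BLOCK"


@dataclass(frozen=True)
class Thresholds:
    flag: float = 0.25      # clean -> notable (ScanConfig default on the page)
    elevated: float = 0.50  # notable -> elevated (assumed, band-only)
    block: float = 0.70     # elevated -> severe (ScanConfig default on the page)

    def __post_init__(self):
        # Reject orderings that would make the band ladder ambiguous.
        if not 0.0 <= self.flag < self.elevated < self.block <= 1.0:
            raise ValueError("need 0 <= flag < elevated < block <= 1")


@dataclass(frozen=True)
class Finding:
    detector: str
    verdict_class: VerdictClass


@dataclass
class ScanResult:
    risk_score: float
    findings: list = field(default_factory=list)


def band_label(risk_score, thresholds=Thresholds()):
    """Dashboard band for a score; lower bounds inclusive, matching the table."""
    if not 0.0 <= risk_score <= 1.0:
        raise ValueError(f"risk_score out of range: {risk_score}")
    if risk_score >= thresholds.block:
        return "severe"
    if risk_score >= thresholds.elevated:
        return "elevated"
    if risk_score >= thresholds.flag:
        return "notable"
    return "clean"


def verdict(result):
    """Verdict from finding classes only. Assumed precedence: any BLOCK-class
    finding blocks; otherwise any FLAG-class finding flags; otherwise ALLOW.
    The score is deliberately not consulted."""
    classes = {f.verdict_class for f in result.findings}
    if VerdictClass.BLOCK in classes:
        return VerdictClass.BLOCK
    if VerdictClass.FLAG in classes:
        return VerdictClass.FLAG
    return VerdictClass.ALLOW


def summarise(result, thresholds=Thresholds()):
    """What a UI row would show: the band is cosmetic, the verdict gates."""
    return {"band": band_label(result.risk_score, thresholds),
            "verdict": verdict(result).value}


# Constructed inputs (placeholder detector names) showing the two outputs
# disagreeing in both directions.
HIGH_SCORE_NO_BLOCKER = ScanResult(0.95, [Finding("heuristic_x", VerdictClass.FLAG)])
LOW_SCORE_WITH_BLOCKER = ScanResult(0.10, [Finding("detector_y", VerdictClass.BLOCK)])

if __name__ == "__main__":
    print(summarise(HIGH_SCORE_NO_BLOCKER))   # severe band, FLAG verdict
    print(summarise(LOW_SCORE_WITH_BLOCKER))  # clean band, BLOCK verdict
    # Raising block to 0.99 relabels the band but leaves the verdict unchanged.
    print(summarise(HIGH_SCORE_NO_BLOCKER, Thresholds(block=0.99)))
```

The third call is the case to keep in mind when someone tunes thresholds expecting fewer blocks: the severe band disappears from the dashboard, but a file with a BLOCK-class finding is still blocked and a file without one still is not.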
Re-run scripts/calibrate_thresholds.py whenever your benchmark corpus changes if you want the band boundaries to track its statistics.