Risk is a shared vocabulary across all three entities in Pulsedive, but it works differently depending on the entity. This section covers the risk levels Pulsedive uses and how risk rolls up from indicators into threat and feed summaries. To learn how risk is determined and overridden on each entity, refer to the Indicators, Threats, and Feeds sections.

Risk Levels

Pulsedive uses six risk levels across its data:
| Level | Meaning |
| --- | --- |
| unknown | Pulsedive hasn’t assessed risk yet, either because there isn’t enough data or the data available doesn’t point to an elevated or reduced risk level |
| none/very low | Pulsedive’s assessment points to benign activity |
| low | Pulsedive has identified a small number of risk factors, or risk factors with limited severity |
| medium | Pulsedive has identified a moderate number of risk factors, or risk factors with moderate severity |
| high | Pulsedive has identified a substantial number of risk factors, or risk factors with high severity |
| critical | Pulsedive has identified risk factors with the highest severity, strongly indicating malicious activity |

Retired indicators carry a retired status in place of a risk level in summary contexts.

Risk Distributions

Feeds don’t carry a directly assigned risk score. Threats can: you can assign a risk score to a threat directly, independent of its linked indicators. Both threats and feeds also surface risk distributions: breakdowns of indicator risk levels across all linked indicators. A risk distribution tells you the count of linked indicators at each risk level, giving you a high-level read on the severity profile of a threat’s or feed’s associated activity. For a threat, this distribution exists alongside its own assigned risk score, not instead of it. You can retrieve a risk distribution as a flat total count or split by risk level using the splitrisk parameter.

How Risk Is Determined

Risk works differently across the three entity types.

Indicators

Pulsedive calculates a risk score for each indicator automatically. The system-recommended score (risk_recommended) reflects Pulsedive’s evaluation based on observed data and risk factors. The active score (risk) is what the indicator currently carries, which may match the recommendation or reflect a manual override. When manualrisk is set, a manual override has replaced the system-recommended score. Risk factors (riskfactors) are human-readable explanations that describe why an indicator received its score.

Contributors and admins can override an indicator’s risk in several ways:
  • Through feed configuration
  • Through bulk management in Explore
  • By editing an indicator directly
  • Through individual or bulk submission via Analyze
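
The roll-up described under Risk Distributions and the risk, risk_recommended and manualrisk fields described above, worked through as an added example (not Pulsedive's own code). The record shape, the `indicator` and `retired` keys, the `none` and `very low` spellings and the function names are assumptions made for illustration, and the sample records are constructed.

```python
from collections import Counter

# The six levels from the Risk Levels table; everything after "unknown" is ordered.
LEVELS = ["unknown", "none/very low", "low", "medium", "high", "critical"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS[1:])}
# Assumption: a record may spell the benign level as "none" or "very low".
ALIASES = {"none": "none/very low", "very low": "none/very low"}

def normalize(value):
    """Map a raw risk value onto one of the six levels (unrecognized -> unknown)."""
    value = ALIASES.get(value, value)
    return value if value in LEVELS else "unknown"

def risk_distribution(indicators, split=True):
    """Count linked indicators per level; retired status replaces the risk level."""
    counts = Counter(
        "retired" if ind.get("retired") else normalize(ind.get("risk"))
        for ind in indicators
    )
    if not split:  # flat total, as opposed to the per-level split
        return sum(counts.values())
    return {lvl: counts.get(lvl, 0) for lvl in LEVELS + ["retired"]}

def downgraded_overrides(indicators):
    """Audit check: manual overrides that sit below the system recommendation."""
    flagged = []
    for ind in indicators:
        if not ind.get("manualrisk"):
            continue
        active = RANK.get(normalize(ind.get("risk")))
        recommended = RANK.get(normalize(ind.get("risk_recommended")))
        # "unknown" has no rank, so it is never treated as a downgrade.
        if active is not None and recommended is not None and active < recommended:
            flagged.append(ind["indicator"])
    return flagged

# Constructed sample records using documentation-reserved names and addresses.
SAMPLE = [
    {"indicator": "a.example.com", "risk": "high", "risk_recommended": "high", "manualrisk": False},
    {"indicator": "192.0.2.10", "risk": "low", "risk_recommended": "critical", "manualrisk": True},
    {"indicator": "b.example.net", "risk": "none", "risk_recommended": "none", "manualrisk": False},
    {"indicator": "198.51.100.7", "risk": "critical", "risk_recommended": "medium", "manualrisk": True},
    {"indicator": "c.example.org", "risk": "medium", "risk_recommended": "medium", "manualrisk": False, "retired": True},
    {"indicator": "203.0.113.5", "risk": "unknown", "risk_recommended": "unknown", "manualrisk": False},
]

if __name__ == "__main__":
    print(risk_distribution(SAMPLE))
    print(risk_distribution(SAMPLE, split=False))
    print(downgraded_overrides(SAMPLE))
```

Only overrides that lower the active score are flagged, since those are the ones that can hide an indicator the system rated as more severe.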

Threats

Threat risk reflects a direct human judgment about the threat’s severity. Pulsedive assigns it manually, rather than calculating it automatically the way it calculates indicator risk. Threats carry a risk score that you assign manually; they don’t have a system-recommended score or risk factors the way that indicators do. A threat also surfaces a risk summary derived from its linked indicators, showing the distribution of risk levels across its associated activity. The threat’s own risk score and its risk summary are independent of each other: assigning or changing one doesn’t affect the other.

Feeds

Pulsedive does not assign risk directly to feeds. A feed’s risk summary reflects the distribution of risk levels across its linked indicators, giving you a quick read on the overall severity of the activity the feed tracks.