Threat object
The threat payload should describe observed indicators, confidence, and analyst-facing reasoning.
Scoring fields
- risk level
- confidence score
- weighting breakdown
- signal categories
Confidence
Confidence should reflect the support behind the signal, not just the final label.
Threat payload
{
"risk_level": "HIGH",
"confidence": 98.1,
"indicators": ["malicious_redirect", "new_domain"]
}Notes
Stable contracts
Keep the response shape consistent so both the dashboard and external consumers can use the same intelligence fields.
