Introducing the Global Cyber Threat Index (GCTI)
Every major cybersecurity vendor publishes some form of threat index. Quarterly reports, monthly threat barometers, annual risk scores. What they share is a fundamental problem: the underlying data is proprietary, the methodology is opaque, and the numbers are unverifiable. You cannot reproduce them. You cannot audit them. You cannot know whether the index moved because the threat landscape changed or because the vendor updated their classification rules last Tuesday.
SATIS solves this with the Global Cyber Threat Index — GCTI — a composite real-time cybersecurity risk index computed exclusively from blockchain-verified threat data, using a public formula, with every input available for independent verification.
A Five-Component Formula
GCTI runs on a 0–100 scale with five bands: Low (0–20), Guarded (21–40), Elevated (41–60), High (61–80), and Critical (81–100). The composite is a weighted sum of five components:
C_vol — Threat Volume (30%): Current active threat count normalized against the 30-day rolling baseline. When threat volume triples relative to baseline, this component saturates at 100. A quiet day below baseline scores near zero. This is the heaviest-weighted component because raw volume is the strongest leading indicator of a broad campaign in progress.
C_sev — Severity Distribution (25%): A weighted average of active threat severities, where Critical=1.0, High=0.75, Medium=0.5, and Low=0.25. This component distinguishes between a high-volume scan-and-spray campaign of low-severity probes versus a concentrated wave of critical threats targeting production infrastructure.
C_vel — Velocity (20%): The coefficient of variation of hourly threat counts over the last 24 hours. A steady trickle of threats produces low velocity. A threat landscape that spikes 800% in a two-hour window and then quiets down produces high velocity — which is often the signature of a coordinated campaign launch. Velocity catches what raw volume misses: the shape of the threat arrival pattern.
C_div — Source ASN Diversity (15%): Shannon entropy of the source ASN distribution across active threats. A single botnet generating 10,000 threats from one ASN scores low on diversity — the attack is concentrated. Threats originating from 200 distinct ASNs across six continents score high — that's a broadly distributed campaign or simultaneous exploitation across many independent actors. Diversity characterizes the nature of the threat, not just its size.
C_nov — Novelty (10%): The ratio of IPs new to the SATIS database in the last 24 hours relative to total active threats. High novelty means attackers are cycling through fresh infrastructure, which correlates with active campaigns using unburned assets. Low novelty means the platform is mostly tracking persistent bad actors already in the database.
The full formula:
GCTI = 0.30·C_vol + 0.25·C_sev + 0.20·C_vel + 0.15·C_div + 0.10·C_nov
Why Blockchain Attestation Changes Everything
Every threat data point that feeds GCTI is a MultiChain blockchain transaction. When an IP is published to the SATIS threats stream, it is permanently recorded on a permissioned blockchain with a block timestamp, a block height, and cryptographic continuity linking it to every block before and after. No one — not Setec Astronomy, not a node operator, not anyone — can alter that history retroactively without invalidating the entire chain.
This means GCTI is reproducible. Given any historical timestamp, anyone with a node on the SATIS network can reconstruct the exact set of threats that were active at that moment and compute the GCTI value that would have resulted. The formula is public. The inputs are on-chain. The output follows deterministically.
Compare this to any vendor threat index published today. Can you reproduce last quarter's reading? Can you verify that the number you see tomorrow is computed the same way as the number from six months ago? In almost every case, the answer is no.
The Financial Derivative Angle
The GCTI design was deliberately influenced by the architecture of financial volatility indices like the VIX — indices that became underliers for derivatives markets. VIX-based options and futures exist because the VIX is computed from a transparent, reproducible formula applied to publicly observable market data.
GCTI has the same structural property, applied to cybersecurity: a deterministic formula, applied to tamper-resistant on-chain inputs, producing a continuous scalar index. This makes GCTI a credible candidate underlier for cybersecurity derivatives — instruments that would allow organizations to hedge against broad increases in the threat landscape, or insurers to price policies against index-correlated cyber events.
No existing cybersecurity index has this property. The ones that are published are not reproducible. The ones that are reproducible are not real-time. GCTI is both.
Live on the Dashboard
GCTI appears on the /dashboard page as a composite gauge bar with a breakdown of all five components. It updates every 60 seconds. The gauge shows both the current score and the current band, and the component bars let you see at a glance which factors are driving the index — whether it's a volume surge, a severity spike, or an unusual novelty ratio indicating fresh attacker infrastructure.
The API is available at GET /api/v1/gcti — no authentication required. The response includes the current GCTI score, band, all five component values, the active threat count, and the formula_spec field, which documents the exact formula and component weights used to compute the index. There is no black box. The /api/v1/gcti response contains everything needed to verify or reproduce the computation.
Historical backtest data is available at GET /api/v1/gcti/history?days=30 for admin API keys, grouping the threat record by publication date to reconstruct what GCTI would have read on each of the past 30 days.
The formula spec is public. The data is on-chain. The computation is open. That combination has not existed in cybersecurity risk measurement before.
Back to Blog