
Multi-Source Threat Scoring: How We Separate Signal from Noise

Not all threat reports are created equal. A single fail2ban ban on one server is informative but could be a false positive. That same IP appearing in AbuseIPDB, Spamhaus DROP, and three of your peers' fail2ban logs? That's a genuine bad actor.

Today we're releasing multi-source threat scoring — an automatic confidence adjustment engine that weighs incoming threat reports against what we already know about a target.

The Problem with Flat Confidence

Most threat feeds assign a static confidence score when an indicator is published. An IP flagged by AbuseIPDB might arrive with confidence 95, while a fail2ban ban comes in at 80. But a flat score ignores corroboration: independent sources agreeing on the same indicator is one of the strongest signals in threat intelligence.

If five independent sources report the same IP within 24 hours, the real confidence should be much higher than any single source's rating.

How SATIS Scoring Works

When a new threat is published via the API, SATIS checks the blockchain for existing reports against the same target and adjusts the incoming confidence in three steps:

  1. Source reliability weights — Each source carries a quality weight based on its historical accuracy:
     - Spamhaus DROP: 0.95 (curated by experts)
     - fail2ban: 0.85 (direct observation)
     - AbuseIPDB: 0.80 (community-validated)
     - Emerging Threats: 0.80 (Proofpoint-curated)
     - Blocklist.de: 0.75 (aggregated fail2ban)
     - CINS Army: 0.75 (Sentinel IPS community)
     - AlienVault OTX: 0.70 (community pulses)

  2. Corroboration boost — For each additional independent source that reported the same target, confidence gets a bump scaled by that source's weight. Repeat reports from the same feed do not count; only distinct sources do. Two sources might push confidence from 80 to 88; four sources could push it to 95+.

  3. Ceiling at 99 — We never assign 100% confidence. Even the best intelligence can be wrong.

The original confidence is preserved in the threat's context metadata, so you always have both the raw and adjusted values.
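As an added illustration, not SATIS's own code, the Python sketch below runs the three steps above over constructed sample reports. The source weights and the ceiling of 99 come from this post. Everything else is an assumption made for the example: the boost formula (each corroborating source closes half of the remaining gap to the ceiling, scaled by its weight), the 24-hour corroboration window, the report schema, the default weight for sources not in the table, and the treatment of customer reports as independent per submitting customer.

```python
from datetime import datetime, timedelta, timezone

CEILING = 99            # the post never assigns 100% confidence
WINDOW = timedelta(hours=24)
BOOST_FACTOR = 0.5      # assumption: each corroborating source closes this
                        # share of the gap to the ceiling, scaled by its weight
DEFAULT_WEIGHT = 0.70   # assumption: weight for sources not in the table,
                        # including customer submissions

# Source reliability weights as listed in the post
SOURCE_WEIGHTS = {
    "spamhaus-drop": 0.95,
    "fail2ban": 0.85,
    "abuseipdb": 0.80,
    "emerging-threats": 0.80,
    "blocklist.de": 0.75,
    "cins-army": 0.75,
    "alienvault-otx": 0.70,
}


def independence_key(report):
    # A feed counts once no matter how often it re-reports a target.
    # Customer reports are keyed by the submitting customer, so two customers
    # are two independent sources but one customer reporting twice is one.
    if report["source"] == "customer":
        return ("customer", report.get("reporter"))
    return (report["source"], None)


def score(new_report, existing_reports, now):
    """Adjust new_report's confidence using independent reports on the same
    target observed within WINDOW of `now`; keep the raw value in context."""
    seen = {independence_key(new_report)}
    confidence = float(new_report["confidence"])
    corroborators = []
    # Oldest first, so the result does not depend on storage order
    for r in sorted(existing_reports, key=lambda r: r["observed_at"]):
        if r["target"] != new_report["target"]:
            continue
        if not (timedelta(0) <= now - r["observed_at"] <= WINDOW):
            continue  # stale (or future-dated) report: no corroboration
        key = independence_key(r)
        if key in seen:
            continue  # same feed or same customer again: not independent
        seen.add(key)
        weight = SOURCE_WEIGHTS.get(r["source"], DEFAULT_WEIGHT)
        confidence += (CEILING - confidence) * weight * BOOST_FACTOR
        corroborators.append(r["source"])
    scored = dict(new_report)
    scored["confidence"] = min(CEILING, int(round(confidence)))
    scored["context"] = {
        **new_report.get("context", {}),
        "original_confidence": new_report["confidence"],  # raw value preserved
        "corroborating_sources": corroborators,
    }
    return scored


# Constructed sample data (203.0.113.0/24 is a documentation range)
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
TARGET = "203.0.113.45"


def _report(source, confidence, hours_ago, reporter=None):
    return {"target": TARGET, "source": source, "confidence": confidence,
            "reporter": reporter, "observed_at": NOW - timedelta(hours=hours_ago)}


NEW = _report("fail2ban", 80, 0)

HISTORY_ONE = [
    _report("abuseipdb", 95, 3),         # the one real corroborator
    _report("fail2ban", 80, 1),          # same feed again: not independent
    _report("spamhaus-drop", 90, 30),    # outside the 24h window
]
HISTORY_MANY = HISTORY_ONE + [
    _report("emerging-threats", 85, 5),
    _report("spamhaus-drop", 90, 6),
]
HISTORY_CUSTOMERS = [
    _report("customer", 70, 2, reporter="cust-a"),
    _report("customer", 70, 1, reporter="cust-a"),   # duplicate customer
    _report("customer", 70, 4, reporter="cust-b"),
]


def demo():
    return {
        "one_source": score(NEW, HISTORY_ONE, NOW),
        "many_sources": score(NEW, HISTORY_MANY, NOW),
        "customers": score(NEW, HISTORY_CUSTOMERS, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["confidence"], result["context"])
```

With these assumptions the numbers line up with the post: one corroborating feed lifts the fail2ban report from 80 to 88, three lift it to 95, and a report that already sits at 98 settles at the 99 ceiling rather than 100. The two checks a practitioner most often forgets are visible in the loop: a feed re-reporting the same target is not new evidence, and reports older than the window are skipped rather than silently counted.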

Correlation Analysis

The new correlation endpoint lets you see which targets are reported by the most sources:

curl -H "Authorization: Bearer tck_your_key" \
     "https://setecastronomyinc.com/api/v1/threats/correlation"

This returns multi-source targets (IPs reported by 2+ independent feeds), high-confidence targets, and per-source reliability statistics. It's useful for identifying the most widely corroborated actors in the current threat landscape.

Customer Threat Sharing

Alongside scoring, we've opened up customer threat sharing. Authenticated customers can now publish threats they've observed in their own infrastructure:

curl -X POST -H "Authorization: Bearer tck_your_key" \
     -H "Content-Type: application/json" \
     -d '{"target": "203.0.113.45", "category": "brute-force", "severity": "high"}' \
     "https://setecastronomyinc.com/api/v1/customer/threats"

Customer-submitted threats have safety limits (they are never escalated to a BGP blackhole and carry at most a 24-hour TTL) and are tagged with source: "customer" so you can filter accordingly. When multiple customers report the same IP, the scoring engine boosts confidence, turning individual observations into collective intelligence.
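The server-side guardrails just described, as an added example rather than the service's own code: it accepts a payload shaped like the curl call above, caps the TTL at 24 hours, refuses a BGP blackhole, and forces source to "customer" so a submitter cannot masquerade as a higher-weighted feed. The post names only target, category and severity; the field names action and ttl_seconds, the severity vocabulary, and the rejection of private, loopback, link-local and multicast targets are assumptions made here.

```python
import ipaddress

MAX_TTL_SECONDS = 24 * 3600             # post: customer reports carry at most a 24-hour TTL
FORBIDDEN_ACTIONS = {"bgp-blackhole"}   # post: no BGP blackhole for customer reports
DEFAULT_ACTION = "block"                # assumption
SEVERITIES = {"low", "medium", "high", "critical"}  # assumption

# Assumption: address space a customer must never be allowed to publish as a
# threat. Documentation ranges such as 203.0.113.0/24 are deliberately not
# listed so the post's own example target is accepted.
REJECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def check_target(value):
    """Parse a single IP address and refuse ones nobody should be blocking."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError("target must be a single IP address") from exc
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"target {ip} is not a routable host address")
    if any(ip in net for net in REJECTED_NETWORKS):
        raise ValueError(f"target {ip} is in private address space")
    return str(ip)


def sanitize_customer_threat(payload, customer_id):
    """Return a record that is safe to publish, or raise ValueError."""
    if not isinstance(payload.get("category"), str) or not payload["category"]:
        raise ValueError("category is required")
    if payload.get("severity") not in SEVERITIES:
        raise ValueError("severity must be one of " + ", ".join(sorted(SEVERITIES)))
    action = payload.get("action", DEFAULT_ACTION)
    if action in FORBIDDEN_ACTIONS:
        raise ValueError(f"action {action!r} is not available to customer reports")
    ttl = int(payload.get("ttl_seconds", MAX_TTL_SECONDS))
    if ttl <= 0:
        raise ValueError("ttl_seconds must be positive")
    return {
        "target": check_target(payload.get("target", "")),
        "category": payload["category"],
        "severity": payload["severity"],
        "action": action,
        "ttl_seconds": min(ttl, MAX_TTL_SECONDS),   # clamp; never trust the client's TTL
        "source": "customer",                       # always, whatever the client sent
        "reporter": customer_id,                    # taken from the API key, not the body
    }


# Constructed inputs for the demo (198.51.100.0/24 is a documentation range)
CASES = {
    "as_documented": {"target": "203.0.113.45", "category": "brute-force", "severity": "high"},
    "long_ttl": {"target": "198.51.100.7", "category": "scanning", "severity": "medium",
                 "ttl_seconds": 7 * 24 * 3600},
    "spoofed_source": {"target": "198.51.100.8", "category": "spam", "severity": "low",
                       "source": "spamhaus-drop"},
    "blackhole": {"target": "198.51.100.9", "category": "ddos", "severity": "critical",
                  "action": "bgp-blackhole"},
    "private_ip": {"target": "10.0.0.5", "category": "brute-force", "severity": "high"},
}


def demo(customer_id="cust-a"):
    """Map each case name to its sanitized record or the rejection message."""
    out = {}
    for name, payload in CASES.items():
        try:
            out[name] = sanitize_customer_threat(payload, customer_id)
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The source override is the check that matters most for the scoring engine: a client-supplied source of "spamhaus-drop" would otherwise inherit that feed's 0.95 weight. The reporter is taken from the authenticated caller rather than the body for the same reason, since that is what lets two customers count as two independent sources while one customer submitting twice counts once.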

The Network Effect

This is where SATIS gets interesting. Every new source of intelligence makes every existing source more valuable. A fail2ban ban on its own is informative. A fail2ban ban corroborated by AbuseIPDB, Emerging Threats, and two SATIS customers? That's actionable with high confidence.

The more organizations that participate, the faster bad actors are identified and the higher the confidence. It's a flywheel.

Threat scoring is automatic and available on all plans. The correlation endpoint requires an API key.

