CAL Global Threat Score
  • 16 Dec 2025

Overview

The CAL™ Global Threat Score provides a globally informed, baseline reputation score for Indicators in ThreatConnect® and Polarity by analyzing aggregated and anonymized intelligence from across the broader security community. This article explains the following:

  • What the CAL Global Threat Score represents
  • How the CAL Global Threat Score is derived at a conceptual level
  • Why this scoring system is designed to be trustworthy and resilient
  • How analysts should use the CAL Global Threat Score safely and effectively within investigations, prioritization, and automation

The CAL Global Threat Score is designed to support analyst decision-making, not replace it. It is most effective when used in combination with additional context, enrichment, and customer-specific intelligence.

Before You Start

User Roles

  • To view the CAL Global Threat Score for Indicators in your Organization, your user account can have any Organization role.
  • To view the CAL Global Threat Score for Indicators in a Community or Source, your user account can have any Community role except Banned for that Community or Source.

Prerequisites

  • To view the CAL Global Threat Score for Indicators in your ThreatConnect owners, enable CAL for your ThreatConnect instance and in your Organization:
    • To enable CAL for your ThreatConnect instance, select the CALEnabled checkbox on the Settings tab of the System Settings screen (must be a System Administrator to perform this action).
    • To enable CAL in your Organization, edit your Organization on the Organizations tab of the Account Settings screen and select the Enable CAL Data checkbox on the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
  • Verify that your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On Premises instance).
  • To view the CAL Global Threat Score information for Indicators in Polarity, install and configure the ThreatConnect CAL Integration with Polarity.

What Is the CAL Global Threat Score?

The CAL Global Threat Score is a 0–1000 baseline reputation score assigned to Indicators in ThreatConnect and Polarity by the Collective Analytics Layer (CAL). The score represents CAL’s current assessment of an Indicator based on a wide range of globally observed signals, including reporting, activity, prevalence, and contextual intelligence. Rather than acting as a static verdict, the score reflects the current state of global intelligence as it evolves over time.

Key characteristics of the CAL Global Threat Score include the following:

  • It is globally informed, leveraging anonymized data across many customers.
  • It is continuously updated as new intelligence becomes available.
  • It is designed to be comparable across Indicator types.
  • It serves as a baseline reputation score, not a confirmation of maliciousness.

A higher CAL Global Threat Score indicates stronger risk-related signals, while a lower CAL Global Threat Score indicates fewer or weaker risk-related signals. Neither extreme should be interpreted in isolation. CAL Indicator enrichments are composed of multiple data dimensions that describe an Indicator’s context, behavior, and reputation and are provided with the CAL Global Threat Score for additional context.

Score Ranges

CAL Global Threat Scores are categorized into the following ranges:

  • Low: 0–200
  • Medium: 201–500
  • High: 501–800
  • Critical: 801–1000

These ranges provide a consistent way to interpret the magnitude of CAL Global Threat Scores across Indicators. They are intended to support prioritization and investigation rather than serve as absolute classifications.

The following are important considerations to bear in mind when interpreting CAL Global Threat Score ranges:

  • A Critical score does not mean that an Indicator is confirmed to be malicious.
  • A Low score does not mean that an Indicator is safe or benign.
  • CAL Global Threat Scores should always be evaluated alongside additional context, enrichment, and customer-specific intelligence.

How the CAL Global Threat Score Works

The CAL Global Threat Score is derived from many independent inputs, referred to as signals. These signals represent different ways an Indicator may appear, behave, or be referenced across the global threat intelligence community. Rather than relying on a single source or heuristic, CAL evaluates multiple categories of signals together and applies safeguards to ensure an Indicator’s CAL Global Threat Score remains stable, explainable, and resistant to noise.

An important design principle of CAL is that scoring logic is Indicator-type aware. While all Indicators share the same high-level scoring framework, the specific signals evaluated and how they are interpreted vary by Indicator type, ensuring relevance and accuracy.

Independent Signals

CAL evaluates Indicators using a wide range of independent signals. Each signal provides a different perspective on risk, behavior, or context. The signals used to evaluate an Indicator depend on the type of Indicator. For example, CAL evaluates network indicators, domains, and files using different combinations of behavioral, structural, and contextual signals that are appropriate to each type.

Examples of signal categories include the following:

  • Reporting from open-source intelligence (OSINT) feeds
  • Observed activity across participating ThreatConnect and Polarity customers
  • Prevalence and rarity within the global dataset
  • Structural or behavioral characteristics of an Indicator
  • Reputation and enrichment context
  • Community-provided false-positive feedback

No single signal is sufficient on its own to determine an Indicator’s CAL Global Threat Score. The CAL Global Threat Score reflects the combined influence of many signals evaluated together.

Balancing Positive and Negative Signals

By design, CAL incorporates both risk-increasing and risk-reducing signals when evaluating Indicators to determine their CAL Global Threat Score.

Risk-increasing signals may indicate the following conditions:

  • Malicious or suspicious reporting
  • Unusual behavioral patterns
  • Elevated or unexpected activity

Risk-reducing signals may indicate the following conditions:

  • Known-good or trusted context, such as Indicators associated with widely used services or benign infrastructure
  • Benign usage patterns observed across customers
  • Community false-positive reports

By explicitly considering known-good context alongside risk signals, CAL avoids treating all activity as inherently malicious and reduces the likelihood of persistent false positives.

Guardrails and Score Stability

The CAL Global Threat Score is designed to be responsive without being volatile. To achieve this, CAL applies multiple guardrails during score evaluation, including the following:

  • Bounded signal influence: Individual signals have limits on how much they can affect the score.
  • Diminishing returns: Repeated observations of the same signal have decreasing impact.
  • Temporal smoothing: Scores may increase rapidly in response to strong new risk signals, while risk decays more gradually as intelligence loses relevance over time, depending on Indicator type.
  • Capped activity amplification: High levels of activity are considered, but cannot overwhelm other contexts.

Guardrails are applied consistently across Indicator types, while still allowing each Indicator type to be evaluated using the signals most relevant to it.
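
The four guardrails above can be seen interacting in a toy model. This is an added example, not CAL's scoring logic (which this article does not disclose); the log-based growth, weights, caps, rates, and timeline are all constructed assumptions.

```python
import math

# All constants are constructed for illustration; the article does not publish
# CAL's real weights, caps or decay rates.
SCORE_MAX = 1000
SIGNAL_CAP = 300     # bounded signal influence (points, either direction)
ACTIVITY_CAP = 150   # capped activity amplification
RISE_RATE = 0.8      # share of the gap closed per update when risk rises
DECAY_RATE = 0.1     # share of the gap closed per update when risk falls

def signal_points(weight, observations):
    """Diminishing returns via log growth, then clamp to +/- SIGNAL_CAP."""
    raw = weight * math.log1p(observations)
    return max(-SIGNAL_CAP, min(SIGNAL_CAP, raw))

def target_score(signals, activity_count=0):
    """signals: list of (weight, observations); negative weight reduces risk."""
    total = sum(signal_points(w, n) for w, n in signals)
    total += min(ACTIVITY_CAP, 20 * math.log1p(activity_count))
    return max(0.0, min(float(SCORE_MAX), total))

def smooth(previous, target):
    """Temporal smoothing: rise quickly, decay gradually."""
    rate = RISE_RATE if target > previous else DECAY_RATE
    return previous + rate * (target - previous)

def simulate(timeline, start=0.0):
    """Apply smoothing across successive updates; returns the score after each."""
    scores, current = [], start
    for signals, activity in timeline:
        current = smooth(current, target_score(signals, activity))
        scores.append(round(current))
    return scores

# Constructed timeline: a burst of malicious reporting, then the reporting
# ages out while a community false-positive signal (negative weight) arrives.
TIMELINE = [
    ([(120, 5)], 10),             # 5 reports, light activity
    ([(120, 500)], 1_000_000),    # flood of repeated reports and activity
    ([(120, 0), (-80, 3)], 10),   # reports expired, 3 false-positive reports
    ([(120, 0), (-80, 3)], 10),
]

if __name__ == "__main__":
    print(simulate(TIMELINE))
```

In this model, a hundredfold increase in reports only moves the score from 210 to 402 because both caps bind, and the score then steps down slowly even though the raw target has dropped to zero.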

Indicator Types Supported by CAL Global Threat Score

CAL creates a CAL Global Threat Score for a wide range of Indicator types commonly used in cyber threat intelligence (CTI) workflows. While all Indicator types share the same high-level scoring framework, each type is evaluated using signals and context appropriate to its characteristics and risk patterns.

CAL Global Threat Score is provided for the following Indicator types:

  • IP addresses (Address)
  • Domains and hosts (Host)
  • URLs (URL)
  • Email addresses (Email Address)
  • Files and file hashes (File)
  • Autonomous System Numbers (ASNs) (ASN)
  • CIDR ranges (CIDR)
  • Registry keys (Registry Key)
  • Mutexes (Mutex)
  • User agents (User Agent)

The CAL Global Threat Score is designed to be comparable across Indicator types, enabling analysts to prioritize and investigate diverse Indicators using a consistent scoring scale. At the same time, the underlying signals used to calculate the score vary by Indicator type, ensuring accuracy, relevance, and meaningful interpretation.

Impact Factors: Understanding Score Drivers

CAL provides Impact Factors, which give insight into why an Indicator has its current CAL Global Threat Score. They highlight key signals that contributed to recent score changes or that meaningfully influence the Indicator’s current reputation. Impact Factors are intended to improve transparency and support analyst interpretation, not to expose internal scoring logic.

Some Impact Factors originate from enrichment-focused feeds that provide additional analytical context about an Indicator. These enrichment signals may describe malicious or suspicious characteristics reported by their sources, but they do not, on their own, represent a definitive consensus of maliciousness within CAL.

Enrichment-focused feeds are evaluated differently from customer-facing OSINT feeds when assessing signal strength and confidence. Their purpose is to add context and nuance rather than to determine risk independently.

CAL Global Threat Score and Indicator Status

The CAL Global Threat Score and Indicator Status are closely related, but serve different purposes.

  • The CAL Global Threat Score provides a continuous baseline reputation score.
  • Indicator Status provides an actionable recommendation used to reduce noise and guide workflows.

How CAL Global Threat Scores Change Over Time

CAL Global Threat Scores evolve as new intelligence becomes available and older signals lose relevance. Score changes are expected behavior and reflect how the threat landscape shifts over time.

Common reasons an Indicator’s CAL Global Threat Score may change include the following:

  • Changes in analyst interaction, observed activity, and false positive feedback:
  • Shifts in global prevalence. Global prevalence reflects how widely an Indicator appears across the CAL dataset. As Indicators become more or less common over time, their risk profile may change. CAL accounts for these shifts to avoid overvaluing either extremely rare or overly common Indicators without supporting context.
  • Aging or expiration of older data. CAL places greater emphasis on recent intelligence. Older signals gradually lose influence as they become less representative of an Indicator’s current behavior. This focus on recency prevents Indicators from being permanently scored based on outdated activity.

CAL Global Threat Score changes reflect the current intelligence landscape, not a retroactive reassessment of past behavior.

As CAL has expanded beyond platform-based workflows into real-time analysis and intelligence delivery systems, ongoing work is focused on increasing the frequency at which signals are evaluated and CAL Global Threat Scores are updated. This approach ensures that the CAL Global Threat Score continues to balance freshness, stability, and trust as it is applied across a broader set of use cases.

Using the CAL Global Threat Score in Analyst Workflows

The CAL Global Threat Score is designed to support analyst workflows by providing a globally informed baseline. How the score is used, especially in automation, has a significant impact on its effectiveness and reliability.

A Baseline Score, Not a Standalone Trigger

The CAL Global Threat Score is best used as a baseline reputation score to support the following activities:

  • Indicator prioritization
  • Investigative focus
  • Contextual decision-making

As a global baseline, the CAL Global Threat Score reflects broad trends rather than customer-specific risk tolerance, environment, or asset criticality. Using the score alone as a direct trigger for large-scale alerting or blocking can amplify early or incomplete signals before sufficient context is available.

Signals and Automation

The CAL Global Threat Score is derived from a mix of proprietary intelligence, community signals, and OSINT sources. While all intelligence sources can contain incomplete or evolving data, OSINT sources may provide early or less-curated signals.

CAL is designed to balance these inputs through multiple independent signals and guardrails. However, when customers apply automation at scale, relying solely on a global baseline score can amplify early or incomplete signals before sufficient local context is available.

For this reason, automation built on CAL Global Threat Scores should incorporate personalized scoring layers that reflect a customer’s specific environment, risk tolerance, and intelligence sources. One example of this layered approach is ThreatAssess, which builds on the CAL Global Threat Score by incorporating customer-owned feeds, local context, and analyst input to produce a more refined, customer-specific score. This model enables customers to leverage global intelligence while maintaining local control, empowering them to make informed decisions for triggering alerts, blocking, or response actions.
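
One way to gate automation on the CAL Global Threat Score plus local context is sketched below. This is an added example, not ThreatConnect code and not how ThreatAssess computes its score; the LocalContext fields, action names, and decision order are assumptions, and only the score ranges come from this article.

```python
from dataclasses import dataclass

# Score ranges as listed in this article (inclusive upper bounds).
RANGES = [(200, "Low"), (500, "Medium"), (800, "High"), (1000, "Critical")]


@dataclass
class LocalContext:                      # hypothetical customer-side fields
    on_allowlist: bool = False           # known-good in this environment
    marked_false_positive: bool = False  # analyst flagged the Indicator as FP
    analyst_confirmed: bool = False      # analyst confirmed it as malicious
    local_sightings: int = 0             # matches in the customer's telemetry


def score_range(score):
    """Map a 0-1000 CAL Global Threat Score to its range label."""
    if not 0 <= score <= 1000:
        raise ValueError(f"CAL score out of range: {score}")
    return next(label for upper, label in RANGES if score <= upper)


def decide(score, ctx):
    """Return (action, reason). The global score alone never yields 'block'."""
    band = score_range(score)
    if ctx.on_allowlist or ctx.marked_false_positive:
        return "no_action", f"{band} score overridden by local known-good context"
    if ctx.analyst_confirmed:
        # A Low score is not proof of safety: local confirmation still wins.
        return "block", f"{band} score, confirmed malicious by an analyst"
    elevated = band in ("High", "Critical")
    if elevated and ctx.local_sightings > 0:
        return "alert", f"{band} score with {ctx.local_sightings} local sighting(s)"
    if elevated:
        # A Critical score is not a confirmation: queue it, do not block.
        return "investigate", f"{band} score without local corroboration"
    if ctx.local_sightings > 0:
        return "investigate", f"{band} score but seen locally"
    return "monitor", f"{band} score and no local activity"


if __name__ == "__main__":
    # Constructed cases: same global score, different local context.
    print(decide(950, LocalContext()))
    print(decide(950, LocalContext(local_sightings=3)))
    print(decide(120, LocalContext(analyst_confirmed=True)))
```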

CAL Global Threat Score Across Products

The CAL Global Threat Score is calculated using the same underlying logic regardless of where it is accessed, including the following products:

  • ThreatConnect
  • Polarity
  • Dataminr Pulse
  • Integrations and APIs

Differences in the CAL Global Threat Score between products reflect how the score is presented and integrated into workflows, not differences in scoring behavior. This consistency ensures that analysts see the same intelligence outcome whether they encounter an Indicator during investigation, enrichment, or real-time analysis.


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20179-01 v.01.A

