Threat Intelligence

Tune CTI prioritization with CTI Modeling and Metric Weights.

Threat Foundry Blog - CTI Modeling

Threat intelligence teams rarely suffer from a lack of information. They suffer from unclear priority. One feed says a vulnerability is severe. Another says exploitation is active. A vendor advisory mentions a product your customer owns, but gives no behavior to hunt. A malware report has strong ATT&CK mapping, but only weak relevance to your environment.

Threat Foundry's Metric Weights exist for that messy middle ground. They let defenders decide which signals should move CTI to the top of the Auto Triage queue, which signals should trigger automation, and which signals should simply be tracked until more evidence appears.

The trick is not to tune weights by instinct. Use CTI Modeling and reporting to see what your intelligence program is actually learning, then tune the weights so the highest-ranked intelligence becomes useful work: CTI Intake reviews, Sigma candidates, saved hunts, triage handoffs, cases, and detection improvements.

Where Metric Weights fit in Threat Foundry

Metric Weights live in Configuration -> Threat Foundry -> Metric Weights. Each slider uses a 1-10 value. Higher values make that signal contribute more strongly to the Auto Triage priority score.

Those scores influence the daily Auto Triage brief, the Critical/High/Medium/Low severity band, and whether an item crosses the configured Automation Threshold. If OpenAI is configured, Threat Foundry passes the configured ranking profile into the AI refinement step. If AI is unavailable, deterministic scoring still uses the same weights.

Start with CTI Modeling

Open Reporting -> CTI Modeling. This dashboard is the feedback surface for CTI prioritization. It summarizes source yield, CTI review outcomes, Auto Triage records, Sigma candidates, saved hunts, triage handoffs, repeated CVEs, ATT&CK techniques, platforms, telemetry themes, vendor and product concepts, and high-value CTI.

Use it to answer operational questions before changing any slider:

  • Which sources produce reviewed CTI, Sigma candidates, hunts, or triage handoffs?
  • Which sources create Not Relevant or Not Actionable work?
  • Which CVEs, ATT&CK techniques, vendors, products, tools, and telemetry themes repeat?
  • Which high-priority items never become huntable?
  • Which low-priority items later produce useful detections or cases?

If the answer is not visible in CTI Modeling, use the operational and program reporting views to inspect saved hunt creation, triage volume, detection handoff, and investigation outcomes. Metric Weights should reflect operational yield, not just fear.

The tuning loop

A practical weekly tuning loop looks like this:

  1. Review CTI Modeling for source yield, repeated concepts, high-value CTI, and conversion.
  2. Review Auto Triage for actionable CTI and unactioned CTI.
  3. Review CTI Quality Gate outcomes: Hunt Ready, Review First, Needs Triage, and Not Actionable.
  4. Adjust one or two Metric Weights, not the whole model.
  5. Watch the next few intake cycles before changing more.

The goal is not to produce a perfect score. The goal is to make the top of the queue trustworthy enough that analysts know why they are spending time there.

Active Exploitation

Default weight: 10. Active Exploitation is the strongest default signal. It boosts reporting that mentions active exploitation, exploited in the wild, mass exploitation, zero-day, or similar language.

Raise this weight when real-world exploitation should outrank theoretical vulnerability severity. Lower it only when sources overuse exploitation language and create noisy urgency. In CTI Modeling, watch whether Active Exploitation items become Sigma candidates, saved hunts, or triage handoffs. If they mostly become Not Actionable, the feed may be too vague or the weight may be too high.

Zero-Day / No Patch

Default weight: 9. This weight boosts no patch, no fix, unpatched, mitigation only, workaround, vendor fix pending, unknown vulnerability, and zero-day language.

Raise it when your team needs early warning before patch management has a standard remediation path. Lower it when vendor alerts consistently lack exploit behavior, indicators, or telemetry guidance. CTI Quality Gate outcomes are useful here: a large Not Actionable bucket often means Zero-Day / No Patch and CVSS Score are pulling advisory-only items too high.

Ransomware / Destructive

Default weight: 9. This weight boosts ransomware, wiper, destructive activity, extortion, and data leak reporting.

Raise it for ransomware-sensitive customers, executive-risk programs, incident response retainers, or environments where business interruption is the dominant concern. Lower it if broad ransomware news summaries crowd out customer-specific CTI. Use case and triage reporting to validate whether these items are producing real investigation work.

Credential / Supply Chain

Default weight: 7. This weight boosts credential theft, credential dumping, supply chain, backdoor, espionage, breach, campaign, and phishing campaign language.

Raise it when identity compromise, SaaS abuse, vendor compromise, or third-party risk are primary concerns. Lower it if generic breach reporting outranks more concrete exploit, malware, or customer-vendor reporting. In CTI Modeling, compare this signal against ATT&CK techniques, identity telemetry themes, saved hunts, and triage handoffs.

Malware / Phishing

Default weight: 5. This boosts malware, phishing, botnet, command and control, lateral movement, persistence, privilege escalation, remote code execution, and RCE language.

Raise it for malware operations, phishing-driven intrusion, endpoint hunting, and network behavior programs. Lower it if generic malware news creates too many low-quality intake items. Useful validation points include Sigma/YARA generation, Phishing Phinder workflows, and SOC analyst triage outcomes.

ATT&CK / CVE Evidence

Default weight: 8. This weight boosts items containing ATT&CK technique IDs or CVE identifiers. It matters because structured references make downstream work easier to review, map, and automate.

Raise it when you want mapped CTI to beat vague narrative reporting. Lower it if CVE-heavy feeds rank too high without exploit detail or huntable behavior. CTI Modeling's top ATT&CK and CVE panels are the best place to see whether this weight is helping or simply amplifying references.

CVSS Score

Default weight: 7. This weight uses explicit CVSS scores in CTI text. Higher CVSS values contribute more, and CVSS 9.0 or higher can push severity toward Critical.

Raise it for vulnerability-heavy programs where severity drives exposure response. Lower it when CVSS-only advisories overwhelm the queue without exploitation, behavior, or telemetry detail. Pair this with KEV and vulnerability reporting so high CVSS does not outrank known exploitation or customer exposure.

Cross-Source Mentions

Default weight: 5. This boosts repeated concepts seen across multiple source items, such as the same CVE, ATT&CK technique, or recurring title terms.

Raise it when repeated independent reporting is a useful confidence signal. Lower it when syndication, reposting, or duplicate feeds make one story appear more important than it is. CTI Modeling's Source Yield and Not Relevant rates help identify whether repeated mentions are real signal or feed duplication.

Detection Coverage Gap

Default weight: 7. This boosts terms such as living off the land, LOLBin, fileless, encrypted C2, signed driver, BYOVD, log tampering, defense evasion, stealthy, difficult to detect, and blind spot.

Raise it when CTI is meant to drive detection engineering and telemetry improvement. Lower it if marketing-style language repeatedly produces low-value review work. Validate the setting against Sigma candidates, saved hunt notes, detection handoff reports, and telemetry readiness gaps.

Recency

Default weight: 6. Recency boosts newly ingested and recently ingested source items. Items from the last day receive the strongest lift, items within seven days receive less, and items within thirty days receive a smaller boost.

Raise it when daily response tempo matters more than backlog review. Lower it when older but more relevant items are being buried too quickly. Use the Auto Triage brief and CTI conversion over time to see whether fresh items are actually turning into useful work.

Source Priority

Default weight: 4. Source Priority uses each CTI source's configured priority. Higher-priority sources add more score.

Raise it only after CTI Modeling shows that certain sources consistently produce reviews, Sigma candidates, hunts, or triage. Lower it if one noisy source dominates the queue. Source Yield is the main evidence view for this weight.

Selected Vertical Match

Default weight: 6. This boosts CTI that matches selected industry verticals in the Threat Foundry ranking profile.

Raise it for customer-specific programs where healthcare, finance, government, manufacturing, energy, education, or another vertical should influence priority. Lower it if broad vertical keywords rank loosely related articles too highly. CTI Modeling's vertical concepts and high-value CTI sections help validate whether the selected verticals are useful.

Priority Vendor Match

Default weight: 8. This boosts CTI that mentions configured Priority Vendors / Products from Asset Classification. Matches can come from vendor names, product names, or aliases.

Raise it when customer technology exposure should strongly influence CTI ranking. This is especially useful for MSP, MSSP, consulting, and customer-specific hunt programs. Lower it if broad vendor names create false matches. The best fix is often not only changing the weight, but cleaning up aliases in the Priority Vendor list.

Automation Threshold and Threat Count

Metric Weights are not the only controls. Threat Count sets how many items appear in the priority brief. Automation Threshold sets the minimum 0-100 score before Auto Triage automation is eligible to proceed.

If the top of the queue looks good but automation is too aggressive, raise the Automation Threshold. If the queue is useful but too small, increase Threat Count. If the queue is noisy, tune weights first before expanding the list.
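To make the mechanics above concrete, here is an added illustrative scorer, not Threat Foundry's code: it turns the thirteen signals and their default weights into a 0-100 score, a severity band, and an Automation Threshold check over two constructed intake items. The keyword lists, band cut-offs, recency lift values, cross-source saturation, vendor and vertical profile, and the CVE ids (placeholders, not real identifiers) are all assumptions, since the product's real matcher is not published.

```python
import re
from datetime import date

WEIGHTS = {  # default Metric Weights from the post (each slider is 1-10)
    "active_exploitation": 10, "zero_day_no_patch": 9, "ransomware": 9, "credential_supply_chain": 7,
    "malware_phishing": 5, "attack_cve": 8, "cvss": 7, "cross_source": 5, "detection_gap": 7,
    "recency": 6, "source_priority": 4, "vertical": 6, "priority_vendor": 8}
KEYWORDS = {  # keyword families paraphrased from the post; the real matcher is not published
    "active_exploitation": ("active exploitation", "exploited in the wild", "mass exploitation"),
    "zero_day_no_patch": ("no patch", "no fix", "unpatched", "mitigation only", "workaround", "zero-day"),
    "ransomware": ("ransomware", "wiper", "extortion", "data leak"),
    "credential_supply_chain": ("credential", "supply chain", "backdoor", "phishing campaign"),
    "malware_phishing": ("malware", "phishing", "botnet", "command and control", "remote code execution"),
    "detection_gap": ("living off the land", "lolbin", "fileless", "byovd", "blind spot"),
}
BANDS = ((75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low"))  # assumed band cut-offs
TODAY, VENDORS, VERTICALS = date(2024, 6, 10), ("examplevendor",), ("healthcare",)  # constructed profile
CVE_COUNTS = {"CVE-0000-00001": 3}  # placeholder CVE id seen in three source items (count includes itself)
ITEMS = [  # constructed intake items; CVE ids are placeholders, not real identifiers
    {"text": "CVE-0000-00001 in ExampleVendor Firewall: active exploitation in the wild, no patch, CVSS 9.8",
     "ingested": date(2024, 6, 10), "source_priority": 8},
    {"text": "Vendor advisory: CVE-0000-00002 in OtherVendor Widget, CVSS 7.5, fix available",
     "ingested": date(2024, 5, 20), "source_priority": 4},
]

def signals(item):
    """Map one CTI item to a 0.0-1.0 strength per Metric Weight (illustrative model)."""
    text = item["text"].lower()
    s = {k: float(any(w in text for w in ws)) for k, ws in KEYWORDS.items()}
    cves = set(re.findall(r"CVE-\d{4}-\d{4,}", item["text"]))
    s["attack_cve"] = float(bool(cves) or bool(re.search(r"\bT\d{4}(?:\.\d{3})?\b", item["text"])))
    s["cvss"] = min(float(m.group(1)), 10.0) / 10.0 if (m := re.search(r"cvss\D{0,10}(\d{1,2}(?:\.\d)?)", text)) else 0.0
    s["cross_source"] = min(max((CVE_COUNTS.get(c, 1) - 1 for c in cves), default=0), 3) / 3.0  # saturates at 3
    age = (TODAY - item["ingested"]).days  # 1-day / 7-day / 30-day lift as described; lift values assumed
    s["recency"] = 1.0 if age <= 1 else 0.6 if age <= 7 else 0.3 if age <= 30 else 0.0
    s["source_priority"] = item["source_priority"] / 10.0
    s["vertical"], s["priority_vendor"] = float(any(v in text for v in VERTICALS)), float(any(v in text for v in VENDORS))
    return s

def score(item, weights=WEIGHTS):
    """Weighted 0-100 score and severity band; CVSS >= 9.0 lifts a High item to Critical."""
    s = signals(item)
    total = 100.0 * sum(weights[k] * s[k] for k in weights) / sum(weights.values())
    band = next(name for cut, name in BANDS if total >= cut)
    return round(total, 1), "Critical" if s["cvss"] >= 0.9 and band == "High" else band

def rank_queue(items=ITEMS, automation_threshold=50):
    """Auto Triage view: (score, band, automation-eligible) per item, highest score first."""
    return [(sc, band, sc >= automation_threshold) for sc, band in sorted(map(score, items), reverse=True)]
```

Lowering a single slider (for example `score(ITEMS[0], {**WEIGHTS, "cvss": 1})`) shows how one weight change moves an item relative to the threshold, which is the one-or-two-sliders-at-a-time loop the post recommends.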

What good tuning looks like

Good tuning creates a queue where analysts can explain why every top-ranked item is there. Some items become hunts. Some become Sigma or YARA candidates. Some become cases. Some become Not Actionable because they are relevant but lack huntable details. Some become Not Relevant and train curation learning to down-rank similar noise later.

Metric Weights should not make Threat Foundry louder. They should make the next analyst decision easier.

CTI Modeling tells you what the intelligence program is learning. Reporting tells you what became operational. Metric Weights close the loop between the two.
