Stop Guessing.
Score Every Threat.
The OFA Crime Score assigns a 0–1000 risk value to every IP, domain, URL, and file hash in the Alliance ecosystem — powered by six validation layers and 180+ member organisations.
Understanding the Score Bands
Every asset gets a score. Higher scores mean stronger, multi-source confirmation of malicious intent. Use the bands below to calibrate your enforcement policy.
Clean / Unobserved
Asset not observed in the Alliance ecosystem, or observed with insufficient evidence. No enforcement action recommended.
Watchlist / Monitor
Asset flagged by one or more members with low-to-medium confidence. Monitor closely. Suitable for logging and alerting only.
Block Recommended
Multi-member confirmation with moderate-to-high confidence. Block recommended. Start here with ≥400 for safe initial deployment.
Immediate Block
High-confidence, multi-sector confirmed malicious activity. Immediate enforcement. Alliance validation ≥190 balances accuracy and prevention.
{
  "ip": "185.220.101.45",
  "score": 847,
  "band": "IMMEDIATE_BLOCK",
  "confidence": 0.94,
  "members_seen": 23,
  "components": {
    "alliance_freq": 340,
    "trust_weight": 180,
    "confidence_meta": 165,
    "stix_enrichment": 100,
    "temporal_decay": 62
  },
  "last_seen": "2026-02-19T09:14:00Z",
  "mitre_ttps": ["T1190", "T1133"],
  "tags": ["tor-exit", "brute-force"]
}
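The following is an added example of how an enforcement point might consume a lookup record like the one above; it is not OFA code or the CTI API client. It reads the page's sample response, sanity-checks the record before acting on it (score range, confidence range, and that the five components add up to the published score), and maps the score to an action using tunable thresholds. The threshold values, the band names other than IMMEDIATE_BLOCK, and the second watchlist-style record are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Any

# Constructed sample: the lookup response reproduced from the page.
SAMPLE_RESPONSE = """{
  "ip": "185.220.101.45",
  "score": 847,
  "band": "IMMEDIATE_BLOCK",
  "confidence": 0.94,
  "members_seen": 23,
  "components": {
    "alliance_freq": 340,
    "trust_weight": 180,
    "confidence_meta": 165,
    "stix_enrichment": 100,
    "temporal_decay": 62
  },
  "last_seen": "2026-02-19T09:14:00Z",
  "mitre_ttps": ["T1190", "T1133"],
  "tags": ["tor-exit", "brute-force"]
}"""

# Constructed second record (documentation IP range) to exercise the lower bands.
WATCHLIST_RESPONSE = {
    "ip": "203.0.113.7",
    "score": 260,
    "band": "WATCHLIST",
    "confidence": 0.58,
    "members_seen": 2,
    "components": {
        "alliance_freq": 90,
        "trust_weight": 70,
        "confidence_meta": 60,
        "stix_enrichment": 0,
        "temporal_decay": 40,
    },
    "last_seen": "2026-02-18T22:40:00Z",
    "mitre_ttps": [],
    "tags": ["scanner"],
}

# Only IMMEDIATE_BLOCK appears on the page; the other band identifiers are assumed.
KNOWN_BANDS = {"CLEAN", "WATCHLIST", "BLOCK_RECOMMENDED", "IMMEDIATE_BLOCK"}


@dataclass(frozen=True)
class Policy:
    """Tunable enforcement thresholds (assumed values, not OFA defaults)."""
    block_at: int = 400        # the page suggests >=400 as a safe starting point
    alert_at: int = 150        # placeholder: log-and-alert floor
    min_confidence: float = 0.5


def load(raw: str) -> dict[str, Any]:
    return json.loads(raw)


def validate(resp: dict[str, Any]) -> list[str]:
    """Return integrity problems found in a record; an empty list means it is usable."""
    problems: list[str] = []
    score = resp.get("score")
    if not isinstance(score, int) or not 0 <= score <= 1000:
        problems.append("score outside 0-1000")
    comps = resp.get("components") or {}
    # The components must reconstruct the published score; a mismatch suggests
    # a truncated or tampered record and should never trigger an auto-block.
    if isinstance(score, int) and sum(comps.values()) != score:
        problems.append("component sum does not match score")
    conf = resp.get("confidence")
    if not isinstance(conf, (int, float)) or not 0.0 <= conf <= 1.0:
        problems.append("confidence outside 0-1")
    if resp.get("band") not in KNOWN_BANDS:
        problems.append("unknown band")
    return problems


def decide(resp: dict[str, Any], policy: Policy = Policy()) -> str:
    """Map a validated record to 'block', 'alert' or 'allow'."""
    if validate(resp):
        return "alert"  # fail safe: surface the record to an analyst instead of blocking
    score, conf = resp["score"], resp["confidence"]
    if score >= policy.block_at and conf >= policy.min_confidence:
        return "block"
    if score >= policy.alert_at:
        return "alert"
    return "allow"


def decide_json(raw: str, policy: Policy = Policy()) -> str:
    return decide(load(raw), policy)


if __name__ == "__main__":
    print(decide_json(SAMPLE_RESPONSE))                     # block
    print(decide(WATCHLIST_RESPONSE))                       # alert at the default 400
    print(decide(WATCHLIST_RESPONSE, Policy(block_at=190)))  # block at a 190 threshold
```

Lowering `block_at` from 400 to 190 is all it takes to move the constructed watchlist record from alert-only into enforcement, which is why the page recommends starting high and tuning down once false positives on your own traffic are understood.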
Six Scoring Components
No single signal determines the score. Six independent components combine to produce a tamper-resistant, multi-validated risk value.
Alliance Member Frequency
Multiple independent organisations reporting the same asset increases the score nonlinearly. A single reporter raises suspicion — a dozen independent confirmations raises certainty.
Source Trust Weight
Each contributing member is weighted by their historical accuracy, false-positive rate, and validation consistency. High-trust reporters have greater influence on the final score.
Confidence Metadata
Reporting depth — whether the member observed exploitation, confirmed compromise, sandbox execution, or live C2 traffic — directly weights the score contribution upward.
Temporal Decay
Time-based score reduction applies to IPv4 addresses as threat context ages. Domains, URLs, and file hashes retain their scores indefinitely — representing durable malicious identity.
STIX 2.x Enrichment
Structured threat intelligence — threat actors, malware family associations, MITRE ATT&CK technique mappings — elevates precision by linking assets to known campaigns and adversaries.
Cross-Member Temporal Correlation
When multiple members report the same asset within a compressed timeframe, the synchronised activity dramatically elevates the score — a hallmark of active campaign infrastructure.
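To make the six components concrete, here is an added, illustrative scoring model written for this page; it is not OFA's formula. Every weight, the saturation constant in the frequency curve, the 30-day half-life and the six-hour correlation window are assumptions chosen so that the model exhibits the behaviours described above: a saturating gain from independent reporters, trust- and depth-weighted contributions, a bonus for synchronised reporting, and decay that applies to IPv4 addresses only. The `Report` type and the member names are constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed constants for this illustration only.
DEPTH_WEIGHT = {"sighting": 0.4, "exploitation": 0.7, "compromise": 0.9, "c2": 1.0}
HALF_LIFE_DAYS = 30.0                    # temporal decay, IPv4 only
CORRELATION_WINDOW = timedelta(hours=6)  # cross-member correlation window
FREQ_K = 0.25                            # steepness of the reporter-count curve

# Fixed "now" taken from the page's last_seen timestamp so results are reproducible.
NOW = datetime(2026, 2, 19, 9, 14, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Report:
    member: str          # reporting organisation
    trust: float         # 0..1 historical accuracy of that member
    depth: str           # key into DEPTH_WEIGHT: how deeply the activity was observed
    seen_at: datetime


def frequency_term(n_members: int) -> float:
    """Saturating curve: 1 reporter gives ~0.22, 12 reporters ~0.95."""
    return 1.0 - math.exp(-FREQ_K * n_members)


def trust_term(reports: list[Report]) -> float:
    return sum(r.trust for r in reports) / len(reports) if reports else 0.0


def confidence_term(reports: list[Report]) -> float:
    """Deepest observation any member made (live C2 outranks a bare sighting)."""
    return max(DEPTH_WEIGHT[r.depth] for r in reports) if reports else 0.0


def correlation_term(reports: list[Report]) -> float:
    """Largest fraction of reports that fall inside one correlation window."""
    if len(reports) < 2:
        return 0.0
    times = sorted(r.seen_at for r in reports)
    best = 1
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= CORRELATION_WINDOW:
            j += 1
        best = max(best, j - i)
    return best / len(times)


def decay_factor(asset_type: str, last_seen: datetime, now: datetime = NOW) -> float:
    """Half-life decay for IPv4; domains, URLs and hashes keep full weight."""
    if asset_type != "ipv4":
        return 1.0
    age_days = max(0.0, (now - last_seen).total_seconds() / 86400)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def crime_score(asset_type: str, reports: list[Report], stix_links: int = 0,
                now: datetime = NOW) -> int:
    """Combine the components into a 0-1000 value (weights are assumptions)."""
    if not reports:
        return 0
    members = {r.member for r in reports}
    raw = (400 * frequency_term(len(members))
           + 150 * trust_term(reports)
           + 150 * confidence_term(reports)
           + 150 * min(stix_links, 3) / 3      # STIX links to actors/malware/TTPs
           + 150 * correlation_term(reports))
    last_seen = max(r.seen_at for r in reports)
    return round(min(1000.0, raw * decay_factor(asset_type, last_seen, now)))


def make_reports(n: int, seen_at: datetime, trust: float = 0.9,
                 depth: str = "exploitation") -> list[Report]:
    """Constructed reports from n distinct members, spaced five minutes apart."""
    return [Report(f"member-{i}", trust, depth, seen_at + timedelta(minutes=5 * i))
            for i in range(n)]


if __name__ == "__main__":
    print(crime_score("ipv4", make_reports(1, NOW)))                          # 328
    print(crime_score("ipv4", make_reports(12, NOW)))                         # 770
    print(crime_score("ipv4", make_reports(1, NOW - timedelta(days=60))))     # 82
    print(crime_score("domain", make_reports(1, NOW - timedelta(days=60))))   # 328
```

The single-reporter case lands below the 400 starting threshold, while twelve members reporting within one window push the same kind of observation well above it; the same report aged sixty days loses three quarters of its weight for an IPv4 address and none at all for a domain.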
Who Acts on the Crime Score
The Crime Score is designed for action — consumed by firewalls, SIEMs, SOARs, and analysts who need decisive, evidence-backed risk values.
SOC Analysts
Triage alerts faster with a single risk number. No more hunting across 5 threat feeds — the score aggregates them all.
Firewall Administrators
Configure score-based auto-block rules. Set threshold ≥190 and let the WCF Agent enforce blocks automatically, 24/7.
Security Engineers
Integrate score lookups into CI/CD pipelines, SOAR playbooks, and custom threat enrichment workflows via the CTI API.
CISOs
Report on threat posture using objective metrics. Crime Score trends reveal exposure patterns and validate security investment.
Block Threats by Score, Not Guesswork
Ready to replace manual threat hunting with score-based enforcement? Talk to our team and start a Proof of Value to see Crime Score precision on your own traffic.