sikkerapi@prod ~$
Why SikkerAPI|
Sikker-CLISikkerGuard
Honeypot DatabaseEmail LookupUsername LookupDetection CatalogSubnet CalculatorEncoder / Decoder
Prices
|
Fail2BanCSF FirewallNginxiptables / ipset
|
Blog
OverviewIP CheckBlacklistReportBulk ReportTAXII FeedSikker-CLIConfidence Score Algorithm
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Database
CIDR Range AlertsIP AlertsUsername AlertsEmail AlertsBlacklist Web-UIInstall SikkerGuard
|login|signup
Loading
SikkerAPI

Open source threat intelligence from a global honeypot sensor network. Real attacker behavior, not purchased feeds.

Product
PricingDocumentationReport an IPThreat MapSystem Status
Resources
BlogFAQAboutContactComparisons
Tools
Sikker-CLISikkerGuardDetection CatalogSession DatabaseTAXII Feed
Browse
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Wall of Fame
© 2026 SikkerAPI
TermsPrivacyRemove Me

Confidence Level

Version
v3 evidence-weighted, no time decay
Output
0–100 integer
Normalization
100 × (1 - e-raw/70)
Evidence Sources
Sensor + Contributor

← Back to Docs

Pipeline

The algorithm runs on every sensor session end and every community report submission. It produces a single 0–100 integer stored in the IP reputation table. The IP Check API returns this value as confidenceLevel.

Calculation steps (in order)
1. SensordoubleSum of behavior, primitive, volume, and protocol evidence from honeypots
2. ContributordoubleSum of credibility, category severity, and protocol evidence from community reports
3. CorroboratedoubleMultiply by 1.15–1.25 if both sensor and contributor evidence present
4. Normalize0–100Saturation curve: 100 × (1 - e-raw/70)
5. FloorintegerIf any behavior has critical severity, enforce minimum score of 75

Sensor Evidence

Evidence from the global honeypot network. Each component is calculated independently, then summed into the raw sensor score. All use logarithmic or square-root scaling to prevent extreme outliers from dominating.

Behavior Evidenceseverity-weighted
critical55.0Per behavior with critical severity
high35.0Per behavior with high severity
medium20.0Per behavior with medium severity
low8.0Per behavior with low severity
info3.0Per behavior with info severity
countFactorformulamin(6, sqrt(count)) per behavior
diversity+6.0Per additional distinct behavior (n-1)
// IP with 2 behaviors: // ssh_authorized_keys_persistence // severity=high, count=4 // ssh_history_file_tampering // severity=medium, count=2 b1 = 35.0 × min(6, sqrt(4)) = 35.0 × 2.0 = 70.0 b2 = 20.0 × min(6, sqrt(2)) = 20.0 × 1.41 = 28.3 diversity = 6.0 × (2 - 1) = 6.0 behavior_score = 70.0 + 28.3 + 6.0 = 104.3
Primitive Evidencelog-scaled, discounted if behaviors exist
countWeight2.0Per primitive: 2 × ln(1 + count)
diversityWeight2.02 × ln(1 + primitiveTypes)
discount×0.4Applied when behaviors are present (not eliminated)
// 3 primitives, behaviors present: // wget_download (count=5) // curl_download (count=3) // chmod_execute (count=8) raw = 2×ln(6) + 2×ln(4) + 2×ln(9) + 2×ln(4) // diversity = 3.58 + 2.77 + 4.39 + 2.77 = 13.52 with discount = 13.52 × 0.4 = 5.41
Volume Evidencevelocity-based
sessions/day10.010 × ln(1 + sessionsPerDay)
events/day8.08 × ln(1 + eventsPerDay)
burst5.05 × ln(1 + events/sessions)
daysActivederivedmax(1, (lastSeen - firstSeen) / msPerDay)
// 300 sessions, 4500 events over 3 days spd = 300 / 3 = 100 epd = 4500 / 3 = 1500 burst = 4500 / 300 = 15 volume = 10×ln(101) + 8×ln(1501) + 5×ln(16) = 46.2 + 58.5 + 13.9 = 118.5
Protocol Evidencecapped at 6
weight2.0Per distinct protocol
max6Protocol count capped at 6 (max 12 points)
// SSH, HTTP, MySQL protocols = 2 × min(6, 3) = 6.0

Contributor Evidence

Evidence from community abuse reports. Reports from multiple independent sources carry more weight than volume from a single reporter.

Credibilityreporters + reports
uniqueReporters7.07 × ln(1 + uniqueReporters)
totalReports4.04 × ln(1 + totalReports)
// 8 unique reporters, 47 total reports reporters = 7 × ln(9) = 15.4 reports = 4 × ln(48) = 15.5 credibility = 15.4 + 15.5 = 30.9
Category Severityweight × ln(1 + count)
critical (8.0)catDDoS, Web Exploit, SQL Injection, Exploited Host, Malware
high (5.0)catBrute Force, Phishing, DNS Abuse, IoT, Spoofing, Fraud
medium (3.0)catOpen Proxy
low (1.5)catPort Scan, Spam, Bad Bot, Other
// brute_force: 12 reports // ddos: 5 reports brute_force = 5.0 × ln(13) = 12.8 (high) ddos = 8.0 × ln(6) = 14.3 (critical) categories = 12.8 + 14.3 = 27.2
Contributor protocol diversity
contrib_protocols = 2.0 × ln(1 + protocol_count) // 3 protocols reported (ssh, http, smtp) result = 2.0 × ln(4) = 2.77

Corroboration Multiplier

When both sensor and contributor evidence are present, a multiplier rewards cross-source agreement. The multiplier scales with the weaker signal to prevent a single stray report from inflating a high sensor score.

Corroboration1.15–1.25
base1.15Minimum multiplier when both sources present
bonus+0.10Scaled by signal strength (0–1)
sensorSignalscountbehaviorCount + (1 if primitives exist)
contribSignalscountmin(10, uniqueReporters)
signalStrengthformulaclamp01(ln(1 + min(sensor, contrib)) / ln(7))
// sensor: 2 behaviors + primitives = 3 // contrib: 8 unique reporters signals = min(3, min(10, 8)) = min(3, 8) = 3 strength = ln(4) / ln(7) = 1.386 / 1.946 = 0.71 multiplier = 1.15 + 0.10 × 0.71 = 1.221 // If either source is 0, multiplier = 1.0

Normalization & Floors

The raw score is unbounded (sensor + contributor can sum well past 100). The saturation curve maps it to 0–100 while preserving ranking order. A critical behavior floor prevents dangerous IPs from scoring low due to limited total evidence.

Final Normalizationsaturation + floor
saturationformula100 × (1 - e-raw/70)
criticalFloor75Minimum score if any behavior has critical severity
clamp0–100min(100, max(0, score))
// Full pipeline example sensor = 104.3 + 5.4 + 118.5 + 6.0 = 234.2 contributor = 30.9 + 27.2 + 2.8 = 60.8 corroboration = 1.221 raw = (234.2 + 60.8) × 1.221 = 360.2 score = 100 × (1 - e-360.2/70) = 100 × (1 - 0.0058) = 99

Score Bands

Confidence levels map to threat levels. These are guidelines, not hard thresholds. Your security posture and false positive tolerance should determine your response thresholds.

Threat levels and recommended actions
90–100CRITICALBlock immediately
70–89HIGHBlock or strict rate limiting
50–69MEDIUMMonitor or rate limit
25–49LOWMonitor
0–24NONENo action needed

Whitelist Discount

Known-benign IPs (CDNs, cloud providers, research scanners) receive a per-source discount multiplier on the final score. Each whitelist source (Googlebot, Censys, Cloudflare, etc.) has its own configurable discount factor between 0.0 and 1.0. The discount is applied after normalization, not inside the scoring algorithm. Users can bypass the discount with the ignoreWhitelist query parameter to get the raw score. The IP Check API returns the discounted score as confidenceLevel by default.

Whitelist behavior
// Each source defines its own discount (0.0–1.0) risk_score = risk_score_raw × discount // If an IP matches multiple sources, the lowest // (most aggressive) discount is used. // With ignoreWhitelist=true risk_score = risk_score_raw × 1.0 // Whitelisted IPs can still score high if // activity is very suspicious. The discount // is a multiplier, not a hard cap.
Try it — Look up any IP to see its confidence level, behaviors, and community reports. Free tier includes 1,000 lookups per day. Create free API key →