Beyond Decay Curves: Rethinking IOC Scoring
Jun 14, 2026
Most security teams assume IOC scoring is a solved problem. Indicators arrive from threat feeds, confidence values are assigned, decay functions reduce scores over time, and detections are prioritized accordingly. On paper, the process appears objective and systematic.
In practice, adversaries exploit exactly these assumptions. Infrastructure is designed to evade validation, stale indicators are continuously republished as fresh intelligence, and simplistic scoring models often mistake visibility for relevance. The challenge is not assigning a number to an IOC – it’s determining whether that indicator still has operational value in an environment where both attackers and the intelligence ecosystem actively distort the available signals.
This is where many IOC scoring implementations begin to fail. They treat time as a proxy for relevance, assume all intelligence sources deserve equal trust, and rely on verification techniques that attackers have learned to manipulate. None of these approaches is inherently wrong, but each creates blind spots that become increasingly dangerous when combined. The result is a confidence score that looks precise while gradually drifting away from reality.
Dynamic IOC Scoring: A Hybrid Actuality Model
No single method reliably reflects whether an indicator remains operationally relevant. Statistical decay alone is gamed by behavioural patterns; live verification alone is defeated by adversary-aware infrastructure; source volume alone conflates noise with signal. This model combines three complementary layers precisely because each method’s weaknesses are partially covered by the others.
Layer 1: Statistical Decay
Different IOC types follow different decay curves. For example, phishing URLs may degrade faster than C2 domains. Rather than applying a single exponential decay, we model each IOC type with empirically derived decay functions (fitted against historical confirmation and takedown data) and modulate them by observed frequency patterns:
- Sustained high frequency over long periods is often a negative signal – it correlates with sinkholed infrastructure, background scanning, and commodity noise rather than active adversary use.
- Sudden high frequency within a short recent window is a strong positive signal of active campaign deployment, C2 beaconing, or active exploitation — but only when cross-validated against source diversity (see Layer 3).
- Low-and-slow patterns are treated carefully: some APT infrastructure is deliberately minimal in observable traffic to avoid exactly this kind of scoring. Low frequency is not the same as low confidence.
Decay rates are not static parameters – they are updated as verification results and new observations arrive, creating a feedback loop between layers.
Layer 2: Active Verification — With Adversarial Awareness
Live checks confirm operational status, but adversaries actively defeat naive probing. The verification layer is designed with these evasion techniques explicitly in mind:
- Domain registration and DNS resolution confirm basic infrastructure existence, but fast-flux DNS and CDN fronting mean a resolving domain tells you less than it appears to. A domain resolving to a major CDN edge node warrants different treatment than one resolving to dedicated hosting.
- Reachability checks confirm an IP responds, but geofenced delivery, victim-profile filtering, and staging infrastructure that serves benign content to non-credentialed probes mean reachability ≠ active maliciousness. We treat reachability as a necessary but not sufficient condition.
- Content and behavioral validation — fingerprinting known infrastructure patterns, TLS certificate characteristics, response header signatures, and redirect chains — provides stronger signal than simple page load checks, but is inherently a partial view. Polymorphic loaders and multi-stage delivery chains will defeat fingerprinting on first-stage infrastructure.
- Absence of response is not treated as confirmed takedown. It is scored as unverified until corroborated by other signals – takedown reports, passive DNS gaps, or source consensus.
Verified-live indicators with corroborating source agreement receive dramatically slowed decay. Indicators that have gone dark and whose sources have also stopped reporting them (or whose takedown is otherwise corroborated) decay rapidly. Indicators that have gone dark without corroborating evidence either way are held in a degraded-but-not-expired state.
Layer 3: Multi-Source Confidence and Source Scoring
Collecting the same indicator across multiple independent sources provides something neither decay nor verification can offer alone: a basis for source confidence scoring.
Sources are modelled individually over time. A source that consistently reports indicators later confirmed active scores higher than one whose indicators are frequently unverifiable or stale on arrival. This allows the system to weight incoming intelligence dynamically rather than treating all feeds equally:
- High agreement across high-confidence sources significantly accelerates an indicator’s score and slows decay.
- Single-source indicators from low-confidence sources are treated with appropriate skepticism regardless of recency.
- Source disagreement – where one source marks an indicator active and another marks it resolved – is surfaced explicitly as an analytical flag rather than silently averaged away.
- Source behaviour patterns also help identify feed contamination, re-sharing of stale data, and the recycling of historical IOCs dressed as fresh intelligence – a real and underappreciated problem in commercial threat feeds.
Why the Combination Matters More Than Any Single Method
The key claim is not that any of these methods is reliable in isolation – it’s that their failure modes are partially orthogonal:
| Failure Mode | Decay Alone | Verification Alone |
|---|---|---|
| Fast-flux / rotating infrastructure | Partially handles | Defeated |
| Geofenced / victim-aware delivery | No signal | Defeated |
| Sinkholed infrastructure | Scores too high | Falsely confirms active |
| Stale feed recycling | No defense | No defense |
| Low-and-slow APT | Underscores | Misses |
No combination fully solves these problems. The goal is a continuously updated relevance score that is harder to game than any single signal, with full auditability – analysts can inspect the decay trend, the latest verification result, and the source agreement profile side by side, and understand why a score is what it is rather than treating it as a black box output.
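The three layers and the side-by-side audit trail described above, as an added worked example in Python. This is illustration code, not RST Cloud's implementation: the per-type half-lives, the pattern and verification multipliers, the feed names `feed_a`/`feed_b`/`feed_c` and every observation are constructed assumptions, chosen so that each sample indicator exercises a different branch of the model (a live burst, a sinkholed long-runner with source disagreement, a dark indicator held in the degraded state, and a corroborated takedown).

```python
"""Hybrid IOC actuality score: decay + adversary-aware verification + source
confidence, with an audit trail. Added illustration, not RST Cloud's code;
half-lives, multipliers, feed names and observations are constructed."""
from dataclasses import dataclass

# Layer 1: per-type half-life in days (constructed; fitted in practice)
HALF_LIFE_DAYS = {"url": 3.0, "ip": 10.0, "domain": 30.0, "hash": 180.0}

@dataclass
class Observation:
    source: str
    age_days: float         # days since this source reported the indicator
    status: str = "active"  # what the source claims: "active" or "resolved"

@dataclass
class SourceProfile:
    confirmed: int = 0     # indicators from this feed later verified live
    unverifiable: int = 0  # indicators stale or unverifiable on arrival

    def confidence(self) -> float:
        # Laplace-smoothed hit rate, so an unknown feed starts at 0.5
        return (self.confirmed + 1) / (self.confirmed + self.unverifiable + 2)

@dataclass
class Indicator:
    value: str
    ioc_type: str
    observations: list
    verification: str = "unverified"     # Layer 2 result: live/dark/unverified
    takedown_corroborated: bool = False  # takedown report, passive-DNS gap, etc.

def frequency_pattern(obs) -> str:
    """Layer 1 modulation: classify the observation timeline."""
    recent = [o for o in obs if o.age_days <= 7]
    old = [o for o in obs if o.age_days > 90]
    if len(old) >= 3 and recent:
        return "sustained"   # seen for months: sinkhole / scanner noise
    # A burst only counts when cross-validated by source diversity (Layer 3)
    if len(recent) >= 3 and len({o.source for o in recent}) >= 2 and not old:
        return "burst"
    return "low_and_slow"    # low frequency is not low confidence

def source_agreement(ind, profiles):
    """Layer 3: confidence-weighted share of reports still marking the
    indicator active, plus an explicit disagreement flag."""
    active = total = 0.0
    for o in ind.observations:
        w = profiles.get(o.source, SourceProfile()).confidence()
        total += w
        active += w if o.status == "active" else 0.0
    disagreement = len({o.status for o in ind.observations}) > 1
    return (active / total if total else 0.0), disagreement

def score_indicator(ind, profiles):
    """Return (score in [0, 1], audit dict showing why the score is what it is)."""
    base = HALF_LIFE_DAYS.get(ind.ioc_type, 14.0)
    pattern = frequency_pattern(ind.observations)
    half_life = base * {"sustained": 0.5, "burst": 2.0}.get(pattern, 1.0)
    agreement, disagreement = source_agreement(ind, profiles)
    corroborated_dead = ind.verification == "dark" and (
        ind.takedown_corroborated or agreement < 0.5)
    # Layer 2: verification reshapes the curve rather than overriding it
    if ind.verification == "live" and agreement >= 0.5:
        half_life *= 4.0     # live with source agreement: decay much slower
    elif corroborated_dead:
        half_life *= 0.1     # dark and corroborated: decay rapidly
    newest = min(o.age_days for o in ind.observations)
    decay = 0.5 ** (newest / half_life)
    # Single-source indicators never reach full weight, whatever their recency
    n_sources = len({o.source for o in ind.observations})
    score = decay * agreement * min(1.0, 0.5 + 0.25 * n_sources)
    held = ind.verification == "dark" and not corroborated_dead
    if held:
        score = min(max(score, 0.1), 0.4)   # degraded but not expired
    audit = {"pattern": pattern, "half_life_days": half_life,
             "decay": round(decay, 3), "verification": ind.verification,
             "source_agreement": round(agreement, 3),
             "source_disagreement": disagreement, "held_degraded": held}
    return round(score, 3), audit

# Constructed feed track records and observations for the demonstration
PROFILES = {"feed_a": SourceProfile(8, 2), "feed_b": SourceProfile(1, 7),
            "feed_c": SourceProfile(4, 0)}
SAMPLES = [
    # Fresh C2 domain: burst across two good feeds, verified live
    Indicator("c2.example", "domain", [Observation("feed_a", 1),
              Observation("feed_c", 2), Observation("feed_a", 3)], "live"),
    # Long-lived IP pushed by a weak feed; a good feed says resolved, and a
    # sinkhole still answers, so verification alone would call it live
    Indicator("192.0.2.10", "ip", [Observation("feed_b", 2),
              Observation("feed_b", 100), Observation("feed_a", 120, "resolved"),
              Observation("feed_b", 200)], "live"),
    # Phishing URL that stopped responding; no takedown evidence either way
    Indicator("http://phish.example/login", "url",
              [Observation("feed_c", 20)], "dark"),
    # Domain gone dark, with a takedown report corroborating it
    Indicator("old-c2.example", "domain", [Observation("feed_a", 4),
              Observation("feed_b", 6, "resolved")], "dark", True),
]

def score_all(samples=SAMPLES, profiles=PROFILES):
    return {ind.value: score_indicator(ind, profiles) for ind in samples}
```

Running `score_all()` scores the live C2 burst near 1.0, the sinkholed IP around 0.34 with `source_disagreement` raised for the analyst, the dark phishing URL held at the 0.1 floor rather than expired, and the corroborated takedown around 0.31 and falling on a 3-day half-life. The design choice worth noting is that verification and source agreement change the shape of the decay curve (the effective half-life) rather than overriding the score, so the audit dict lets an analyst see each layer's contribution separately.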
Yury Sergeev, Director of RST Cloud
A hybrid approach that combines statistical decay, adversary-aware verification, and source confidence scoring provides a more resilient way to assess IOC actuality than any single method alone. More importantly, it gives analysts visibility into why a score exists, rather than forcing them to trust a black-box number.
If your team is facing challenges with IOC quality, confidence scoring, enrichment, or threat intelligence operationalisation, feel free to reach out. We’d be happy to discuss practical approaches, share lessons learned from large-scale CTI deployments, and explore how dynamic scoring models can improve detection outcomes.