What are Risk scoring in NDR (Network Detection and Response)?

Risk scoring in NDR refers to the process of assigning a numerical or categorical value to a detected threat or network activity to indicate how dangerous or urgent it is. This helps security teams prioritize incidents and respond more efficiently.

In other words, risk scoring in NDR (Network Detection and Response)is a method of assigning a numerical or categorical value to detected threats or anomalies, based on how dangerous or suspicious they are. This helps security teams prioritize alerts, respond faster, and reduce noise from false positives.

What Is Risk Scoring in NDR?

Risk scoring is the process of evaluating the threat level of an event, user, or device by analyzing multiple factors—such as behavior, context, and known indicators—and assigning a score that reflects the likelihood and potential impact of malicious activity.

Purpose of Risk Scoring in NDR

• Prioritize incidents: Focus on the most dangerous or urgent threats first

• Reduce alert fatigue: Filter out low-risk or low-confidence events

• Automate response: Trigger predefined actions based on score thresholds

• Support investigations: Help analysts identify high-risk assets or patterns

How Risk Scores Are Calculated

NDR solutions system typically use a multi-factor scoring model, which may include:

1. Severity of Detected Behavior

• Type of threat: malware, lateral movement, data exfiltration, etc.

• Kill chain phase: initial access vs. C2 vs. data theft

2. Confidence Level

• Detection accuracy: signature match, behavioral model match, threat intel correlation

• AI/ML model certainty

3. Asset Criticality

• Is the device a domain controller, database, or executive endpoint?

• Business context matters

4. Behavioral Deviation

• How much does this deviate from normal traffic for that user or device?

• Unusual times, protocols, or destinations increase risk

5. Threat Intelligence Correlation

• Matches known IOCs (IPs, domains, hashes) from threat feeds

• Known malware families or attacker tools

6. Repetition or Persistence

• While risk scoring in the NDR platforms, is there any repeated suspicious behavior

• Lateral spread across multiple endpoints

Example Risk Scoring Framework

Scores may then be mapped to categories:

Why Risk Scoring Matters in NDR

• Prioritization: Helps SOC teams focus on real threats, not false positives.

• Automation: Triggers automated responses when thresholds are reached.

• Triage: Guides analysts to investigate the highest-risk events first.

• Threat Hunting: Aids in identifying patterns and attack chains in noisy environments.

What Happens After Scoring?

Depending on the score in NDR solutions:

• High-risk threats are escalated for manual investigation

• Medium threats might be monitored or correlated with other events

• Low-risk or benign anomalies can be auto-dismissed

Automated actions (e.g., isolating a device, sending alerts to SIEM, or triggering a SOAR playbook) can also be triggered based on score thresholds.

Key Benefits of Risk Scoring in NDR

In NDR solutions (Network Detection and Response), risk scoring is a calculated value that helps prioritize threats based on their potential impact, behavior patterns, and relevance to the organization. While exact methods vary by vendor, the core formulaic approach generally combines multiple weighted factors.

Key Components of the Calculation

1. Anomaly Score

• Based on how much the observed behavior deviates from historical baselines

• Example: A server that never initiates outbound traffic suddenly contacts external IPs → High anomaly score

2. Threat Intelligence Score

• Based on correlation with known Indicators of Compromise (IOCs)

• Factors in:

  • Malicious IPs/domains

  • File hashes

  • Behavior signatures

• Known bad = high threat score

3. Asset Criticality Score

• Considers how valuable the targeted system or user is

• Examples:

  • Domain controller = high criticality

  • Development laptop = lower criticality

4. Kill Chain Stage Score

• Scores higher if activity is part of advanced stages of attack:

  • Reconnaissance = low score

  • Exfiltration or lateral movement = high score

5. Frequency and Persistence

• Measures:

  • Number of occurrences

  • Duration of anomalous activity

  • Repeated failed login attempts, sustained data transfer, etc.

Purpose of Calculated Risk Scores

• Triage: Focus analysts on highest-priority threats

• Automation: Trigger alerts or automated responses

• Analytics: Track threat trends and measure SOC performance

• Customization: Allow security teams to adjust weights based on business context

Example: Risk Score Calculation

Typical Risk Scoring Calculation

A common approach to risk score calculation is a weighted formula, such as:

Risk Score = (Anomaly Score × W₁) + (Threat Intelligence Score × W₂) + (Asset Criticality Score × W₃) + (Kill Chain Stage Score × W₄) + (Frequency Score × W₅)

Where:

• W₁–W₅ = Weight assigned to each factor

• Total score is usually normalized (e.g., 0–100 or 0–10)

Sample NDR Risk Scoring Formula:

Risk Score =
(Threat Severity × Weight₁) +
(Confidence Level × Weight₂) +
(Asset Criticality × Weight₃) +
(Behavioral Anomaly Score × Weight₄) +
(Threat Intelligence Match × Weight₅)

Each component contributes to the total score, typically scaled from 0 to 100.