One may wonder whether NDR (Network Detection and Response) uses risk scoring models. The short answer:
Yes, NDR (Network Detection and Response) does use risk scoring models, and they are a core part of how NDR solutions prioritize, classify, and respond to threats.
Risk scoring in NDR is the process of evaluating detected anomalies or events against multiple factors (severity, behavior, threat intelligence) and assigning a numerical or qualitative score that represents the level of threat.
This score helps determine:
- Which incidents to investigate first
- What response (manual or automated) is required
- Which assets are most at risk
Why NDR Uses Risk Scoring Models
Modern networks generate massive volumes of data and alerts. NDR solutions use risk scoring models to:
- Prioritize high-risk threats over low-risk anomalies
- Accelerate analyst response by ranking incidents by severity
- Automate decisions such as containment, alerting, or escalation
- Reduce false positives by filtering out benign activity
Risk scoring models help NDR systems:
- Evaluate the severity of suspicious network activity
- Prioritize threats for analyst investigation
- Reduce alert fatigue by surfacing only high-risk events
- Automate responses based on the risk level
In complex networks with thousands of events per second, risk scoring helps teams focus on what truly matters.
How Risk Scoring Works in NDR (Step-by-Step)
1. Threat Detection
The NDR system detects unusual or suspicious behavior, such as:
- Unusual traffic volume
- Lateral movement
- Communication with known malicious IPs
- DNS tunneling
- Encrypted traffic anomalies
2. Factor Analysis
The system evaluates the threat using risk factors, including:
Risk Factor | Description |
---|---|
Threat Type | What kind of activity is occurring (reconnaissance, exfiltration, etc.) |
Confidence Level | How confident the system is in the detection (AI certainty, signature match) |
Asset Criticality | Is the affected host a domain controller or a public guest device? |
Behavioral Deviation | Does the traffic or user behavior deviate from historical norms? |
Threat Intelligence | Does it match known indicators of compromise (IOCs)? |
3. Scoring and Weighting
Each factor is given a score (0–10) and weighted based on its importance.
Example Calculation:
Sample Event Score (each factor on a 0–10 scale, with its weight):
- Threat Severity: 8 (weight 0.30)
- Confidence Level: 9 (weight 0.25)
- Asset Criticality: 10 (weight 0.20)
- Anomaly Score: 7 (weight 0.15)
- Threat Intel Match: 5 (weight 0.10)
Risk Score = 8×0.3 + 9×0.25 + 10×0.2 + 7×0.15 + 5×0.1 = 2.4 + 2.25 + 2.0 + 1.05 + 0.5 = 8.2/10 = 82/100
4. Risk Classification
Score | Risk Level | Action |
---|---|---|
0–29 | Low | Monitor or suppress |
30–59 | Medium | Alert and log |
60–79 | High | Escalate for analyst review |
80–100 | Critical | Trigger automated response and alert SOC |
5. Automated Response (Optional)
Based on the risk score, NDR can:
- Quarantine or isolate the affected host
- Block suspicious IPs or domains
- Alert analysts through SIEM/SOAR
- Begin forensic packet capture
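The five steps above can be put together as one small scoring pipeline. The following is an added example, not code from the original article or from any NDR product: the factor names, the weights (0.30/0.25/0.20/0.15/0.10), the 0–10 factor scale and the four risk bands are taken from the article, while the `Event` class, the action mapping and the second, low-risk event are constructed for illustration. It also validates the inputs, so a missing factor or an out-of-range value raises instead of silently lowering the score.

```python
"""Weighted NDR risk scoring, classification and response selection.

Added example, not code from the original article. Factor names, weights,
the 0-10 factor scale and the risk bands follow the article; the Event class,
the action mapping and the second event are constructed assumptions.
"""
from dataclasses import dataclass

# Weights per factor, as in the article's sample calculation. They sum to 1.0,
# so factors on a 0-10 scale yield a 0-10 weighted score (x10 -> 0-100).
WEIGHTS = {
    "threat_severity": 0.30,
    "confidence": 0.25,
    "asset_criticality": 0.20,
    "anomaly": 0.15,
    "threat_intel": 0.10,
}

# Risk bands from the article's classification table (0-100 scale).
BANDS = [
    (0, 29, "Low", ["monitor or suppress"]),
    (30, 59, "Medium", ["alert and log"]),
    (60, 79, "High", ["escalate for analyst review"]),
    (80, 100, "Critical", ["alert SOC", "trigger automated response"]),
]

# Constructed automated responses for Critical events (article step 5).
CRITICAL_RESPONSES = ["isolate host", "block destination IP", "start packet capture"]


@dataclass(frozen=True)
class Event:
    """One detected event with its per-factor scores on a 0-10 scale."""
    name: str
    factors: dict


def weighted_score(factors: dict, weights: dict = WEIGHTS) -> int:
    """Return the weighted risk score on a 0-100 scale.

    Every weighted factor must be present and within 0-10: a missing factor
    is a configuration error, not a silent zero that would mask a threat.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    total = 0.0
    for name, weight in weights.items():
        if name not in factors:
            raise KeyError(f"missing factor: {name}")
        value = factors[name]
        if not 0 <= value <= 10:
            raise ValueError(f"{name} out of 0-10 range: {value}")
        total += value * weight
    return round(total * 10)


def classify(score: int) -> tuple:
    """Map a 0-100 score to (label, actions) using the article's bands."""
    for low, high, label, actions in BANDS:
        if low <= score <= high:
            return label, list(actions)
    raise ValueError(f"score out of range: {score}")


def triage(event: Event) -> dict:
    """Score, classify and select responses for one event."""
    score = weighted_score(event.factors)
    label, actions = classify(score)
    if label == "Critical":
        actions += CRITICAL_RESPONSES
    return {"event": event.name, "score": score, "label": label, "actions": actions}


# The article's sample event (factor values from the text).
SAMPLE = Event("sample event", {
    "threat_severity": 8, "confidence": 9, "asset_criticality": 10,
    "anomaly": 7, "threat_intel": 5,
})
# A constructed low-confidence anomaly on a guest device, for contrast.
NOISE = Event("brief port scan from guest device", {
    "threat_severity": 3, "confidence": 2, "asset_criticality": 2,
    "anomaly": 4, "threat_intel": 0,
})

if __name__ == "__main__":
    for ev in (SAMPLE, NOISE):
        print(triage(ev))
```

Running it reproduces the article's 82/100 (Critical) for the sample event, while the guest-device scan lands at 24/100 (Low) and is only monitored; the two events differ most on asset criticality and confidence, which is exactly what the weighting is meant to surface.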
How Risk Scoring Works in NDR
When a suspicious event is detected (e.g., unusual outbound traffic, lateral movement, DNS tunneling), Network Detection and Response evaluates it using a scoring model that considers:
Factor | Example |
---|---|
Threat Severity | Is it a data exfiltration, port scan, or C2 communication? |
Confidence Level | Is the detection AI/ML-based, signature-based, or correlated? |
Asset Criticality | Is the asset a domain controller or a guest device? |
Behavioral Anomaly | How much does this deviate from normal patterns? |
Threat Intel Match | Does it match known IOCs (malicious IPs, domains, hashes)? |
NDR platforms assign a numerical or categorical risk score to each detected event or behavior. These values are often weighted and combined to produce a risk score, usually on a 0–100 scale.
Types of Risk Scoring Models in NDR
- Static thresholds – Simple, rule-based scoring
- Weighted models – Score based on importance of different factors
- Machine learning models – Adaptive, behavior-based scoring
- Hybrid models – Combine rules + AI for contextual scoring
Common Risk Scoring Models in NDR
Model Type | Used For |
---|---|
Weighted rule-based | Transparent, formula-based scoring |
Behavioral analytics | UEBA-based anomaly detection |
Threat intel correlation | Adjusts scores based on known IOCs |
MITRE ATT&CK mapping | Higher score for advanced attack tactics |
Machine learning models | Adaptive, learns from past threat investigations |
Example in Action
An NDR system might observe:
- Unusual data transfer to an external IP at midnight
- The IP is on a threat blacklist
- The device is a domain controller
The system calculates a high risk score (e.g., 92/100), triggering:
- An alert to the SOC
- Automatic isolation of the host via NAC or firewall rules
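To show how the model types listed above (static thresholds, weighted, hybrid rules plus weights) differ, the following added example scores the scenario just described under all three. This is not code from the original article or from any product: the event's factor values, the weights, the threshold rules and the hybrid adjustments (a bump for a threat-intel match, a floor for domain controllers, a bump for off-hours activity) are constructed assumptions, and the exact number it produces is not the article's 92/100, although the hybrid and static models both place the event in the Critical band. A second, constructed event with no IOC match shows where the models disagree.

```python
"""Three NDR scoring model types applied to the same event.

Added example, not code from the original article. The model types and the
risk bands come from the article; the events, factor values, weights and
rule adjustments are constructed assumptions.
"""

WEIGHTS = {"threat_severity": 0.30, "confidence": 0.25,
           "asset_criticality": 0.20, "anomaly": 0.15, "threat_intel": 0.10}

# Constructed representation of the article's scenario: unusual transfer to
# an external IP at midnight, IP on a threat blacklist, host is a domain
# controller. Numeric factors are on a 0-10 scale; the rest is context.
EVENT = {
    "threat_severity": 7, "confidence": 6, "asset_criticality": 10,
    "anomaly": 8, "threat_intel": 10,
    "ioc_match": True, "asset_role": "domain_controller", "hour": 0,
}

# Constructed contrast: a strong behavioural anomaly on a domain controller
# during business hours, with no threat-intel match at all.
QUIET_DC = {
    "threat_severity": 5, "confidence": 4, "asset_criticality": 10,
    "anomaly": 8, "threat_intel": 0,
    "ioc_match": False, "asset_role": "domain_controller", "hour": 14,
}


def band(score: int) -> str:
    """Risk bands from the article (0-100 scale)."""
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 30:
        return "Medium"
    return "Low"


def static_threshold(ev: dict) -> int:
    """Rule-based model: the first matching rule decides, nothing is blended."""
    if ev["ioc_match"]:
        return 100
    if ev["anomaly"] >= 8:
        return 60
    return 0


def weighted(ev: dict) -> int:
    """Weighted model: transparent linear combination of the factors."""
    return round(sum(ev[f] * w for f, w in WEIGHTS.items()) * 10)


def hybrid(ev: dict) -> int:
    """Hybrid model: weighted base score plus contextual rule adjustments."""
    score = weighted(ev)
    if ev["ioc_match"]:
        score += 10                      # threat-intel correlation
    if ev["asset_role"] == "domain_controller":
        score = max(score, 60)           # never below High for a DC
    if ev["hour"] < 6 or ev["hour"] >= 22:
        score += 5                       # off-hours activity
    return min(score, 100)


MODELS = {"static": static_threshold, "weighted": weighted, "hybrid": hybrid}


def compare(ev: dict) -> dict:
    """Return {model_name: (score, band)} for one event."""
    return {name: (fn(ev), band(fn(ev))) for name, fn in MODELS.items()}


if __name__ == "__main__":
    for label, ev in (("blacklisted transfer at midnight", EVENT),
                      ("anomaly on DC, no IOC", QUIET_DC)):
        print(label, compare(ev))
```

For the midnight transfer all three models agree it is Critical (100, 78 and 93 respectively, so the purely weighted model alone would only have reached High). For the second event the static rule fires on the anomaly alone (60, High), the weighted model says Medium (57), and the hybrid model's domain-controller floor lifts it back to High: the rule layer supplies the asset context that a flat weighting can average away.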
Output: Risk-Based Alerting
NDR tools typically group threats like this:
Risk Score | Label | Action |
---|---|---|
0–29 | Low | Log or suppress |
30–59 | Medium | Queue for analyst review |
60–79 | High | Escalate for investigation |
80–100 | Critical | Immediate alert & auto-response |
Conclusion:
Yes, NDR absolutely uses risk scoring models: they are essential for transforming raw detection data into actionable, prioritized intelligence that helps security teams respond faster and smarter.
NDR systems rely heavily on risk scoring models. These models are essential to:
- Detect real threats early
- Filter out noise
- Automate incident response
- Prioritize actions for security teams
Without risk scoring, NDR platforms would be overwhelmed with false positives and lack the context needed for effective decision-making.
Risk scoring in NDR is a critical technique that helps security teams identify, prioritize, and respond to the most dangerous network threats, without being overwhelmed by alerts.