Browse docs

Features

Behavior-based Signals, Not Reputation Alone

Why Cybora evaluates indicators not only by reputation, but also by observed behavior and operational enforceability.

Last updated: June 29, 2026

On this page

A pure reputation hit says little about why an IP, domain, or URL is dangerous. For production firewall policies, a generic “bad” is rarely enough. Admins need to understand whether an indicator stands out through scanning, exploit attempts, botnet communication, phishing, malware delivery, or repeated credential attacks.

Cybora therefore evaluates not only whether an indicator appears in a source. The relevant questions are which behavior was observed, how fresh it is, whether it is independently confirmed, and whether blocking is possible with acceptable collateral damage.

Why behavior matters more than a black-box score

An abstract score can be useful for prioritization, but it is hard to defend. If a block affects a business connection, a traceable behavior category is more useful than a number without context.

Behavior-based Signals answer more concrete questions:

  • Was the source observed during mass scanning?
  • Were there exploit attempts against known services?
  • Does the infrastructure match botnet or command-and-control communication?
  • Is a domain or URL used for phishing or malware delivery?
  • Does the same source appear in repeated credential attacks?

This classification makes threat intelligence more operational. An admin can better decide whether an indicator should be blocked, logged first, or reviewed more closely.

Relationship with correlation

Behavior becomes stronger when it is observed repeatedly and independently. A single scanner hit is a hint. The same origin across multiple sources, points in time, or environments is much more reliable.

That is why behavior-based evaluation belongs closely with Signal Correlation. The category explains what happened; the correlation explains how well the observation is supported.

Why this lowers false-positive risk

Not every suspicious behavior automatically justifies hard blocking. An IP in a shared hosting, CDN, VPN, or cloud environment can have multiple roles. Even when a signal is technically correct, collateral damage may be too high.

Cybora therefore combines behavior category, evidence, freshness, and collateral damage. An indicator must not only look suspicious; it must be defensible for use in a production firewall policy.

What stays internal

The public documentation explains the logic, not the recipe. Concrete categories, weights, thresholds, source priorities, and internal scoring rules remain protected. This prevents attackers from deliberately evading feed admission and competitors from copying the curation logic.

For admins, the important principle is this: the feed is not just a list of reputation hits. It is the result of observed behavior, independent evidence, freshness assessment, and operational risk evaluation.