Browse docs

Features

Policy Confidence for Production Firewall Policies

Why Cybora evaluates indicators not only by risk, but also by policy confidence, enforceability, and possible collateral damage.

Last updated: June 26, 2026

On this page

Firewall policies are different from pure analysis. An entry in a report can be interesting, but an entry in a production blocklist can affect applications, users, and customers. Cybora therefore evaluates indicators with production enforceability in mind.

The goal is a feed admins can defend in real policies. It is not enough for an indicator to look suspicious. It must have enough evidence and must not create disproportionate risk for legitimate traffic.

Risk is not the same as blockability

A target may appear risky but still be unsuitable for hard blocking. Examples include:

  • large cloud providers with many legitimate customers
  • CDNs and shared-hosting platforms
  • mail, identity, or collaboration services
  • dynamic provider networks and VPN exits
  • IPs whose use can quickly move between customers

Such environments require stronger evidence than clearly abused infrastructure. Cybora therefore distinguishes between suspicious signals and signals that belong in a production feed with acceptable risk.

Confidence as an internal decision model

Confidence does not come from a single field. It results from multiple factors: observed behavior, freshness, repetition, independent sources, indicator type, possible legitimate use, and previous review experience.

The exact thresholds remain internal. What matters publicly is that Cybora evaluates not only the likelihood of threat activity, but also the consequences of blocking.

Rollout in production environments

Even a well-curated feed should be introduced in a controlled way. Where the platform supports it, starting with monitoring, logging, or limited scope is useful. Blocking can then be enabled step by step where benefit and risk fit together.

Practical checks for retrieval, import, and policy effect are documented in Validation and Troubleshooting.