False-positive learning
Every time you mark a pair as benign, Beacon remembers the pattern and stops bothering you with similar traffic on future uploads. This page explains exactly what gets remembered, how to undo a decision, and the limits per plan.
Why this matters: the first time you upload a capture of your own network, you'll see a bunch of stuff that looks suspicious but is actually normal (Windows Update, your antivirus phoning home, Slack, etc.). Clearing those once should clear them forever. That's what this system does.
What “false positive” means
A false positive is when a detection tool flags something as suspicious that turns out to be harmless. Every detection tool has them. The question is how much work it takes to make them stop.
In Beacon, the answer is: one click per pattern. After that, future matches are hidden automatically.
What actually gets suppressed
When you click Mark benign on a pair, Beacon doesn't just remember “that specific IP.” It records the pattern:
- The destination (IP and sometimes hostname)
- The TLS fingerprint (JA3/JA4) if there was one
- The rough behavioral signature (timing cadence, payload shape)
Future uploads are checked against that pattern. If a new pair matches, it's suppressed from the flagged list automatically.
Because the match is pattern-based, not IP-based, you get broad coverage from a single click. Example: you dismiss Windows Update on PC-01 going to one Microsoft IP. Next upload, PC-02 and PC-03 hitting different Microsoft Update IPs are also suppressed, because the fingerprint and behavior match.
Workspace sharing
A workspace is the collaborative container in Beacon: you and your teammates working on the same investigations share one. Suppressions are workspace-wide: when you mark a pair benign, every teammate immediately benefits on their next upload.
If you have multiple workspaces (say, one per client), verdicts don't cross between them. That's deliberate: what's normal at Client A might be suspicious at Client B.
Confirm malicious: what it does (and doesn't) do
Confirm malicious is not the opposite of Mark benign. It does not auto-escalate similar future pairs. What it does:
- Locks the pair's record so future uploads don't re-score it from scratch.
- Adds it to workspace statistics (you'll see a confirmed-malicious count on the Dashboard).
- In a future release: adds the destination to a workspace-private watchlist that elevates severity on subsequent uploads.
The deliberate design is: false positives auto-learn (low cost to dismiss), but true positives get re-scored honestly every time (you don't want a stale verdict to mask a different kind of attack hitting the same destination later).
Undoing a verdict
Open the pair's investigation panel. At the bottom, instead of the usual buttons, you'll see Reset verdict. Click it. The suppression lifts. Similar pairs go back into the queue on your next upload.
To review or bulk-reset many verdicts at once:
- Open Settings from the top-right menu.
- Click Workspace.
- Click Verdicts.
- Every verdict you (or a teammate) has issued is listed with the pattern it suppresses. Reset one row, or click Reset all.
How many verdicts can I save?
- Recon (free): 3 saved verdicts. When you try to add a fourth, the oldest is evicted. You'll see a warning first.
- Hunter, Operator, Partner: unlimited.
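To make the pattern-based suppression described under "What actually gets suppressed" and the Recon eviction rule above concrete, here is a small Python model added for this page; it is not Beacon's own code. The field layout, the exact matching rule (behaviour must agree; a recorded fingerprint carries the match, otherwise the destination does), and the fingerprint values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pair:  # one source/destination pair from an upload (field layout is constructed)
    src: str
    dst_ip: str
    dst_host: Optional[str]
    ja4: Optional[str]  # TLS fingerprint, None for plaintext traffic
    cadence: str        # rough timing signature, e.g. "periodic-1h"
    shape: str          # rough payload shape, e.g. "small-req/large-resp"
@dataclass(frozen=True)
class Pattern:  # what a benign verdict remembers: destination, fingerprint, behaviour
    dst_ip: str
    dst_host: Optional[str]
    ja4: Optional[str]
    cadence: str
    shape: str
    @classmethod
    def from_pair(cls, p: Pair) -> "Pattern":
        return cls(p.dst_ip, p.dst_host, p.ja4, p.cadence, p.shape)

    def matches(self, p: Pair) -> bool:
        # Assumed rule: behaviour must always agree. When a fingerprint is on record it
        # carries the match, so a different IP of the same service still matches (the
        # Windows Update case). With no fingerprint, fall back to the destination.
        if (p.cadence, p.shape) != (self.cadence, self.shape):
            return False
        if self.ja4 is not None:
            return p.ja4 == self.ja4
        return p.dst_ip == self.dst_ip or (self.dst_host is not None and p.dst_host == self.dst_host)

class Workspace:  # workspace-scoped verdict list; limit=3 models Recon, None is unlimited
    def __init__(self, limit: Optional[int] = None):
        self.limit = limit
        self.patterns = []  # Pattern objects, oldest first

    def mark_benign(self, p: Pair) -> Optional[Pattern]:
        # Save the pattern; return the evicted (oldest) one if the plan limit was hit.
        evicted = None
        if self.limit is not None and len(self.patterns) >= self.limit:
            evicted = self.patterns.pop(0)
        self.patterns.append(Pattern.from_pair(p))
        return evicted
    def reset(self, pat: Pattern) -> None:  # similar pairs return to the queue next upload
        self.patterns.remove(pat)

    def triage(self, upload):  # pairs that still need a human look after suppression
        return [p for p in upload if not any(pat.matches(p) for pat in self.patterns)]
```

A second Workspace instance sees none of the first one's verdicts, which is the per-client isolation described above.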
The one mistake to watch for: dismissing a pair that turns out to actually be malicious. Beacon can't catch this for you. If you think you've mis-dismissed something, go to the verdict list, reset it, and re-upload the original capture. The pair will be re-scored from scratch and flagged again if the behavior still warrants it.
