Behavioral scoring

Every row in your Detections list has a number between 0 and 100 next to it. This page explains what the number means, where it comes from, and how to read it without needing a security background.

In plain English: Beacon looks at how two computers are talking to each other: not what they say, just the rhythm. Malware calling home has a rhythm. A person browsing the web does not. The score is how closely the rhythm resembles malware calling home.

What a “pair” is

Throughout Beacon, a pair means one source IP (a computer on your network) talking to one destination IP (something on the internet, usually). Beacon doesn't score packets one at a time. It collects every conversation between the two during the recording window and scores the whole relationship.

This matters because malware “beacons”: it calls home over and over on a schedule. Any single packet looks harmless. It's only when you step back and watch the whole pattern over minutes or hours that the beaconing becomes obvious. That's why Beacon scores pairs, not packets.

What the score means

The score is a number from 0 to 100. Higher = more beacon-like.

  • It is not a probability. A score of 80 does not mean “80% chance this is malware.”
  • It is not a verdict. Beacon never says “this is malicious.” It says “this looks suspicious enough that you should check.”
  • Think of it as a priority: look at the high scores first, skip the low ones.

Next to the score you'll see a severity label (Info, Low, Medium, High, Severe). The severity combines the behavior score with extra signals like fingerprint matches and threat intel. See Severity modifiers.

What goes into the score

Beacon looks at four different aspects of the pair's behavior. Each one produces a sub-score, and they're combined into the final number.

  • Timing regularity. Are the connections happening on a schedule? Real malware often calls home every 60 seconds, or every 5 minutes, or every hour, consistently. Even when attackers add random delays (“jitter”) to hide the pattern, the average interval is still visible if you record long enough.
  • Payload symmetry. How does the amount sent compare to the amount received? A typical beacon sends a small “anything for me?” message and occasionally gets back a bigger command. Normal user traffic (loading a webpage, streaming video) is rarely that clean. Websites usually send back way more than the browser sends up.
  • Duration stability. Are the connections all roughly the same length? A human clicking around uses connections of wildly varying length. A program checking in every minute tends to produce nearly-identical connection durations.
  • Session characteristics. Structural oddities like very low session counts over a long window, talking to only one port, or other patterns that don't match how normal apps use the network.

Each of the four axes is scored on its own. The final score combines them, and importantly, it rewards convergence. One suspicious axis alone gives you a moderate score. Three or four suspicious axes at once give you a high score. That's intentional: lots of legitimate software looks weird on one axis.
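To make the four axes and the convergence idea concrete, here is a toy scorer added as an illustration; it is not Beacon's own code, and the Flow record, the 0.7 "hot axis" threshold and the combining formula are assumptions chosen to behave the way this page describes. The two sample pairs are constructed, not captured traffic.

```python
import statistics
from dataclasses import dataclass

@dataclass
class Flow:
    ts: float        # connection start, seconds since the window began
    sent: int        # bytes from the source host to the destination
    received: int    # bytes from the destination back to the source
    duration: float  # connection length in seconds
    dport: int       # destination port

def regularity(values):
    # 1.0 when all values are identical, sliding to 0 as they spread out (one minus
    # the coefficient of variation); jitter barely moves this. Two samples say nothing.
    if len(values) < 3 or statistics.mean(values) <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(values) / statistics.mean(values))

def payload_symmetry(flows):
    # Upstream share of each flow's bytes; 0.5 is perfectly symmetric. The median
    # shrugs off the occasional large reply that carries a command.
    shares = [f.sent / (f.sent + f.received) for f in flows if f.sent + f.received]
    return 1.0 - 2 * abs(statistics.median(shares) - 0.5) if shares else 0.0

def score_pair(flows, hot=0.7):
    # Returns (score 0-100, per-axis breakdown). The breakdown is what an
    # "Explain why" view lists; the combining formula is an assumption here.
    flows = sorted(flows, key=lambda f: f.ts)
    axes = {
        "timing": regularity([b.ts - a.ts for a, b in zip(flows, flows[1:])]),
        "payload": payload_symmetry(flows),
        "duration": regularity([f.duration for f in flows]),
        "session": 1.0 if len({f.dport for f in flows}) == 1 else 0.0,  # one port only
    }
    values = list(axes.values())
    convergence = sum(v >= hot for v in values) / len(values)  # share of hot axes
    base = 0.5 * max(values) + 0.5 * statistics.mean(values)  # one hot axis: moderate
    return round(100 * base * (0.5 + 0.5 * convergence), 1), axes

# Constructed sample pairs (not real captures): a jittered once-a-minute check-in and a news-site visit.
BEACON = [Flow(t, 180, 200, d, 443) for t, d in zip(
    [0, 61, 119, 182, 240, 299, 362, 418], [0.5, 0.52, 0.48, 0.5, 0.51, 0.49, 0.5, 0.5])]
BEACON[3].received = 2400  # one tasking reply, much bigger than the usual poll
BROWSING = [Flow(*r) for r in [
    (0, 600, 45000, 0.2, 443), (3, 900, 120000, 5.0, 443), (4, 500, 30000, 0.8, 80),
    (40, 700, 80000, 12.0, 443), (41, 800, 9000, 0.1, 8443), (300, 650, 60000, 3.5, 443),
    (301, 550, 70000, 0.6, 80), (302, 1200, 200000, 25.0, 443)]]

if __name__ == "__main__":
    print(score_pair(BEACON), score_pair(BROWSING))
```

The beacon-like pair scores in the high nineties with all four axes hot, the browsing pair scores under one, and a pair that is regular only in timing lands in the moderate range, which is the convergence behaviour the text describes.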

Seeing exactly why a pair scored high

Click any pair in the Detections list. The panel that opens has a section called Explain why. It lists every signal that contributed to the score, how much each one contributed, and whether it pushed the score up or down.

If Beacon flags a pair and you don't understand why, this section is always the answer. You don't have to trust the number. You can see the math.

What the score doesn't tell you

A high score means the behavior looks beacon-like. It does not mean the destination is malicious. Plenty of legitimate software beacons:

  • Windows Update checks Microsoft's servers on a regular schedule. Very regular timing.
  • Antivirus and EDR agents phone home to report status every few minutes. Very regular timing and very asymmetric payloads.
  • Software update checkers (Chrome, Slack, Zoom, etc.) all behave like well-mannered beacons.

Beacon will flag these. That's expected. The threat intel section tells you who owns the destination IP, and the investigation panel gives you the tools to tell “Microsoft Update” from “a C2 server pretending to be Microsoft.” Once you've confirmed a pair is benign, one click and Beacon suppresses similar matches forever. See False-positive learning.

Scoring weights are set in the engine and are the same for every customer in the current release. You can't tune them from the UI yet. What you can do is mark pairs benign. That silences similar matches next time, without changing the underlying score.