how the threat level is calculated
Every five minutes a scheduled job aggregates the latest cybersecurity signals into a single 0–100 score. The score answers a simple question: how alert should a SOC engineer be right now?
inputs
The score is recalculated on every five-minute tick from the same data feeds that power the live pcap.post home page:
- CVEs added in the last 24 hours, weighted by severity
- CVEs flagged by CISA's Known Exploited Vulnerabilities (KEV) catalogue or with confirmed in-the-wild exploitation
- Critical- and high-severity headlines from curated security news feeds, published in the last 24 hours
formula
Starting from a baseline of 20, each contributing signal adds points:
| signal | per item |
|---|---|
| active KEV / in-the-wild CVE | +6 |
| critical CVE | +4 |
| critical headline (last 24h) | +3 |
| high CVE | +2 |
| high-severity headline (last 24h) | +1 |
The result is clamped to the 0–100 range. Because every signal only adds to the baseline of 20, only the upper bound can actually bind: a busy day saturates at 100, and the score never falls below 20, so LOW means fewer than 15 points of signal in the window.
levels
| score | level | meaning |
|---|---|---|
| ≥ 80 | SEVERE | active mass exploitation; treat in-the-wild (ITW) CVEs as P0 |
| 60–79 | ELEVATED | multiple critical signals; review and patch this shift |
| 35–59 | GUARDED | routine vigilance; nothing on fire today |
| < 35 | LOW | quiet news cycle; catch up on backlog |
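The formula and level tables above are small enough to check by hand, but the edge cases (a CVE that arrives from two feeds, a critical CVE that is also on the KEV list, an item just outside the 24-hour window, the clamp) are where a re-implementation drifts from the published rules. The following is an added example, not the pcap.post code in functions/_lib/feeds.js: it re-implements the scoring from the tables against a constructed batch of signals. The record shapes (`id`, `severity`, `kev`, `itw`, `published`), the de-duplication by CVE id, and the rule that a CVE is counted once in its highest-weighted bucket are assumptions made here, since the page does not specify them.

```javascript
// Added example, not the pcap.post implementation in functions/_lib/feeds.js:
// a stand-alone re-implementation of the published scoring rules so the
// arithmetic can be checked against a constructed batch of signals.

const BASELINE = 20;
const WINDOW_MS = 24 * 60 * 60 * 1000;

// Points per item, straight from the formula table.
const WEIGHTS = {
  itwCve: 6,            // KEV-listed or confirmed in-the-wild exploitation
  criticalCve: 4,
  criticalHeadline: 3,
  highCve: 2,
  highHeadline: 1,
};

// Level thresholds from the levels table, checked highest first.
const LEVELS = [
  [80, 'SEVERE'],
  [60, 'ELEVATED'],
  [35, 'GUARDED'],
  [0, 'LOW'],
];

// Assumed record shapes (the page does not specify the feed schema):
//   cve:      { id, severity, kev, itw, published }
//   headline: { title, severity, published }
// severity is 'critical' | 'high' | 'medium' | 'low'; published is ISO-8601.

function inWindow(item, now) {
  const t = Date.parse(item.published);
  return Number.isFinite(t) && t <= now && now - t <= WINDOW_MS;
}

// Assumption: a CVE is counted once, in its highest-weighted bucket, so a
// critical CVE that is also on the KEV list scores +6, not +10.
function cveBucket(cve) {
  if (cve.kev || cve.itw) return 'itwCve';
  if (cve.severity === 'critical') return 'criticalCve';
  if (cve.severity === 'high') return 'highCve';
  return null;                       // medium/low CVEs contribute nothing
}

function headlineBucket(h) {
  if (h.severity === 'critical') return 'criticalHeadline';
  if (h.severity === 'high') return 'highHeadline';
  return null;
}

// Assumption: the same CVE can arrive from more than one feed (an NVD-style
// feed and the KEV catalogue, say), so entries are merged by id before
// counting, OR-ing the exploitation flags so the record keeps its highest weight.
function dedupeCves(cves) {
  const byId = new Map();
  for (const c of cves) {
    const prev = byId.get(c.id);
    byId.set(c.id, prev
      ? { ...prev, kev: prev.kev || c.kev, itw: prev.itw || c.itw }
      : { ...c });
  }
  return [...byId.values()];
}

function threatScore({ cves, headlines }, now = Date.now()) {
  const counts = Object.fromEntries(Object.keys(WEIGHTS).map(k => [k, 0]));
  for (const c of dedupeCves(cves)) {
    const b = inWindow(c, now) ? cveBucket(c) : null;
    if (b) counts[b] += 1;
  }
  for (const h of headlines) {
    const b = inWindow(h, now) ? headlineBucket(h) : null;
    if (b) counts[b] += 1;
  }
  const raw = Object.entries(counts)
    .reduce((sum, [k, n]) => sum + n * WEIGHTS[k], BASELINE);
  // Clamp to 0..100. With additive-only signals only the upper bound can bind.
  const score = Math.max(0, Math.min(100, raw));
  return { score, raw, counts };
}

function threatLevel(score) {
  return LEVELS.find(([min]) => score >= min)[1];
}

// Constructed sample batch (placeholder ids, not real CVEs), frozen at a
// fixed "now" so the result is reproducible.
const NOW = Date.parse('2024-05-01T12:00:00Z');
const SAMPLE = {
  cves: [
    { id: 'CVE-0000-0001', severity: 'critical', kev: true,  itw: false, published: '2024-05-01T08:00:00Z' },
    { id: 'CVE-0000-0001', severity: 'critical', kev: false, itw: true,  published: '2024-05-01T08:00:00Z' }, // same CVE, second feed
    { id: 'CVE-0000-0002', severity: 'critical', kev: false, itw: false, published: '2024-05-01T03:00:00Z' },
    { id: 'CVE-0000-0003', severity: 'high',     kev: false, itw: false, published: '2024-04-30T20:00:00Z' }, // 16h old, in window
    { id: 'CVE-0000-0004', severity: 'high',     kev: false, itw: false, published: '2024-04-28T00:00:00Z' }, // outside 24h window
    { id: 'CVE-0000-0005', severity: 'medium',   kev: false, itw: false, published: '2024-05-01T11:00:00Z' },
  ],
  headlines: [
    { title: 'Mass exploitation of example gateway', severity: 'critical', published: '2024-05-01T10:30:00Z' },
    { title: 'Vendor patches auth bypass',           severity: 'high',     published: '2024-05-01T09:00:00Z' },
  ],
};

// 20 + 6 (ITW) + 4 (critical) + 2 (high) + 3 + 1 (headlines) = 36 -> GUARDED
const SAMPLE_RESULT = threatScore(SAMPLE, NOW);
console.log(SAMPLE_RESULT, threatLevel(SAMPLE_RESULT.score));
```

Run with `node` and compare the printed counts against the tables: the duplicated CVE lands in `itwCve` exactly once, the four-day-old high CVE and the medium CVE add nothing, and the total is 36, GUARDED. Twenty KEV entries in one window give a raw 140 that the clamp reports as 100, which is why the page's SEVERE band should be read as "saturated" rather than as a precise count.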
delta
The arrow next to the score (▲ / ▼) shows the difference from the previous reading: on the home page, the change since the last five-minute tick; in the daily email, the change from yesterday's score.
caveats
The score is a heuristic, not a predictive model. It tells you whether the last 24 hours have produced more or fewer dangerous signals than usual — it does not assess your specific environment, exposure, or patch posture. It's intended to set the temperature, not to replace threat modelling.
Implementation: functions/_lib/feeds.js · function fetchThreat.