Investigation Severity Scores
Qevlar automatically calculates a severity score for every investigation, combining multiple risk signals into a single prioritisation signal. This guide explains what the score means, how it is calculated, and how to use it in your workflow.
Why it matters
- Prioritise investigations that require action without wading through low-priority noise
- Ensure high severity threats are never missed due to incorrect tool-level scoring
- Drive automation workflows using a single, consistent score across all detection sources
- Understand exactly why each severity was assigned, with full AI reasoning transparency
How scores are calculated
Qevlar considers five risk signals when determining an investigation's severity score:
- Original alert severities — the severities the source vendor assigned to the underlying alerts; the adjustments below are applied on top of these.
- Threat prevention/mitigation status — score is downgraded if every alert in the investigation has been mitigated (blocked, quarantined, etc.). A single unmitigated alert keeps the score at its baseline.
- Reach — score is upgraded if a high number of users or devices are impacted.
- Active engagement — score is upgraded if a user or device interacted with the threat (for example, clicked a URL, submitted credentials, or executed a payload).
- User and device context — score is upgraded when VIPs, privileged accounts, or critical assets are affected.
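The following is an added, illustrative model of how these five signals can be combined into one level with an attached justification. It is not Qevlar's implementation; the ordering of adjustments, the one-step size of each up/downgrade and the `REACH_THRESHOLD` value are assumptions made for the example, and the alerts fed to it are constructed inline.

```python
"""Illustrative severity model (hypothetical, not Qevlar's algorithm).

Baseline = highest vendor-assigned alert severity, then:
  - downgrade one step if *all* alerts were mitigated,
  - upgrade one step for wide reach, active engagement, sensitive targets.
Every decision is recorded so the result is explainable."""
from dataclasses import dataclass

# Ordered from least to most severe; matches the level names in this guide.
LEVELS = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
REACH_THRESHOLD = 10  # assumption: what counts as a "high number" of entities


@dataclass
class Alert:
    vendor_severity: str      # severity assigned by the source vendor
    mitigated: bool = False   # blocked / quarantined / etc.


@dataclass
class Investigation:
    alerts: list
    impacted_entities: int = 1     # users + devices touched (reach)
    user_engaged: bool = False     # clicked URL, submitted creds, ran payload
    sensitive_target: bool = False  # VIP, privileged account, critical asset


def _shift(level, steps):
    """Move a level up or down, clamped to the ends of the scale."""
    idx = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
    return LEVELS[idx]


def score(inv):
    """Return (severity, reasons) for an investigation."""
    reasons = []
    if not inv.alerts:
        return "INFORMATIONAL", ["no alerts in investigation"]

    # 1. Baseline: the worst vendor severity across all alerts
    level = max((a.vendor_severity for a in inv.alerts), key=LEVELS.index)
    reasons.append(f"baseline {level} from highest vendor severity")

    # 2. Mitigation: only a fully contained investigation is downgraded
    if all(a.mitigated for a in inv.alerts):
        level = _shift(level, -1)
        reasons.append(f"all alerts mitigated -> {level}")

    # 3. Reach
    if inv.impacted_entities >= REACH_THRESHOLD:
        level = _shift(level, +1)
        reasons.append(f"{inv.impacted_entities} entities impacted -> {level}")

    # 4. Active engagement (a blocked phish that was still clicked matters)
    if inv.user_engaged:
        level = _shift(level, +1)
        reasons.append(f"user/device interacted with the threat -> {level}")

    # 5. User and device context
    if inv.sensitive_target:
        level = _shift(level, +1)
        reasons.append(f"VIP/privileged/critical asset affected -> {level}")

    return level, reasons


if __name__ == "__main__":
    # Constructed sample: a blocked phishing mail that a privileged user still clicked
    inv = Investigation([Alert("HIGH", mitigated=True)],
                        user_engaged=True, sensitive_target=True)
    level, why = score(inv)
    print(level)
    for r in why:
        print("  -", r)
```

Note the interaction the text implies but does not spell out: a fully blocked alert starts one level lower, but engagement or a privileged target pulls it straight back up, which is why a "mitigated" phish against an admin does not land in Medium.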
Severity level definitions
- Critical — Confirmed, major impact on business-critical assets, widespread compromise, or ongoing attacker activity. Requires immediate response.
- High — Confirmed malicious activity with localised impact on a single asset, or strongly suspicious behaviour that could escalate. Requires timely investigation and response.
- Medium — Malicious intent or suspicious activity that was contained or blocked before impact, or remains inconclusive. Requires review but not immediate response.
- Low — Informational or very low risk events with no security impact. Worth recording but requires no action.
- Informational — Confirmed benign activity. Nothing further to investigate.
Where to find severity scores
Platform UI
The severity score is displayed as a column in the Investigation List, alongside the Qevlar verdict. This gives analysts an at-a-glance view of priority across all open investigations.
In addition, you can see Qevlar's justification for each severity score by hovering over the Severity value in the Investigation List.
The severity score is also shown within the Investigation View.
API
A new `severity` field has been added to the investigation report API response. This is a non-breaking change: existing integrations keep working, but you should update any custom logic or workflow automations to read the field and start benefiting from the Qevlar investigation score. Example response:
```json
{
  "investigation": {
    "report": {
      "id": "...",
      "outcome": "NOT_HARMFUL",
      "severity": "INFORMATIONAL"
    }
  }
}
```
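As an added example of the automation update this section asks for (not Qevlar's code), the consumer below reads the report response, routes on `severity`, and falls back to `outcome` when the field is missing, as it will be in responses produced before the change. The field names `investigation.report.id/outcome/severity` and the value `NOT_HARMFUL` come from the response above; the assumption that severity values are the upper-cased level names from this guide, the routing actions, and the sample payloads are constructed for the example. The HTTP call itself is left out.

```python
"""Route investigations on the Qevlar severity field (added example).

Assumptions: severity values are the upper-cased level names from this
guide; only NOT_HARMFUL is a known outcome value here; the payloads are
constructed inline instead of being fetched from the API."""
import json

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Hypothetical routing policy for the workflow engine.
ACTIONS = {
    "CRITICAL": "page_oncall",
    "HIGH": "page_oncall",
    "MEDIUM": "queue",
    "LOW": "log",
    "INFORMATIONAL": "close",
}


def severity_of(report_json):
    """Return the severity string, or None if the response predates the field.

    An unknown value raises rather than being silently routed as low priority."""
    report = report_json.get("investigation", {}).get("report", {})
    sev = report.get("severity")
    if sev is None:
        return None
    if sev not in SEVERITY_ORDER:
        raise ValueError(f"unexpected severity value: {sev!r}")
    return sev


def route(report_json):
    """Pick a workflow action, preferring severity over the outcome-only path."""
    sev = severity_of(report_json)
    if sev is not None:
        return ACTIONS[sev]
    # Legacy path: no severity field. NOT_HARMFUL is the only outcome value
    # shown in this guide, so anything else is sent for human review.
    outcome = report_json.get("investigation", {}).get("report", {}).get("outcome")
    return "close" if outcome == "NOT_HARMFUL" else "review"


def needs_immediate_response(report_json):
    """True for High and Critical, the two levels this guide says need timely/immediate response."""
    sev = severity_of(report_json)
    return sev is not None and SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index("HIGH")


# Constructed sample payloads (the first mirrors the response shown above).
SAMPLE_NEW = json.loads("""
{"investigation": {"report": {"id": "...", "outcome": "NOT_HARMFUL",
                              "severity": "INFORMATIONAL"}}}
""")
SAMPLE_HIGH = json.loads("""
{"investigation": {"report": {"id": "...", "outcome": "HARMFUL_PLACEHOLDER",
                              "severity": "HIGH"}}}
""")
SAMPLE_LEGACY = json.loads("""
{"investigation": {"report": {"id": "...", "outcome": "NOT_HARMFUL"}}}
""")

if __name__ == "__main__":
    for name, payload in [("new", SAMPLE_NEW), ("high", SAMPLE_HIGH), ("legacy", SAMPLE_LEGACY)]:
        print(name, severity_of(payload), route(payload), needs_immediate_response(payload))
```

The fail-closed choice in `severity_of` is deliberate: if the platform ever returns a level your automation has not seen, you want the job to error out where someone notices, not quietly file a Critical investigation under "log".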