Investigation Severity Scores
Qevlar automatically calculates a severity score for every investigation, combining multiple risk signals into a single prioritisation signal. This guide explains what the score means, how it is calculated, and how to use it in your workflow.
Why it matters
- Prioritise investigations that require action without wading through low-priority noise
- Ensure high severity threats are never missed due to incorrect tool-level scoring
- Drive automation workflows using a single, consistent score across all detection sources
- Understand exactly why each severity was assigned, with full AI reasoning transparency
How scores are calculated
Qevlar considers four risk signals when determining an investigation's severity score: the original alert severity assigned by the detection source; the investigation verdict (malicious or not harmful); user and device engagement with the threat; and the scope of impact alongside the threat's mitigation status.
Severity level definitions
- Critical — Confirmed, major impact on business-critical assets, widespread compromise, or ongoing attacker activity. Requires immediate response.
- High — Confirmed malicious activity with localised impact on a single asset, or strongly suspicious behaviour that could escalate. Requires timely investigation and response.
- Medium — Malicious intent or suspicious activity that was contained or blocked before impact, or remains inconclusive. Requires review but not immediate response.
- Low — Informational or very low risk events with no security impact, or confirmed benign activity.
- Informational — Confirmed benign activity. Nothing further to investigate.
Where to find severity scores
Platform UI
The severity score is displayed as a column in the Investigation List, alongside the Qevlar verdict. This gives analysts an at-a-glance view of priority across all open investigations.
The severity score is also shown within the Investigation View.
API
A new field has been added to the investigation report API response. This is a non-breaking change; however, you should update any custom logic or workflow automations so that they start benefiting from the Qevlar investigation severity score:
{
  "investigation": {
    "report": {
      "id": "...",
      "outcome": "NOT_HARMFUL",
      "severity": "INFORMATIONAL"
    }
  }
}
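The following is an added example (not Qevlar's own code) of how a workflow automation can consume the new field: it reads the severity from the report payload, tolerates older payloads that predate the field (since the change is non-breaking), and ranks investigations by the level definitions above. The upper-case spellings of the four levels other than INFORMATIONAL, the "MALICIOUS" outcome value, and the fallback for a missing field are assumptions of this example.

```python
import json
from typing import Dict, List

# Severity levels from this page, highest first. The API spells the level
# in upper case (the page shows "INFORMATIONAL"); the other four spellings
# are assumed to follow the same convention.
SEVERITY_ORDER: List[str] = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]
SEVERITY_RANK: Dict[str, int] = {level: i for i, level in enumerate(SEVERITY_ORDER)}

# Constructed sample payloads in the shape shown on this page. The outcome
# value "MALICIOUS" is assumed. The last payload imitates a report produced
# before the "severity" field existed, which a non-breaking change means a
# consumer must still tolerate.
SAMPLE_REPORTS: List[str] = [
    '{"investigation": {"report": {"id": "inv-a", "outcome": "NOT_HARMFUL", "severity": "INFORMATIONAL"}}}',
    '{"investigation": {"report": {"id": "inv-b", "outcome": "MALICIOUS", "severity": "CRITICAL"}}}',
    '{"investigation": {"report": {"id": "inv-c", "outcome": "MALICIOUS", "severity": "medium"}}}',
    '{"investigation": {"report": {"id": "inv-d", "outcome": "MALICIOUS"}}}',
]


def effective_severity(payload: str) -> str:
    """Return the upper-cased severity of one investigation report payload.

    If the field is absent, fall back to the verdict: NOT_HARMFUL maps to LOW,
    anything else is treated as HIGH so it is not silently buried. That
    fallback is an assumption of this example, not documented Qevlar behaviour.
    """
    report = json.loads(payload)["investigation"]["report"]
    severity = report.get("severity")
    if severity is None:
        return "LOW" if report.get("outcome") == "NOT_HARMFUL" else "HIGH"
    severity = str(severity).upper()
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unexpected severity value: {severity!r}")
    return severity


def needs_immediate_response(payload: str) -> bool:
    """Only Critical requires immediate response per the level definitions."""
    return effective_severity(payload) == "CRITICAL"


def prioritise(payloads: List[str]) -> List[str]:
    """Return investigation ids ordered from most to least severe."""
    ranked = sorted(payloads, key=lambda p: SEVERITY_RANK[effective_severity(p)])
    return [json.loads(p)["investigation"]["report"]["id"] for p in ranked]


if __name__ == "__main__":
    for inv_id in prioritise(SAMPLE_REPORTS):
        print(inv_id, needs_immediate_response)
```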