Every finding includes a confidence score from 0-100 indicating how certain Content Guard Pro is that the finding represents a genuine threat.
Understanding the Score
| Score Range | Confidence Level | Interpretation |
| --- | --- | --- |
| 90-100 | Very High | Almost certainly malicious |
| 75-89 | High | Likely malicious, requires action |
| 50-74 | Medium | Possibly malicious, investigate |
| 25-49 | Low | Uncertain, review needed |
| 0-24 | Very Low | Likely false positive |
How Scores Are Calculated
Content Guard Pro calculates confidence by adding and subtracting weighted signals:
Score Increases (Threat Indicators)
| Signal | Points Added |
| --- | --- |
| Reputation hit (Safe Browsing/PhishTank) | +50 |
| External script tag | +30 |
| External iframe tag | +25 |
| Hidden element with external link/script | +20 |
| Obfuscation detected | +15 |
| URL shortener domain | +10 |
| SEO spam keywords | +5 to +20 |
| On custom denylist | +25 |
| Event handler attributes | +10 |
Score Decreases (Trust Indicators)
| Signal | Points Subtracted |
| --- | --- |
| Domain on allowlist | -25 |
| Accessibility class (sr-only, etc.) | -15 |
| Known safe pattern | -10 |
Example Calculations
Example 1: External Script (Critical)
| Factor | Points |
| --- | --- |
| External script tag found | +30 |
| Domain not on allowlist | +0 |
| No reputation data | +0 |
| Initial score | 30 (Suspicious) |
| If flagged by Safe Browsing | +50 |
| Final score | 80 (Critical) |
Example 2: Hidden Element (Suspicious)
| Factor | Points |
| --- | --- |
| Hidden content detected | +10 |
| Contains external link | +20 |
| Link uses URL shortener | +10 |
| Initial score | 40 (Review) |
| If domain on denylist | +25 |
| Final score | 65 (Suspicious) |
Example 3: False Positive Avoided
| Factor | Points |
| --- | --- |
| Hidden content detected | +10 |
| Uses accessibility class | -15 |
| No external resources | +0 |
| Final score | 0 (Not flagged) |
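
The additive calculation above, reproduced as an added Python example that is not Content Guard Pro's own code. The signal key names and the clamp to the 0-100 range are assumptions; the weights come from the tables on this page, and the +10 for hidden content is the base value used in Examples 2 and 3.

```python
# Added illustration; weights are copied from the tables on this page.
# Signal key names and the 0-100 clamp are assumptions, not plugin internals.
WEIGHTS = {
    "reputation_hit": 50,
    "external_script": 30,
    "external_iframe": 25,
    "hidden_with_external": 20,
    "obfuscation": 15,
    "url_shortener": 10,
    "on_denylist": 25,
    "event_handler": 10,
    "hidden_content": 10,       # base value shown in Examples 2 and 3
    "on_allowlist": -25,
    "accessibility_class": -15,
    "known_safe_pattern": -10,
}

# Lower bound of each confidence band from "Understanding the Score".
BANDS = [(90, "Very High"), (75, "High"), (50, "Medium"), (25, "Low"), (0, "Very Low")]


def score_finding(signals, seo_spam_points=0):
    """Return (score, confidence_level, breakdown) for a list of signal names."""
    unknown = set(signals) - WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    if not 0 <= seo_spam_points <= 20 or 0 < seo_spam_points < 5:
        raise ValueError("SEO spam keywords contribute 0 or +5 to +20")
    breakdown = [(name, WEIGHTS[name]) for name in signals]
    if seo_spam_points:
        breakdown.append(("seo_spam_keywords", seo_spam_points))
    raw = sum(points for _, points in breakdown)
    score = max(0, min(100, raw))  # assumed clamp to the documented range
    level = next(label for floor, label in BANDS if score >= floor)
    return score, level, breakdown


if __name__ == "__main__":
    cases = {
        "Example 1": ["external_script", "reputation_hit"],
        "Example 2": ["hidden_content", "hidden_with_external",
                      "url_shortener", "on_denylist"],
        "Example 3": ["hidden_content", "accessibility_class"],
    }
    for title, signals in cases.items():
        score, level, breakdown = score_finding(signals)
        print(title, score, level, breakdown)
```

The returned breakdown lists each modifier with its points, which makes it easy to see which single signal moved a finding across a band boundary.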
Score Breakdown in UI
View score details for any finding:
1. Go to Content Guard Pro → Findings
2. Click on a finding to expand details
3. Look for Confidence Score Breakdown
The breakdown shows:
- Base score for the detection pattern
- Each modifier applied
- Final calculated score
Interpreting Scores by Pattern Type
External Resources (Scripts/Iframes)
| Score | Likely Meaning |
| --- | --- |
| 85-100 | Known malicious domain or confirmed threat |
| 70-84 | Unknown domain, suspicious characteristics |
| 50-69 | Unknown domain, no additional signals |
| Below 50 | Likely on partial allowlist or common CDN |
Hidden Content
| Score | Likely Meaning |
| --- | --- |
| 75-100 | Hidden element with external resources |
| 50-74 | Hidden content with suspicious patterns |
| Below 50 | Accessibility-related hiding (sr-only) |
SEO Spam
| Score | Likely Meaning |
| --- | --- |
| 70+ | Multiple spam keywords or patterns |
| 50-69 | Single clear spam term |
| Below 50 | Ambiguous or single word match |
Score Thresholds and Actions
Automatic Actions (Configurable)
| Threshold | Possible Automation |
| --- | --- |
| 80+ | Auto-quarantine (future feature) |
| 70+ | Immediate email alert |
| 50+ | Include in daily digest |
| Any | Log and display in findings |
Recommended Manual Actions
| Score | Recommended Action |
| --- | --- |
| 80+ | Quarantine immediately, investigate source |
| 60-79 | Review within 24 hours, likely needs action |
| 40-59 | Check when convenient, may be false positive |
| Below 40 | Evaluate, likely ignore or allowlist |
Improving Score Accuracy
Reduce False Positives
1. Add trusted domains to allowlist – your CDNs, analytics, embeds
2. Review “Review” findings – identify patterns to allowlist
3. Report false positives – helps improve detection patterns
Increase Detection
1. Add known-bad domains to denylist – sites you know are malicious
2. Keep patterns updated – ensure automatic updates are enabled
3. Enable reputation services – Safe Browsing and PhishTank
Score Limitations
Confidence scores are estimates based on pattern matching and reputation data. They cannot:
- Guarantee a URL is safe (no reputation data doesn’t mean safe)
- Catch zero-day threats before pattern updates
- Account for context (legitimate security articles may contain example patterns)
Always use human judgment for final decisions on borderline findings.