The AI verdict structure
Every successful analysis produces a verdict with five sections.
Veredicto — the classification
The overall threat classification of the IoC. The verdict is the AI’s judgment based on all data returned by the threat intelligence sources. It is not a deterministic rule — it reflects the model’s reasoning over the aggregated data.
There are three possible values:
| Value | Meaning |
|---|---|
| Malicioso | The IoC is assessed as malicious. It has been associated with known threats, abuse, or malware. |
| Sospechoso | The IoC shows suspicious characteristics but cannot be conclusively classified as malicious. Treat with caution. |
| Benigno | The IoC appears benign based on the available intelligence. |
Confianza — confidence level
How confident the AI is in its verdict. Low confidence often occurs when only one or two sources returned data, or when the IoC has minimal historical activity across sources.
There are three levels:
| Value | Meaning |
|---|---|
| Alta (High) | Strong, consistent signals across multiple sources support the verdict. |
| Media (Medium) | Some supporting evidence exists but the signals are mixed or partial. |
| Baja (Low) | Limited or ambiguous data was available. The verdict is a best assessment under uncertainty. |
Resumen — summary
A concise narrative summary of the analysis. This paragraph explains the key findings from the threat intelligence sources and the reasoning behind the verdict in plain language.
Motivos — supporting reasons
A bullet list of specific evidence or observations that support the verdict. Each point corresponds to a concrete signal found in the intelligence data — for example, a detection count from VirusTotal, an abuse confidence score from AbuseIPDB, or a PolySwarm assertion.
Acciones recomendadas — recommended actions
A bullet list of actions you should consider taking based on the verdict and confidence level. Examples include blocking the IP at the firewall, quarantining a file, or conducting further investigation. These are the AI’s recommendations — apply your own judgment before acting.
Source warnings
CyberThreat AI queries multiple intelligence sources for each IoC. If a source returns no data, encounters an API key issue, or is temporarily unavailable, a source warning appears alongside the verdict. Warnings are displayed inline in the results panel. Each warning identifies the source by name and includes a short reason. Common reasons include:
- Invalid API key — the key provided for that source was rejected. Check your key in the settings modal.
- No data returned — the source had no records for this IoC. This is not always an error; new or private IPs and hashes may simply have no history.
- Source unavailable — the source API returned an unexpected error or was unreachable.
When all sources return no data
If every threat intelligence source queried returns no data for your IoC, the analysis stream completes without generating an AI verdict. The results panel will show the IoC type and any source warnings, but no Veredicto, Confianza, or other verdict sections will appear. This can happen with:
- Newly registered domains with no threat history
- Private or internal IP address ranges
- Recently generated file hashes not yet indexed by any source
Understanding the metadata
Above the verdict, the results panel shows metadata from the meta event emitted at the start of the stream:
| Field | Description |
|---|---|
| IoC | The indicator you submitted, exactly as entered. |
| Type | The detected IoC type: IPv4, IPv6, domain, hash/md5, hash/sha1, or hash/sha256. |
| Model | The AI model used. If you selected openrouter/auto, this updates to show the real routed model once streaming begins. |
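
A pre-submission check for the Type values and the no-data cases described above, as an added example that is not part of CyberThreat AI or its documentation: it sorts an indicator into the listed Type labels and flags non-public IP addresses, which public sources will likely have no records for. The function names and detection rules are assumptions.

```python
import ipaddress
import re

# Type labels come from the metadata table; the detection rules are
# assumptions for this example, not CyberThreat AI's own logic.
HASH_TYPES = {32: "hash/md5", 40: "hash/sha1", 64: "hash/sha256"}
HEX = re.compile(r"[0-9a-fA-F]+")
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_ioc(raw):
    """Return the Type label for an indicator, or None if unrecognised."""
    ioc = raw.strip()
    try:
        return "IPv4" if ipaddress.ip_address(ioc).version == 4 else "IPv6"
    except ValueError:
        pass
    if HEX.fullmatch(ioc) and len(ioc) in HASH_TYPES:
        return HASH_TYPES[len(ioc)]
    labels = ioc.rstrip(".").split(".")
    looks_like_name = len(labels) >= 2 and all(LABEL.fullmatch(p) for p in labels)
    # An all-numeric last label means a malformed IPv4 address, not a domain.
    if looks_like_name and len(ioc) <= 253 and not labels[-1].isdigit():
        return "domain"
    return None


def no_data_expected(raw):
    """True for private, loopback, link-local or otherwise non-global IPs."""
    if classify_ioc(raw) not in ("IPv4", "IPv6"):
        return False
    return not ipaddress.ip_address(raw.strip()).is_global


def precheck(raw):
    """Describe what to expect before submitting an indicator."""
    ioc_type = classify_ioc(raw)
    if ioc_type is None:
        return "unrecognised"
    if no_data_expected(raw):
        return f"{ioc_type}: non-public address, sources will likely return no data"
    return f"{ioc_type}: submit"


if __name__ == "__main__":
    # Constructed sample indicators.
    for sample in ["10.0.0.5", "8.8.8.8", "fe80::1", "example.com", "a" * 64]:
        print(sample[:20], "->", precheck(sample))
```

Running a check like this before submission separates a missing verdict caused by an internal address from one caused by a source outage or a rejected API key.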