Explainability Center
This page documents how analytical conclusions are reached, labeled, and revised in this platform.
How We Reason
- A raw fact recorded directly: what was seen or measured
- The source material that supports or challenges a claim
- What the evidence might mean, always labeled as inference
- Connecting an observation to an entity or cause
- How certain we are, given all available evidence and its limitations
How Confidence Levels Are Determined
The claim is directly supported by authoritative, independently verifiable data sources. No significant contradictions exist.
- Authoritative source (registry data, official logs)
- Independently verifiable by a third party
- No contradicting evidence found
- Timestamps and provenance are clear

Multiple consistent indicators support the claim, but complete independent verification is not achievable with current data.
- Two or more consistent data sources
- Behavioral patterns match known signatures
- No significant contradictions
- Some gaps remain in the evidence chain

The claim is plausible given the surrounding context, but relies on circumstantial or indirect evidence. Alternative explanations have not been ruled out.
- Pattern similarity or contextual fit
- Based on statistical likelihood, not direct observation
- Alternative explanations remain viable
- Limited to circumstantial indicators

Insufficient evidence exists to assess confidence in either direction. The situation requires further investigation.
- Data is ambiguous or incomplete
- Multiple equally plausible explanations exist
- Investigation is still in progress
- Key data sources are unavailable

Available evidence directly contradicts the claim or hypothesis. The initial hypothesis has been shown to be incorrect.
- Authoritative evidence refutes the claim
- User/system confirmation contradicts the hypothesis
- Multiple independent sources agree in contradiction
- Initial assumption was based on incomplete information
Observations vs. Interpretations
Observation
A directly measurable fact that can be recorded without analyst judgment. Observations are logged as-is from data sources.
Example: "IP 185.220.101.47 sent 3,400 SYN packets to port 22 over 6 hours on 2025-05-18."
Interpretation
An analyst-derived conclusion based on observations. Interpretations involve judgment, pattern matching, or inference, and must be explicitly labeled as such.
Example: "The scan pattern is consistent with automated reconnaissance toolkits."
Attribution Limitation Types
Proxy / Anonymization Layer
Traffic routed through Tor, VPN, or proxy services. True origin is obscured.
Example: Tor exit node 185.220.101.47; we cannot determine who is upstream of the exit node.
Shared Infrastructure
IP addresses or domains hosted on shared infrastructure (CDNs, cloud providers). Many actors share the same IPs.
Example: CloudFront edge node 203.0.113.142 serves millions of different customers.
WHOIS Privacy
Domain registration data is hidden behind privacy services.
Example: paypa1-secure.net uses NameCheap privacy service; registrant identity is unknown.
Common TTPs
Tactics, techniques, and procedures are too common to attribute to a specific actor.
Example: Credential stuffing via distributed IPs is used by many different entities with unresolved attribution.
No Payload Visibility
Encrypted traffic (HTTPS, TLS) cannot be inspected for content without interception.
Example: HTTPS transfer to 203.0.113.142; content unknown, could be a backup or exfiltration.
Evidence Reliability Matrix
| Source Type | Reliability | Notes |
|---|---|---|
| Registry Data (WHOIS, RDAP, RIPE) | High | Authoritative; independently verifiable |
| Official Threat Intel Feeds | Medium-High | Current but may have false positives |
| Behavioral Pattern Matching | Medium | Probabilistic; multiple tools match the same patterns |
| User Interview | Medium | Cannot be independently verified; requires corroboration |
| Sandbox Analysis | Medium | Snapshot in time; malware may detect sandbox environment |
| Name/Domain Similarity | Low-Medium | Circumstantial; multiple legitimate sites use similar names |
| Geolocation Data | Low | IP geolocation is approximate; VPNs invalidate it entirely |
Confidence Change Log
Investigation: Observed svchost.exe outbound connections to unknown external IPs, WORKSTATION-01
1. Investigation created from probe observation. No enrichment performed. Destination IPs and process legitimacy are unknown.
2. RDAP and BGP evidence confirms Anthropic PBC ownership of 160.79.104.10 (AS399358). RPKI ROA valid. DNS corroboration via claude.ai and anthropic.com resolution. Three independent authoritative sources corroborate IP block ownership.
3. Historical BGP data (ev-spike-010) shows 160.79.104.0/23 was briefly announced via Lumen (AS3356) as alternate transit in Q4 2025. While IP ownership (AS399358) is unchanged, the assumption of exclusive Cloudflare transit was contradicted. Routing continuity requires verification before the conclusion can stand.
4. Investigator review confirmed: (1) the routing anomaly affected the transit PATH only, not IP block OWNERSHIP; AS399358 registration to Anthropic PBC was continuous throughout Q4 2025; (2) investigator note-spike-001 confirms Claude Desktop installation providing service attribution; (3) note-spike-002 confirms process legitimacy. The contradiction was specific to a transit path assumption, not the core attribution. All original attribution evidence (ev-spike-001, ev-spike-002, ev-spike-006, ev-spike-007) remains valid and unaffected.
5. Investigator confirmed process legitimacy via note-spike-002: the process tree shows a legitimate parent (services.exe), the image path is C:\Windows\System32\svchost.exe, and the digital signature is valid (Microsoft Windows Publisher). The process is not a malware impersonator.
6. Service attribution to Claude Desktop is circumstantial: consistent with all evidence (Claude Desktop installed, DNS queries for claude.ai, Anthropic IP attribution, HTTPS connection pattern) but not independently verified via automated endpoint analysis. The linkage between the installed application and these specific network flows was not confirmed programmatically.
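As an added example (not code from the platform this page describes), the following Python sketch encodes the confidence criteria from "How Confidence Levels Are Determined" as a decision function and replays the change log above for the IP-ownership claim, showing how a contradiction lowers the level and how an investigator's resolution restores it. The level names, the per-evidence flags and the mapping of ev-spike IDs to sources are assumptions, since the page shows the criteria and the log narrative but not the labels it attaches to each entry.

```python
from dataclasses import dataclass, field

# Level names are assumed for this example; the page gives the criteria but not its labels.
CONFIRMED, PROBABLE, POSSIBLE, UNKNOWN, REFUTED = "confirmed", "probable", "possible", "unknown", "refuted"

@dataclass
class Evidence:
    ev_id: str
    authoritative: bool     # registry data, official logs
    verifiable: bool        # independently verifiable by a third party
    supports: bool          # False means the item contradicts the claim
    resolved: bool = False  # a contradiction explained away by investigator review

def assess(evidence):
    # Map the page's confidence criteria onto a level for one claim.
    active = [e for e in evidence if e.supports or not e.resolved]
    against = [e for e in active if not e.supports]
    for_ = [e for e in active if e.supports]
    if any(e.authoritative for e in against) or len(against) >= 2:
        return REFUTED      # authoritative, or multiple independent, refutation
    if against or not for_:
        return UNKNOWN      # unresolved contradiction, or no data yet
    if any(e.authoritative and e.verifiable for e in for_):
        return CONFIRMED    # authoritative, verifiable, uncontradicted
    if len(for_) >= 2:
        return PROBABLE     # several consistent indicators, gaps remain
    return POSSIBLE         # a single circumstantial indicator

@dataclass
class Investigation:
    title: str
    level: str = UNKNOWN
    evidence: list = field(default_factory=list)
    log: list = field(default_factory=list)   # (old level, new level, note)

    def record(self, note, *new_evidence):
        # Attach evidence, re-assess, and append the transition to the change log.
        self.evidence.extend(new_evidence)
        new = assess(self.evidence)
        self.log.append((self.level, new, note))
        self.level = new
        return new

def svchost_case():
    # Replays the page's change log for the IP-ownership claim; evidence flags and ID-to-source mapping are assumed.
    inv = Investigation("svchost.exe outbound connections to unknown external IPs, WORKSTATION-01")
    inv.record("Created from probe observation; no enrichment performed.")
    inv.record("RDAP, BGP and DNS corroborate ownership of 160.79.104.10 (AS399358).",
               Evidence("ev-spike-001", True, True, True), Evidence("ev-spike-002", True, True, True),
               Evidence("ev-spike-006", False, True, True))
    bgp_hist = Evidence("ev-spike-010", False, True, False)  # historical BGP: contradicts the transit assumption
    inv.record("Historical BGP shows alternate transit; exclusive-transit assumption contradicted.", bgp_hist)
    bgp_hist.resolved = True  # note-spike-001/002: transit path only, ownership continuous
    inv.record("Investigator review: contradiction limited to transit path; attribution stands.")
    return inv
```

Each `log` entry keeps the old level, the new level and the note, so a reader can see why the level changed and which evidence IDs drove it.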