CICS · SENTINEL · METHODOLOGY

How the record is built

Atlas is a public record of adversarial infrastructure SENTINEL observed before it was disclosed publicly — and how its value decays over time. No detection methods are described here; this explains the scoring.

Lead time

Every indicator carries two anchors: first observed (when SENTINEL first saw the infrastructure) and the first public disclosure (when an open source first listed it). Lead time is the gap between them — how many days SENTINEL was ahead. It is computed per source; the headline figure is the gap to the earliest public source.

Corroboration sources

We pull the recent bulk lists from public threat-intel and sandbox feeds and match them locally against our own indicators. We never query our indicators against these services — only consume their newest lists. That protects our preemptive indicators (they never leave our infrastructure) and keeps the call volume to one bulk pull per source per cycle.

  • ThreatFox
  • URLhaus
  • MalwareBazaar
  • AlienVault OTX
  • ROSTI
  • Triage
  • Hybrid Analysis
  • FileScan
  • MWDB

A value that turns up across several of these is a strong corroboration: independent sources, one piece of infrastructure.
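A worked version of the lead-time and local-matching steps described above, added here as illustration and not SENTINEL's or Atlas's own tooling. The indicator values (from documentation address ranges and the reserved .invalid TLD), the first-observed dates and the three bulk lists are all constructed. The per-source gap, the headline gap to the earliest source, and the "seen in two or more sources" corroboration flag follow the text; treating a negative gap (a source listed the value before we saw it) as simply a negative lead, with no credit, is an assumption the page does not spell out.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

# Constructed sample data, not real indicators: our own first-observed dates,
# and the bulk lists pulled from three public sources, each mapping a value
# to the date that source first listed it.
OUR_INDICATORS: Dict[str, date] = {
    "198.51.100.23": date(2025, 3, 1),
    "203.0.113.77": date(2025, 3, 10),
    "c2.example.invalid": date(2025, 2, 20),
}
BULK_LISTS: Dict[str, Dict[str, date]] = {
    "ThreatFox": {"198.51.100.23": date(2025, 3, 6), "203.0.113.77": date(2025, 3, 9)},
    "URLhaus": {"c2.example.invalid": date(2025, 2, 27)},
    "AlienVault OTX": {"198.51.100.23": date(2025, 3, 4)},
}


@dataclass
class LeadTimeReport:
    value: str
    first_observed: date
    per_source: Dict[str, int] = field(default_factory=dict)  # source -> lead days
    headline_days: Optional[int] = None    # gap to the earliest public source
    earliest_source: Optional[str] = None
    corroborated: bool = False             # listed by two or more independent sources


def match_locally(ours: Dict[str, date], bulk_lists: Dict[str, Dict[str, date]]):
    """Intersect the pulled bulk lists with our indicators on our side only.

    We iterate over our own values and look them up in lists that were already
    fetched in bulk, so no indicator value is ever sent to a feed as a query.
    """
    reports: Dict[str, LeadTimeReport] = {}
    for value, first_observed in ours.items():
        rep = LeadTimeReport(value, first_observed)
        for source, listed in bulk_lists.items():
            if value in listed:
                # Positive = we were ahead of this source by that many days.
                # Negative = the source listed it first (assumed: no lead-time credit).
                rep.per_source[source] = (listed[value] - first_observed).days
        if rep.per_source:
            # Headline figure: the gap to whichever source disclosed it earliest.
            rep.earliest_source = min(
                rep.per_source, key=lambda s: bulk_lists[s][value]
            )
            rep.headline_days = rep.per_source[rep.earliest_source]
            rep.corroborated = len(rep.per_source) >= 2
        reports[value] = rep
    return reports


if __name__ == "__main__":
    for rep in match_locally(OUR_INDICATORS, BULK_LISTS).values():
        print(rep.value, rep.headline_days, rep.earliest_source, rep.corroborated)
```

Run as a script it prints one line per indicator: the first address has a 3-day headline lead (OTX listed it two days before ThreatFox did) and is corroborated by both; the second shows a negative lead because ThreatFox listed it the day before we saw it; the domain has a single-source 7-day lead.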

Decay

Indicators are not equal. Per David Bianco's Pyramid of Pain, the harder an artefact is for an adversary to change, the longer it stays actionable. An IP rotates in days; a file hash lasts weeks; certificate / infrastructure reuse lasts months. So each indicator decays over a type-specific lifetime:

Type                   Lifetime   Why
IP                     3d         Ephemeral; cycled in 24-72h.
URL                    5d         Campaign URLs discarded quickly.
Domain                 7d         C2 / phishing domains are volatile.
File hash (SHA-256)    21d        Days to weeks; recompiling changes it.
TLS certificate        120d       Infrastructure reuse — much longer shelf-life.

The score follows the model used by threat-intel platforms like MISP:

score(t) = base × ( 1 − (t / lifetime)^(1/speed) )

where t is days since the indicator was last seen active, base is set by confidence on the STIX 2.1 DNI scale (confirmed 95 / probable 85 / possible 70), and speed shapes the curve. A sighting — the indicator re-appearing in any source — applies an additive bump (capped at base), not a hard reset to base: a single low-quality sighting cannot resurrect an indicator to full strength. When the score reaches 0 the indicator is expired and burned (purged from active detection). Fast-rotating IoCs expire fast; durable ones persist.

[Chart: IP — 3-day lifetime, decays fast. Score axis 85 to 0; time axis 0 to 3d, with a "now" marker.]
[Chart: File hash — 21-day lifetime, persists. Score axis 95 to 0; time axis 0 to 21d, with a "now" marker.]

States

Operational: active (live) or burned (decayed to expiry, or confirmed dark).

Public-facing: active (live, undisclosed — value withheld), disclosed · active (live but a public source already listed it — value shown), and burned.

Decay band: fresh, decaying, stale, expired — derived from the score above.
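The decay formula, the capped additive sighting bump, expiry and the decay bands from the two sections above, as an added worked example; this is illustration code, not Atlas's implementation and not MISP's library. The lifetimes and confidence-based base scores are the page's own. Everything else is assumed for illustration: the bump size (20 points), the speed value (2), the band cut-offs (fresh at or above 70% of base, decaying at or above 35%, stale below that, expired at 0), and the treatment of a sighting as restarting t from the sighting time while the starting amplitude is the previous score plus the bump, capped at base.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# From the page: type-specific lifetimes (days) and confidence -> base score.
LIFETIME_DAYS = {"ip": 3, "url": 5, "domain": 7, "sha256": 21, "tls_cert": 120}
BASE_BY_CONFIDENCE = {"confirmed": 95, "probable": 85, "possible": 70}

# Assumed for illustration; the page gives none of these values.
SIGHTING_BUMP = 20.0                 # additive points per sighting, capped at base
SPEED = 2.0                          # curve-shape parameter (1/speed exponent)
BANDS = (("fresh", 0.70), ("decaying", 0.35), ("stale", 0.0))  # fraction of base

T0 = datetime(2025, 3, 1)            # constructed clock origin for the demo


def at(hours: float) -> datetime:
    """A point `hours` after the constructed origin T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class Indicator:
    value: str
    ioc_type: str
    confidence: str
    last_seen: datetime                  # start of the current decay window
    start_score: Optional[float] = None  # amplitude at last_seen; None means base

    @property
    def base(self) -> float:
        return float(BASE_BY_CONFIDENCE[self.confidence])

    @property
    def lifetime(self) -> float:
        return float(LIFETIME_DAYS[self.ioc_type])


def score(ind: Indicator, now: datetime, speed: float = SPEED) -> float:
    """score(t) = start × (1 − (t / lifetime)^(1/speed)), t in days since last seen.

    start is the base score until a sighting lowers it (see record_sighting).
    Once t reaches the lifetime the score is 0 and the indicator is expired.
    """
    start = ind.base if ind.start_score is None else ind.start_score
    t = max((now - ind.last_seen).total_seconds() / 86400.0, 0.0)
    if t >= ind.lifetime:
        return 0.0
    return round(start * (1.0 - (t / ind.lifetime) ** (1.0 / speed)), 4)


def record_sighting(ind: Indicator, when: datetime, bump: float = SIGHTING_BUMP) -> float:
    """Additive bump capped at base, not a hard reset to base.

    The new decay window starts at the sighting, from min(base, current + bump),
    so one sighting of a half-decayed indicator cannot restore full strength.
    """
    current = score(ind, when)
    ind.start_score = min(ind.base, current + bump)
    ind.last_seen = when
    return ind.start_score


def band(ind: Indicator, now: datetime) -> str:
    """Decay band derived from the score: fresh / decaying / stale / expired."""
    s = score(ind, now)
    if s <= 0.0:
        return "expired"
    for name, fraction in BANDS:
        if s >= fraction * ind.base:
            return name
    return "stale"


def is_burned(ind: Indicator, now: datetime) -> bool:
    """Burned by decay: score has reached 0, so the indicator leaves active detection."""
    return score(ind, now) <= 0.0


if __name__ == "__main__":
    ip = Indicator("198.51.100.23", "ip", "probable", T0)       # constructed value
    sha = Indicator("<sha256 placeholder>", "sha256", "confirmed", T0)
    for h in (0, 18, 36, 54, 72):
        print(f"+{h:>3}h  ip={score(ip, at(h)):6.2f} {band(ip, at(h)):<9}"
              f" sha256={score(sha, at(h)):6.2f} {band(sha, at(h))}")
```

With speed 2 the curve is a square root: an indicator is at half its starting score one quarter of the way through its lifetime, so the IP (3d) is at 42.5 after 18 hours while the file hash (21d) is still at 47.5 after 5.25 days. A sighting at the 18-hour mark lifts the IP from 42.5 to 62.5, not to 85; two further immediate sightings reach 82.5 and then the 85 cap.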

Value disclosure

An indicator's value is withheld while it is live and no public source has disclosed it — revealing it then would burn our own visibility. Once a public source lists it, or it is burned, the value is shown. The decay score is computed without leaking the indicator type for withheld records.

Validation & limits

The polynomial form is identical to MISP's published decaying model (Mokaddem, Wagener, Dulaunoy & Iklody, 2019) and the curve family used by OpenCTI. The short network-indicator lifetimes are supported by empirical work: Tanabe et al. (2022) found 90% of IoT-botnet C2 servers lived under five days; Censys (2025) reports a ~5-day median Cobalt Strike team-server lifetime; Tostes et al. (IEEE CSR 2023) measured finite IoC shelf-lives in the days-to-weeks range. The additive-bump-over-hard-reset choice follows MISP's own roadmap and OpenCTI's stated design concern.

Known limits, by design, of a time-and-type model:

  • Actor tier. APT infrastructure can be dormant and reused for years (Avgetidis et al., RAID 2025). A pure commodity-speed decay will retire still-malicious APT indicators early — an actor-tier lifetime multiplier is the planned mitigation.
  • DGA / RDGA domains live ~24h and should not share the 7-day domain default — a fast lane (τ = 1d) is planned.
  • Kill-chain phase. A delivery URL is worthless after a campaign; a long-haul C2 domain may matter for months.
  • Sighting quality. Negative / false-positive sightings should reduce the score; not yet modelled.
  • Benign infrastructure (geo-IP, CDNs, code hosting, messaging) that malware merely contacts is filtered by an allowlist before it can become an indicator.