THREAT VISIONS
Threat Visions · Global Internet Health Index · Live

Threat Visions.

Threat Visions is a defensible seven-dimension aggregation of Internet-scale cyber risk — Vulnerability, Exploitation, C2/Malware Infrastructure, Threat Actors, Outages, Ransomware, Supply Chain (the VECTORS acronym) — computed live from authoritative public sources. Each dimension is scored independently and combined under a transparent weighting. The index reads global Internet threat conditions from the outside-in; it is not a company-specific internal cyber risk score.

Threat Visions · Global Internet Health Index
/ 100
CALIBRATING
0 NORMAL25 GUARDED50 ELEVATED70 HIGH85 CRITICAL
CTI = 0.18·V + 0.17·E + 0.13·C + 0.12·T + 0.15·O + 0.13·R + 0.12·S
Trend Confidence Primary Drivers
V
Vulnerability
/ 100
Weight 0.18 · what is exploitable
E
Exploitation
/ 100
Weight 0.17 · what is being weaponized
C
C2 / Malware Infra
/ 100
Weight 0.13 · attacker machinery
T
Threat Actors
/ 100
Weight 0.12 · who is attacking
O
Outages
/ 100
Weight 0.15 · what is already disrupted
R
Ransomware
/ 100
Weight 0.13 · ransomware operations layer
S
Supply Chain
/ 100
Weight 0.12 · trust-graph compromise
Plate I

Live Breakdown

UPDATING…
All inputs live
V

Vulnerability Pressure

What exploitable weaknesses exist right now — published CVEs, known-exploited vulnerabilities, vendor advisory flow.
/ 100 · weight 0.18
FactorCurrentNormalizationWeightContribution
E

Exploitation

The live weaponization signal — EPSS top-10 concentration above 0.9, CVEs with confirmed public exploit references, and KEV catalog burn rate. The "is this being used right now" layer.
/ 100 · weight 0.17
FactorCurrentNormalizationWeightContribution
Weaponization Velocity · 30d
days median
Sample: KEV adds resolved
Prior 30–90d: days
Time elapsed between a CVE's publication on NVD and its addition to CISA's Known Exploited Vulnerabilities catalog. Lower = faster weaponization. A directional indicator, not a measurement of adversary speed — faster KEV adds can also reflect CISA process changes, not threat changes.
C

C2 / Malware Infrastructure

The attacker-machinery layer — active C2 servers tracked by abuse.ch, their growth velocity over 24 hours, and mass-scanning intensity from SANS DShield. Carved out of the old Weaponization dimension in r46.
/ 100 · weight 0.13
FactorCurrentNormalizationWeightContribution
T

Threat Actors

Who is operating — distinct named adversaries mentioned across thirteen threat-intelligence feeds (90-day window), plus reporting velocity. Narrower than the old Threat Activity dimension.
/ 100 · weight 0.12
FactorCurrentNormalizationWeightContribution
O

Outages / Operational Impact

What disruption is already visible — vendor statuspage outages, SEC 8-K Item 1.05 disclosures, CISA infrastructure advisories, and a binary tier-1 concentration-risk indicator. Absorbs the old Impact dimension plus concentration risk from the retired Systemic Stress.
/ 100 · weight 0.15
FactorCurrentNormalizationWeightContribution
R

Ransomware

Ransom operations layer — victim posts in the last 24 hours and 7 days from ransomware leak sites, plus CISA's KEV ransomware-tagged adds over 7 days. Promoted from a sub-signal to its own dimension in r46.
/ 100 · weight 0.13
FactorCurrentNormalizationWeightContribution
S

Supply Chain

Pressure on the software trust graph — GitHub Advisory Database, OSV.dev, PyPI security announcements, npm security advisories, and Sigstore / SLSA. Backed by a classifier in /api/supply-chain that watches CISA Cybersecurity Advisories and Analysis Reports for registry/repo compromise language. Replaces the old Systemic Stress dimension in r46.
/ 100 · weight 0.12
FactorCurrentNormalizationWeightContribution
Plate II

Threshold Bands

What each level means operationally
0 — 24
Normal
Background operations. Patch on schedule, watch the wire, sleep well.
25 — 49
Guarded
Above baseline. Review patch queues. Brief security leadership.
50 — 69
Elevated
Active concerns converging. Accelerate critical patches. Activate threat-hunting.
70 — 84
High
Multiple drivers stacking. Executive notification. Emergency response posture.
85 — 100
Critical
Full incident posture. Sustained executive engagement.
Plate IV

Index History

CTI · last 30 days · local archive
30-day trace · composite score current
Building the archive.History accumulates from your first visit. Refresh the dashboard daily to grow the trace.
Plate V

Methodology

Why this is defensible

Seven-dimension aggregation — VECTORS

Internet-scale cyber risk is multidimensional. What is exploitable, what is being weaponized right now, what machinery attackers have built, who is operating, what is already disrupted, how active is ransomware, and how compromised is the software supply chain — these are seven separate questions. Collapsing them into a single weighted sum hides the picture. Threat Visions keeps all seven visible and combines them transparently:

CTI = 0.18·V + 0.17·E + 0.13·C + 0.12·T + 0.15·O + 0.13·R + 0.12·S

The brand is Threat Visions. The technical acronym VECTORS names the seven dimensions in display order: Vulnerability, Exploitation, C2/Malware Infrastructure, Threat Actors, Outages, Ransomware, Supply Chain. Each dimension is bounded 0–100 and computed independently. All seven move in the same direction — higher = worse — so the composite reads as a single risk thermometer.

This index reads global Internet threat conditions from the outside-in. It is not a company-specific internal cyber risk score — it measures the wider Internet's health using only public, authoritative sources.

VECTORS replaced the earlier TVIEWS methodology in r46 (2026-05-13). Two structural changes accompanied the rename: the old Weaponization dimension was split into C2 infrastructure and Threat actors (those signals had always been distinct); and the old Systemic Stress dimension — which had measured concentration risk and cloud/CDN outages — was retired in favor of Supply Chain, which measures pressure on the software trust graph (npm, PyPI, GHSA, OSV, Sigstore) and on CISA-confirmed registry/repo compromises. Concentration risk moved into Outages. Ransomware was promoted from a sub-signal under the old Threat dimension to its own dimension, since it is the consequence layer most operators track separately.

Logarithmic normalization

Cyber telemetry has long tails — port-scan record counts can range from 1 to 10,000,000. Linear weighting either makes outliers blow up the index or makes everyday signal vanish. Each count input is normalized as log₁₀(v + 1) / log₁₀(ceiling + 1), clamped to [0, 1].

Ceilings are calibrated to "high but not catastrophic" levels — for KEV adds 7d the ceiling is 20; for active C2 servers it is 500; for top-port records it is 1,000,000.

Authoritative sources only

Every input is sourced from a public-record authoritative feed: NVD JSON 2.0 for CVEs, CISA KEV for known-exploited vulnerabilities, FIRST.org EPSS for exploit-prediction scoring, SEC EDGAR for Item 1.05 cyber disclosures, abuse.ch Feodo for active C2, SANS DShield for probe records, ransomware.live for victim posts, and named-actor extraction from Mandiant, CrowdStrike, Microsoft Threat Intel, Talos, Kaspersky, and SentinelLabs blogs.

No proprietary scoring is opaque-boxed; every weight, ceiling, and source is in the page source.

Calibrated for signal, not show

Weights and ceilings are tuned so a routine day reads NORMAL or low GUARDED. When the index climbs, it means something. Specifically: a typical day with a handful of high-severity CVEs, normal KEV flow, and one or two minor incidents reads around 20–35. A day with a critical zero-day, multiple ransomware victims, and a major-provider outage reads 55–75. A multi-incident crisis with regulatory disclosures stacking, or a CISA-confirmed supply-chain compromise, reads 85+.

The composite is a heuristic, not a standard. The advantage of transparency is that disagreements about weights are productive — change one number and watch the index move.