Threat Risk Levels (Low, Medium, High, Critical)


Every threat detected in Selki is assigned a Risk Level, which represents the potential impact of the exposure and how urgently it should be handled.

Risk levels help security teams prioritize which exposed identities require immediate action and which can be reviewed with lower urgency.


The four severity levels in Selki are:


  • Low
  • Medium
  • High
  • Critical


These appear in both the Threats List and the threat filters.



How Selki Determines Risk Levels


Risk levels are assigned automatically based on a combination of:


1. Source of Exposure

Some sources inherently represent higher risk:

  • Infostealer data → typically High or Critical
  • Recent breach dumps → often Medium or High
  • Public paste sites → varies by context


2. Password Availability

If an exposure includes a password (plaintext, hashed, or partially redacted), risk increases significantly. A plaintext password weighs the most; a hashed or partially redacted password still raises the risk, but less, because an attacker has to crack or reconstruct it first.


3. Recency of Exposure

Data from active malware logs or recent breaches carries higher threat weight.


4. Identity Type

Employee exposures may carry higher institutional risk than customer exposures, because an employee credential can open internal systems rather than a single customer account.


5. Exposure Patterns

Multiple occurrences, repeated exposures, or cross-source detection elevate risk.


These criteria work together to determine the final severity.



Risk Level Breakdown


Below is what each risk level represents operationally:



Low Risk


These exposures have minimal immediate impact and typically include:


  • historical breach data
  • hashed passwords that are unlikely to be cracked (for example, salted hashes from a slow algorithm)
  • old or incomplete metadata
  • low-value accounts or disposable identities


Recommended action:

Review when convenient; no immediate escalation needed.



Medium Risk


Moderate exposures that still require investigation:


  • breach data that includes partial sensitive details
  • exposures of customer accounts with no password attached
  • identities seen once but still potentially exploitable


Recommended action:

Review within standard monitoring cycles.



High Risk


Exposures that pose a meaningful security threat:


  • infostealer logs without passwords
  • exposures with multiple occurrences
  • identities tied to important roles or internal systems


Recommended action:

Prioritize investigation and remediation soon.



Critical Risk


The highest-level threat, requiring immediate action:


  • infostealer leaks with passwords
  • sessions or credentials from infected devices
  • repeated exposures in multiple sources
  • compromised employee accounts
  • anything with real-time or near-real-time exploitation potential


Recommended action:

Immediate remediation.

Force password resets, notify the affected user, and investigate potential misuse. Because infostealer logs can include session cookies and tokens from the infected device, a password reset alone may not lock the attacker out; invalidate the user's active sessions as well, and treat the device as compromised until it has been cleaned.
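The five criteria above and the per-level descriptions in this breakdown can be read as a scoring model. The following is an added, illustrative example written for this article; it is not Selki's own algorithm, and the point values, thresholds, field names and sample exposures are assumptions chosen so that each constructed sample lands where the level descriptions say it should (infostealer data with a password or a live session is forced to Critical regardless of score).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative scoring model, NOT Selki's actual algorithm. The weights,
# thresholds and field names below are assumptions made for this example.

LEVELS = ("Low", "Medium", "High", "Critical")

SOURCE_WEIGHT = {"infostealer": 4, "breach": 2, "paste": 1}      # criterion 1: source
PASSWORD_WEIGHT = {"plaintext": 3, "redacted": 2, "hashed": 1}   # criterion 2: password


@dataclass
class Exposure:
    identity: str              # e-mail address seen in the leak
    source: str                # "infostealer", "breach" or "paste"
    password: Optional[str]    # "plaintext", "hashed", "redacted" or None
    seen: date                 # date the exposure was observed
    category: str              # "Employee" or "Customer"
    occurrences: int = 1       # distinct sightings across sources
    has_session: bool = False  # session cookies/tokens captured from an infected device


def score(e: Exposure, today: date) -> int:
    """Additive risk score combining the article's five criteria."""
    points = SOURCE_WEIGHT.get(e.source, 1)            # 1. source of exposure
    points += PASSWORD_WEIGHT.get(e.password, 0)       # 2. password availability
    age_days = (today - e.seen).days                   # 3. recency
    if age_days <= 90:
        points += 2
    elif age_days <= 365:
        points += 1
    if e.category == "Employee":                       # 4. identity type
        points += 1
    if e.occurrences >= 3:                             # 5. exposure patterns
        points += 2
    elif e.occurrences == 2:
        points += 1
    if e.has_session:
        points += 2
    return points


def classify(e: Exposure, today: date) -> str:
    """Map an exposure to Low / Medium / High / Critical."""
    # Hard rule from the Critical breakdown: infostealer data carrying a
    # password or a live session is exploitable now, whatever the score says.
    if e.source == "infostealer" and (e.password or e.has_session):
        return "Critical"
    s = score(e, today)
    if s >= 8:
        return "Critical"
    if s >= 6:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"


def triage(exposures, today):
    """Return (identity, level) pairs, most urgent first."""
    ranked = sorted(
        exposures,
        key=lambda e: (LEVELS.index(classify(e, today)), score(e, today)),
        reverse=True,
    )
    return [(e.identity, classify(e, today)) for e in ranked]


TODAY = date(2025, 12, 1)  # fixed so the example is reproducible

# Constructed sample exposures (not real data), one per level description.
SAMPLES = [
    Exposure("a.lee@corp.example", "infostealer", "plaintext", date(2025, 11, 26), "Employee"),
    Exposure("b.ng@corp.example", "infostealer", None, date(2025, 11, 21), "Customer"),
    Exposure("c@mail.example", "breach", "hashed", date(2022, 11, 26), "Customer"),
    Exposure("d@mail.example", "breach", None, date(2025, 10, 2), "Customer"),
    Exposure("e.park@corp.example", "breach", "plaintext", date(2024, 10, 27), "Employee", occurrences=3),
]

if __name__ == "__main__":
    for identity, lvl in triage(SAMPLES, TODAY):
        print(f"{lvl:<9} {identity}")
```

The hard rule in `classify` is the important design choice: an additive score alone would let a fresh infostealer log with a password sit at High if it involved a low-value customer account, but the breakdown treats any such log as Critical because it can be replayed immediately.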



Using Risk Levels in Workflow


Risk levels assist teams in:


  • triaging threats at scale
  • building remediation queues
  • assigning priority to analysts
  • reporting and analytics
  • monitoring critical domains or teams


They are especially powerful when combined with filters such as:


  • Category (Employee vs Customer)
  • Watchers (Domains)
  • Status (Active vs Closed)



Summary


Risk levels in Selki provide a clear, structured way to assess the severity of each identity exposure.

By understanding Low, Medium, High, and Critical risks, your team can react faster, prevent account compromise, and reduce operational impact.




Updated on: 01/12/2025
