
Every record ThreatDetect analyses produces four output fields and an associated SHAP explanation. Understanding what each field means — including its formula, scale, and implications — helps you make better decisions about which employees warrant further investigation and how to prioritise review. This page explains each output in depth and provides guidance on using them together.

Output fields

The table below summarises all four fields that appear in the results CSV and in the app’s UI.
| Field | Type | Range | Description |
| --- | --- | --- | --- |
| Prediction | string | "Malicious" or "Normal" | The model’s classification for this employee |
| Risk_Prob | float | 0.0 – 1.0 | XGBoost’s estimated probability that the employee is malicious |
| Anomaly_Score | float | unbounded (typically −0.5 – 0.5) | IsolationForest decision function output |
| Confidence | float | 0.0 – 1.0 | Model certainty for the assigned class |

Prediction

Prediction is the final binary label assigned to each employee. It is derived by comparing Risk_Prob against the model’s optimised threshold:
Prediction = "Malicious"  if  Risk_Prob ≥ best_threshold
Prediction = "Normal"     if  Risk_Prob <  best_threshold
The best_threshold is stored inside the model package and was determined during training to maximise the F1 score on the validation set. It is not necessarily 0.5.

Risk probability

Risk_Prob is the raw XGBoost output — the probability the model assigns to the Malicious class for this record. It is a continuous signal more informative than the binary Prediction alone:
  • Values near 1.0 indicate strong model confidence that the employee is malicious.
  • Values near 0.0 indicate strong confidence they are normal.
  • Values near best_threshold indicate uncertainty; the model cannot clearly distinguish this employee.
Use Risk_Prob to rank employees by risk severity, not just to flag them as Malicious or Normal.

Anomaly score

Anomaly_Score is the decision_function output of the IsolationForest component, computed before XGBoost scoring. It measures how different an employee’s behavioral profile is from the bulk of the training population, regardless of whether that difference is malicious.
  • More negative values indicate a more anomalous profile (the employee is harder to isolate into a small partition, which IsolationForest treats as unusual).
  • Values near zero or positive indicate a typical, easily-characterised profile.
Anomaly_Score is fed into XGBoost as a feature (isolation_forest_anomaly_score), so it influences Risk_Prob but is also reported separately for transparency.
An employee can have a highly anomalous Anomaly_Score but still receive a Normal prediction if the anomaly pattern does not match the XGBoost model’s malicious patterns. Conversely, a moderately anomalous score can still produce a Malicious prediction if other features align strongly with the threat profile.

Confidence

Confidence expresses how certain the model is about the class it assigned, not the probability of malice in absolute terms:
Confidence = Risk_Prob        if Prediction = "Malicious"
Confidence = 1 − Risk_Prob   if Prediction = "Normal"
Both Malicious and Normal predictions can carry high or low confidence:
  • A Malicious employee with Risk_Prob = 0.92 has Confidence = 0.92 — the model is highly certain.
  • A Normal employee with Risk_Prob = 0.08 has Confidence = 0.92 — the model is equally certain they are safe.
  • A Normal employee with Risk_Prob = 0.38 has Confidence = 0.62 — the model is only moderately sure, even though the threshold was not crossed.
Sort your results by Confidence ascending to surface the employees the model is least certain about. These records benefit most from manual review, as they sit close to the decision boundary.

The probability threshold

The model package includes a best_threshold value determined during training. This threshold was tuned to balance precision and recall on the validation set — it is not always 0.5. The Risk Probability Distribution histogram on the CSV analysis page draws a vertical dashed line at this threshold. Employees to the right of the line are classified Malicious. If you observe many employees clustered just to either side of the threshold, those records warrant particular attention because small changes in input data could flip their classification.

SHAP values

SHAP (SHapley Additive exPlanations) values quantify how much each feature contributed to a specific prediction relative to the model’s average baseline prediction.
  • Positive SHAP value — this feature’s value for this employee pushed the prediction toward Malicious.
  • Negative SHAP value — this feature’s value pushed the prediction toward Normal.
  • Magnitude — the larger the absolute SHAP value, the more influential that feature was for this specific record.
SHAP values sum to the difference between the model’s output for this employee and the average model output across the dataset. This makes them additive and directly interpretable.

Global vs per-instance explanations

ThreatDetect provides two levels of SHAP explanation:
  • Global SHAP summary (CSV analysis page) — computed over a random sample of up to 100 records from the batch. The beeswarm plot shows how each feature’s values correlate with risk direction across many employees. Use this to understand systemic patterns: which features consistently push people toward Malicious at the organisational level.
  • Per-instance SHAP (single employee) — computed for one specific record. The bar chart shows the top 10 features by SHAP value for that person, coloured red (toward Malicious) or green (toward Normal). Use this to explain why a specific individual was flagged, and which behavioral data points are driving their score.
Per-instance SHAP values reflect this employee’s deviation from the model’s average, not their deviation from other employees. A feature with a positive SHAP value means this employee’s value for that feature is higher-risk than the model’s average baseline — not necessarily higher than other employees in your dataset.
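The additivity property described above, and the per-instance top-N ranking, as an added example that is not part of ThreatDetect’s own code. Every feature name other than isolation_forest_anomaly_score, the SHAP values, the base value and the model output are constructed; the example also assumes the explainer reports XGBoost output in log-odds (margin) space, which is why a sigmoid is used to recover the implied Risk_Prob.

```python
"""Added example (not ThreatDetect's own code): verifies SHAP additivity for one
record and builds the per-instance top-N view. All values are constructed."""
import math
from typing import Dict, List, Tuple

# Constructed per-instance SHAP values for one record, assumed to be in the
# same log-odds (margin) space as base_value and model_output.
SHAP_VALUES: Dict[str, float] = {
    "after_hours_logons": 1.10,               # constructed feature
    "usb_events": 0.65,                       # constructed feature
    "isolation_forest_anomaly_score": 0.40,   # feature named on this page
    "tenure_years": -0.55,                    # constructed feature
    "email_volume": -0.15,                    # constructed feature
    "failed_logons": 0.05,                    # constructed feature
}
BASE_VALUE = -2.0    # constructed average model output across the dataset
MODEL_OUTPUT = -0.5  # constructed output for this record (= -2.0 + 1.50)


def check_additivity(shap_values: Dict[str, float], base_value: float,
                     model_output: float, tol: float = 1e-6) -> bool:
    """SHAP values must sum to (model output for this record - average output).
    A failure here usually means the values and outputs are in different spaces
    (e.g. probability vs log-odds), not that the model is wrong."""
    return abs(sum(shap_values.values()) - (model_output - base_value)) <= tol


def top_features(shap_values: Dict[str, float], n: int = 10) -> List[Tuple[str, float, str]]:
    """Top-n features by |SHAP|, each tagged with the direction it pushed,
    matching the red/green colouring of the per-instance bar chart."""
    ranked = sorted(shap_values.items(), key=lambda kv: abs(kv[1]), reverse=True)
    return [(name, value, "toward Malicious" if value > 0 else "toward Normal")
            for name, value in ranked[:n]]


def margin_to_prob(margin: float) -> float:
    """Assumption: model output is log-odds, so the sigmoid gives Risk_Prob."""
    return 1.0 / (1.0 + math.exp(-margin))


if __name__ == "__main__":
    print("additive:", check_additivity(SHAP_VALUES, BASE_VALUE, MODEL_OUTPUT))
    print("implied Risk_Prob:", round(margin_to_prob(MODEL_OUTPUT), 4))
    for name, value, direction in top_features(SHAP_VALUES, 10):
        print(f"{name:32s} {value:+.2f}  {direction}")
```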

Using confidence alongside risk probability

Risk_Prob and Confidence carry different information and are most useful together:
  • High Risk_Prob, high Confidence — strong Malicious signal, model is certain. Prioritise for review.
  • Low Risk_Prob, high Confidence — strong Normal signal, model is certain. Lower review priority.
  • Risk_Prob near threshold, low Confidence — borderline case regardless of which class was assigned. Combine with Anomaly_Score and SHAP to decide whether to escalate.
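The Prediction and Confidence formulas from the sections above, applied to a small batch and turned into the review ordering this section describes, as an added example that is not ThreatDetect’s own code. The best_threshold value, the borderline band and the employee records are constructed; the real threshold is read from the model package.

```python
"""Added example (not ThreatDetect's own code): derives Prediction and
Confidence from Risk_Prob as this page defines them, then orders a batch
for human review. Threshold and records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BEST_THRESHOLD = 0.41  # constructed; the real value lives in the model package


@dataclass
class ScoredRecord:
    employee_id: str
    risk_prob: float
    anomaly_score: float


def classify(risk_prob: float, best_threshold: float = BEST_THRESHOLD) -> Tuple[str, float]:
    """Prediction is Malicious iff Risk_Prob >= best_threshold; Confidence is
    the probability of the class actually assigned (1 - Risk_Prob for Normal)."""
    if not 0.0 <= risk_prob <= 1.0:
        raise ValueError(f"Risk_Prob out of range: {risk_prob}")
    if risk_prob >= best_threshold:
        return "Malicious", risk_prob
    return "Normal", 1.0 - risk_prob


def review_queue(records: List[ScoredRecord], best_threshold: float = BEST_THRESHOLD,
                 borderline_band: float = 0.10) -> List[Dict[str, object]]:
    """Order for review: confident Malicious first (highest Risk_Prob first),
    then borderline records within +/-borderline_band of the threshold (lowest
    Confidence first, whichever class they got), then confident Normal."""
    rows: List[Dict[str, object]] = []
    for r in records:
        prediction, confidence = classify(r.risk_prob, best_threshold)
        rows.append({"Employee": r.employee_id, "Prediction": prediction,
                     "Risk_Prob": r.risk_prob, "Anomaly_Score": r.anomaly_score,
                     "Confidence": confidence,
                     "Borderline": abs(r.risk_prob - best_threshold) <= borderline_band})

    def priority(row: Dict[str, object]):
        if row["Borderline"]:
            return (1, row["Confidence"])
        return (0, -row["Risk_Prob"]) if row["Prediction"] == "Malicious" else (2, -row["Risk_Prob"])

    return sorted(rows, key=priority)


if __name__ == "__main__":
    sample = [ScoredRecord("E1", 0.92, -0.31), ScoredRecord("E2", 0.08, 0.12),
              ScoredRecord("E3", 0.38, -0.22), ScoredRecord("E4", 0.45, -0.05)]
    for row in review_queue(sample):
        print(row)
```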

False positives and human review

ThreatDetect predictions are probabilistic risk indicators, not confirmed evidence of malicious intent. The model can and does produce false positives — employees flagged as Malicious who do not pose a real threat — as well as false negatives. Never use a ThreatDetect result as the sole basis for a personnel decision. All flagged employees should undergo human review informed by corroborating evidence, organisational context, and established HR and security procedures.
The combination of Risk_Prob, Anomaly_Score, Confidence, and SHAP explanations is designed to help security teams prioritise their review workload — not to replace investigative judgement.
