Turn suspicious activity into a clear risk score. Compare MFA, geo anomalies, and velocity patterns. Download reports, share findings, and plan mitigations confidently now.
| Scenario | MFA | Device trust | IP | Geo km | Failures | Expected risk | Suggested action |
|---|---|---|---|---|---|---|---|
| Known user, stable device, normal login | Authenticator app | 85 | Good | 12 | 1 | Low | Allow and monitor |
| New device, VPN, moderate anomalies | SMS | 55 | Unknown | 650 | 6 | High | Step-up verification, restrict changes |
| Confirmed breach, Tor, impossible travel | None | 30 | Bad | 3200 | 18 | Critical | Block/lock and investigate |
This calculator converts each signal into a normalized subscore from 0 to 100. The final score is a weighted sum:
RiskScore = Σ (Weightᵢ × Subscoreᵢ) + PolicyShift
This calculator consolidates common takeover signals from authentication, device, network, and behavior telemetry. Typical inputs come from identity providers, MFA logs, device fingerprinting, IP reputation feeds, and fraud analytics. Geo distance and minutes since last login approximate velocity, useful for impossible travel detection. Failed logins capture credential stuffing pressure. Privilege and action sensitivity let the same login be scored differently for payouts versus browsing. Include session cookies and age where available.
Default weights total 100% and reflect practical attack economics: weak authentication and poor credential hygiene drive most compromises, while device and network signals refine confidence. Use custom weights when your environment differs, for example mobile-only traffic or strict device binding. Calibrate by comparing scores to confirmed incidents, then adjust weights to improve separation between benign and abusive sessions. Keep changes small and documented.
Scores map to four bands that align with response playbooks. Balanced mode uses low up to 24, moderate to 49, high to 74, and critical above 74. Strict mode shifts thresholds downward, increasing challenges for the same signals, while permissive mode raises them. Treat the score as a probability proxy, not a guarantee, and review outcomes to reduce false positives over time.
Low risk supports frictionless access with monitoring and session integrity checks. Moderate risk should trigger step-up verification, additional rate limits, and temporary blocks on sensitive changes. High risk warrants strong challenges, device verification, and alerts to security operations. Critical risk suggests blocking or locking the account, forcing resets, and invalidating active tokens. Use the top drivers list to pick controls that address the strongest signals quickly.
The exported CSV and PDF support audit trails, incident tickets, and trend reporting across regions or products. Store the score, subscores, and final decision alongside the event identifier to enable later review. Run monthly tuning sessions that compare distributions for legitimate users and confirmed takeovers. Document threshold changes, test for unfair impacts, and limit data retention. Over time, combine this score with supervised models and human review for higher assurance for transparency.
It is a normalized 0–100 indicator of takeover likelihood based on the provided signals. Higher scores mean stronger evidence of compromise or higher potential impact, and usually require more verification or containment.
Missing or weak MFA, confirmed credential exposure, bad IP reputation, impossible travel velocity, and many failed logins are common drivers. High privilege combined with sensitive actions can also elevate risk rapidly.
Pick strict when fraud cost is high or compliance requires strong assurance. Choose permissive for low-impact areas where friction is expensive. Balanced is a good default while you collect outcomes and tune thresholds.
Yes, if you calibrate with historical events. Keep weights nonnegative, adjust incrementally, and review false positives and misses. The calculator automatically normalizes weights to 100%, so you can focus on relative importance.
Exports contain your inputs, each factor’s subscore, the applied weights, contributions, and recommended controls. Use them for incident tickets, audit evidence, or sharing with stakeholders without exposing raw telemetry.
Strengthen MFA, require verified devices, block anonymizers, add rate limits and bot defenses, and freeze recovery changes during investigation. Invalidate sessions after resets and review privileged access paths to prevent repeat takeovers.
Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.