ML Model Intelligence

Classical ML ensemble for alert triage -- full transparency into model decisions, training, and performance

Training Pipeline

Continuous learning loop -- analyst feedback drives model improvement

Alert IngestionSIEM events

Feature Extraction17 features

ML Prediction3-model ensemble

Analyst ReviewHuman-in-loop

Feedback37/100 buffered

Retrain0 cycles

Alerts are ingested from connected SIEMs, feature-engineered into 17 numeric dimensions, scored by a 3-model ensemble (RandomForest classifier, IsolationForest anomaly detector, GradientBoosting threat scorer), reviewed by analysts whose feedback accumulates in the training buffer. Auto-retrain triggers at 100 samples.

Training Data Status

Training Buffer37 / 100

37%

63 more analyst reviews needed for next retrain cycle

Total Retrains

Last Retrain

Not yet

Data Quality

Feature Completeness

98%

Label Balance

74%

Temporal Coverage

91%

Model Comparison

Model	Algorithm	Version	Metric	Samples	Status
Alert Classifier Disposition predictor	Random Forest	1.0.0-bootstrap	92.7%accuracy	2,000	Bootstrap
Anomaly Detector Outlier identification	Isolation Forest	1.0.0-bootstrap	10%contamination Unsupervised model	2,000	Bootstrap
Threat Scorer Risk quantification	Gradient Boosting	1.0.0-bootstrap	0.910R2 score	2,000	Bootstrap

Feature Importances

Random Forest feature weights -- hover for descriptions

1.severity_scoreTOP

14.2%

2.mitre_tactic_riskTOP

12.8%

3.ioc_risk_scoreTOP

9.8%

4.siem_confidence

8.9%

5.payload_entropy

8.5%

6.ioc_count_norm

7.2%

7.title_length_norm

4.5%

8.asset_count_norm

4.2%

9.hour_cos

4.1%

10.hour_sin

3.8%

11.rule_confidence

3.8%

12.correlation_count_norm

3.5%

13.outside_business_hours

3.5%

14.is_weekend

3.4%

15.dow_cos

3.1%

16.dow_sin

2.9%

17.repeat_alert

1.8%

Prediction Distribution

100%Total

Auto-Resolved

68.2%

Escalated

18.4%

Auto-Responded

13.4%

Distribution Trend (7 days)

7d agoToday

Performance History

Last 10 retrain events -- color indicates outcome

Timestamp	Samples	Classifier Accuracy	Scorer R2	Version	Status
Feb 15 10:11 AM	100	87.2%	0.780	1.0.1	Retrained
Feb 17 10:11 AM	150	88.1%+0.9%	0.800	1.0.2	Retrained
Feb 19 10:11 AM	200	87.5%-0.6%	0.800	1.0.2	Rejected
Feb 21 10:11 AM	250	89.1%+1.6%	0.820	1.0.3	Retrained
Feb 22 10:11 AM	300	89.8%+0.7%	0.840	1.0.4	Retrained
Feb 24 10:11 AM	350	90.8%+1.0%	0.850	1.0.5	Retrained
Feb 25 10:11 AM	400	91.2%+0.4%	0.870	1.0.6	Retrained
Feb 26 10:11 AM	450	91.9%+0.7%	0.880	1.0.7	Retrained
Feb 27 10:11 AM	475	91.9%=	0.880	1.0.7	Maintained
Feb 28 10:11 AM	500	92.7%+0.8%	0.910	1.0.8	Retrained

Accuracy Trend

Classifier Accuracy

Scorer R2

87%

Feb 15

88%

Feb 17

88%

Feb 19

89%

Feb 21

90%

Feb 22

91%

Feb 24

91%

Feb 25

92%

Feb 26

92%

Feb 27

93%

Feb 28

ML Transparency Commitment

ThreatOps provides full visibility into how our ML models make decisions. Every prediction includes explainable feature weights, confidence scores, and reasoning chains. Models are continuously improved through analyst feedback loops, and all training events are audited. No black-box AI -- you see exactly what the models see.