Opinions

An Opinion (referred to as a Verdict in the API) is a human-applied classification associated with an object in Stairwell. Opinions represent authoritative security decisions that complement automated analysis and provide durable context for investigations, classification, and reporting.

What Is an Opinion

Opinions let analysts apply explicit human judgment to any object in Stairwell. Common use cases include:

Reinforcing or correcting Mal-Eval analysis -- Confirm automated findings or override them when the analyst has additional context.
Classifying objects for reporting -- Mark known-good software as trusted to reduce noise, or flag confirmed threats as malicious for downstream workflows.
Tracking decisions over time -- Every opinion change is recorded, creating an audit trail of analyst reasoning.

Opinions can be updated at any time as new information becomes available.

Opinion Values

Each object can carry one of the following opinion values:

Value	Description
NO_OPINION	No explicit human verdict has been applied. The object is evaluated solely by automated analysis.
TRUSTED	The object has been reviewed and explicitly determined to be benign and acceptable for use.
GRAYWARE	The object is not clearly malicious but may be undesirable or risky depending on context -- for example, adware, dual-use tools, or policy-violating software.
VULNERABLE	The object contains security weaknesses such as exploitable bugs, insecure configurations, or outdated libraries. It is not inherently malicious but may increase risk if exploited. Use this value to track exposure, support patching workflows, and meet compliance requirements related to software hygiene.
MALICIOUS	The object has been explicitly determined to be malicious and represents a confirmed threat.

Important: Assigning the VULNERABLE opinion does not affect the Mal-Eval score. The presence of a vulnerability does not imply malicious intent, and Stairwell treats these as separate dimensions of risk.

Opinion Hierarchy

Opinions follow a hierarchical model that balances global intelligence with environment-specific control.

Global opinions are set by Stairwell Threat Research and apply as the default verdict for an object across all customer environments. These reflect broad threat intelligence assessments.

Customer opinions are set by analysts within their own environment and override the global opinion for that environment only. The global opinion remains unchanged and continues to apply everywhere else.

Example: Stairwell Threat Research assigns an object the global opinion GRAYWARE. Your team determines that within your environment this tool violates policy and marks it MALICIOUS. The MALICIOUS verdict applies only within your environment. All other customers continue to see GRAYWARE unless they set their own override.

This model ensures that:

Customers retain full control over verdicts within their environments.
Global intelligence is never degraded by individual customer overrides.
Multi-tenant isolation is preserved -- one customer's opinion never affects another.

Setting an Opinion

Navigate to the object's detail page in Stairwell.
Locate the Opinion field in the object metadata panel.
Select the desired value from the dropdown: NO_OPINION, TRUSTED, GRAYWARE, VULNERABLE, or MALICIOUS.
Confirm the change. The new opinion takes effect immediately within your environment.

Opinions can also be set programmatically via the API:

POST /v1/objects/{SHA256}/opinions

How Opinions Affect Mal-Eval

Opinions interact with Stairwell's automated Mal-Eval scoring system in specific ways:

MALICIOUS and TRUSTED opinions provide strong signal that can influence how Mal-Eval weighs evidence for an object and its variants.
GRAYWARE opinions flag objects for analyst awareness without directly shifting the Mal-Eval score toward malicious.
VULNERABLE opinions have no effect on the Mal-Eval score. Vulnerability is an orthogonal risk dimension -- a file can be vulnerable without being malicious, and Stairwell keeps these assessments separate.
NO_OPINION defers entirely to automated analysis with no human input factored in.

All opinion changes -- who changed it, when, and from what value -- are recorded in the object's History tab, providing a complete audit trail for compliance and review.