Getting Started
Trust CenterTourStatusPageSupport
Start typing to search…

What is an Opinion?

An Opinion (referred to as a Verdict in the API) is a human-applied classification associated with an object in Stairwell. Opinions represent authoritative security decisions that complement automated analysis and provide durable context for investigations, classification, and reporting.

Opinions are commonly used to:

  • Reinforce or retrain Mal-Eval analysis
  • Apply explicit human judgment to objects
  • Support classification, tracking, and audibility over time

Opinions can be updated at any time. All changes are recorded and can be reviewed in the object’s History tab.

Opinion Values

Each object can have one of the following opinion values:

NO_OPINION

No explicit human verdict has been applied. The object is evaluated solely by automated analysis.

TRUSTED

The object has been reviewed and explicitly determined to be benign and acceptable for use.

GRAYWARE

The object is not clearly malicious but may be undesirable or risky depending on context (for example, adware, dual-use tools, or policy-violating software).

VULNERABLE

Identifies objects that contain security weaknesses such as exploitable bugs, insecure configurations, or outdated libraries.

Objects marked as Vulnerable are not inherently malicious, but they may increase risk if exploited by a threat actor. This opinion is intended to help organizations:

  • Differentiate vulnerable software from malware
  • Track exposure across environments
  • Support patching and remediation workflows
  • Meet compliance or reporting requirements related to software hygiene

Note: Assigning the VULNERABLE opinion does not affect the Mal-Eval score, as the presence of a vulnerability does not imply malicious intent.

MALICIOUS

The object has been explicitly determined to be malicious and represents a confirmed threat.

Opinion Hierarchy and Scope

Opinions support a hierarchical model that allows both global intelligence and environment-specific overrides.

  • Stairwell Threat Research may assign a global default opinion to an object.
  • Customers can override the opinion within their own environment(s) to reflect local context or policy.

Example

If Stairwell assigns an object the global opinion GRAYWARE, a customer can override that opinion to MALICIOUS in their environment.

  • The overridden opinion becomes the effective verdict only within that environment
  • The global opinion remains unchanged and continues to apply elsewhere

This ensures customers retain full control over verdicts without impacting global intelligence or other tenants.

Key Characteristics

  • Human-driven: Opinions represent deliberate analyst decisions
  • Mutable: Opinions can be changed as new information becomes available
  • Auditable: All opinion changes are tracked in object history
  • Environment-scoped: Customer overrides do not affect global opinions

Updated 2 days ago

What’s Next