Every scoring, ranking, and analysis signal in Kindling — where it comes from, what consumes it, and whether Stick sees it.
20 signals, each documented with its producer, consumers, and cache details
Base score of 50, adjusted by these factors before Stick is invoked
| Factor | Range | Source Signal |
|---|---|---|
| Finding Priority (P1/P2/P3) | -20 to +30 | Finding metadata |
| Detection FP Rate | -25 to +20 | Detection FP Rates |
| Workflow Sentiment | -20 to +15 | Workflow Sentiment |
| Neglect Pattern | -15 to 0 | Neglect Pattern |
| MSP Cohort TP Rate | -15 to +20 | MSP Cohort |
| Authorization (org/MSP/global) | -30 to 0 | Authorized Patterns |
| Evidence Remediation | -15 to 0 | Evidence Remediation |
| Related Findings | -5 to +20 | Finding analysis |
| Filter Recommendation Match | -20 to 0 | Filter Recommendations |
| Detection Rules | -20 to +10 | Detection Rules |
| Evidence Extremity (IOC keywords) | 0 to +15 | Evidence analysis |
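A worked example of the pre-Stick scoring model in the table above. This is added illustration code, not Kindling's own scoring implementation. It assumes that the factor contributions are summed onto the base score of 50 and that the result is clamped to 0..100; the page gives only the base and the per-factor ranges, so both the summation and the clamp are assumptions, and the factor key names and the FactorOutOfRange exception are hypothetical. The check it adds is the one a reviewer of this table would want: a signal producer can never move the score beyond the influence the table declares for it, and an undeclared factor is rejected rather than silently summed.

```python
from typing import Dict, Mapping, Tuple

BASE_SCORE = 50

# Per-factor influence on the pre-Stick score, copied from the table above.
# The key names are hypothetical; the ranges are the page's.
FACTOR_RANGES: Dict[str, Tuple[int, int]] = {
    "finding_priority":      (-20, 30),   # P1/P2/P3 from finding metadata
    "detection_fp_rate":     (-25, 20),
    "workflow_sentiment":    (-20, 15),
    "neglect_pattern":       (-15, 0),
    "msp_cohort_tp_rate":    (-15, 20),
    "authorization":         (-30, 0),    # org/MSP/global authorized patterns
    "evidence_remediation":  (-15, 0),
    "related_findings":      (-5, 20),
    "filter_recommendation": (-20, 0),
    "detection_rules":       (-20, 10),
    "evidence_extremity":    (0, 15),     # IOC keywords in evidence
}


class FactorOutOfRange(ValueError):
    """A signal producer tried to move the score beyond its declared range."""


def validate_factors(contrib: Mapping[str, int]) -> None:
    # Reject unknown factors outright: a new signal must be added to the table,
    # with a declared range, before it is allowed to influence the score.
    unknown = set(contrib) - set(FACTOR_RANGES)
    if unknown:
        raise KeyError(f"undeclared scoring factors: {sorted(unknown)}")
    for name, value in contrib.items():
        lo, hi = FACTOR_RANGES[name]
        if not lo <= value <= hi:
            raise FactorOutOfRange(f"{name}={value} outside [{lo}, {hi}]")


def is_valid(contrib: Mapping[str, int]) -> bool:
    """True if every contribution names a declared factor and sits in its range."""
    try:
        validate_factors(contrib)
        return True
    except (KeyError, FactorOutOfRange):
        return False


def pre_stick_score(contrib: Mapping[str, int],
                    clamp: Tuple[int, int] = (0, 100)) -> int:
    """Base 50 plus the validated contributions, clamped (assumed) to 0..100."""
    validate_factors(contrib)
    raw = BASE_SCORE + sum(contrib.values())
    lo, hi = clamp
    return max(lo, min(hi, raw))


def score_bounds() -> Tuple[int, int]:
    """Unclamped extremes if every factor sits at the end of its declared range."""
    lo = BASE_SCORE + sum(r[0] for r in FACTOR_RANGES.values())
    hi = BASE_SCORE + sum(r[1] for r in FACTOR_RANGES.values())
    return lo, hi


if __name__ == "__main__":
    # Constructed finding: P1, noisy detection, matches an authorized pattern.
    example = {"finding_priority": 30, "detection_fp_rate": -25, "authorization": -30}
    print(pre_stick_score(example), score_bounds())
```

score_bounds() shows why a clamp (or some equivalent normalisation) has to exist somewhere: with every factor at its extreme the raw sum runs from -135 to 180, well outside any 0..100 score. Whatever the real implementation does at the edges, a producer that emits a value outside its table range should fail validation rather than be clamped away, since clamping would hide a misbehaving signal.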
20 sections injected into every Stick review + 15 investigation tools available on demand
Gaps identified and resolved during signal flow audit
get_org_anomalies was implemented as an MCP tool but was not declared in Stick's investigation tool list. Stick can now query per-org anomalies (volume spikes, new detection types, behavioral shifts) during finding analysis.
Precomputed entity-level attack chains were only available inside the security monitor endpoint. A new get_attack_chains MCP tool was created so Stick can check if the current finding's entity is part of a broader multi-detection attack pattern.
analyze_trends is a macro-level view (24h+) used by the Chat interface and is intentionally not exposed to Stick. The per-org anomalies tool, which Stick can call, covers the per-finding use case.
Detection-level rules (is_benign, rules_multiplier) feed into scoring but aren't exposed to Stick or the frontend. Their effects are visible through the risk_multiplier in detection stats and the scoring factors.
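The first gap above (a tool implemented on the MCP server but missing from Stick's declared investigation tool list) is the kind of drift that recurs whenever a tool is added. The following is an added example of the audit that catches it, not Kindling's own code. The two registries are constructed here for illustration; in practice they would be read from the MCP server's tool registry and Stick's declared list. The tool names other than get_org_anomalies, get_attack_chains and analyze_trends (all named on this page) are hypothetical, as is the chat-only exclusion set, which encodes the decision above that analyze_trends stays Chat-only.

```python
from typing import Dict, FrozenSet, List

# Constructed, hypothetical registries. get_org_anomalies, get_attack_chains and
# analyze_trends are the tools discussed above; the others are placeholders.
IMPLEMENTED_MCP_TOOLS: FrozenSet[str] = frozenset({
    "get_org_anomalies",    # implemented, but was absent from Stick's list
    "get_attack_chains",    # added so Stick can see entity-level attack chains
    "analyze_trends",       # Chat-only macro view, deliberately not for Stick
    "get_finding",          # hypothetical
})
STICK_INVESTIGATION_TOOLS: FrozenSet[str] = frozenset({
    "get_attack_chains",
    "get_finding",
    "get_entity_history",   # hypothetical: declared but nothing implements it
})
CHAT_ONLY_TOOLS: FrozenSet[str] = frozenset({"analyze_trends"})


def audit_tool_declarations(implemented: FrozenSet[str],
                            declared: FrozenSet[str],
                            chat_only: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Compare what the MCP server implements with what Stick may call.

    Returns three lists; a clean audit has all three empty.
    """
    return {
        # Implemented and not reserved for Chat, yet Stick cannot call it:
        # the get_org_anomalies case from the signal flow audit.
        "undeclared": sorted(implemented - declared - chat_only),
        # Declared for Stick but no implementation exists: Stick would be
        # offered a tool that fails when invoked.
        "dangling": sorted(declared - implemented),
        # Declared for Stick although marked Chat-only: the exclusion list
        # and the declared list disagree and one of them is stale.
        "chat_only_exposed": sorted(declared & chat_only),
    }


def audit_is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


if __name__ == "__main__":
    report = audit_tool_declarations(IMPLEMENTED_MCP_TOOLS,
                                     STICK_INVESTIGATION_TOOLS,
                                     CHAT_ONLY_TOOLS)
    print(report, "clean" if audit_is_clean(report) else "drift detected")
```

Run as a test in CI against the real registries, the "undeclared" list is the one that would have flagged get_org_anomalies before the manual audit did, and "dangling" catches the opposite mistake of declaring a tool that was renamed or removed on the server.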
Three-phase data flow from ingestion to user-facing output