
Temporal Decay Intelligence Scoring

Category: Intelligence
Last Updated: Apr 14, 2026

Overview

An entity that was involved in three incidents six months ago presents a very different threat picture than one involved in three incidents last week. Without recency weighting, a flat count of historical events treats both entities identically, causing analysts to waste time on dormant subjects and miss the significance of recent bursts of activity. Temporal decay scoring solves this by weighting recent activity more heavily than older activity, so that entities with increasing recent engagement surface at the top of the analyst's attention and those with no recent activity gracefully fade toward dormant status.

The Temporal Decay Intelligence Scoring module computes recency-weighted activity scores for every entity profile using two published academic statistical methods: the Exponentially Weighted Moving Average (EWMA) and the Hawkes self-exciting point process intensity function. Each entity is assigned a continuous score in the range [0, 1] and classified into one of four trend categories, Rising, Stable, Declining, or Dormant, which appear as coloured badges on entity detail views and can be used to filter and rank entities across the platform.

Last Reviewed: 2026-04-14 Last Updated: 2026-04-14

Key Features

  • EWMA Decay Scoring: Scores are computed using the Exponentially Weighted Moving Average formula described by Hunter (1986). Each historical event contributes a weight proportional to exp(-ln(2)/half_life * days_ago), so an event one half-life old carries half the weight of a current event, and an event two half-lives old carries one quarter. The default half-life is 30 days. When triggering a recompute via the GraphQL API, operators can configure alternative half-lives from 7 days (high-tempo operational environments) to 180 days (strategic tracking).

  • Hawkes Process Intensity: For entities where temporal clustering is significant (a burst of related activity followed by silence), the conditional intensity of the Hawkes self-exciting process provides a more sensitive indicator than EWMA alone. The intensity function λ(t) = μ + Σ α·exp(-β·(t-tᵢ)) captures the self-exciting nature of intelligence activity: one event raises the probability of further related events. This method is particularly useful for tracking entities involved in coordinated or cascading incident patterns.

  • Four-Tier Trend Classification: Every computed score is classified into one of four activity trend tiers. Rising (score ≥ 0.70) indicates increasing recent engagement and warrants elevated analyst attention. Stable (0.30–0.69) indicates sustained activity at a consistent level. Declining (0.10–0.29) indicates fading engagement. Dormant (below 0.10) indicates an entity with no significant recent activity. Classifications are displayed on entity profile views as coloured badges: green for Rising, blue for Stable, amber for Declining, and grey for Dormant.

  • Automated Six-Hour Recomputation: A background scheduler job recomputes temporal scores for all active entity profiles in all organisations every six hours. The job uses distributed locking to prevent duplicate execution across multiple instances and gracefully degrades if the scoring tables are temporarily unavailable. Organisations with no active entities are skipped automatically.

  • On-Demand Score Computation: The computeEntityTemporalScore GraphQL mutation allows an analyst or automated workflow to trigger an immediate recompute for a specific entity with custom parameters. Half-life and decay method (EWMA or Hawkes) are selectable per call. Computed scores are persisted to a dedicated temporal scores table and immediately visible in the entity profile badge.

  • Multi-Tenant Isolation: Every database query, score storage operation, and GraphQL resolver enforces organization_id scoping. It is structurally impossible for one organisation's temporal scores to be visible to or affected by another organisation's entity data. This meets European Defence Fund data sovereignty requirements.
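
The two decay formulas and the tier thresholds above, as an added Python sketch that is not the platform's own code. The normalisation raw/(1+raw), the Hawkes parameters mu, alpha and beta, the future-event filter, the half-life range check and all function names are assumptions; the event timestamps are constructed.

```python
import math
from datetime import datetime, timezone

def classify(score):
    """Tier thresholds from the page, applied as lower bounds."""
    if score >= 0.70:
        return "Rising"
    if score >= 0.30:
        return "Stable"
    if score >= 0.10:
        return "Declining"
    return "Dormant"

def ages_in_days(timestamps, now):
    """Parse ISO 8601 timestamps into event ages in days.
    Future-dated events (clock skew, bad feed data) are dropped: a
    negative age would give a weight above 1 and inflate the score."""
    ages = [(now - datetime.fromisoformat(ts)).total_seconds() / 86400
            for ts in timestamps]
    return [a for a in ages if a >= 0]

def ewma_score(timestamps, now, half_life_days=30):
    """Sum of exp(-ln(2)/half_life * days_ago) over events, mapped to [0, 1)."""
    if not 7 <= half_life_days <= 180:
        raise ValueError("half-life must be within 7-180 days")
    decay = math.log(2) / half_life_days
    raw = sum(math.exp(-decay * a) for a in ages_in_days(timestamps, now))
    return raw / (1.0 + raw)  # ASSUMPTION: normalisation is not given on the page

def hawkes_intensity(timestamps, now, mu=0.05, alpha=0.5, beta=0.2):
    """lambda(t) = mu + sum(alpha * exp(-beta * (t - t_i))); raw intensity,
    not normalised. mu, alpha, beta are assumed values."""
    return mu + sum(alpha * math.exp(-beta * a)
                    for a in ages_in_days(timestamps, now))

# Constructed sample data: three events last week vs. three about six months ago.
NOW = datetime(2026, 4, 14, tzinfo=timezone.utc)
RECENT = ["2026-04-13T00:00:00+00:00", "2026-04-11T00:00:00+00:00",
          "2026-04-09T00:00:00+00:00"]
OLD = ["2025-10-16T00:00:00+00:00", "2025-10-11T00:00:00+00:00",
       "2025-10-06T00:00:00+00:00"]

if __name__ == "__main__":
    for name, events in (("recent", RECENT), ("old", OLD)):
        s = ewma_score(events, NOW)
        print(name, round(s, 3), classify(s), round(hawkes_intensity(events, NOW), 3))
```

With the default 30-day half-life, the same three-event count lands in Rising when the events are a week old and in Dormant when they are six months old, which is the contrast the overview describes.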

Use Cases

  • Analyst Prioritisation: Sort or filter entity profiles by temporal score to focus investigative effort on entities showing Rising or Stable activity, deprioritising Dormant entities during triage.
  • Alert Correlation Weighting: Weight alert correlation results by the temporal scores of the involved entities, boosting the significance of correlations that include recently active subjects.
  • Investigation Health Monitoring: Track temporal score trends across the entities in an active investigation to identify when subjects are increasing or decreasing their activity footprint.
  • Automated Watchlist Management: Trigger automated notifications or watchlist escalations when an entity transitions from Dormant or Declining to Stable or Rising.
  • Pattern-of-Life Analysis: Use the Hawkes Process intensity scores to detect entities exhibiting burst-then-silence temporal patterns consistent with coordinated activity.

Integration

  • Entity Profiles: The temporal score badge component renders on every entity detail view, showing the current score and trend classification.
  • GraphQL API: entityTemporalScore(entityId) query and computeEntityTemporalScore(entityId, halfLifeDays, decayFunction) mutation are available in the Advanced Analytics domain.
  • Advanced Analytics Dashboard: Temporal scores can be incorporated into custom dashboards as metric sources.
  • Alert Platform: Temporal scores are accessible for use in alert flow rules and monitor conditions.
  • Background Scheduler: Integrated with the platform-wide APScheduler service for automatic six-hourly refresh.

Open Standards

  • ISO 8601: International standard for representing dates, times, and durations; all decay interval calculations and event timestamps use ISO 8601 formatting throughout the scoring pipeline.
  • STIX 2.1 (OASIS): Structured Threat Information eXpression; the entity profiles being scored follow STIX 2.1 object conventions for threat actors, indicators, and observed data, ensuring interoperability with external intelligence feeds.
  • TAXII 2.1 (OASIS): Trusted Automated eXchange of Intelligence Information; the transport protocol used when ingesting external event streams whose timestamps feed the decay computation.
  • W3C PROV-DM: W3C Provenance Data Model; the activity and entity provenance concepts in PROV-DM underpin how historical event records are associated with entity profiles before being passed to the EWMA and Hawkes scoring functions.
