Question

Clarification on GCTI Priority vs Confidence vs Severity in Mandiant Active Breach Feed

  • February 15, 2026
  • 1 reply
  • 41 views

desertfalcon

I’m trying to better understand the distinction between the following Mandiant Active Breach threat intelligence fields:

  • GCTI Priority

  • Confidence

  • Severity

From what I understand:

  • Confidence appears to reflect how certain Mandiant is about the intelligence or attribution.

  • Severity seems to describe the impact level of the activity.

  • GCTI Priority may represent recommended operational urgency.

However, I’m seeing cases where:

  • GCTI Priority = Unspecified

  • Severity = None

I’m trying to understand:

  1. What is the precise functional difference between GCTI Priority and Severity?

  2. In what scenarios would GCTI Priority be marked as Unspecified?

  3. Why would Severity be set to None — does that mean informational only, contextual intel, or something else?

  4. Should detections with “Unspecified” priority be treated as lower operational risk, or is that field independent of risk scoring?

Any clarification on how these three attributes are intended to be interpreted in operational workflows would be greatly appreciated.

Thank you.

1 reply

kentphelps
Community Manager
  • February 24, 2026

If GCTI Priority is marked as Unspecified then there is no evidence of a current "active" campaign.
If Severity is set to None then it is often a "Benign but Noteworthy" indicator. For example, a legitimate tool (like PowerShell or a specific cloud sync utility) that is being leveraged by an attacker.

These docs, the Applied Threat Intelligence (ATI) overview and the GTI Indicator Score documentation, explain the logic behind these fields.
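One way to turn the interpretation in the reply into routing logic for indicator matches, as an added example that is not part of the thread or of any Mandiant or Google SecOps code. It encodes only the two points stated above: a GCTI Priority of "Unspecified" means no evidence of a current active campaign (route to hunting rather than paging), and a Severity of "None" usually marks a benign-but-noteworthy indicator such as a legitimate tool abused by an attacker (keep for enrichment, never page on it alone). The field names `gcti_priority`, `severity`, `confidence` and `value`, the queue names, and the sample records are all constructed assumptions; map them onto the real feed schema before use. Any value other than the two quoted in the thread is simply treated as "specified", since the page does not list the feeds' full value sets.

```python
import json
from dataclasses import dataclass

# The two values quoted in the thread. Anything else is treated as "specified";
# the feed's complete value sets are not shown on this page.
PRIORITY_UNSPECIFIED = "Unspecified"
SEVERITY_NONE = "None"


@dataclass(frozen=True)
class Disposition:
    queue: str           # "alert", "hunt" or "context" (constructed queue names)
    page_on_call: bool   # whether a match on this indicator should page someone
    reason: str


def triage(indicator: dict) -> Disposition:
    """Route one indicator match using the interpretation given in the reply.

    Field names (gcti_priority, severity) are assumptions for this example.
    A missing or empty field is treated like Unspecified / None, so a record
    with no priority or severity is never escalated by accident.
    """
    priority = indicator.get("gcti_priority") or PRIORITY_UNSPECIFIED
    severity = indicator.get("severity") or SEVERITY_NONE

    if severity == SEVERITY_NONE:
        # "Benign but Noteworthy": typically a legitimate tool abused by an
        # attacker. Keep the match as enrichment so correlation rules can still
        # use it, but do not page on the indicator by itself.
        return Disposition("context", False,
                           "severity None: benign but noteworthy; enrich only")
    if priority == PRIORITY_UNSPECIFIED:
        # No evidence of a current active campaign: worth a hunt, not a page.
        return Disposition("hunt", False,
                           "priority Unspecified: no active campaign evidence")
    # Both fields specified: the feed is asserting current, impactful activity.
    return Disposition("alert", True,
                       f"priority {priority}, severity {severity}: active campaign indicator")


def route_batch(records_json: str) -> dict:
    """Triage a JSON array of indicator records and return counts per queue."""
    counts = {"alert": 0, "hunt": 0, "context": 0}
    for rec in json.loads(records_json):
        counts[triage(rec).queue] += 1
    return counts


# Constructed sample records (not real feed data). "specified-placeholder"
# stands in for any real, non-None / non-Unspecified value.
SAMPLE_RECORDS = json.dumps([
    {"value": "powershell.exe", "gcti_priority": "Unspecified", "severity": "None"},
    {"value": "203.0.113.10", "gcti_priority": "Unspecified", "severity": "specified-placeholder"},
    {"value": "198.51.100.7", "gcti_priority": "specified-placeholder", "severity": "specified-placeholder"},
    {"value": "example.invalid"},  # both fields absent: handled as None / Unspecified
])

if __name__ == "__main__":
    for rec in json.loads(SAMPLE_RECORDS):
        d = triage(rec)
        print(f"{rec['value']:<16} -> {d.queue:<8} page={d.page_on_call!s:<5} ({d.reason})")
    print(route_batch(SAMPLE_RECORDS))
```

The design point is that neither "Unspecified" nor "None" causes a match to be discarded: the reply describes those indicators as lacking campaign evidence or as benign-but-noteworthy, not as irrelevant, so they stay available for hunting and correlation while only fully specified indicators are allowed to page.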