Threshold Configuration
Overview
Risk thresholds determine how the Ascend platform responds to actions based on their risk scores. Properly configured thresholds balance security (blocking risky actions) with operational efficiency (allowing legitimate work to proceed). This guide covers threshold configuration at the organization, agent, and policy levels.
Key Capabilities
- Organization-Level Thresholds: Default thresholds for all agents
- Agent-Level Overrides: Customize thresholds per agent
- Policy-Level Controls: Fine-grained threshold rules
- Dynamic Thresholds: Adjust based on time, context, or patterns
- Threshold Analytics: Monitor threshold effectiveness
Threshold Types
Core Thresholds
| Threshold | Default | Description |
|---|---|---|
| auto_approve_below | 30 | Actions below this score are auto-approved |
| require_approval_above | 30 | Actions above this score require human review |
| require_mfa_above | 70 | Actions above this score require MFA verification |
| max_risk_threshold | 80 | Actions above this score are blocked (pending approval) |
| critical_threshold | 90 | Actions above this score require executive approval |
Threshold Zones
| Score Range | Zone | Action | Approval Level |
|---|---|---|---|
| 0-29 | Auto-Approve | Immediate execution | L0 (None) |
| 30-49 | Peer Review | Quick review | L1 (Peer) |
| 50-69 | Manager Review | Standard approval | L2 (Manager) |
| 70-89 | High-Risk (MFA required) | MFA + Senior Approval | L3-L4 (Senior) |
| 90-100 | Critical (critical threshold) | Executive approval required; action blocked by default | L5 (Exec) |
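A threshold set is only coherent if the escalation levels are ordered and the auto-approve and review boundaries meet. The following is an added example, not Ascend SDK code: a local pre-flight check you could run before sending a change to the API. The function names `validate_thresholds` and `required_controls` are hypothetical, and the code assumes a score equal to a threshold counts as reaching it, as the zone boundaries above suggest.

```python
# Added example: local pre-flight check; not part of the Ascend SDK.
DEFAULTS = {
    "auto_approve_below": 30, "require_approval_above": 30,
    "require_mfa_above": 70, "max_risk_threshold": 80, "critical_threshold": 90,
}
ESCALATION_ORDER = ["auto_approve_below", "require_mfa_above",
                    "max_risk_threshold", "critical_threshold"]

def validate_thresholds(t):
    """Return a list of problems; an empty list means the set is coherent."""
    problems = [f"missing {k}" for k in DEFAULTS if k not in t]
    problems += [f"{k}={v!r} is not an integer in 0-100" for k, v in t.items()
                 if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 100]
    if problems:
        return problems
    if t["require_approval_above"] > t["auto_approve_below"]:
        problems.append("gap: scores from auto_approve_below up to "
                        "require_approval_above match no rule")
    elif t["require_approval_above"] < t["auto_approve_below"]:
        problems.append("overlap: some scores are both auto-approved and sent for review")
    # Each escalation level must sit at or above the one before it.
    for lo, hi in zip(ESCALATION_ORDER, ESCALATION_ORDER[1:]):
        if t[lo] > t[hi]:
            problems.append(f"{lo} ({t[lo]}) is higher than {hi} ({t[hi]})")
    return problems

def required_controls(score, t):
    """Controls a score triggers (assumption: reaching a threshold triggers it)."""
    if score < t["auto_approve_below"]:
        return ["auto_approve"]
    controls = ["human_approval"]
    if score >= t["require_mfa_above"]:
        controls.append("mfa")
    if score >= t["max_risk_threshold"]:
        controls.append("blocked_pending_approval")
    if score >= t["critical_threshold"]:
        controls.append("executive_approval")
    return controls
```

Running `validate_thresholds` on a proposed set before calling the update endpoint catches inverted levels, such as an MFA threshold above the block threshold, that would otherwise leave a control unreachable.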
Configuration Levels
Organization-Level Thresholds
Set default thresholds for the entire organization:
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Configure organization-wide thresholds
client.organization.update_risk_thresholds(
    auto_approve_below=25,       # More conservative
    require_approval_above=25,
    require_mfa_above=65,        # Lower MFA threshold
    max_risk_threshold=75,       # Lower maximum
    critical_threshold=85        # Lower critical
)
```
Agent-Level Thresholds
Override thresholds for specific agents:
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Configure thresholds for a specific agent
client.agents.update_thresholds(
    agent_id="finance-invoice-processor",
    default_risk_score=40,       # Base risk for this agent
    max_risk_threshold=70,       # Stricter maximum
    auto_approve_below=20,       # More conservative
    requires_mfa_above=60        # Lower MFA threshold
)

# Configure stricter thresholds for autonomous agents
client.agents.update_thresholds(
    agent_id="autonomous-data-classifier",
    autonomous_max_risk_threshold=55,       # Much stricter
    autonomous_auto_approve_below=15,       # Very conservative
    autonomous_require_dual_approval=True   # Require two approvers
)
```
Policy-Level Thresholds
Define thresholds within policies:
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Create policy with specific threshold
policy = client.policies.create(
    policy_name="production-strict-threshold",
    description="Strict thresholds for production operations",
    # Match criteria
    resource_patterns=["production.*"],
    conditions={"environment": "production"},
    # Threshold-based trigger
    risk_threshold=40,  # Policy applies when risk >= 40
    # Action
    action="REQUIRE_APPROVAL",
    action_params={
        "approval_level": 3,
        "require_mfa": True
    }
)
```
Usage Examples
View Current Thresholds
```bash
curl -X GET https://api.ascend.security/api/organization/risk-thresholds \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response:
# {
#   "organization_id": 123,
#   "thresholds": {
#     "auto_approve_below": 30,
#     "require_approval_above": 30,
#     "require_mfa_above": 70,
#     "max_risk_threshold": 80,
#     "critical_threshold": 90
#   },
#   "updated_at": "2026-01-15T10:00:00Z",
#   "updated_by": "admin@company.com"
# }
```
Update Organization Thresholds
```bash
curl -X PUT https://api.ascend.security/api/organization/risk-thresholds \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "auto_approve_below": 25,
    "require_approval_above": 25,
    "require_mfa_above": 65,
    "max_risk_threshold": 75,
    "critical_threshold": 85
  }'
```
Configure Agent-Specific Thresholds
```bash
curl -X PUT https://api.ascend.security/api/registry/agents/my-agent/thresholds \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "default_risk_score": 45,
    "max_risk_threshold": 70,
    "auto_approve_below": 20,
    "requires_mfa_above": 60
  }'
```
Get Threshold Effectiveness Report
```bash
curl -X GET "https://api.ascend.security/api/analytics/threshold-effectiveness?days=30" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response:
# {
#   "time_range_days": 30,
#   "total_evaluations": 45234,
#   "auto_approved": {
#     "count": 28456,
#     "percentage": 62.9,
#     "avg_score": 18.5
#   },
#   "required_approval": {
#     "count": 14523,
#     "percentage": 32.1,
#     "avg_score": 52.3,
#     "approved": 13987,
#     "denied": 536
#   },
#   "blocked": {
#     "count": 2255,
#     "percentage": 5.0,
#     "avg_score": 87.2
#   },
#   "recommendations": [
#     "Consider lowering auto_approve_below to 25 based on approval patterns",
#     "99.2% of actions scoring 25-30 were eventually approved"
#   ]
# }
```
Simulate Threshold Changes
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Simulate impact of threshold changes
simulation = client.risk.simulate_threshold_changes(
    proposed_thresholds={
        "auto_approve_below": 35,  # Raise from 30
        "require_mfa_above": 60    # Lower from 70
    },
    historical_days=14
)

print("Threshold Change Simulation:")
print("\nAuto-Approve Changes:")
print(f"  Current: {simulation.current_auto_approve_count}")
print(f"  Proposed: {simulation.proposed_auto_approve_count}")
print(f"  Change: +{simulation.auto_approve_change} ({simulation.auto_approve_change_percent}%)")
print("\nMFA Requirement Changes:")
print(f"  Current: {simulation.current_mfa_count}")
print(f"  Proposed: {simulation.proposed_mfa_count}")
print(f"  Change: +{simulation.mfa_change} ({simulation.mfa_change_percent}%)")
print("\nRisk Assessment:")
print(f"  Actions that would have been auto-approved but were later denied: {simulation.risk_actions}")
```
Threshold Profiles
Pre-Defined Profiles
| Profile | auto_approve | mfa_threshold | max_threshold | Use Case |
|---|---|---|---|---|
| High Security | 20 | 60 | 70 | Financial, Healthcare |
| Standard | 30 | 70 | 80 | General Enterprise |
| Development | 40 | 80 | 90 | Dev/Test environments |
| Autonomous Agent | 15 | 50 | 60 | Autonomous operations |
Apply Profile
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Apply a pre-defined profile
client.organization.apply_threshold_profile("high_security")

# Or for a specific agent
client.agents.apply_threshold_profile(
    agent_id="healthcare-agent",
    profile="high_security"
)
```
Dynamic Thresholds
Time-Based Thresholds
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Configure stricter thresholds for after-hours
client.organization.set_dynamic_thresholds({
    "time_based": [
        {
            "name": "after_hours_strict",
            "schedule": {
                "hours": "18:00-06:00",
                "days": ["monday", "tuesday", "wednesday", "thursday", "friday"]
            },
            "thresholds": {
                "auto_approve_below": 15,
                "require_mfa_above": 50,
                "max_risk_threshold": 65
            }
        },
        {
            "name": "weekend_strict",
            "schedule": {
                "days": ["saturday", "sunday"]
            },
            "thresholds": {
                "auto_approve_below": 10,
                "require_mfa_above": 40,
                "max_risk_threshold": 60
            }
        }
    ]
})
```
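The `18:00-06:00` window wraps past midnight, so it is worth checking which rule governs boundary timestamps before relying on a schedule. The following is an added example, not Ascend SDK code, that resolves the two rules above for a given timestamp. It assumes a rule matches when the timestamp's own weekday is listed, that the window start is inclusive and the end exclusive, and that the lowest value wins when rules overlap; the page does not state how the platform resolves these cases, and the function names are hypothetical.

```python
from datetime import datetime, time

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]
BASE = {"auto_approve_below": 30, "require_mfa_above": 70, "max_risk_threshold": 80}
RULES = [  # the two time_based rules from the configuration above
    {"name": "after_hours_strict",
     "schedule": {"hours": "18:00-06:00", "days": WEEKDAYS[:5]},
     "thresholds": {"auto_approve_below": 15, "require_mfa_above": 50,
                    "max_risk_threshold": 65}},
    {"name": "weekend_strict",
     "schedule": {"days": WEEKDAYS[5:]},
     "thresholds": {"auto_approve_below": 10, "require_mfa_above": 40,
                    "max_risk_threshold": 60}},
]

def in_window(now, hours):
    """True if now falls in 'HH:MM-HH:MM' (start inclusive, end exclusive)."""
    start, end = (time.fromisoformat(part) for part in hours.split("-"))
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps past midnight

def matching_rules(ts, rules):
    """Names of rules whose day list and hour window both cover ts."""
    day = WEEKDAYS[ts.weekday()]
    matched = []
    for rule in rules:
        sched = rule["schedule"]
        if "days" in sched and day not in sched["days"]:
            continue
        if "hours" in sched and not in_window(ts.time(), sched["hours"]):
            continue
        matched.append(rule["name"])
    return matched

def effective_thresholds(ts, base, rules):
    """Overlay matching rules on base, keeping the lowest value per key."""
    result = dict(base)
    active = matching_rules(ts, rules)
    for rule in rules:
        if rule["name"] in active:
            for key, value in rule["thresholds"].items():
                result[key] = min(result.get(key, value), value)
    return result
```

If the platform instead ties an overnight window to the day it opens, Monday 00:00-06:00 would match neither sample rule, so test boundary timestamps when rolling out a schedule.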
Context-Based Thresholds
```python
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Configure thresholds based on context
client.organization.set_dynamic_thresholds({
    "context_based": [
        {
            "name": "external_access_strict",
            "condition": "context.access_source == 'external'",
            "thresholds": {
                "auto_approve_below": 10,
                "require_mfa_above": 30,
                "max_risk_threshold": 50
            }
        },
        {
            "name": "vpn_access",
            "condition": "context.access_source == 'vpn'",
            "thresholds": {
                "auto_approve_below": 25,
                "require_mfa_above": 60
            }
        }
    ]
})
```
Best Practices
Threshold Tuning Process
1. BASELINE
   - Start with standard profile
   - Operate for 2-4 weeks
   - Collect metrics
2. ANALYZE
   - Review approval patterns
   - Identify false positives (high score, always approved)
   - Identify false negatives (low score, later caused issues)
   - Check threshold effectiveness report
3. SIMULATE
   - Propose threshold changes
   - Run simulation against historical data
   - Evaluate impact
4. TEST
   - Apply changes to non-critical agents first
   - Monitor for 1-2 weeks
   - Gather feedback
5. DEPLOY
   - Roll out to all agents
   - Continue monitoring
   - Iterate as needed
Threshold Guidelines by Industry
| Industry | auto_approve | mfa_threshold | max_threshold | Notes |
|---|---|---|---|---|
| Financial Services | 15-20 | 55-65 | 70-75 | Highest security |
| Healthcare | 20-25 | 60-70 | 75-80 | HIPAA compliance |
| Government | 15-25 | 55-65 | 70-80 | FedRAMP/NIST |
| Technology | 25-35 | 70-80 | 80-85 | Balanced |
| Retail | 25-30 | 65-75 | 75-80 | PCI focus |
| Manufacturing | 30-35 | 70-80 | 80-85 | Operational focus |
Common Mistakes
| Mistake | Impact | Solution |
|---|---|---|
| Thresholds too low | Too many approval requests | Gradually raise after analysis |
| Thresholds too high | Risky actions auto-approved | Lower based on incident review |
| Same threshold everywhere | Doesn't match risk profiles | Use agent-level overrides |
| No dynamic thresholds | Doesn't adapt to context | Implement time/context rules |
| Ignoring analytics | Missed optimization | Review reports weekly |
Monitoring Recommendations
- Daily: Check blocked action counts
- Weekly: Review threshold effectiveness report
- Monthly: Analyze false positive/negative rates
- Quarterly: Full threshold audit and tuning
Related
- Risk Scoring Overview - Scoring fundamentals
- Score Calculation - How scores are calculated
- Security Frameworks - Framework alignment
- Approval Workflows - Approval configuration
Compliance
Threshold configuration supports compliance with:
- SOC 2 CC6.1: Configurable access controls
- PCI-DSS 7.1: Access by job function
- NIST 800-53 AC-2: Account management
- HIPAA 164.312(a): Access control configuration
- ISO 27001 A.9.1: Access control policy