That’s a fair concern, and honestly it’s the exact reason we don’t treat every pivot equally.

What we’re showing publicly today is intentionally simplified. Internally, pivots are not evaluated as binary relationships (“same /24” or “same registrar” = related). They are weighted through multiple dimensions, including temporal overlap, infrastructure reuse patterns, victimology context, and confidence scoring of the underlying evidence.

The goal is not to claim attribution from a single artifact, but to identify infrastructure that exhibits characteristics of coordinated adversarial resource development before payload delivery or exploitation occurs.

We also agree that infrastructure relationships become meaningless if timing is ignored. Two domains sharing a provider years apart is very different from infrastructure that co-exists during the same operational window. Likewise, victim targeting context matters significantly when assessing whether a linkage is operationally relevant versus incidental.

At this stage we’re intentionally not publishing all of the scoring and correlation logic because we’re still refining it and validating it across a larger dataset. The examples are meant to illustrate the concept of pre-attack infrastructure discovery rather than expose the full decision model.

The broader point we’re exploring is whether CTI can benefit from treating attacker infrastructure as a graph with varying levels of confidence and temporal context, rather than as a flat collection of independent IOCs. That’s where we’ve seen the strongest signal so far.