A raw threat indicator — an IP address, a file hash, a domain — means almost nothing on its own. Its value comes from context: who else has seen it, what it's associated with, how it relates to other activity in your environment. That context is enrichment, and enrichment is expensive. Enriching every indicator fully and immediately means doing a lot of costly work, much of it on indicators that turn out not to matter.

The grant US12132746B2, "Incremental enrichment of threat data" (issued October 29, 2024, assigned to Sophos Limited), addresses the economics of context with a system that builds threat context progressively. Its CPC classifications span the intrusion-detection classes H04L 63/1408, H04L 63/1416, H04L 63/1425, H04L 63/1433, and H04L 63/1441, the malware class G06F 21/567, and the sandboxing class G06F 21/53.

“A threat management facility receives data from a variety of sources such as compute instances within an enterprise network, cloud service providers supporting the enterprise network, and third-party data providers such as geolocation services.” — U.S. Patent No. 12,132,746

The mechanism worth understanding is incremental work. Instead of fully enriching every indicator at once, the system adds context in stages as new information arrives and as an indicator proves worth deeper investigation. An indicator that stays quiet gets minimal enrichment; one that recurs or correlates with other activity gets progressively more, sharpening the picture exactly where attention is warranted. The enrichment effort tracks the indicator's apparent importance.
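The staged approach described above, as an added Python example (not code from the patent or from Sophos): an indicator's score rises with repeat sightings and with distinct reporting sources, and each costlier stage runs once when the score crosses its threshold. The stage names, costs, thresholds and scoring formula are assumptions chosen for illustration.

```python
from collections import defaultdict

# Hypothetical stages, cheapest first: (name, cost units, minimum score to run).
# Names, costs and thresholds are assumptions for illustration only.
STAGES = [("local_context", 1, 0), ("geolocation", 5, 3),
          ("third_party_reputation", 20, 6), ("deep_analysis", 100, 10)]

class IncrementalEnricher:
    def __init__(self, stages=STAGES):
        self.stages = stages
        self.sightings = defaultdict(int)  # indicator -> observation count
        self.sources = defaultdict(set)    # indicator -> distinct reporting sources
        self.done = defaultdict(list)      # indicator -> stages already run
        self.spent = 0                     # cost units spent so far

    def score(self, indicator):
        # Assumed importance: recurrence, plus a bonus for each additional
        # distinct source that reports the same indicator (correlation).
        return self.sightings[indicator] + 2 * (len(self.sources[indicator]) - 1)

    def observe(self, indicator, source):
        """Record one event; run only the stages the new score newly justifies."""
        self.sightings[indicator] += 1
        self.sources[indicator].add(source)
        score, ran = self.score(indicator), []
        for name, cost, threshold in self.stages:
            if score >= threshold and name not in self.done[indicator]:
                self.done[indicator].append(name)  # never pay for a stage twice
                self.spent += cost
                ran.append(name)
        return ran

    def full_upfront_cost(self):
        # Baseline: every stage run on every indicator at first sight.
        return len(self.sightings) * sum(cost for _, cost, _ in self.stages)

# Constructed sample events: 20 indicators seen once, one that recurs across sources.
QUIET = [(f"192.0.2.{i}", "endpoint-a") for i in range(1, 21)]
HOT = [("203.0.113.9", s) for s in
       ("endpoint-a", "endpoint-b", "cloud-audit", "endpoint-a", "endpoint-c")]

def replay(events):
    enricher = IncrementalEnricher()
    history = [(ind, enricher.observe(ind, src)) for ind, src in events]
    return enricher, history

if __name__ == "__main__":
    enricher, history = replay(QUIET + HOT)
    for indicator, ran in history[-len(HOT):]:
        print(indicator, "->", ran or "no new stage")
    print("incremental:", enricher.spent, "upfront:", enricher.full_upfront_cost())
```

The fourth sighting of the recurring indicator triggers nothing because it comes from a source already counted, which is where threshold tuning decides between wasted spend and lost signal.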

For defenders, the practical takeaway is that this scales context. Full upfront enrichment of every indicator doesn't survive contact with real volume — there are too many indicators and too little time. Incremental enrichment lets a system maintain rich context on the indicators that matter while spending almost nothing on the vast majority that don't, which is the only way enrichment works at the scale modern environments generate.

The judgment the system has to make is which indicators deserve more enrichment and when, since enriching the wrong ones wastes the savings and under-enriching the right ones loses the signal. The patent's contribution is in making that incremental decision well, reflecting a mature view of threat intelligence: context is valuable, context is expensive, and the art is in spending the budget where it pays off.