Every scenario above is one lever moving a system relative to the same boundary: an attack is rational exactly when effective cost < expected gain. This view shows raw cost vs. gain and how far this system sits from that line.
The static equilibrium above is a snapshot. Real attackers learn from outcomes. This simulates an attacker updating their belief about your defense strength after each probe — showing whether the threat escalates or fades with repeated play.
The Threshold Law makes a falsifiable prediction: real exploit rates should jump
sharply near Θ, not rise smoothly. validate.js
tests this against two live public datasets — FIRST.org's EPSS scores and CISA's
Known Exploited Vulnerabilities catalog — no API key required. Run it with
node validate.js on any machine with internet.
Its analysis logic is independently verified offline by selftest.js
against synthetic ground truth before ever touching real data.
A different question: the attack already succeeded — should the victim pay? This applies the same threshold logic one step later, with one new mechanism: ransom paid this round funds the attacker's capability next round. That's what makes paying individually rational but collectively self-defeating — the real argument behind proposals to ban ransomware payments outright.