Hidden Markov models for advanced persistent threats - Archive ouverte HAL
Preprint, Working Paper. Year: 2017

Hidden Markov models for advanced persistent threats

Abstract

Advanced Persistent Threats (APT), attack campaigns performed by competent and resourceful actors, are a serious security risk, and tools suited to their detection are needed. These attack campaigns do leave traces in the system, and it is possible to reconstruct part of the attack campaign from these traces. In this article, we describe a stochastic model for the evolution of an APT. It is based on hidden Markov models (HMM) and is accompanied by a score. The aim of this model is to validate whether the evolution of a partially reconstructed attack campaign is indeed consistent with the evolution of an APT. Since APTs are the work of competent attackers, we can assume that not every step of the APT will leave traces. This fact must be taken into account when computing the fit with the model, which is why we introduce a new score. This score is based on the log-likelihood of the observations under the model, but also accounts for potentially missing observations. In addition, it allows comparing attack campaigns of varying length. We validate and illustrate both the model and the score using synthetic and real-life data.
Main file: article.pdf (138.96 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-01549196 , version 1 (28-06-2017)
hal-01549196 , version 2 (06-10-2017)

Identifiers

  • HAL Id : hal-01549196 , version 1

Cite

Guillaume Brogi, Elena Di Bernardino. Hidden Markov models for advanced persistent threats. 2017. ⟨hal-01549196v1⟩
442 views
998 downloads
