
Finding Exposure Quantification

Understand how Hyver quantifies exposure reduction to guide remediation priorities.

Updated over 5 months ago

Overview

This article explains how Hyver calculates exposure reduction for each finding — helping you prioritize remediation based on how much a fix can reduce your organization’s cyber risk.
Hyver provides dollar-based exposure reduction values, giving security teams a clear understanding of mitigation impact and return on investment.


What is exposure reduction?

Exposure reduction quantifies the estimated decrease in risk (measured in dollar value) if a specific finding is fixed.
This value helps determine:

  • Which findings should be prioritized

  • How much a fix could lower your organization's overall exposure

Every finding of type Vulnerability can be assigned an exposure reduction value.


Exposure v1 vs. Exposure v2

| Feature | Exposure v1 | Exposure v2 |
|---|---|---|
| Which findings are measured | Only findings on successful attack routes | All findings, whether on a route or not |
| Required setup | None | Requires Likelihood v2 + Cost of Breach v2 |
| Accuracy | Route-dependent | More complete and accurate |

Hyver recommends enabling Exposure v2 for full visibility and risk-based prioritization.


How exposure reduction is calculated

  • Hyver simulates each finding individually in its “fixed” state to estimate how much it would reduce exposure.

  • The value is shown as a single dollar figure, not a range.

  • The calculation includes factors like:

    • Position in the attack graph

    • Business asset exposure

    • Cost of Breach

    • Likelihood of exploitation

If Cost of Breach (CoB) is missing, users with permission will see a link to update it.
If CoB exists but there’s no graph or data, the exposure value is set to None.
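
To illustrate the "simulate each finding as fixed" approach, here is an added example; it is not Hyver's code or its actual formula, which this article does not specify. It assumes a toy attack graph with constructed likelihoods and Cost of Breach values, and takes the most probable route to each business asset as that asset's breach likelihood.

```python
# Illustrative model only (assumption): exposure = sum over business assets of
# (likelihood of the most probable attack route to the asset) x (Cost of Breach).
# Constructed sample graph: (source, target, step likelihood, enabling finding)
EDGES = [
    ("internet", "web", 0.5, "F1"),
    ("internet", "vpn", 0.2, "F2"),
    ("web", "db", 0.4, "F3"),
    ("vpn", "db", 0.5, "F4"),
    ("web", "files", 0.1, "F5"),
]
COST_OF_BREACH = {"db": 1_000_000, "files": 200_000}  # constructed dollar values


def reach_probability(edges, source, target, seen=frozenset()):
    """Likelihood of the most probable route from source to target."""
    if source == target:
        return 1.0
    best = 0.0
    for src, dst, p, _finding in edges:
        if src == source and dst not in seen:  # skip nodes already on this path
            onward = reach_probability(edges, dst, target, seen | {source})
            best = max(best, p * onward)
    return best


def exposure(edges, cob, entry="internet"):
    """Total dollar exposure across all business assets."""
    return sum(reach_probability(edges, entry, a) * c for a, c in cob.items())


def exposure_reduction(finding, edges=EDGES, cob=COST_OF_BREACH):
    """Dollar drop in exposure if this one finding is fixed, else None."""
    if not cob or not edges:  # no Cost of Breach or no graph data
        return None
    fixed = [e for e in edges if e[3] != finding]  # graph with the finding fixed
    delta = round(exposure(edges, cob) - exposure(fixed, cob), 2)
    return delta if delta > 0 else None  # None, not $0, when nothing is quantified


def prioritize(edges=EDGES, cob=COST_OF_BREACH):
    """Findings ordered by exposure reduction, unquantified ones last."""
    scored = {f: exposure_reduction(f, edges, cob) for f in sorted({e[3] for e in edges})}
    return sorted(scored.items(), key=lambda kv: kv[1] or 0, reverse=True)


if __name__ == "__main__":
    for finding, value in prioritize():
        print(finding, "None" if value is None else f"${value:,.0f}")
```

In this toy graph, fixing F2 or F4 changes nothing because a more probable route to the same asset remains, so both come back as None rather than $0.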


Conditions that trigger recalculation

Exposure reduction values are recalculated when changes occur in:

  • The graph (add/update/delete nodes or edges)

  • New or updated findings

  • Remediation assets added/removed from attack routes

  • Likelihood version switch

  • Cost of Breach updates

  • Finding status changes (e.g., Fixed → Reopened)

  • Business asset settings or risk model updates

Any changes are tracked in the History tab for auditing.


Special cases

  • A finding marked Fixed retains the exposure reduction value it had at the time of fixing.

  • If it’s reopened, a new value is recalculated.

  • Findings marked Not Relevant are assigned a value of None.

  • If a finding has no exposure impact, it does not show $0. It is set to None, which indicates that it can’t be quantified, not that it has no risk.


Where to find exposure reduction data

  • On the Findings page, use filters to view findings by exposure reduction range.

  • In the right-hand pane, the dollar-based exposure reduction is displayed for each finding.

  • In mitigation plans, the total exposure reduction reflects the combined value of included findings.

The higher the value, the greater the expected impact of remediation.


Switching exposure model settings

Admins can switch between Likelihood v1/v2 and Cost of Breach v1/v2:

  • Go to Settings > Likelihood to change the version

  • Go to Settings > Cost of Breach to switch versions

  • All changes will be reflected across Hyver dashboards and calculations


Wrap-up / Next Steps

Exposure reduction helps you prioritize security fixes that make the biggest impact. With Exposure v2, every finding contributes to the bigger picture — giving you data-backed insights for smarter planning.
