This article explains how the Cye Exposure Management Platform calculates exposure reduction for each finding — the dollar value showing how much fixing it would lower your organization's cyber risk.
Overview
Exposure reduction gives every finding a dollar-based value representing how much your organization's risk would drop if that finding were fixed. It turns prioritization into an impact-based decision rather than a severity-only one.
What is exposure reduction?
Exposure reduction quantifies the estimated decrease in risk, in dollars, if a specific finding is fixed — calculated independently for each finding, regardless of other fixes. This value helps you determine:
Which findings to prioritize
How much a fix could lower your organization's overall exposure
Every finding of type Vulnerability can be assigned an exposure reduction value, whether or not it currently appears on an active attack route.
How exposure reduction is calculated
The platform simulates each finding individually in its "fixed" state to estimate how much it would reduce exposure, then shows the result as a single dollar figure — not a range.
The calculation accounts for:
Position in the attack graph
Business asset exposure
Cost of Breach
Likelihood of exploitation
If Cost of Breach is missing, users with permission see a link to add it. If Cost of Breach exists but there is no graph or supporting data, the exposure value is set to None.
For the underlying formula (Exposure = Probability × Cost of Breach), the Common Graph, and how maturity affects exposure, see How the Exposure Calculation Works.
What triggers a recalculation
Exposure reduction values refresh whenever any of the following change:
The graph (nodes or edges added, updated, or deleted)
New or updated findings
Remediation assets added to or removed from attack routes
Likelihood
Cost of Breach
Finding status (e.g., Fixed → Reopened)
Business asset settings or risk-model updates
All changes are recorded in the History tab for auditing.
Special cases
A finding marked Fixed keeps the exposure reduction value it had at the time of fixing.
If it is Reopened, a new value is calculated.
Findings marked Not Relevant are set to None.
A finding with no exposure impact shows None, not $0 — meaning it can't be quantified, not that it carries no risk.
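The per-finding "fixed" simulation and the None-versus-$0 rule can be seen on a toy attack graph. This is an added example, not the platform's own code or algorithm: the graph, node names, finding IDs (F-1 to F-4), likelihoods and the rule for combining routes (independent routes, each route's probability being the product of its edge likelihoods) are all assumptions made for illustration.

```python
from math import prod

# Constructed sample graph: (source, target, likelihood, finding id or None)
EDGES = [
    ("internet", "web", 0.5, "F-1"),
    ("internet", "vpn", 0.2, "F-2"),
    ("web", "db", 0.4, "F-3"),
    ("vpn", "db", 0.5, None),
    ("web", "printer", 0.9, "F-4"),  # not on any route to the business asset
]

def routes(edges, node, target, seen=()):
    """Yield every acyclic route from node to target as a list of edges."""
    if node == target:
        yield []
        return
    for e in edges:
        if e[0] == node and e[1] not in seen:
            for rest in routes(edges, e[1], target, seen + (node,)):
                yield [e] + rest

def breach_probability(edges, entry, asset):
    """P(at least one route succeeds); routes are assumed independent."""
    return 1 - prod(1 - prod(e[2] for e in r) for r in routes(edges, entry, asset))

def exposure(edges, entry, asset, cost_of_breach):
    """Exposure = Probability x Cost of Breach."""
    return breach_probability(edges, entry, asset) * cost_of_breach

def exposure_reduction(finding, edges, entry, asset, cost_of_breach, status="Open"):
    """Dollar drop in exposure if only this finding were fixed, or None."""
    if cost_of_breach is None or status == "Not Relevant":
        return None
    fixed = [e for e in edges if e[3] != finding]  # simulate the "fixed" state
    before = exposure(edges, entry, asset, cost_of_breach)
    after = exposure(fixed, entry, asset, cost_of_breach)
    delta = before - after
    return round(delta) if delta > 1e-9 else None  # no impact is None, not $0

if __name__ == "__main__":
    for f in ("F-1", "F-2", "F-3", "F-4"):
        print(f, exposure_reduction(f, EDGES, "internet", "db", 1_000_000))
```

In this toy model F-1 and F-3 sit on the same route, so each gets the same value when simulated on its own, which is what calculating each finding independently of other fixes implies.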
Where to find exposure reduction data
On the Findings page, filter by exposure reduction range.
In the right pane, the dollar-based exposure reduction is shown for each finding.
In mitigation plans, the total reflects the combined value of all included findings.
The higher the value, the greater the expected impact of remediating that finding.
Wrap-up / Next Steps
On the Findings page, filter by exposure reduction to surface the highest-impact fixes.
Add Cost of Breach for assets showing None to get accurate values.
See Finding Prioritization for how exposure reduction combines with Critical to Block and Severity to set the recommended fix order.





