
How the Exposure Calculation Works

Learn how Cye Platform calculates exposure and exposure reduction using probability and breach cost.

Overview

This article explains how Cye Platform calculates exposure and exposure reduction, and how those values influence finding prioritization.
The formula is simple: Exposure = Likelihood × Cost of Breach, but behind it is a dynamic model powered by Cye Platform's attack graphs and maturity data.


Basic exposure calculation

Exposure is calculated using two key inputs:

  • Likelihood – The probability that a threat actor can breach a business-critical asset (BCA)

  • Cost of Breach (CoB) – The financial impact if that breach occurs

Formula:

Exposure = Probability × Cost of Breach

For example:
If the probability of breach is 0.9 and the CoB is $10M, then:
Exposure = 0.9 × $10M = $9M


Exposure reduction

The exposure reduction value estimates how much risk is reduced if a specific finding is fixed.

  • Each finding is assessed independently — without requiring other findings to be fixed.

  • Exposure reduction is used to:

    • Prioritize findings

    • Estimate ROI of mitigation efforts

    • Build optimized mitigation plans

If Cye Platform can't calculate an exposure value, the field is set to None.


Prioritization based on exposure

Cye Platform uses exposure values to rank findings by impact.
However, route positioning also plays a role.

Example:

  • F1 has the highest exposure and is prioritized first.

  • F3 may be prioritized second — even if F2 has a higher exposure — because of its location in the attack path.

  • Once F1 is fixed, F3 becomes the next most strategic fix.

Findings that appear on multiple attack routes are marked Critical to Block, which boosts their priority.
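
The sketch below is an added example, not Cye Platform's own code or algorithm. It works through exposure and per-finding exposure reduction on a two-route graph and shows why a finding shared by both routes gains the most from being fixed. The graph, the step probabilities, the function names and the assumption that findings succeed independently are all constructed for illustration.

```python
from itertools import product

# Constructed sample data: assumptions for illustration, not Cye Platform values.
COST_OF_BREACH = 10_000_000            # CoB in dollars for one BCA
STEP_PROB = {"F1": 0.5, "F2": 0.9, "F3": 0.8}   # chance each finding is exploited
ROUTES = [["F1", "F2"], ["F1", "F3"]]  # F1 sits on both routes to the BCA


def breach_likelihood(routes, step_prob):
    """P(at least one route succeeds), findings treated as independent."""
    ids = sorted({f for route in routes for f in route})
    total = 0.0
    for states in product([True, False], repeat=len(ids)):
        exploited = dict(zip(ids, states))
        if any(all(exploited[f] for f in route) for route in routes):
            weight = 1.0
            for f in ids:
                weight *= step_prob[f] if exploited[f] else 1 - step_prob[f]
            total += weight
    return total


def exposure(routes, step_prob, cob):
    """Exposure = Likelihood x Cost of Breach."""
    return breach_likelihood(routes, step_prob) * cob


def exposure_reduction(finding, routes, step_prob, cob):
    """Exposure drop when only `finding` is fixed; None if not computable."""
    if finding not in step_prob:
        return None
    fixed = {**step_prob, finding: 0.0}
    return exposure(routes, step_prob, cob) - exposure(routes, fixed, cob)


def rank_findings(routes, step_prob, cob):
    """Findings ordered by exposure reduction, largest first."""
    scored = [(f, exposure_reduction(f, routes, step_prob, cob)) for f in step_prob]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"Exposure: ${exposure(ROUTES, STEP_PROB, COST_OF_BREACH):,.0f}")
    for finding, reduction in rank_findings(ROUTES, STEP_PROB, COST_OF_BREACH):
        print(f"{finding}: fixing it alone removes ${reduction:,.0f}")
```

In this constructed graph F1 has the lowest step probability of the three findings, yet fixing it alone removes the entire exposure because both routes pass through it.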


What is the Common Graph?

The Common Graph aggregates attack route data from across all Cye Platform customers into a unified model.
This allows Cye Platform to:

  • Normalize real-world graph data

  • Simulate likely attack paths for your environment

  • Calculate probabilities more accurately based on global insights

Unlike a purely organizational graph, the Common Graph ensures exposure is calculated for all findings — including those not currently on an active attack route — giving you complete visibility across your vulnerability landscape.


How maturity affects exposure

Cye Platform incorporates maturity scoring into the exposure calculation, making results more accurate and tailored to your organization's actual security posture.

Example:

  • Without maturity, a finding's breach probability is 0.44

  • With maturity data, the same path is calculated at 0.47

  • This results in more accurate exposure and prioritization values.


Wrap-up / Next Steps

Exposure quantification helps you prioritize mitigation based on business impact — not just technical severity. With full finding coverage, Common Graph data, and maturity-aware scoring, Cye Platform gives you the most accurate view of your organization's risk.
