This article explains how the Cye Exposure Management Platform calculates exposure and exposure reduction — the dollar-based values behind finding prioritization.
Overview
Exposure is the financial risk a finding represents. The formula is simple — Exposure = Probability × Cost of Breach — but behind it sits a dynamic model powered by the platform's attack graphs and maturity data.
The exposure formula
Exposure is calculated from two inputs:
Probability — the likelihood that a threat actor can breach a business-critical asset.
Cost of Breach — the financial impact if that breach occurs.
Exposure = Probability × Cost of Breach
For example, if the probability of breach is 0.9 and the Cost of Breach is $10M: Exposure = 0.9 × $10M = $9M.
Exposure reduction
The exposure reduction value estimates how much risk is removed if a specific finding is fixed. Each finding is assessed independently, without requiring other findings to be fixed.
Exposure reduction is used to prioritize findings, estimate the ROI of mitigation, and build optimized mitigation plans. If the platform can't calculate a value, the field is set to None. For the per-finding value, where to see it, and special cases, see Finding Exposure Reduction.
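The following added example is not Cye's code or algorithm. It works through per-finding exposure reduction on a constructed toy attack graph, using the article's formula and $10M Cost of Breach. The graph, the finding IDs F1 to F4, the edge probabilities, and the treatment of routes as independent are all assumptions made for illustration.

```python
from math import prod

# Constructed toy attack graph: (source, target, finding_id, success probability).
EDGES = [
    ("internet", "web", "F1", 0.9),
    ("web", "db", "F2", 0.5),
    ("internet", "vpn", "F3", 0.4),
    ("vpn", "db", "F4", 0.5),
]
COST_OF_BREACH = 10_000_000  # dollars, the $10M figure from the article's example


def routes(edges, node, target, seen=()):
    """Yield each simple route from node to target as a list of edges."""
    if node == target:
        yield []
        return
    for edge in edges:
        if edge[0] == node and edge[1] not in seen:
            for rest in routes(edges, edge[1], target, seen + (node,)):
                yield [edge] + rest


def breach_probability(edges, entry="internet", target="db"):
    """P(at least one route succeeds); routes treated as independent (assumption)."""
    miss = prod(1 - prod(e[3] for e in r) for r in routes(edges, entry, target))
    return 1 - miss


def exposure(edges):
    """Exposure = Probability x Cost of Breach."""
    return breach_probability(edges) * COST_OF_BREACH


def exposure_reduction(edges):
    """Per finding: baseline exposure minus exposure with only that finding fixed."""
    baseline = exposure(edges)
    result = {}
    for fid in sorted({e[2] for e in edges}):
        remaining = [e for e in edges if e[2] != fid]
        result[fid] = round(baseline - exposure(remaining))
    return result


if __name__ == "__main__":
    print(f"baseline exposure: ${exposure(EDGES):,.0f}")
    for fid, value in sorted(exposure_reduction(EDGES).items(), key=lambda kv: -kv[1]):
        print(f"{fid}: ${value:,}")
```

In this toy model the four reductions sum to more than the baseline exposure, because each finding is assessed on its own: per-finding values rank fixes but are not additive across a mitigation plan.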
The Common Graph
The Common Graph aggregates attack-route data from across all Cye customers into a unified model. This lets the platform:
Normalize real-world graph data
Simulate likely attack paths for your environment
Calculate probabilities more accurately from global insight
Unlike a purely organizational graph, the Common Graph lets the platform calculate exposure for all findings, including those not currently on an active attack route, giving complete visibility across your vulnerability landscape.
How maturity affects exposure
The platform folds maturity scoring into the exposure calculation, tailoring results to your organization's actual security posture. For example, a path with a breach probability of 0.44 without maturity data may be calculated at 0.47 with it — producing more accurate exposure and prioritization values.
How exposure drives prioritization
Exposure values rank findings by impact, though a finding's position on the attack route also shapes the order. For the full ranking logic — the Critical to Block → Exposure Reduction → Severity precedence and how the recommended fix order updates — see Finding Prioritization.
Wrap-up / Next Steps
Use exposure values to focus mitigation on business impact, not just technical severity.
See Finding Exposure Reduction for the per-finding value and Finding Prioritization for ranking.




