Overview
This article explains how Hyver calculates exposure and exposure reduction, and how those values influence finding prioritization.
The formula is simple: Exposure = Likelihood × Cost of Breach, but behind it is a dynamic model powered by Hyver’s common graph and maturity data.
Basic exposure calculation
Exposure is calculated using two key inputs:
Likelihood – The probability that a threat actor can breach a business-critical asset (BCA)
Cost of Breach (CoB) – The financial impact if that breach occurs
Formula:
Exposure = Probability × Cost of Breach
For example:
If the probability of breach is 0.9 and the CoB is $10M, then:
Exposure = 0.9 × 10M = $9M
Exposure reduction
The exposure reduction value estimates how much risk is reduced if a specific finding is fixed:
Each finding is assessed independently — without requiring other findings to be fixed.
Exposure reduction is used to:
Prioritize findings
Estimate ROI of mitigation efforts
Build optimized mitigation plans
If Hyver can’t calculate an exposure value, the field is set to None.
Prioritization based on exposure
Hyver uses exposure values to rank findings by impact.
However, route positioning also plays a role.
Example:
F1 has the highest exposure and is prioritized first.
F3 may be prioritized second — even if F2 has a higher exposure — because of its location in the attack path.
Once F1 is fixed, F3 becomes the next most strategic fix:
Findings that appear on multiple attack routes are marked Critical to Block, which boosts their priority:
Exposure v1 vs. Exposure v2
Feature | Exposure v1 | Exposure v2 |
Coverage | Only findings on attack routes | All findings, even if not on a route |
Maturity included? | ❌ No | ✅ Yes |
Graph dependency | Requires mitigation graph | Uses common graph for better accuracy |
Input model | Likelihood v1 + CoB v1 | Likelihood v2 + CoB v2 |
Default for new customers? | ❌ No | ✅ Yes |
Exposure v2 provides the most accurate and comprehensive risk modeling in Hyver.
What is the Common Graph?
The Common Graph aggregates attack route data from across all Hyver customers into a unified model.
This allows Hyver to:
Normalize real-world graph data
Simulate likely attack paths for your environment
Calculate probabilities more accurately based on global insights
Maturity impact in Exposure v2
Exposure v2 includes maturity scoring in the calculation.
Example:
Without maturity, a finding’s breach probability is
0.44With maturity data, the same path is calculated at
0.47This results in more accurate exposure and prioritization values:
Enabling Exposure v2
To use Exposure v2 (recommended):
Enable Likelihood v2:
Go to Settings > Likelihood
Select Likelihood v2
Enable Cost of Breach v2:
Go to Settings > Cost of Breach
Select Cost of Breach v2
These settings are only switchable for customers who originally used v1.
New customers are automatically enrolled in v2 and cannot switch to v1.
Wrap-up / Next Steps
Exposure quantification helps you prioritize mitigation based on business impact — not just technical severity. Enabling Exposure v2 gives you full visibility into risk, optimized for your environment and maturity level.