Findings and Maturity Levels

Learn how findings influence subcategory maturity scores and how Cye Exposure Management Platform calculates their impact.

Updated over 2 weeks ago

Overview

In the Cye Exposure Management Platform, findings linked to NIST subcategories directly contribute to maturity scoring. This article explains how severity, status, and type of finding affect the calculated maturity level — and what happens when findings are fixed, reopened, or updated.


How Findings Affect Maturity Scores

In Cye Platform, a finding's impact on maturity is not limited to the moment it is marked "Fixed." Instead, the platform tracks remediation progress in real time, allowing your maturity score to improve gradually as work progresses.

Progress-Based Scoring

The maturity contribution of a finding is directly linked to its progress percentage (0% to 100%):

  • Incremental Improvement: As you remediate assets or manually update the progress of a finding, its maturity score increases. You see a positive impact on your dashboard long before the finding is fully closed.

  • Severity Influence: For findings in progress, the maturity value is weighted by severity. High-severity findings require more progress than low-severity ones to reach higher maturity levels.

  • Target Maturity: Once a finding reaches 100% progress, it is assigned a maturity level of 3 by default (unless a manual override is applied).

Note: Only findings of type Vulnerability are considered in maturity calculations.
Pre-open or Not Relevant findings are excluded from scoring.


Subcategory Maturity Logic

To provide a balanced and fair view of your security posture, Cye Platform applies the following logic:

  • Averaging Impact: The maturity of a subcategory is calculated by taking the average of the maturity values of all linked findings. This ensures every bit of remediation effort contributes to the total score.

  • Multi-Category Mapping: If a finding is mapped to multiple subcategories, its progress affects the score of all of them simultaneously.

  • Exclusions: Findings marked as Not Relevant or those in a Pre-open status are excluded from maturity scoring.

Note: Your user permissions determine which findings are visible to you in the Linked Findings section. However, all linked findings are included in the maturity calculation regardless of their visibility to a specific user.


Managing Finding Impact

You can modify how a finding influences your score through the following actions:

  • Update progress: Maturity improves incrementally as remediation advances.

  • Fix a finding: Reaches 100% progress, defaulting to maturity level 3.

  • Manual adjustments: Manually override progress or the final maturity level to reflect specific implementation details.

  • Remove from scoring: Delete, unmap, or mark a finding as Not Relevant to exclude it from the subcategory average.

  • Track changes: All updates trigger an immediate recalculation of maturity scores and are tracked in the History tab.


Creating or Linking Findings

Findings must be correctly associated with a subcategory to be included in the maturity calculation.

  • Linking Methods: Findings can be linked to subcategories during the initial creation process or later via the Findings page.

  • Engagement Context: Findings created directly within a Maturity Assessment are automatically included in that assessment’s scope.

  • Permissions: You can delete findings generated by the platform only if you have Finding & Graph Initiator permissions.


Wrap-up / Next Steps

Findings provide measurable input into your maturity model. By understanding how they're factored, you can better manage your score and create a more accurate reflection of your cybersecurity posture.
