Overview
The Cye Exposure Management Platform's maturity calculation is designed to provide a realistic and transparent view of the organization's security posture. Unlike traditional models that only reward a "Fixed" status, the Cye Exposure Management Platform calculates maturity based on remediation progress. This means the score improves gradually as work is performed, reflecting partial efforts and providing a more accurate representation of risk reduction.
How Progress is Calculated
The way Progress (%) is determined depends on whether the finding has remediation assets and whether Automatic or Manual calculation is selected.
Automatic Progress Calculation
By default, the Cye platform calculates progress automatically based on the following:
Findings with Remediation Assets: Progress depends on the status of the underlying assets. For example, if a finding has 4 assets and 3 are marked as "Fixed," the progress is 75%.
Excluding Assets: If an asset is marked as "Not Relevant," it is excluded from the calculation, effectively counting as "Fixed" for the purpose of the progress percentage.
Findings without Remediation Assets: Progress is derived directly from the finding's status — moving from 0% (At-risk) to 100% when the status is changed to Fixed.
Manual Progress Override
Progress can be defined manually at any time to reflect specific remediation efforts:
Editing Progress: The progress percentage can be directly edited.
Persistence: The system will use this user-defined value for maturity calculations until it is manually updated again or reset to automatic.
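The automatic and manual progress rules above, modeled as an added Python example that is not Cye's own code. The class and function names, the "Open" asset status, dropping "Not Relevant" assets from the count, and treating a finding whose assets are all "Not Relevant" as 100% are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    status: str = "At-risk"                                   # finding-level status
    asset_statuses: List[str] = field(default_factory=list)   # one status per remediation asset
    manual_progress: Optional[float] = None                   # set when a user edits progress


def automatic_progress(f: Finding) -> float:
    """Progress (%) under the automatic rules described on this page."""
    if not f.asset_statuses:
        # No remediation assets: progress follows the finding status.
        # Assumption: any status other than "Fixed" counts as 0%.
        return 100.0 if f.status == "Fixed" else 0.0
    # Assumption: "Not Relevant" assets are dropped from the count entirely.
    relevant = [s for s in f.asset_statuses if s != "Not Relevant"]
    if not relevant:
        # Assumption: nothing left to remediate, so the finding is complete.
        return 100.0
    fixed = sum(1 for s in relevant if s == "Fixed")
    return 100.0 * fixed / len(relevant)


def effective_progress(f: Finding) -> Tuple[float, str]:
    """Return (progress, mode). A manual value wins until it is reset."""
    if f.manual_progress is not None:
        return f.manual_progress, "M"
    return automatic_progress(f), "A"


def reset_to_automatic(f: Finding) -> None:
    """Discard the user-defined value and return to the calculated one."""
    f.manual_progress = None


if __name__ == "__main__":
    # Constructed sample: 4 assets, 3 fixed, as in the example above.
    finding = Finding(asset_statuses=["Fixed", "Fixed", "Fixed", "Open"])
    print(effective_progress(finding))   # automatic value
    finding.manual_progress = 40.0       # user override persists
    finding.asset_statuses[3] = "Fixed"  # asset change does not affect it
    print(effective_progress(finding))
    reset_to_automatic(finding)
    print(effective_progress(finding))
```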
Impact on Maturity and Subcategories (NIST CSF)
Once progress is determined (either automatically or manually), it directly influences the finding's maturity contribution:
Incremental Improvement: As progress increases, the maturity score improves gradually — without waiting for a "Fixed" status to see a positive impact on the dashboard.
Target Maturity: When a finding reaches 100% progress, it is assigned a maturity level of 3, unless a manual maturity override is applied.
Severity Influence: For findings still in progress, the maturity value is weighted by severity — higher-severity issues require more progress to reach safer maturity levels.
Subcategory Maturity Scores
To provide a fair and accurate view of the security posture, the Cye platform calculates the maturity of a Subcategory by taking the average of the maturity values of all findings linked to it.
This averaging approach ensures that:
Every bit of progress on any finding contributes to the overall category score.
The dashboard provides a balanced view of the total remediation effort across the entire platform.
Managing Progress and Maturity (Finding Page)
Progress and maturity can be managed either for a single finding or in bulk.
Individual Editing
From the right pane of each specific Finding, full control is available over the calculation logic:
Set Progress Manually: Directly edit the progress percentage. Once changed, the icon will switch from A (Automatic) to M (Manual).
Reset to Automatic: Return to system-calculated progress at any time by selecting "Reset to automatic."
Maturity Level Override: While the system calculates maturity automatically, after a finding is marked as fixed, a specific maturity level (e.g., Level 3) can be manually selected instead of leaving it on "Automatic".
Multi-Select Editing (Bulk Actions)
When multiple findings need to be updated at once, use the multi-select feature:
Bulk Progress Update: Set a consistent progress value across all selected findings.
Bulk Reset: Revert multiple findings back to automatic calculation simultaneously.
Mixed States: If the selection includes some findings set to "Manual" and others to "Automatic," the UI will indicate a "Mixed" state to ensure awareness of the different calculation types before applying changes.
Wrap-up
By tracking remediation in real time, the Cye Exposure Management Platform ensures the maturity score accurately reflects the organization's ongoing remediation effort. This provides a transparent and up-to-date view of the security posture at every stage of the process.
