Methodology

How we quantify exposure.

When Samyoga puts a dollar figure on your exposure, a vetting CISO should be able to ask “how did you get that number?” and get a real answer. This is the answer. No black box, no “trust the vendor.”

Exposure is expected compromise impact.

A vulnerability scanner hands you a column of severity scores. Adding them up is meaningless, because most high-severity findings sit on assets an attacker cannot easily reach, and a low-severity finding on a domain controller can end your week. The number that matters is not how many findings you have. It is the impact you should expect if an attacker gets a foothold, given how your environment is actually wired.

We call it expected compromise impact. It is computed over the live identity-and-asset graph, not a flat inventory, because reachability is a property of the graph, not of any single asset.

Three inputs.

  1. Reachability. From a given foothold, which assets and identities can an attacker actually reach, and how easily? We compute this as a propagation over the graph (a personalized-PageRank-style walk biased by real activity), so a quiet asset two hops from a compromised identity gets a non-zero, distance-decayed weight. This is the “blast radius,” expressed as a continuous reach weight per asset rather than a binary in/out.
  2. Asset value. What is each reachable asset worth if it is compromised? This is the input you own. We start from the asset criticality the platform already infers (data sensitivity, role, internet exposure, regulatory class) and calibrate it with your finance and risk teams. Garbage valuations produce a garbage number, so we make this input explicit and yours to set.
  3. Likelihood. How probable is a foothold in the first place, and a successful hop along each edge? Edge transmission probabilities come from edge type and observed activity; foothold likelihood is informed by external exposure, known-exploited status, and threat-intel correlation.

The shape of the number.

Exposure is the expected value across the reachable set: for every asset an attacker could reach, its value weighted by how reachable it is and how likely the path. Summed, then expressed as a single figure.

exposure = Σ value(asset) × reach(asset) × likelihood(path), summed over the assets reachable from a foothold
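The following is an added worked example, not Samyoga's implementation, showing how the three inputs combine into the figure above on a small constructed graph. Everything in it is assumed for illustration: the node names, the edge transmission probabilities, the dollar values, the damping factor, and two modelling choices the page leaves open, namely that reach(asset) is the personalized-PageRank mass that a walk restarting at the foothold leaves on each node, and that likelihood(path) is the foothold likelihood times the product of edge probabilities along the most likely path to the asset.

```python
"""Toy expected-compromise-impact over an identity/asset graph.

Constructed example (not vendor code). Assumptions:
  - each edge carries a transmission probability p in (0, 1];
  - reach(asset) = personalized-PageRank mass from the foothold (damping ALPHA);
  - likelihood(path) = foothold likelihood x max-product of edge probabilities
    along the most likely path from the foothold to the asset.
"""
import heapq

ALPHA = 0.85   # continue the walk with prob ALPHA, restart at the foothold otherwise
ITERS = 200    # power-iteration steps; ALPHA**200 is far below float precision

# Constructed graph: node -> [(neighbour, transmission probability)].
# In practice p comes from edge type and observed activity; values here are made up.
EDGES = {
    "alice@corp": [("WKSTN-01", 0.9), ("FILESRV", 0.6)],
    "WKSTN-01":   [("svc-backup", 0.4)],
    "svc-backup": [("FILESRV", 0.8), ("DC-01", 0.3)],
    "FILESRV":    [("DB-PAYROLL", 0.5)],
    "DC-01":      [("DB-PAYROLL", 0.95), ("FILESRV", 0.95)],
    "DB-PAYROLL": [],
}

# Dollar impact if compromised: the input the customer owns (assumed values).
VALUE = {"WKSTN-01": 5_000, "FILESRV": 250_000,
         "DC-01": 2_000_000, "DB-PAYROLL": 4_000_000}


def all_nodes(edges):
    nodes = set(edges)
    for nbrs in edges.values():
        nodes.update(n for n, _ in nbrs)
    return nodes


def reach(edges, foothold, alpha=ALPHA, iters=ITERS):
    """Personalized PageRank from the foothold.

    Each step: with prob alpha follow an outgoing edge chosen in proportion to its
    transmission probability; with prob 1-alpha, or at a dead end, restart at the
    foothold. The stationary mass on a node is its distance-decayed reach weight.
    The foothold's own mass is dropped from the result."""
    nodes = all_nodes(edges)
    mass = {n: 0.0 for n in nodes}
    mass[foothold] = 1.0
    for _ in range(iters):
        nxt = {n: 0.0 for n in nodes}
        nxt[foothold] += 1 - alpha
        for n, m in mass.items():
            nbrs = edges.get(n, [])
            total = sum(p for _, p in nbrs)
            if total == 0:                       # dead end: walker restarts
                nxt[foothold] += alpha * m
                continue
            for nbr, p in nbrs:                  # activity-biased hop
                nxt[nbr] += alpha * m * p / total
        mass = nxt
    return {n: w for n, w in mass.items() if n != foothold}


def best_path_likelihood(edges, foothold):
    """Max-product of edge probabilities from the foothold to every node
    (Dijkstra with multiplication instead of addition)."""
    best = {foothold: 1.0}
    heap = [(-1.0, foothold)]
    while heap:
        neg_p, n = heapq.heappop(heap)
        p = -neg_p
        if p < best.get(n, 0.0):                 # stale heap entry
            continue
        for nbr, q in edges.get(n, []):
            if p * q > best.get(nbr, 0.0):
                best[nbr] = p * q
                heapq.heappush(heap, (-(p * q), nbr))
    return best


def exposure(edges, value, foothold, foothold_likelihood):
    """Sum over reachable assets of value x reach x likelihood(path).

    Returns the total and the per-asset contributions, so the analyst can see
    which paths drive the number while the board sees the total."""
    rw = reach(edges, foothold)
    lk = best_path_likelihood(edges, foothold)
    contrib = {a: v * rw[a] * foothold_likelihood * lk[a]
               for a, v in value.items() if rw.get(a, 0.0) > 0.0}
    return sum(contrib.values()), contrib


if __name__ == "__main__":
    total, contrib = exposure(EDGES, VALUE, "alice@corp", foothold_likelihood=0.2)
    for asset, c in sorted(contrib.items(), key=lambda kv: -kv[1]):
        print(f"{asset:12s} ${c:>12,.0f}")
    print(f"{'exposure':12s} ${total:>12,.0f}")
```

Two things the toy makes visible that a flat severity sum cannot: the domain controller sits two low-probability hops away and so contributes less than the file server despite being worth eight times as much, and the payroll database dominates the figure through the file server path, not the DC path. Change one edge probability (say, tighten the backup service account) and the number moves with no change to any finding's severity.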

The same machinery answers the operational question and the board question. The SOC analyst sees which paths drive the number; the board sees the number. It is also cohort-relative: we express it as a percentile against comparable organizations, so “is this bad?” has an answer that is not just our adjectives.

What it is not.

  • Not a sum of CVSS scores. Severity without reachability over-counts what cannot be reached and under-counts the chokepoints.
  • Not a compliance score. It does not measure whether controls map to a framework. It measures what an attacker can reach. That distinction has its own page.
  • Not a precise prediction. It is an expected impact under explicit assumptions, and it moves when your graph moves, even if no control changed.

Why you can check it.

The figures on this site (for example, the roughly $697M quantified at one enterprise) come from real engagements. The methodology is versioned, so any two runs on the same inputs reconcile, and we share the full method and the per-asset inputs behind a number under NDA. A number you cannot interrogate is a marketing figure. This one you can take apart with us, line by line, and bring to your board and your cyber-insurer with the assumptions attached.

Quantify your exposure.

We will run the methodology on your environment and walk you through every assumption behind the number.

How we compare