Technical Specification & Implementation Guide
A quantitative framework for measuring financial exposure from unpatched vulnerabilities, combining threat intelligence signals with business context to produce actionable risk metrics for enterprise security operations.
The likelihood score represents probability-weighted exploitability using a blended EPSS approach:
| Factor | Symbol | V2 Weight | Description |
|---|---|---|---|
| Blended EPSS | fepss | 0.55 | 0.7×probability + 0.3×percentile |
| Exploit Maturity | fmat | 0.20 | Maturity of known exploits |
| Time Exposure | ftime | 0.15 | Exponential: 1 - e-d/60 |
| CVSS Score | fcvss | 0.10 | Normalized: CVSS/10 |
V2 rationale: EPSS already incorporates CVSS features, so CVSS weight reduced to avoid double-counting.
| Days Public | V1 (Linear) | V2 (Exponential) |
|---|---|---|
| 30 days | 8% | 39% |
| 60 days | 16% | 63% |
| 120 days | 33% | 86% |
| 180 days | 49% | 95% |
Exponential curve reflects reality: risk grows rapidly early, then saturates.
Adjusts risk based on active exploitation signals. V2 separates KEV sources and removes public exploit (already in maturity):
| Signal | Symbol | Coefficient | Condition |
|---|---|---|---|
| CISA KEV | Icisa | +50% | In CISA KEV catalog (government validated) |
| VulnCheck KEV | Ivc | +30% | In VulnCheck exploited feed (operational intel) |
| Threat Actors | nta | +10% × n | Actor count (max 5) |
| Ransomware | Irw | +40% | Associated with ransomware campaigns |
| Botnet | Ibot | +20% | Associated with botnet activity |
V2 removes public/commercial exploit from M (already captured in exploit maturity factor).
M is capped at 3.0 to prevent extreme outliers: \( M = \min(M_{calculated}, 3.0) \)
| Industry | Avg Breach Cost (Cb) |
|---|---|
| Healthcare | $10,930,000 |
| Finance | $4,500,000 |
| Critical Infrastructure | $5,200,000 |
| Technology | $4,240,000 |
| Retail | $3,280,000 |
Source: IBM Cost of a Data Breach Report 2024. Default ρ = 0.30 (30%)
| Condition | SLA Hours | Days |
|---|---|---|
| CISA KEV or VulnCheck KEV | 72 | 3 days |
| Blended EPSS ≥ 0.70 New | 96 | 4 days |
| CVSS ≥ 9.0 (Critical) | 96 | 4 days |
| CVSS ≥ 7.0 (High) | 168 | 7 days |
| Medium/Low | 336 | 14 days |
V2 adds EPSS-based critical SLA: high exploitation probability triggers faster response even without high CVSS.
Step 1: Blended EPSS Score
Step 2: Time Exposure (Exponential)
Step 3: Likelihood Score
Step 4: Exposure Multiplier
Step 5: Potential Loss
Step 6: Burn Rate (SLA = 72 hours for KEV)
| Component | V1 | V2 |
|---|---|---|
| EPSS Weight | 40% | 55% (blended) |
| CVSS Weight | 30% | 10% |
| Time Curve | Linear (d/365) | Exponential |
| KEV Signal | Single binary | Separate CISA/VC |
| Public Exploit in M | +30% | Removed |
| Multiplier Cap | None | 3.0 max |
| EPSS in SLA | No | Yes (≥0.7) |