Technical Documentation
February 2026

Risk Burn Rate
Algorithm

Technical Specification & Implementation Guide

A quantitative framework for measuring financial exposure from unpatched vulnerabilities, combining threat intelligence signals with business context to produce actionable risk metrics for enterprise security operations.

Executive Summary

Key Takeaways

V2 Improvements
Primary Output
$/hour
Risk accumulation rate
Data Sources
500+
Source channels
Input Signals
8+
Threat intel factors

Calculation Flow

λ
Likelihood
Score
M
Exposure
Multiplier
L
Potential
Loss
B
Burn
Rate

1. Likelihood Score (λ) V2

The likelihood score represents probability-weighted exploitability using a blended EPSS approach:

Likelihood Score
\[ \lambda = 0.55 \cdot f_{epss} + 0.20 \cdot f_{mat} + 0.15 \cdot f_{time} + 0.10 \cdot f_{cvss} \]

Factor Components Updated Weights

FactorSymbolV2 WeightDescription
Blended EPSSfepss0.550.7×probability + 0.3×percentile
Exploit Maturityfmat0.20Maturity of known exploits
Time Exposureftime0.15Exponential: 1 - e-d/60
CVSS Scorefcvss0.10Normalized: CVSS/10

V2 rationale: EPSS already incorporates CVSS features, so CVSS weight reduced to avoid double-counting.

Time Exposure Curve Exponential

Days PublicV1 (Linear)V2 (Exponential)
30 days8%39%
60 days16%63%
120 days33%86%
180 days49%95%

Exponential curve reflects reality: risk grows rapidly early, then saturates.

2. Exposure Multiplier (M) V2

Adjusts risk based on active exploitation signals. V2 separates KEV sources and removes public exploit (already in maturity):

Exposure Multiplier
\[ M = (1 + 0.50 \cdot I_{cisa}) \times (1 + 0.30 \cdot I_{vc}) \times (1 + 0.10 \cdot n_{ta}) \]

Multiplier Components Simplified

SignalSymbolCoefficientCondition
CISA KEVIcisa+50%In CISA KEV catalog (government validated)
VulnCheck KEVIvc+30%In VulnCheck exploited feed (operational intel)
Threat Actorsnta+10% × nActor count (max 5)
RansomwareIrw+40%Associated with ransomware campaigns
BotnetIbot+20%Associated with botnet activity

V2 removes public/commercial exploit from M (already captured in exploit maturity factor).

Multiplier Cap New

M is capped at 3.0 to prevent extreme outliers: \( M = \min(M_{calculated}, 3.0) \)

3. Potential Loss (L)

Potential Loss
\[ L = C_b \cdot \rho \cdot \lambda \cdot M \]

Industry Breach Cost Defaults

IndustryAvg Breach Cost (Cb)
Healthcare$10,930,000
Finance$4,500,000
Critical Infrastructure$5,200,000
Technology$4,240,000
Retail$3,280,000

Source: IBM Cost of a Data Breach Report 2024. Default ρ = 0.30 (30%)

4. SLA Hours (T) & Burn Rate (B) V2

Burn Rate
\[ B = \frac{L}{T} \]

SLA Selection Logic EPSS Threshold Added

ConditionSLA HoursDays
CISA KEV or VulnCheck KEV723 days
Blended EPSS ≥ 0.70 New964 days
CVSS ≥ 9.0 (Critical)964 days
CVSS ≥ 7.0 (High)1687 days
Medium/Low33614 days

V2 adds EPSS-based critical SLA: high exploitation probability triggers faster response even without high CVSS.

Worked Example (V2)

CVE-2024-21762 (Fortinet FortiOS)

Vulnerability Data

CVSS Score9.8
EPSS Probability0.97
EPSS Percentile0.99
Exploit MaturityWeaponized (1.0)
Days Public90
In CISA KEVYes
In VulnCheck KEVYes
Threat Actors3

Business Assumptions

IndustryFinance
Breach Cost$4,500,000
Exposure Ratio30%

V2 Calculation

Step 1: Blended EPSS Score

f_epss = 0.70 × 0.97 + 0.30 × 0.99 = 0.976

Step 2: Time Exposure (Exponential)

f_time = 1 - e^(-90/60) = 1 - 0.223 = 0.777

Step 3: Likelihood Score

λ = (0.55 × 0.976) + (0.20 × 1.0) + (0.15 × 0.777) + (0.10 × 0.98) = 0.851

Step 4: Exposure Multiplier

M = 1.50 × 1.30 × 1.30 = 2.535 → capped at 2.535

Step 5: Potential Loss

L = $4,500,000 × 0.30 × 0.851 × 2.535 = $2,912,600

Step 6: Burn Rate (SLA = 72 hours for KEV)

B = $2,912,600 ÷ 72 = $40,453/hour

V1 vs V2 Comparison

ComponentV1V2
EPSS Weight40%55% (blended)
CVSS Weight30%10%
Time CurveLinear (d/365)Exponential
KEV SignalSingle binarySeparate CISA/VC
Public Exploit in M+30%Removed
Multiplier CapNone3.0 max
EPSS in SLANoYes (≥0.7)

Limitations & Assumptions

Model Simplifications
Customization

References

  1. Forum of Incident Response and Security Teams (FIRST), "Exploit Prediction Scoring System (EPSS)," https://www.first.org/epss
  2. Forum of Incident Response and Security Teams (FIRST), "EPSS probability and percentile bins," https://www.first.org/epss/articles/prob_percentile_bins
  3. M. Jacobs, S. Romanosky, and O. Suciu, "Enhancing vulnerability prioritization with probabilistic exploitation prediction," arXiv preprint arXiv:2302.14172, 2023.
  4. Carnegie Mellon University, Software Engineering Institute, "Modern vulnerability management," https://www.sei.cmu.edu
  5. U.S. Cybersecurity and Infrastructure Security Agency (CISA), "Known Exploited Vulnerabilities (KEV) Catalog," https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  6. Verizon, "2024 Data Breach Investigations Report (DBIR)," Verizon Enterprise, 2024.
  7. Risk-Based Prioritization Working Group, "Introduction to the Exploit Prediction Scoring System (EPSS)," https://riskbasedprioritization.github.io/epss
  8. D. Kościński et al., "Conflicting scores, confusing signals: An empirical study of vulnerability scoring systems," arXiv preprint, 2025.
  9. H. Shimizu and Y. Hashimoto, "A composite vulnerability management framework combining exploit evidence and scoring," arXiv preprint, 2025.
  10. VulnCheck, "Exploited vulnerability and KEV trend analysis," https://vulncheck.com/blog
  11. IBM Security, "Cost of a Data Breach Report 2024," https://www.ibm.com/reports/data-breach