This feature is in Beta testing
Overview
The Return on Mitigation dashboard helps you demonstrate the financial value of your HackerOne program by quantifying the estimated risk avoided through remediation efforts and comparing it to the actual program investment. With easy-to-understand visuals and exportable summaries, you can show leadership teams how your offensive security investments deliver measurable impact.
To learn more about the features and functionality available on all dashboards, see the Dashboards documentation.
To find the Return on Mitigation dashboard, click Analytics in the left navigation, then click Return on Mitigation.
Summary
The Summary section at the top of the Return on Mitigation dashboard provides a high-level snapshot of your program’s performance. It highlights four key metrics to help you quickly understand your program's financial value.
Your RoM - A high-level multiplier indicating the value protected for every dollar spent, simplifying the demonstration of your HackerOne program’s ROI. A 3x RoM means $3 in avoided losses for every $1 spent, a compelling message for execs and boards.
Estimated Mitigated Losses - The dollar value of risk your program has avoided by addressing exploitable vulnerabilities, compared year-on-year. This quantifies your impact, justifying budgets, showing security ROI, and aligning with finance and leadership expectations.
Worst-Case Mitigated Losses - A conservative estimate of maximum losses avoided if vulnerabilities were exploited in worst-case scenarios. Provides stakeholders a deeper view of potential impact and strengthens your narrative with a fuller risk range.
Amount Spent - Total investment in your program, including platform fees and rewards for the selected period. This provides context for your spending, allowing direct comparison to risk avoided and enhancing budgeting and investment discussions.
Amount Invested vs. Estimated Losses Avoided
Shows the amount invested vs. your estimated losses avoided, benchmarked against all HackerOne customers (the median of all HackerOne customer RoM results). On this chart, you can:
Explore - This enables you to take a deep dive into your data to see what areas you need to focus on to improve your program.
Show the data in table format - switch between the graph and table views.
More - Export the data from the chart and view it in full-screen mode.
Top Weaknesses By Total Losses Avoided
Shows the top CWE weaknesses ranked by total estimated losses avoided across all relevant reports to your program during the selected time period. On this chart, you can:
Explore - This enables you to take a deep dive into your data to see what areas you need to focus on to improve your program.
Show the data in table format - switch between the graph and table views.
More - Export the data from the chart and view it in full-screen mode.
Highest Impact Reports
The Highest Impact Reports section shows an impact summary of the three reports to your program with the highest estimated losses avoided. For each one, you can open the report or ask Hai for additional insights.
Breakdown of Estimated Losses Avoided
The breakdown of estimated losses shows how the RoM calculation arrived at your losses avoided, using either the defaults or the tailored inputs you provided in the RoM setup, across the CIA triad of:
Confidentiality - Assesses how vulnerable data is to unauthorized access due to existing weaknesses. When confidentiality is breached, sensitive information risks exposure to unauthorized individuals.
Integrity - Assesses the reliability and accuracy of data and evaluates the likelihood of data manipulation or modification by a malicious actor. A breach of integrity could result in important data being altered, added, or removed, which might lead to the storage or presentation of inaccurate information.
Availability - Assesses how a vulnerability affects the accessibility of the system or its data, particularly during events like system crashes or DDoS attacks. A loss of availability implies that users might not be able to access the system or its services when required.
Where:
Average SLE - The Average Single Loss Expectancy is the estimated monetary loss when a threat event occurs.
Average ARO - The Average Annual Occurrence Rate is the average number of times in a given year that an individual vulnerability is expected to be exploited.
Average losses avoided/vuln - The average US dollar value of losses avoided per vulnerability.
Total losses avoided - The total US dollar value of all losses avoided against all vulnerabilities within the timeframe.
Breakdown of Amount Invested
The breakdown of the amount invested displays your total HackerOne investment split into two parts: your HackerOne platform fee (subscription fees and other applicable services such as Triage and Security Advisory Services (SAS)) aggregated over the selected time frame, and the hacker rewards, including retests, paid out during that period. Remediation costs incurred outside the platform are not included.
How to Tailor Your Return On Mitigation Calculation
The Return on Mitigation calculation uses your report and payment information together with default values. Org Admin Users can update the Industry (NAICS Industry), Revenue size, SLE (Single Loss Expectancy), and ARO (Annual Occurrence Rate) defaults via the Return on Mitigation setup. This can be done at the:
Organizational level
Asset level
Grouped asset level - using custom asset tags to set up and view RoM results for a group of assets, for example by business unit or asset type.
Tailor Your RoM Calculation At the Organizational Level
To update the RoM calculation defaults, an Org Admin User can click on the settings icon on the RoM dashboard. This opens the Return On Mitigation setup screen.
You can update your industry and revenue size using the dropdown menus. This refreshes the SLE (Single Loss Expectancy) baseline for each incident type, which is derived from IBM’s Cost of a Breach report. The SLE represents the estimated monetary loss if a threat event happens.
You can further personalize the SLE values for each of the CIA Triad incident types, setting separate values for high and low impact incidents using the value sliders, where:
Confidentiality = Measures the risk of unauthorized access to sensitive data due to a vulnerability. If compromised, data may be exposed to unauthorized parties.
High impact = The attacker gains full access to the system, including highly sensitive data like encryption keys.
Low impact = The attacker has limited access to information and cannot control the information they can access.
Integrity = Measures the risk of data being tampered with, altered, or deleted by an attacker, potentially leading to inaccurate or untrustworthy information.
High impact = The attacker can modify all data on the system, resulting in a total loss of integrity.
Low impact = A limited amount of data may be altered, but the system experiences no significant impact.
Availability = Measures how a vulnerability affects access to systems or data, such as through crashes or DDoS attacks. A loss of availability means users may be unable to access services when needed.
High impact = The system or data becomes completely unavailable to authorized users.
Low impact = Access may be intermittently limited or system performance degraded.
Additionally, you can personalize the ARO (Annual Occurrence Rate) values for each element of the CIA Triad using the dropdown options. ARO represents the expected frequency of a threat event. It is based on the Verizon Data Breach Investigations Report (DBIR), scaled to the CVSS score of the vulnerability report and to HackerOne industry benchmarks. You can also override this value by updating your revenue size and adjusting the ARO for each incident type.
If you wish to return to the default SLE and ARO values, select Reset defaults.
Once you have made all of the required changes, click Save. You can then return to the Return On Mitigation dashboard by clicking the Go back to dashboard button at the top right of the page to view the updated dashboard.
Tailor Your RoM Calculation At Asset/Grouped Asset Level
To update the RoM calculation defaults, an Org Admin User can click on the settings icon on the RoM dashboard. This opens the Return On Mitigation setup screen. At the bottom of the setup screen, click Add customization to set RoM setup values at the asset or grouped asset level:
Next, select the assets you wish to include in the customization group from your Asset Inventory or CVE Discovery. Use the search and filter functions to find the assets you want to include in the customization group. The filter options allow you to filter by:
Engagement
Asset
Report Severity
Imported
Weakness
Custom Inbox
Once you have selected all desired assets for the customization group, click Next.
You can update your industry and revenue size using the dropdown menus. This refreshes the SLE (Single Loss Expectancy) baseline for each incident type, which is derived from IBM’s Cost of a Breach report. The SLE represents the estimated monetary loss if a threat event happens.
You can further personalize the SLE values for each of the CIA Triad incident types, setting separate values for high and low impact incidents using the value sliders, where:
Confidentiality = Measures the risk of unauthorized access to sensitive data due to a vulnerability. If compromised, data may be exposed to unauthorized parties.
High impact = The attacker gains full access to the system, including highly sensitive data like encryption keys.
Low impact = The attacker has limited access to information and cannot control the information they can access.
Integrity = Measures the risk of data being tampered with, altered, or deleted by an attacker, potentially leading to inaccurate or untrustworthy information.
High impact = The attacker can modify all data on the system, resulting in a total loss of integrity.
Low impact = A limited amount of data may be altered, but the system experiences no significant impact.
Availability = Measures how a vulnerability affects access to systems or data, such as through crashes or DDoS attacks. A loss of availability means users may be unable to access services when needed.
High impact = The system or data becomes completely unavailable to authorized users.
Low impact = Access may be intermittently limited or system performance degraded.
Additionally, you can personalize the ARO (Annual Occurrence Rate) values for each element of the CIA Triad using the dropdown options. ARO represents the expected frequency of a threat event. It is based on the Verizon Data Breach Investigations Report (DBIR), scaled to the CVSS score of the vulnerability report and to HackerOne industry benchmarks. You can also override this value by updating your revenue size and adjusting the ARO for each incident type.
If you wish to return to the default SLE and ARO values, select Reset defaults.
Enter a name for your asset customization; the name must be unique.
Once you have made all of the required changes, select Save. You can then return to the Return On Mitigation dashboard by clicking the Go back to dashboard button at the top right of the page to view the updated dashboard.
At the bottom of the settings page, you can add more asset customization groups and edit or delete existing ones.
Frequently Asked Questions
How is my RoM calculated?
At a high level, RoM is the ratio of estimated losses avoided to the amount invested, so a 3x RoM means $3 of avoided losses for every $1 spent:
RoM = Estimated losses avoided / Amount invested
Where:
Estimated losses avoided/year = SLE * ARO * vulnerabilities found
Amount invested = Platform fees + Cost of rewards
With the following calculation definitions:
Estimated losses avoided/year = The cost to the organization if the vulnerabilities found remain unremediated for the next year.
Single loss expectancy (SLE) = The estimated monetary loss when a threat event occurs. The baseline comes from IBM’s Cost of a Breach report. You can modify this value by updating your industry and adjusting the percentage of the baseline SLE for each incident type.
Annual rate of occurrence (ARO) = The rate at which you expect to experience a threat event. The baseline comes from the Verizon Data Breach Investigations Report (DBIR) and is scaled to the CVSS score of the individual vulnerability report and to HackerOne industry benchmarks. You can override this value by updating your revenue size and changing the ARO for each incident type.
Platform fees = Includes HackerOne subscription fees and other applicable services like Triage, Security Advisory Services (SAS), etc. Each subscription fee is adjusted to reflect the portion of time covered by your selected date range and is allocated evenly across the date range.
Hacker rewards = Includes valid, paid, non-duplicate submissions. Based on actual payments made (not reports submitted) within the date range.
Confidentiality = Measures the risk of unauthorized access to sensitive data due to a vulnerability. If compromised, data may be exposed to unauthorized parties.
High impact = The attacker gains full access to the system, including highly sensitive data like encryption keys.
Low impact = The attacker has limited access to information and cannot control the information they can access.
Integrity = Measures the risk of data being tampered with, altered, or deleted by an attacker, potentially leading to inaccurate or untrustworthy information.
High impact = The attacker can modify all data on the system, resulting in a total loss of integrity.
Low impact = A limited amount of data may be altered, but the system experiences no significant impact.
Availability = Measures how a vulnerability affects access to systems or data, such as through crashes or DDoS attacks. A loss of availability means users may be unable to access services when needed.
High impact = The system or data becomes completely unavailable to authorized users.
Low impact = Access may be intermittently limited or system performance degraded.
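The arithmetic described in this answer, and the Breakdown of Estimated Losses Avoided metrics (average SLE, average ARO, average losses avoided per vulnerability, total losses avoided) described earlier on this page, worked through as an added example that is not HackerOne's implementation. It assumes constructed SLE and ARO values, a simple mapping of each report to one CIA incident type and impact level, an annual platform fee prorated by day over a 365-day year, and constructed sample reports for Q1 2024, one of which is rewarded after the selected range ends.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed inputs (not HackerOne defaults): SLE in USD per CIA incident type
# and impact level, ARO per incident type, as a user might set them in RoM setup.
SLE = {"confidentiality": {"high": 300_000.0, "low": 60_000.0},
       "integrity": {"high": 150_000.0, "low": 30_000.0},
       "availability": {"high": 100_000.0, "low": 20_000.0}}
ARO = {"confidentiality": 0.30, "integrity": 0.20, "availability": 0.50}

@dataclass
class Report:
    incident_type: str     # CIA category the report maps to (assumed mapping)
    impact: str            # "high" or "low"
    valid: bool            # triaged as a valid finding
    duplicate: bool
    reward: float          # USD awarded to the hacker
    paid_on: "date | None" # actual payment date, None if unpaid

# Constructed sample: Q1 2024 range; report 2's reward is paid after the range ends.
START, END = date(2024, 1, 1), date(2024, 3, 31)
SAMPLE = [Report("confidentiality", "high", True, False, 5000.0, date(2024, 2, 10)),
          Report("integrity", "low", True, False, 2000.0, date(2024, 4, 5)),
          Report("availability", "high", True, False, 1000.0, date(2024, 3, 1)),
          Report("confidentiality", "high", True, True, 0.0, None),   # duplicate
          Report("integrity", "low", False, False, 0.0, None)]        # not valid

def prorated_fee(annual_fee: float, start: date, end: date) -> float:
    """Share of an annual subscription fee covered by the range (365-day year assumed)."""
    return annual_fee * ((end - start).days + 1) / 365

def rom_breakdown(reports, start, end, annual_fee, sle=SLE, aro=ARO):
    """Estimated losses avoided, amount invested and the RoM multiplier for one range."""
    counted = [r for r in reports if r.valid and not r.duplicate]
    per_type = defaultdict(lambda: {"vulns": 0, "losses_avoided": 0.0})
    for r in counted:  # losses avoided/year = SLE * ARO * vulnerabilities found
        per_type[r.incident_type]["vulns"] += 1
        per_type[r.incident_type]["losses_avoided"] += sle[r.incident_type][r.impact] * aro[r.incident_type]
    total, n = sum(t["losses_avoided"] for t in per_type.values()), len(counted)
    # Hacker rewards count by payment date inside the range, not by submission date.
    rewards = sum(r.reward for r in counted if r.paid_on and start <= r.paid_on <= end)
    invested = prorated_fee(annual_fee, start, end) + rewards
    return {"avg_sle": sum(sle[r.incident_type][r.impact] for r in counted) / n if n else 0.0,
            "avg_aro": sum(aro[r.incident_type] for r in counted) / n if n else 0.0,
            "avg_losses_avoided_per_vuln": total / n if n else 0.0,
            "total_losses_avoided": total,
            "amount_invested": invested,
            "rom": total / invested if invested else None,  # the "Nx" multiplier
            "by_type": dict(per_type)}
```

Running `rom_breakdown(SAMPLE, START, END, annual_fee=36_500.0)` counts three vulnerabilities but only $6,000 of rewards, because the $2,000 paid in April falls outside the selected range.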
Do I need to input data to get RoM?
No — the dashboard works out of the box with default assumptions. However, we recommend tailoring the setup for more accurate results.
Can I use RoM for compliance reporting?
Yes — especially the exportable PDF reports and worst-case mitigation estimates.
Will RoM be included in other dashboards?
Yes — RoM will be part of the broader Executive Dashboards over time.
The RoM Set Up settings icon is not active for me. Why is it not active?
Only Org Admin users can complete the RoM Set Up, and the settings icon will only be active for them.