Tool_04 // Asset triage
Attack Surface Priority Matrix.
Prioritize exposed systems with a weighted exploitability model and sequence remediation by risk reduced per engineering hour.
Portfolio annual risk: $471,472
Based on ARO x SLE using $137/h, 10h severe downtime ($1,370 per event), data multiplier 1.17x, threat multiplier 1.00x.
Critical / High assets: 1 / 2
Top asset concentration: 29%
Sprint risk reduction: $224,831
| Rank | Asset | Score | Priority | Annual risk | Hours | Risk / hour | Sprint action |
|---|---|---|---|---|---|---|---|
| #1 | Employee VPN Portal | 3.96 | High | $136,907 | 21h | $6,519 | Remediate now |
| #2 | Production API Gateway | 4.76 | Critical | $214,391 | 34h | $6,306 | Remediate now |
| #3 | Legacy Admin Console | 3.94 | High | $120,174 | 42h | $2,861 | Queue next sprint |
Remaining sprint capacity: 35h. Prioritize by annual risk reduction per engineering hour to maximize measurable risk burn-down.
Benchmark assumptions
Annual risk uses an ARO x SLE approach calibrated for modern internet-facing enterprise assets, then weighted by exploitability and control weakness to support remediation sequencing.
Formula used per asset: Annual Risk = Annualized Rate of Occurrence x Single Loss Expectancy x Exploitability Modifier.
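The risk-per-hour sequencing above, worked through in Python as an added example (not the tool's own code) using the annual risk and hours from the matrix. Assumptions: a 90h sprint capacity (the 35h remaining plus the 21h and 34h already scheduled), a greedy "fits in the remaining hours" rule, and "top asset" read as the rank #1 asset.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    annual_risk: int  # USD per year, copied from the matrix
    hours: int        # estimated remediation effort

    @property
    def risk_per_hour(self) -> float:
        return self.annual_risk / self.hours


# Figures from the matrix, deliberately listed out of rank order.
ASSETS = [
    Asset("Production API Gateway", 214_391, 34),
    Asset("Legacy Admin Console", 120_174, 42),
    Asset("Employee VPN Portal", 136_907, 21),
]

SPRINT_CAPACITY_H = 90  # assumption: 35h remaining + 21h + 34h scheduled


def plan_sprint(assets, capacity_h):
    """Rank by annual risk per engineering hour, then fill the sprint greedily."""
    ranked = sorted(assets, key=lambda a: a.risk_per_hour, reverse=True)
    remaining, plan = capacity_h, []
    for rank, asset in enumerate(ranked, start=1):
        if asset.hours <= remaining:
            remaining -= asset.hours
            action = "Remediate now"
        else:
            action = "Queue next sprint"  # does not fit in what is left
        plan.append((rank, asset.name, round(asset.risk_per_hour), action))
    return plan, remaining


def top_asset_concentration(assets):
    """Percent of portfolio annual risk held by the rank #1 asset (assumed reading)."""
    total = sum(a.annual_risk for a in assets)
    top = max(assets, key=lambda a: a.risk_per_hour)
    return total, round(100 * top.annual_risk / total)


if __name__ == "__main__":
    plan, left = plan_sprint(ASSETS, SPRINT_CAPACITY_H)
    for rank, name, rph, action in plan:
        print(f"#{rank} {name:<24} ${rph:,}/h  {action}")
    print(f"Remaining sprint capacity: {left}h")
    print("Portfolio total / top share:", top_asset_concentration(ASSETS))
```

Ranking on risk per hour rather than raw score is why the VPN portal (score 3.96) is sequenced ahead of the API gateway (score 4.76): it removes slightly more annual risk for each hour spent.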