Tools / Risk Cost Estimator
A category that decides whether your enterprise deals close, whether your next round prices well,
and whether one headline rewrites your company.

Put a number on the CVEs and license issues already in your code.

Around 60% of breaches involve a known vulnerability that already had a patch, and roughly a third of identified vulnerabilities sit unpatched for more than six months (Verizon DBIR 2025, NVD). Enter the findings from a scan or a vendor report and this estimator models the remediation effort and the cost exposure they represent today, before any of them turns into an incident.
Patch already existed
~60%

average cost of a US data breach, at an all time high. The figure that lands on your P&L, your press, and your customer list at the same time.

Verizon DBIR 2025
Left unpatched 180+ days
32%

Of identified vulnerabilities remained unpatched for more than six months, the window attackers depend on.

NVD / NIST
Zero days exploited in 2025
90

Exploited in the wild, up from 78 the prior year, an increasing share aimed at enterprise infrastructure.

Google Project Zero
Per supply chain incident
$4.91M

Cost of a third party compromise, the second costliest breach vector.

IBM 2025
The Estimator

Enter your findings. See the exposure update in real time.

Set your open vulnerabilities by severity, your license conflicts, and your revenue at stake. The model returns a single annualized exposure figure built from five cost drivers, and the savings a TripleScan baseline is modeled to recover. Adjust any input and the figures recalculate instantly. This is a planning estimate, not a quote.

Your open findings
Pull these counts from a TripleScan report, an existing scanner, or a vendor security questionnaire.
Critical CVEs
CVSS 9.0 to 10.0. Highest priority, longest tail of risk.
High CVEs
CVSS 7.0 to 8.9. Material exposure, prioritized for the next cycle.
Medium CVEs
CVSS 4.0 to 6.9. Tracked and batched into routine maintenance.
License conflicts
Copyleft, commercial, or unknown licenses in your dependency tree.
Your revenue at stake
Findings are the cause. Revenue is the consequence. Add your numbers to model what a breach would put at risk.
Current annual recurring revenue
Your committed ARR across the existing customer base.
$
ARR in your deal pipeline
Total value of open opportunities you expect to close.
$
If a breach happened, how much current ARR would you lose?
Churn and contract loss from existing customers in the year after an incident.
32%
0% lost · 100% lost
If a breach happened, how would it hit your sales pipeline?
Deals lost or stalled as security review becomes a blocker after an incident.
40%
0% reduction · 100% reduction
Annualized exposure
Your estimated cost of unaddressed software risk over the next 12 months.
$0
Range: $0 to $0
Where the cost comes from
Potential labor
0 engineering hours at $150/hr
$0
Critical and high severity exposure
0% breach likelihood across 0 critical and high findings
$0
License remediation and legal review
0 issues at 6 eng hours plus $750 legal review each
$0
Stalled enterprise deal cost
0% of pipeline delayed after an incident
$0
Lost ARR
0% of current ARR churned after an incident
$0
Estimated savings with TripleScan
$0
See How TripleScan Closes the Gap
Illustrative planning estimate built on published research. The breach exposure line is an expected loss, breach likelihood applied to a single incident cost, taken as the greater of the IBM 2025 supply chain average or half of your ARR, not a figure multiplied per finding. Revenue lines are driven by your own scenario assumptions. A TripleScan baseline replaces every assumption here with findings from your real code.
Share these results
Copy a link that reopens this calculator with your exact inputs.
01
Effort scales with severity

Critical and high findings often touch core dependencies, require regression testing, and carry coordination overhead. Medium findings batch into routine maintenance, so the model assigns more hours to higher severity work.

Critical 16h · High 8h · Medium 3h · License 6h
Blended remediation effort per finding
02
A blended engineering rate

Hours convert to dollars at a fully loaded blended rate for the senior engineering and security time that real remediation requires. The displayed figure is the midpoint of a range that runs roughly 30% below and above.

$150 / hour fully loaded · ±30% range
Adjustable for your internal cost basis
03
Grounded in published data

Severity weighting reflects that most critical security debt originates in third party code and that the average flaw now takes well over half a year to fix. License effort reflects the legal and engineering work to replace or relicense a conflicting dependency.

NVD · CISA · Verizon · IBM
Source data for the model assumptions
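The five cost drivers and the per finding assumptions above can be checked by hand, but an explicit implementation makes the arithmetic auditable before the figure goes into a budget conversation. The block below is an added example, not the calculator's own code: it uses the hours, rate, license and incident cost constants stated on this page. The page does not publish how breach likelihood is derived from the critical and high counts, so the per finding exploitation probabilities, their independent combination and the 90% cap are assumptions marked in the code, and the ±30% range is applied to the labor and license lines only, which is also an assumption. The TripleScan savings line is omitted because its formula is not stated.

```python
"""Re-implementation of the page's five-driver exposure model (added example)."""
from dataclasses import dataclass

# Constants stated on the page.
HOURS_PER_FINDING = {"critical": 16, "high": 8, "medium": 3}
LICENSE_ENG_HOURS = 6
LICENSE_LEGAL_USD = 750
DEFAULT_RATE_USD = 150.0
RATE_SPREAD = 0.30                    # "±30% range" around the blended rate
SUPPLY_CHAIN_BREACH_USD = 4_910_000   # IBM 2025 average, used as the floor

# ASSUMPTIONS (not on the page): probability that a single critical / high
# finding is exploited within 12 months, combined as independent events,
# with the resulting likelihood capped.
P_EXPLOIT_CRITICAL = 0.05
P_EXPLOIT_HIGH = 0.02
MAX_LIKELIHOOD = 0.90


@dataclass
class Inputs:
    critical: int
    high: int
    medium: int
    license_conflicts: int
    arr: float                        # current annual recurring revenue, USD
    pipeline: float                   # ARR in the deal pipeline, USD
    arr_loss_share: float = 0.32      # page default: 32% of ARR churned
    pipeline_hit_share: float = 0.40  # page default: 40% of pipeline delayed
    rate: float = DEFAULT_RATE_USD


def remediation_hours(critical: int, high: int, medium: int) -> int:
    """Blended effort per finding: 16h critical, 8h high, 3h medium."""
    return (HOURS_PER_FINDING["critical"] * critical
            + HOURS_PER_FINDING["high"] * high
            + HOURS_PER_FINDING["medium"] * medium)


def breach_likelihood(critical: int, high: int) -> float:
    """ASSUMED model: 1 - P(no finding is exploited), capped at MAX_LIKELIHOOD."""
    p_none = (1 - P_EXPLOIT_CRITICAL) ** critical * (1 - P_EXPLOIT_HIGH) ** high
    return min(1.0 - p_none, MAX_LIKELIHOOD)


def single_incident_cost(arr: float) -> float:
    """Greater of the IBM supply chain average or half of ARR (as the page states)."""
    return max(SUPPLY_CHAIN_BREACH_USD, 0.5 * arr)


def estimate(i: Inputs) -> dict:
    """Return each driver, the annualized total and its low/high range."""
    hours = remediation_hours(i.critical, i.high, i.medium)
    labor = hours * i.rate
    license_cost = i.license_conflicts * (LICENSE_ENG_HOURS * i.rate + LICENSE_LEGAL_USD)
    likelihood = breach_likelihood(i.critical, i.high)
    breach_exposure = likelihood * single_incident_cost(i.arr)   # expected loss
    stalled_deals = i.pipeline * i.pipeline_hit_share
    lost_arr = i.arr * i.arr_loss_share
    total = labor + license_cost + breach_exposure + stalled_deals + lost_arr
    # ASSUMPTION: the rate spread only moves the hour-based lines.
    spread = RATE_SPREAD * (labor + license_cost)
    return {
        "hours": hours,
        "labor": labor,
        "license": license_cost,
        "breach_likelihood": likelihood,
        "breach_exposure": breach_exposure,
        "stalled_deals": stalled_deals,
        "lost_arr": lost_arr,
        "total": total,
        "range": (total - spread, total + spread),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not a real customer's figures.
    sample = Inputs(critical=3, high=10, medium=40, license_conflicts=5,
                    arr=8_000_000, pipeline=3_000_000)
    for key, value in estimate(sample).items():
        print(f"{key:>18}: {value}")
```

For the constructed sample the labor line is 248 hours at $150 ($37,200), license remediation is $8,250, and the revenue lines dominate: $1.2M of stalled pipeline and $2.56M of churned ARR. The breach line uses the $4.91M floor because half of an $8M ARR is below it. Swap the assumed exploitation probabilities for your own incident history to see how sensitive the total is to that one unstated input.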
The Research Behind The Numbers
  • 48,185
    New CVEs were published in 2025, roughly 131 per day and the highest annual total on record. FIRST forecasts a median near 59,400 for 2026. The volume of findings a codebase inherits keeps climbing, which is why a per finding model matters.
    NVD via FIRST 2026 Vulnerability Forecast · nvd.nist.gov
  • 32%
    Of identified vulnerabilities remained unpatched for more than 180 days, and most critical security debt originates in third party code rather than software a team writes itself. Long patch lag means hours accumulate on findings that sit open for months, which is what the per finding effort model captures.
    NVD remediation data, NIST · Verizon DBIR 2025
  • ~60%
    Of breaches involved a known vulnerability where a patch was already available, and vulnerability exploitation rose 34% to become the second most common breach vector at 20% of breaches. The findings in your backlog are the ones attackers reach for first.
    Verizon Data Breach Investigations Report 2025 · verizon.com/dbir
  • 90
    Zero day vulnerabilities were exploited in the wild in 2025, up from 78 the prior year, with a growing share targeting enterprise infrastructure. Many known vulnerabilities are exploited within days of disclosure, which is why a backlog of open critical and high findings carries real urgency.
    CISA Known Exploited Vulnerabilities Catalog · Google Project Zero / GTIG 2025
  • $4.91M
    Average cost of a supply chain compromise, the second costliest breach vector, taking 267 days to identify and contain, the longest of any vector. This is the published figure the breach exposure line uses as its floor, and it is why the cost of fixing now sits far below the cost of a breach later.
    IBM Cost of a Data Breach Report 2025
  • 28%
    Of CVEs received full NVD enrichment in 2025, leaving a large share of published vulnerabilities without complete CVSS scoring. Severity triage takes real engineering judgment, which the per finding hours account for rather than assuming every CVE arrives neatly scored.
    NVD enrichment data, NIST · nvd.nist.gov
  • 30%
    Of breaches involved a third party in 2025, roughly double the prior year and one of the most significant structural shifts in the threat landscape. Supply chain breaches also reached far more downstream organizations than in prior years. The revenue at risk model reflects this shift.
    Verizon DBIR 2025 · Identity Theft Resource Center 2025
Full Source List
[01] National Vulnerability Database (NVD), NIST. CVE volume, CVSS scoring, and enrichment data. nvd.nist.gov
[02] CVE Program, MITRE. Vulnerability identifiers. cve.org
[03] CISA Known Exploited Vulnerabilities Catalog. cisa.gov
[04] Verizon Data Breach Investigations Report 2025. verizon.com/dbir
[05] IBM Cost of a Data Breach Report 2025.
[06] FIRST 2026 Vulnerability Forecast. first.org
[07] Google Project Zero and Threat Intelligence Group, zero day exploitation 2025.
[08] Identity Theft Resource Center (ITRC) 2025.
This estimator produces an illustrative planning figure built on the public research cited above. It models internal remediation labor, not the cost of a breach, regulatory penalty, or downstream liability, which run materially higher. The revenue at risk figures are driven by your own scenario assumptions. Actual cost depends on your codebase, team rate, and exploitability. A TripleScan baseline replaces every assumption here with findings from your real code, scored against the NVD and the CISA KEV catalog.
The Centerpiece

The questions you cannot answer yet.

These are not technical questions. They are the questions you get asked at a customer escalation call, a board meeting, an investor update, or a fundraise diligence room. Read each one and ask yourself honestly whether you could answer it today, with numbers, not from memory and not by saying you will follow up.

Step 01

Free · 60 Seconds

Get your external Tech Risk Score.

A 0 to 100 score that grades your software supply chain posture from the outside, the same view a security review committee or insurance underwriter would see. Most companies score below 50 the first time. No code access required.

Read the Engineering guide →
No signup required

Step 02

14 Day Trial

Run TripleScan on your real codebase.

Replace the estimate above with your actual numbers. TripleScan returns your real CVE count, severity distribution, license posture, and SBOM in under an hour. Average customer onboarding finds 50 critical and high vulnerabilities they did not know they had.

Start free trial →
No signup required

Step 03

Compare And Quantify

Plug your real numbers into this calculator.

Once TripleScan reports back, return to this page and replace the placeholder values with your actual CVE count, license issue count, and average enterprise deal size. The result is a defensible exposure figure you can take into a budget conversation.

Jump back to calculator ↑
Shareable result link

Step 04

Make The Case Internally

Bring it to the right stakeholders.

Software supply chain risk lands differently in every seat at the table. We have built role specific playbooks so you can frame this conversation in the language your board, CEO, CFO, General Counsel, or CRO already speaks.

Board

CEO

CFO

General Counsel

CRO

Find your role playbook →
Why The Numbers Look This Way

Three forces collided in 2026. Your exposure scaled with them.

The estimate above is not a worst case scenario. It is the natural result of CVE volume, exploit speed, and AI generated code converging at the same time. Here is what shifted, and why the cost of doing nothing keeps climbing.

59K

CVEs forecast for 2026

Up from 48,185 in 2025. FIRST puts the realistic upper bound near 100,000 in a high year. The NVD has acknowledged it can no longer fully enrich every CVE it receives, with only 28% reaching full analysis in 2025.

FIRST 2026 Vulnerability Forecast · NVD / NIST

5 days

Median time to exploit

The median time from disclosure to active exploitation is now under five days. 32.1% of exploited vulnerabilities are abused on or before their disclosure date, effectively making them zero days.

CISA KEV Catalog · Industry research, 2026

$4.91M

Average supply chain breach

Third party involvement in breaches doubled year over year to 30% of all incidents. Resolution takes 267 days, the longest of any attack vector. ITRC tracked 1,251 entities affected by supply chain breaches in 2025, nearly double the 2024 count.

IBM Cost of a Data Breach 2025 · Verizon DBIR · ITRC

The 2026 Accelerant

AI is now writing the code and the vulnerabilities.

Academic research finds that roughly 48% of AI generated code suggestions contain exploitable vulnerabilities, while Gartner forecasts that 60% of all new code will be AI generated by the end of this year. One enterprise generating code with AI assistants is now producing more than 10,000 new security findings per month, alongside a 3 to 4x jump in development velocity. The same productivity gain is the same risk multiplier.

The CVE backlog is not growing because researchers got better. It is growing because attackers and developers are both shipping faster than humans can review. Manual triage at this volume is not behind, it is structurally impossible.

48%

A read only token to GitHub, GitLab, or Bitbucket. No agents in production, no changes to CI, no engineering project to staff.

28%

Of AI suggested dependency upgrades point to versions that do not exist

10K

New security findings per month at one AI heavy enterprise

$670K

Added to average breach cost when shadow AI is involved

Turning Complexity into Clarity

Replace the estimate with your real number.

Stop relying on point-in-time audits and guesswork. A TripleScan baseline turns the figures above into a sourced inventory of every CVE and license issue in your code, with a fix path for each.
