Calculate Return on Mitigation (RoM) With Hai

Morgan Pearson
Sr. Product Marketing Manager
Martijn Russchen
Principal Product Manager
[Image: Return on Mitigation]

Proving the financial impact of security efforts can be difficult. Traditional security metrics don’t always translate to business value, making it challenging to justify budgets or prioritize investments.

Return on Mitigation (RoM) changes that. By calculating the cost savings of fixing vulnerabilities before they are exploited, RoM shifts security from being seen as a cost center to a business driver. It provides a measurable way to demonstrate how security investments prevent financial losses from breaches, regulatory fines, and reputational damage. 

With our HackerOne AI Copilot Hai, customers can now quickly and accurately assess the financial impact of vulnerabilities, justify investments, and align security efforts with business priorities.

Calculate RoM with Hai

Hai Plays is a powerful capability within Hai that allows you to provide custom instructions and teach Hai your organization's domain knowledge. This means you can tailor Hai’s responses to align with your security policies, workflows, and unique challenges. 

Hai Plays automatically calculates Return on Mitigation (RoM) from your vulnerability reports and organizational context. RoM is calculated by subtracting the cost of investment from the total mitigated losses, dividing the result by the investment cost, and multiplying by 100:

RoM (%) = (Total mitigated losses - Cost of investment) / Cost of investment x 100

The result is a clear, data-driven measure of mitigation effectiveness, expressed as a percentage return on the money spent fixing the issue.

[Image: RoM formula]

Instead of manual calculations and guesswork, Hai automates the RoM calculation. Using industry data and the Exploitation Likelihood Score (ELS) developed as part of the RoM research, Hai determines the cost savings of resolving a vulnerability report, giving you a clear, data-driven way to measure the financial impact of your efforts.
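As an added worked example (not part of the original post and not HackerOne's implementation), the following Python applies the RoM formula above to a small set of constructed resolved reports. It assumes, as an illustrative model, that the mitigated loss for a report is its estimated loss if exploited multiplied by the ELS expressed as a probability between 0 and 1; how Hai actually combines ELS with industry data is not described on this page. The report identifiers, loss figures and costs are made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ResolvedReport:
    """One resolved vulnerability report with the inputs RoM needs (constructed fields)."""
    report_id: str
    estimated_loss: float    # estimated financial loss if the vulnerability were exploited
    els: float               # Exploitation Likelihood Score, taken here as a probability in [0, 1] (assumption)
    remediation_cost: float  # cost of investment: engineering time, tooling, bounty, etc.

    def mitigated_loss(self) -> float:
        # Assumed model: expected loss avoided = likelihood of exploitation x loss if exploited.
        if not 0.0 <= self.els <= 1.0:
            raise ValueError(f"{self.report_id}: ELS must be in [0, 1], got {self.els}")
        return self.els * self.estimated_loss


def return_on_mitigation(mitigated_losses: float, investment_cost: float) -> Optional[float]:
    """RoM (%) = (total mitigated losses - cost of investment) / cost of investment * 100.

    Returns None when the investment cost is zero: the ratio is undefined, and such
    items should be reported separately rather than shown as an infinite return.
    A negative result means the fix cost more than the expected loss it avoided.
    """
    if investment_cost < 0 or mitigated_losses < 0:
        raise ValueError("costs and losses must be non-negative")
    if investment_cost == 0:
        return None
    return (mitigated_losses - investment_cost) / investment_cost * 100.0


def report_rom(report: ResolvedReport) -> Optional[float]:
    """Per-report RoM, as Hai would attach to a single resolved report."""
    return return_on_mitigation(report.mitigated_loss(), report.remediation_cost)


def program_rom(reports: list[ResolvedReport]) -> Optional[float]:
    """Program-level RoM: pool losses and costs first, then apply the formula.

    Averaging per-report percentages would let cheap fixes with huge ratios
    dominate; pooling keeps the figure in proportion to money actually spent.
    """
    total_mitigated = sum(r.mitigated_loss() for r in reports)
    total_cost = sum(r.remediation_cost for r in reports)
    return return_on_mitigation(total_mitigated, total_cost)


# Constructed sample data (not real report figures).
SAMPLE_REPORTS = [
    ResolvedReport("rpt-1", estimated_loss=500_000.0, els=0.40, remediation_cost=20_000.0),
    ResolvedReport("rpt-2", estimated_loss=50_000.0, els=0.05, remediation_cost=5_000.0),
    ResolvedReport("rpt-3", estimated_loss=120_000.0, els=0.25, remediation_cost=0.0),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        rom = report_rom(r)
        shown = "n/a (zero cost)" if rom is None else f"{rom:.1f}%"
        print(f"{r.report_id}: mitigated ${r.mitigated_loss():,.0f}, "
              f"cost ${r.remediation_cost:,.0f}, RoM {shown}")
    print(f"program RoM: {program_rom(SAMPLE_REPORTS):.1f}%")
```

Two points the arithmetic makes visible: a report whose expected avoided loss is smaller than its remediation cost produces a negative RoM, and a report with no recorded cost cannot be given a percentage at all. Both the estimated loss and the ELS are estimates, so the RoM figure inherits their uncertainty; the inputs behind a number should be reviewed before it is presented to leadership as a financial result.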

Below, we’ll walk through how this works in the platform and how you can effectively track and communicate cost savings.

Quantify Security Impact Instantly with Hai RoM

Quickly determine the RoM for every resolved report with the click of a button. After resolving a report, Hai calculates the cost savings from fixing the vulnerability, providing an immediate, data-driven view of your security program’s financial impact.

[Image: RoM Calculate button]

Additionally, you can configure automation to post the RoM amount on every resolved report, with an internal comment highlighting the mitigation's financial value. This ensures that your team stays aligned on the ongoing financial impact of your security efforts.

Share Executive Summaries and Automate RoM Reporting

With a single prompt, you can email the RoM executive summary directly from the HackerOne platform to the addresses you choose, keeping leadership and key stakeholders informed about security investments and their financial returns.

You can also schedule RoM recaps at a cadence that fits your team, delivering regular updates to executives, finance, and security teams and ensuring ongoing visibility into the financial value of security efforts.

[Image: RoM recap setup]

Make Your Exploitation Likelihood Score (ELS) Defensible

Hai RoM now lets you challenge and adjust the ELS assigned to a vulnerability if you believe the provided range doesn't accurately reflect the risk. If an ELS seems off, you can request additional justification so the score holds up under scrutiny in executive presentations.

For further context, Hai also provides historical insights showing how often a specific vulnerability type has appeared in your program, along with additional factors such as asset criticality, industry benchmarks, or the assigned CVSS score. This lets you reinforce the risk assessment with real-world data.

[Image: Exploitation Likelihood Score (ELS)]

What’s Next: Bringing RoM Insights to Leadership

We’re making it even easier to showcase the financial impact of security efforts. Soon, you’ll be able to generate program-level reports in-platform, highlighting cost savings and risk reduction and helping executives see the value of mitigation at a glance.

Looking ahead, upcoming updates include in-platform executive dashboards and exports designed to equip security leaders with the data they need to advocate for continued investment in security. Stay tuned as we continue to make it easier to connect security outcomes with business priorities.

HackerOne’s Advantage: A Measurable Approach to Security

Many security solutions focus on detection and remediation, but few help organizations quantify the business impact of security decisions. With HackerOne’s RoM calculations powered by Hai, security teams gain a clear financial justification for security investments, making it easier to demonstrate value and drive informed decision-making.

By integrating RoM into a security strategy, teams can prioritize mitigation efforts, justify budgets, and provide executives with the necessary financial insights.

For more information, visit our product documentation.