How to Calculate a Shadow Price: Turning Model Thresholds into Operational Strategy

While shadow pricing is a powerful strategic concept, it becomes even more useful when applied directly to internal data. This post outlines a simple, concrete method for calculating the shadow price of remediation capacity using EPSS thresholds and remediation logs.

Let’s assume your organization is currently operating with an EPSS threshold of 0.4, which means you prioritize remediation for all vulnerabilities with an EPSS score of 0.4 or higher. Based on this policy, your teams are remediating about 400 vulnerabilities per month, essentially operating at full capacity. Internal metrics estimate that this leaves your environment with a residual risk score of 20.

Now suppose you consider lowering the EPSS threshold to 0.3. This change would increase the number of vulnerabilities above the threshold to 500. However, the projected residual risk would fall to 12.0. That is an 8.0-unit reduction in risk, at the cost of 100 more remediations per month.

To calculate the shadow price, divide the change in risk by the change in effort:

  • Risk reduction: 20 minus 12 equals 8 units

  • Additional remediations: 500 minus 400 equals 100

  • Shadow price: 8.0 divided by 100 equals 0.08 risk units reduced per remediation

If your organization assigns a financial value to each unit of residual risk (in this example, $10,000 per unit), you can also express the shadow price in economic terms: each additional remediation eliminates $800 in expected loss (0.08 multiplied by $10,000).

Now, compare that to the cost of creating one more remediation slot. If adding that capacity costs less than $800 per slot, the return is positive. If it costs more, it might be more efficient to hold the current threshold or reallocate resources.
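The calculation above, as an added example that is not part of the original post. It takes the (threshold, remediations per month, residual risk) points you would pull from remediation logs and internal risk metrics, computes the shadow price of each step down the threshold ladder, converts it to dollars, and compares it with the cost of one more remediation slot. The 0.4 to 0.3 step uses the post's numbers; the 0.5 and 0.2 rows and the $10,000 per risk unit are constructed to show how the marginal value changes across several steps, which the post describes only for one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyPoint:
    """One candidate EPSS threshold policy, as observed in remediation logs
    and internal risk metrics (residual_risk is whatever your internal score is)."""
    threshold: float        # remediate everything with EPSS >= threshold
    remediations: int       # vulnerabilities above the threshold per month
    residual_risk: float    # internal residual risk score under this policy


def shadow_price(current: PolicyPoint, proposed: PolicyPoint) -> float:
    """Risk units reduced per additional remediation when moving from
    `current` to `proposed`: change in risk divided by change in effort."""
    extra_effort = proposed.remediations - current.remediations
    if extra_effort <= 0:
        raise ValueError("proposed policy must require more remediations than current")
    return (current.residual_risk - proposed.residual_risk) / extra_effort


def marginal_curve(points, dollars_per_risk_unit: float):
    """Shadow price for each step down the threshold ladder, highest threshold first.
    Returns (from_threshold, to_threshold, risk_units_per_fix, dollars_per_fix) tuples."""
    ordered = sorted(points, key=lambda p: p.threshold, reverse=True)
    curve = []
    for cur, nxt in zip(ordered, ordered[1:]):
        sp = shadow_price(cur, nxt)
        curve.append((cur.threshold, nxt.threshold, sp, sp * dollars_per_risk_unit))
    return curve


def worth_expanding(dollars_per_fix: float, slot_cost: float) -> bool:
    """True when one more remediation slot avoids more expected loss than it costs."""
    return dollars_per_fix > slot_cost


# Constructed data: the 0.4 -> 0.3 row reproduces the post's figures; the
# 0.5 and 0.2 rows are made up to illustrate diminishing returns lower down.
OBSERVED = [
    PolicyPoint(0.5, 320, 27.2),
    PolicyPoint(0.4, 400, 20.0),
    PolicyPoint(0.3, 500, 12.0),
    PolicyPoint(0.2, 700, 9.0),
]
DOLLARS_PER_RISK_UNIT = 10_000  # assumed value of one unit of residual risk

if __name__ == "__main__":
    for frm, to, sp, usd in marginal_curve(OBSERVED, DOLLARS_PER_RISK_UNIT):
        print(f"{frm:.1f} -> {to:.1f}: {sp:.4f} risk units/fix = ${usd:,.0f} per extra fix")
```

Reading the printed curve top to bottom shows where the shadow price drops below the cost of a slot, which is the inflection point the post refers to.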

This simple model transforms decision-making. Instead of setting EPSS thresholds arbitrarily or defensively, security and IT leaders can treat them as control parameters or adjustable levers in a real-time risk-reduction system. The shadow price tells you where the inflection point lies and when it makes sense to push harder versus hold steady.

Over time, this method becomes even more powerful as organizations collect better data. They can map how the shadow price changes under different threat conditions, staffing levels, or remediation tools. This enables adaptive thresholding based on real-world dynamics.

Shadow pricing does not require complex math or specialized software. It requires only curiosity, telemetry, and a willingness to measure trade-offs. By embedding this thinking into everyday security operations, teams can make smarter, faster, and more accountable decisions - not just about what to fix, but why it matters, and what each action is worth.
