
CTEM advances vulnerability management

Gartner's Continuous Threat Exposure Management model represents an evolution beyond CVSS-driven vulnerability management. Here’s what you need to know.


Legacy approaches to vulnerability management (VM) are failing to keep organizations secure. However, a new approach, called Continuous Threat Exposure Management (CTEM), could help security teams better cope with their vulnerability headaches.

Current processes have flooded VM teams with alerts and left them with fragmented tools and lengthy and inefficient patch cycles, threat exposure management company Zafran said in its recently released “A Practical Guide: Evolving from VM to CTEM.” 

Traditional scanners label thousands of vulnerabilities as critical but do not provide the context to determine which of them are actually exploitable, the guide notes. As a result, security teams waste cycles chasing ghosts. Unsurprisingly, vulnerability exploitation is now the leading initial access vector in attacks, Zafran said. The need to improve how organizations understand and manage risk has never been greater. CTEM aims to be the answer.

In his Resilient Cyber blog, Chris Hughes wrote that CTEM “optimizes risk prioritization and remediation [and is] tied to business outcomes and impact.”

Unlike traditional VM, which is often periodic, reactive, and manual, CTEM focuses on being continuous, proactive, and automated. It also utilizes attack simulation and threat validation to understand real-world risks, rather than relying on static CVEs that lack environmental context.

Chris Hughes

Here’s what you need to know about CTEM and why it represents an evolution of vulnerability management rather than a silver bullet.


CTEM’s aim: Allow teams to focus on what matters

CTEM is a framework created by Gartner to shift organizations from patching based on CVSS scores to an approach that better evaluates risk and focuses responses on the threats that really matter, thereby better protecting an organization’s critical assets, said John Bambenek, president of Bambenek Consulting.

By focusing on vulnerabilities and exposures that lead to critical assets, limited security spend can be focused on holes that actually matter and can lead to breaches.

John Bambenek

Bambenek said VM traditionally has set out mostly to handle known vulnerabilities as they are announced or discovered by red-teaming tools, with no regard for the actual usefulness the vulnerability would have to an attacker. Evaluation is needed, and SIEM is an existing tool that can play a part in CTEM. “SIEM is a component required for the proper execution of CTEM so that attack and threat data can be integrated into defensive decisions," he said.

Trey Ford, chief strategy and trust officer at Bugcrowd, said that executive teams have advanced from wondering why someone would attack them to being aware that adversaries can monetize attacks on any kind of company. 

CTEM is ultimately an attacker-centric restructure of classical asset-centric vulnerability management, answering the business questions of ‘What do we have, what is accessible, what is vulnerable, what needs to be patched or hardened next to make the attacker’s work more difficult, expensive, and dangerous?’

Trey Ford

CTEM brings structure and intelligence to vulnerability management by continuously discovering assets, simulating exposures, and prioritizing fixes based on real-world risk, said Rosario Mastrogiacomo, chief strategy officer at Sphere Technology Solutions, a data governance software and services company. 

Rather than waiting for periodic scans or audits, CTEM enforces a feedback loop — assess, validate, prioritize, and mobilize — where exposures are tied to specific business impact. This contextual, continuous approach improves decision making and ensures the most critical issues are addressed first.

Rosario Mastrogiacomo

How CTEM works

The guide identifies five stages in CTEM: scoping, discovery, prioritization, validation, and mobilization. The first stage, scoping, includes asset discovery and attack surface management:

Attack surface management is exactly what it sounds like: understanding what’s available. If you can’t find the castle walls, you can’t dig a moat. Defending assets means knowing what is inside and connected to our infrastructure.

The guide notes that asset discovery should be the first step in the exposure management lifecycle, the foundation that CTEM relies on. “Without accurate and comprehensive visibility into your assets,” says the guide, “all downstream processes (i.e., scanning & detection, prioritization, exposure hunting, and communication & workflow) will be significantly impacted.”

During the discovery stage of CTEM, assets are scanned for vulnerabilities. “Vulnerability scanning is the lens through which we gain visibility into the security posture of our assets,” the guide says. “But in today’s fast-moving threat landscape, where attackers weaponize new vulnerabilities within hours, slow, incomplete, or shallow scanning processes are no longer acceptable.”
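The guide treats accurate asset visibility as the foundation for everything downstream, and fast, complete scanning as the lens onto it. The block below is an added illustration of what checking that foundation looks like in practice; it is not code from the Zafran guide or from any vendor. It reconciles a constructed asset inventory (the kind a CMDB or cloud API would yield) against the scanner's last-seen records, reports assets the scanner has never touched, and flags assets whose most recent scan is older than a hypothetical seven-day SLA. Hostnames, addresses and timestamps are constructed sample data.

```python
"""Asset-coverage reconciliation for the CTEM discovery stage (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    internet_facing: bool


@dataclass(frozen=True)
class ScanRecord:
    target: str          # hostname or IP exactly as the scanner reported it
    scanned_at: datetime


def normalize(name: str) -> str:
    """Fold case and trailing dots so CMDB and scanner names match."""
    return name.strip().lower().rstrip(".")


def reconcile(assets, scans, now, max_age):
    """Return coverage ratio, never-scanned assets and assets scanned too long ago."""
    # Keep only the most recent scan per normalized target.
    last_seen = {}
    for rec in scans:
        key = normalize(rec.target)
        if key not in last_seen or rec.scanned_at > last_seen[key]:
            last_seen[key] = rec.scanned_at

    unscanned, stale = [], []
    for asset in assets:
        # Match on hostname first, then fall back to the IP the scanner may have used.
        ts = last_seen.get(normalize(asset.hostname)) or last_seen.get(asset.ip)
        if ts is None:
            unscanned.append(asset)
        elif now - ts > max_age:
            stale.append((asset, now - ts))

    # Internet-facing gaps are the ones an attacker finds first; list them first.
    unscanned.sort(key=lambda a: (not a.internet_facing, a.hostname))
    covered = len(assets) - len(unscanned)
    return {
        "coverage": covered / len(assets) if assets else 1.0,
        "unscanned": unscanned,
        "stale": stale,
    }


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SCAN_SLA = timedelta(days=7)   # hypothetical re-scan interval

# Constructed sample data; these are not real systems.
ASSETS = [
    Asset("web-01.example.internal", "10.0.1.10", True),
    Asset("db-01.example.internal", "10.0.2.20", False),
    Asset("Legacy-Jump.example.internal.", "10.0.3.30", True),   # never scanned
    Asset("build-07.example.internal", "10.0.4.40", False),      # scanned, but long ago
]
SCANS = [
    ScanRecord("WEB-01.example.internal", NOW - timedelta(days=1)),
    ScanRecord("10.0.2.20", NOW - timedelta(days=3)),             # reported by IP only
    ScanRecord("build-07.example.internal", NOW - timedelta(days=60)),
    ScanRecord("build-07.example.internal", NOW - timedelta(days=45)),
]


def report():
    return reconcile(ASSETS, SCANS, NOW, SCAN_SLA)


if __name__ == "__main__":
    r = report()
    print(f"scan coverage: {r['coverage']:.0%}")
    for a in r["unscanned"]:
        print("never scanned:", a.hostname, "(internet-facing)" if a.internet_facing else "")
    for a, age in r["stale"]:
        print(f"stale: {a.hostname} last scanned {age.days} days ago")
```

The two failure modes this surfaces are exactly the ones the guide warns about: the internet-facing jump host the scanner has never seen at all, and the build server whose last scan predates the SLA, which will not show a vulnerability that was weaponized in the past week.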

The next CTEM stage is prioritization. “The detection of vulnerabilities and exposures is just the beginning of a successful exposure management program,” the guide says. “The real value lies in what happens next: assessing and prioritizing those findings to drive timely, risk-informed action. A program that generates thousands of vulnerability alerts but lacks the ability to prioritize effectively risks wasting time, overwhelming teams, and missing critical threats.”

The guide stresses that exposure risk is not universal, but instead highly specific to each organization’s assets, environment, threat profile, and risk appetite. “The same vulnerability may pose an urgent risk in one environment but be largely irrelevant in another. That’s why prioritization must be rooted in organizational context, not just CVSS scores or scanner output,” the guide says.

Validation and mobilization are key

The validation stage of CTEM includes exposure hunting, which is the proactive identification of any exposures that typical alerting systems may have missed, Hughes wrote in his post on CTEM. 

Additionally, organizations often have tens to hundreds of security tools, leading to a disjointed lack of a comprehensive approach to risk visibility. Exposure hunting involves proactively identifying and addressing neglected critical risks that could harm the organization before they materialize.

Chris Hughes

Ford said he would challenge teams to use everything at their disposal, including the diverse ingenuity of global researchers, in their validation testing. “Creating safety for understanding vulnerabilities, why they come back up, and how to make the business increasingly resilient is the path to success here,” he said.

The mobilization stage of CTEM is all about communication and workflow. Solid communication is critical to the success of vulnerability and exposure management programs, the guide notes. “It’s also one of the biggest challenges,” it adds. 

While cybersecurity teams are responsible for discovering and prioritizing vulnerabilities, the actual remediation work typically falls to others: IT operations, application owners, business units, and infrastructure teams. Bridging that divide requires communication that is clear, timely, and actionable.

CTEM guide

The “last mile” of the process — communicating exposures to the right people and driving remediation — is the most time-consuming and manual part of the program, the guide says. “That’s why improving communication and workflow maturity is so critical. The more efficiently teams can assign, route, and resolve issues, the more time they can spend on higher-value activities like exposure hunting, proactive defense, and strategic planning,” it says.

Hughes said that mobilization has become so problematic and critical for effective CTEM that an entire operational category, often referred to as remediation operations, or RemOps, has begun to grow as organizations look to optimize their communications and workflows for effective risk mitigation.

The challenges ahead for CTEM

Getting a CTEM program up and running can be challenging for organizations. Sumed Barde, head of product at the AI security firm Simbian, said three of the biggest challenges are context, permissions, and safe change management.

The scanners used in a CTEM program for discovery have limited context about the organization, resulting in a high number of false positives, such as ‘A port is open on an endpoint.’ Maybe it is supposed to be and can be ignored. Maybe it’s not supposed to be but there’s nothing of value on that endpoint, so it can be ignored.

Sumed Barde

Barde said the teams in charge of the CTEM road map often do not have permissions to the assets they must protect and almost never have the permissions to resolve vulnerabilities. “Delays in getting this not only impact security but also result in a lot of wasted back-and-forth,” he said.

Barde also pointed out that every response action in security, including in a CTEM program, can have side effects on other parts of the business. “It is nearly impossible for the security team to know whether a change is safe,” he said. “We often hear of horror stories of how a security analyst ‘did the right thing’ by closing a port on a firewall and it brought down a business-critical app.”

Visibility issues could also be challenging for CTEM programs, said Abhay Bhargav, CEO of AppSecEngineer. 

With the expanding footprint of companies across cloud, on-prem, hybrid and now AI environments, there’s a lot of things that are likely to get missed.

Abhay Bhargav

Information overload could be another issue, Bhargav added.

When running continuous programs of any sort, you need to be equipped to deal with the massive barrage of telemetry that is coming your way in terms of results, vulnerability info, and more. This cannot be dealt with manually, and even using automation may need to be optimized correctly for it to work properly.

Abhay Bhargav

He also said the human element in CTEM is underestimated. “Setting expectations and aligning people is a major challenge,” Bhargav said. 

Roger Grimes, CISO advisor at KnowBe4, said most of the challenges will be with policies and humans. He said all CTEM programs should first focus on finding and prioritizing any vulnerability that appears in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.

[Less] than 1% of vulnerabilities are ever targeted by a real-world attacker against a real-world target, and all CTEM programs and patch management programs should focus on those first and best.

Roger Grimes
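The prioritization stage described earlier (context over raw CVSS) and Grimes’ advice to put KEV-listed flaws first are two sides of the same ranking problem. The block below is an added example of how that ranking can be expressed; it is not code from the Zafran guide, from Gartner, or from any of the people quoted. It scores constructed findings by confirmed exploitation (a KEV flag, assumed to come from a feed lookup), internet reachability and owner-assigned asset criticality, drops findings that validation has shown to be mitigated, and then routes the remaining work to the owning teams for the mobilization stage. The finding IDs, hostnames, owners and weights are all constructed for illustration, not real CVEs or a standard formula.

```python
"""Context-aware exposure prioritization and routing (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str                # constructed finding id, not a real CVE
    cvss: float
    asset: str
    owner: str              # team that actually performs the remediation
    in_kev: bool            # assumed input: present in CISA's KEV catalog
    internet_facing: bool
    criticality: int        # 1 (lab box) .. 5 (crown jewel), set by the asset owner
    mitigated: bool = False # compensating control confirmed during validation


def score(f: Finding) -> float:
    """Higher means fix sooner. Weights are illustrative, not a standard."""
    if f.mitigated:                       # validated as unreachable: nothing to mobilize
        return 0.0
    s = f.cvss                            # severity is the floor, not the answer
    s += 10.0 if f.in_kev else 0.0        # confirmed real-world exploitation dominates
    s += 4.0 if f.internet_facing else 0.0
    s += 1.5 * f.criticality
    return round(s, 2)


def prioritize(findings):
    """Ranked (id, asset, score) tuples, mitigated findings removed."""
    ranked = sorted(findings, key=lambda f: (-score(f), f.fid))
    return [(f.fid, f.asset, score(f)) for f in ranked if score(f) > 0]


def cvss_only(findings):
    """The legacy ordering, for comparison."""
    return [f.fid for f in sorted(findings, key=lambda f: (-f.cvss, f.fid))]


def route(findings):
    """Mobilization: group the ranked work by owning team, preserving the order."""
    queues = defaultdict(list)
    by_id = {f.fid: f for f in findings}
    for fid, _asset, s in prioritize(findings):
        queues[by_id[fid].owner].append((fid, s))
    return dict(queues)


# Constructed sample findings; none of these are real vulnerabilities or systems.
FINDINGS = [
    Finding("F-001", 9.8, "dev-sandbox-03", "dev-platform", False, False, 1),
    Finding("F-002", 7.5, "payments-api", "payments-eng", True, True, 5),
    Finding("F-003", 8.1, "hr-portal", "hr-apps", False, True, 4),
    Finding("F-004", 9.1, "vpn-gw", "network-ops", True, True, 5, mitigated=True),
    Finding("F-005", 5.3, "ad-dc-01", "identity-ops", True, False, 5),
]


if __name__ == "__main__":
    print("CVSS-only order :", cvss_only(FINDINGS))
    print("Context order   :", [fid for fid, _, _ in prioritize(FINDINGS)])
    for owner, queue in route(FINDINGS).items():
        print(f"  {owner}: {queue}")
```

The contrast is the point: a CVSS-only queue starts with the 9.8 on an isolated sandbox, while the contextual queue starts with a 7.5 that is KEV-listed, internet-facing and sitting on a crown-jewel service, and a 5.3 on a domain controller outranks an 8.1 on a less critical portal because the 5.3 is being exploited in the wild. The VPN gateway finding disappears entirely once validation confirms the compensating control, which is the kind of noise Barde’s “open port” example describes.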

There is no silver bullet in VM

Sphere Technology’s Mastrogiacomo cautioned that CTEM alone is not going to solve everything. “It’s only as effective as the organization’s ability to act on its findings. Without clear ownership of assets and identities, even the most sophisticated CTEM system can generate noise without meaningful outcomes,” he said.

Mastrogiacomo said CTEM must be paired with robust detection and response capabilities. “No exposure management program can prevent every breach. Its true value lies in reducing the blast radius when one inevitably occurs,” he said.

The rise of CTEM marks a necessary evolution toward risk-based, operationally integrated security practices, Mastrogiacomo said. “But success depends on more than just technology. Organizations must mature their identity and access governance, improve cross-functional accountability, and shift from reactive patching to proactive risk reduction.”

CTEM is a journey, not a product, and its efficacy is measured by the organization’s agility in response to exposure, not the volume of vulnerabilities discovered.

Rosario Mastrogiacomo
