Security Management Glossary

CTEM - Continuous Threat Exposure Management

Continuous Threat Exposure Management (CTEM) is a program defined by Gartner in 2022 for the continuous, prioritized reduction of the attack surface. CTEM consists of five phases: scoping, discovery, prioritization, validation, and mobilization. It combines vulnerability management, threat intelligence, attack surface management, and breach and attack simulation into an integrated approach.

Continuous Threat Exposure Management (CTEM) addresses a fundamental problem: organizations have thousands of vulnerabilities, limited resources for remediation, and no systematic method for prioritization. CTEM is the framework for performing this prioritization in a data-driven and continuous manner—based on actual attacker behavior, not just CVSS scores.

CTEM vs. Traditional Vulnerability Management

Problem with traditional vulnerability management:

Traditional:
  → Quarterly Nessus scan
  → Output: 5,000+ findings
  → Prioritization: by CVSS score (10.0 first!)
  → Problem: CVSS 10.0 vulnerability in an isolated system vs.
              CVSS 6.5 vulnerability that attackers are actively exploiting today!
  → EPSS (Exploit Prediction Scoring System) shows: only 4% of all CVEs are
    ever actively exploited—which 4%?
  → Result: Team works through CVSS hit list, but worst risks remain unaddressed

CTEM Approach:
  → Continuous (not quarterly!)
  → Prioritization: What can an attacker actually exploit today?
  → Validation: Attack simulation confirms whether the vulnerability is truly exploitable
  → Mobilization: Remediation with the right team, the right priority, and measurable results
  → Result: Attack surface continuously and measurably reduced

The 5 CTEM Phases

CTEM Framework (Gartner):

Phase 1: Scoping (What is in scope?)
  → Which assets are being assessed?
  → Priority: what is attractive to attackers?
  → Input: Threat Intelligence (which attackers are targeting us?)
  → Decision: Internet-facing systems first, then internal assets
  → Result: Assessment scope defined and approved by management

Phase 2: Discovery (What do we have?)
  → Asset Discovery: all systems, including unknown ones (Shadow IT!)
  → External attack surface: what is accessible from the Internet?
  → Internal attack surface: lateral movement paths, AD vulnerabilities
  → Tool stack: ASM (Attack Surface Management), vulnerability scanner
  → Common surprise: systems nobody knew about (Shadow IT!)

Phase 3: Prioritization (What is most urgent?)
  → NOT just CVSS! Context-based prioritization:
    1. Exploitability: Are there active exploits? (High EPSS?)
    2. Accessibility: Can an attacker reach the vulnerability from the internet?
    3. Business Impact: What happens if this vulnerability is exploited?
    4. Bypassing controls: Does EDR fail to detect this?
  → Attack Path Analysis: Which vulnerability leads to critical assets?
  → Result: Top 20 prioritized vulnerabilities with clear justification
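The contrast between the CVSS hit list and Phase 3 context-based prioritization, shown as an added Python example that is not part of this glossary entry or of any vendor tool. The hosts, the lateral-movement graph, the findings, the EPSS values and the factor weights are all constructed assumptions; a real program feeds them from its ASM, EPSS and attack-path data and tunes the weights. It ranks the same four findings once by CVSS and once by the four Phase 3 factors plus an attack-path analysis, and produces the plain-language justification that the phase asks for.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed reachability graph (hypothetical hosts): which hosts an attacker
# can move to from a given position. "INTERNET" is the attacker's start node.
EDGES: Dict[str, List[str]] = {
    "INTERNET": ["web01", "vpn01"],
    "web01": ["app01"],
    "app01": ["db01"],
    "vpn01": ["ws17"],
    "ws17": ["dc01"],
    "db01": [],
    "dc01": [],
    "lab-isolated": [],      # air-gapped test box: no paths in or out
}
CRITICAL_ASSETS = {"db01", "dc01"}   # crown jewels (assumption)

@dataclass
class Finding:
    id: str
    host: str
    cvss: float
    epss: float          # probability of exploitation in the next 30 days
    edr_detects: bool    # does existing detection cover the exploit technique?

# Constructed findings: the CVSS 10.0 sits on the isolated box, the CVSS 6.5
# on the internet-facing web server and is being exploited in the wild.
FINDINGS = [
    Finding("F-001", "lab-isolated", 10.0, 0.02, True),
    Finding("F-002", "web01", 6.5, 0.92, False),
    Finding("F-003", "ws17", 7.8, 0.10, True),
    Finding("F-004", "db01", 9.1, 0.05, True),
]

def hops(start: str, targets: set) -> Optional[int]:
    """BFS: fewest lateral-movement hops from start to any target, None if unreachable."""
    if start in targets:
        return 0
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in EDGES.get(node, []):
            if nxt in targets:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def factors(f: Finding) -> Dict[str, float]:
    """The four Phase 3 context factors plus CVSS, each scaled to 0..1."""
    h_in = hops("INTERNET", {f.host})          # accessibility from the internet
    h_out = hops(f.host, CRITICAL_ASSETS)      # business impact via attack path
    return {
        "exploitability": f.epss,
        "accessibility": 0.0 if h_in is None else 1.0 / h_in,
        "business_impact": 0.1 if h_out is None else 1.0 / (1 + h_out),
        "control_bypass": 1.0 if not f.edr_detects else 0.5,
        "cvss": f.cvss / 10.0,
    }

# Weights are an assumption for this example; a real program tunes them.
WEIGHTS = {"exploitability": 0.30, "accessibility": 0.25,
           "business_impact": 0.25, "control_bypass": 0.10, "cvss": 0.10}

def context_score(f: Finding) -> float:
    fs = factors(f)
    return round(100 * sum(WEIGHTS[k] * fs[k] for k in WEIGHTS), 1)

def rank_by_cvss(findings=FINDINGS) -> List[str]:
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings=FINDINGS) -> List[str]:
    return [f.id for f in sorted(findings, key=context_score, reverse=True)]

def justification(f: Finding) -> str:
    """Plain-language reason for the rank, as Phase 3 asks for."""
    h_in = hops("INTERNET", {f.host})
    h_out = hops(f.host, CRITICAL_ASSETS)
    reach = "not reachable from the internet" if h_in is None else f"{h_in} hop(s) from the internet"
    path = "no path to a critical asset" if h_out is None else f"{h_out} hop(s) from a critical asset"
    edr = "EDR blind to the technique" if not f.edr_detects else "EDR covers the technique"
    return (f"{f.id} on {f.host}: score {context_score(f)} (CVSS {f.cvss}), "
            f"EPSS {f.epss:.2f}, {reach}, {path}, {edr}")

if __name__ == "__main__":
    print("CVSS order:   ", rank_by_cvss())
    print("Context order:", rank_by_context())
    for f in sorted(FINDINGS, key=context_score, reverse=True):
        print(justification(f))
```

With these inputs the CVSS ordering puts the isolated CVSS 10.0 first and the web server last; the context ordering reverses that, because the web server finding scores high on every factor except CVSS. The justification line is what goes into the ticket so that the remediation team sees why a 6.5 outranks a 10.0.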

Phase 4: Validation (Is it really exploitable?)
  → Attack Simulation: Breach and Attack Simulation (BAS)
  → Penetration Testing: Manual verification for complex scenarios
  → Purple Team: Combined attack and defense testing
  → Question: Can our EDR detect the exploit? Does the firewall block it?
  → Result: Confirmed exploitable vulnerabilities + detection gaps

Phase 5: Mobilization (Who fixes it and how?)
  → Correct remediation instructions to the right team (not just "patch ASAP")
  → SLA tracking: critical within 48 hours, high within 2 weeks, medium within 30 days
  → Measure: Was the vulnerability fixed? (Re-scan after patch)
  → Reporting to management: Trend visible (exposure is reduced!)
  → Result: Vulnerabilities closed with proof

Tool ecosystem for CTEM

Tools per CTEM phase:

Discovery:
  External attack surface:
    → Censys (passive internet scan, shows what is publicly visible)
    → Shodan (IoT, servers, services on the internet)
    → IONIX (formerly Cyberpion): automated ASM
    → Wiz CNAPP: Cloud asset discovery + risk analysis

  Internal attack surface:
    → BloodHound: AD attack paths (Domain Admin reachable in X hops?)
    → Qualys CSAM: complete asset inventory
    → Tenable.io: vulnerability discovery + asset tracking

Prioritization:
  → Tenable One: risk-based prioritization
  → Qualys TruRisk: context-based risk score
  → Rapid7 InsightVM: Exposure Analytics
  → EPSS Integration: nvd.nist.gov/vuln/search (View EPSS score)

Validation:
  → Cymulate, SafeBreach, AttackIQ (BAS platforms)
  → Pentera: Automated penetration testing
  → Atomic Red Team (Open Source): Manual simulation of individual techniques

Mobilization:
  → ServiceNow Vulnerability Response: Workflow + Ticketing
  → Jira + Vuln-Import: For engineering teams
  → SOAR (Splunk, Sentinel): Automatic ticket creation for critical findings

CTEM Metrics:
  → Mean Time to Remediate (MTTR): How quickly are vulnerabilities resolved?
  → Exposure Score: Upward or downward trend?
  → Coverage: % of assets in the CTEM program
  → Validation Score: % of techniques detected
  → Executive Dashboard: 3 KPIs that management understands
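The Phase 5 SLA tracking (critical 48 hours, high 2 weeks, medium 30 days), the re-scan proof of fix, and the MTTR, coverage and validation metrics above, as an added Python example that is not part of this glossary entry or of any of the ticketing and SOAR products listed. The tickets, asset lists, BAS results and the choice of which three KPIs go on the executive dashboard are constructed assumptions. It distinguishes a ticket the team reports as fixed from one the re-scan has confirmed, and counts only confirmed fixes in MTTR.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# SLA targets from Phase 5: critical 48 h, high 2 weeks, medium 30 days.
SLA: Dict[str, timedelta] = {
    "critical": timedelta(hours=48),
    "high": timedelta(weeks=2),
    "medium": timedelta(days=30),
}

@dataclass
class Ticket:
    id: str
    severity: str
    opened: datetime
    closed: Optional[datetime] = None   # when the owning team reported it fixed
    rescan_clean: bool = False          # re-scan after patch confirmed the fix

def due(t: Ticket) -> datetime:
    return t.opened + SLA[t.severity]

def status(t: Ticket, now: datetime) -> str:
    """One of: open, overdue, fixed-unverified, closed-with-proof, closed-late."""
    if t.closed is None:
        return "overdue" if now > due(t) else "open"
    if not t.rescan_clean:
        return "fixed-unverified"       # team says patched, scanner has not confirmed
    return "closed-with-proof" if t.closed <= due(t) else "closed-late"

def overdue_ids(tickets: List[Ticket], now: datetime) -> List[str]:
    return [t.id for t in tickets if status(t, now) == "overdue"]

def mttr_hours(tickets: List[Ticket], severity: str) -> Optional[float]:
    """Mean time to remediate, counting only fixes proven by re-scan."""
    durations = [(t.closed - t.opened).total_seconds() / 3600
                 for t in tickets
                 if t.severity == severity and t.closed and t.rescan_clean]
    return round(mean(durations), 1) if durations else None

def coverage_pct(in_program: set, all_assets: set) -> float:
    """Coverage KPI: share of known assets inside the CTEM program."""
    return round(100 * len(in_program & all_assets) / len(all_assets), 1)

def validation_score_pct(results: Dict[str, bool]) -> float:
    """Validation KPI: share of simulated techniques the controls detected."""
    return round(100 * sum(results.values()) / len(results), 1)

def executive_dashboard(tickets, in_program, all_assets, bas_results) -> Dict[str, object]:
    """Three KPIs for management (assumption: critical MTTR, coverage, validation)."""
    return {
        "mttr_critical_h": mttr_hours(tickets, "critical"),
        "coverage_pct": coverage_pct(in_program, all_assets),
        "validation_pct": validation_score_pct(bas_results),
    }

# Constructed sample data (hypothetical ticket ids, hosts and technique names).
NOW = datetime(2024, 6, 10, 12, 0)
TICKETS = [
    Ticket("T-1", "critical", datetime(2024, 6, 1, 9, 0), datetime(2024, 6, 2, 15, 0), True),   # 30 h, in SLA
    Ticket("T-2", "critical", datetime(2024, 6, 5, 9, 0), datetime(2024, 6, 8, 9, 0), True),    # 72 h, late
    Ticket("T-3", "critical", datetime(2024, 6, 7, 9, 0)),                                       # still open past 48 h
    Ticket("T-4", "high", datetime(2024, 6, 1, 9, 0), datetime(2024, 6, 3, 9, 0), False),       # no re-scan proof yet
    Ticket("T-5", "medium", datetime(2024, 6, 1, 9, 0)),                                         # open, within 30 days
]
ALL_ASSETS = {"web01", "app01", "db01", "vpn01", "ws17", "dc01", "lab-isolated", "printer-42"}
IN_PROGRAM = {"web01", "app01", "db01", "vpn01", "ws17", "dc01"}
BAS_RESULTS = {"credential dumping": True, "scheduled task persistence": True,
               "lateral movement over SMB": False, "DNS exfiltration": False,
               "PowerShell download cradle": True}

if __name__ == "__main__":
    for t in TICKETS:
        print(t.id, t.severity, status(t, NOW), "due", due(t))
    print("overdue:", overdue_ids(TICKETS, NOW))
    print(executive_dashboard(TICKETS, IN_PROGRAM, ALL_ASSETS, BAS_RESULTS))
```

T-4 illustrates the "measure" step: a ticket the team closed but the scanner has not confirmed stays out of MTTR and is reported as fixed-unverified, so the executive trend line only moves on proven fixes.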