Implement and Improve a Continuous Threat Exposure Management (CTEM) Program




Traditional vulnerability self-assessment programs are having difficulties catching up with the ever-expanding business needs and aggregated attack surfaces. These tool-centric programs produce a lengthy list of generic remediations that are far from actionable. Moreover, fixing every vulnerability and protecting every asset within an organization is not feasible. Consequently, enterprises cannot reduce their risk exposure through self-assessment of risks due to unrealistic, siloed, and tool-centric approaches, as stated by Gartner®.

How can you keep up with constantly changing business needs, more complicated and dispersed technological environments, and growing attack surfaces? In this blog, we discuss the Continuous Threat Exposure Management (CTEM) process published by Gartner, which answers this question. We also explain how a CTEM program helps organizations continuously monitor, assess, and reduce their level of security risk through improvement plans and actionable security posture remediation.



What is Continuous Threat Exposure Management (CTEM)?

Continuous Threat Exposure Management (CTEM) is a five-step program for achieving long-term and sustainable cyber resilience. A CTEM cycle includes the stages of scoping, discovery, prioritizing, validation, and mobilization. Thus, Continuous Threat Exposure Management is not a vendor-specific technology or a tool but a continuous process published by Gartner.

Rather than following outdated risk-based vulnerability management (RBVM) processes or infeasible fix-everything and preventative-only approaches, CTEM offers organizations a pragmatic, systematic approach to prioritizing possible threats and the corresponding remediations on their rapidly growing attack surface.

Running a CTEM program enables an organization to continuously and consistently assess how exposed, accessible, and exploitable their physical and digital assets are and prioritize remediations that correlate with standard processes for risk acceptance and operational viability. 




Why is CTEM Important to Stay Ahead of Threats?

In this section, we will briefly discuss why organizations need to follow the CTEM approach to stay ahead of threats on their ever-expanding attack surface. 

  • Contrary to a common belief, zero-day vulnerabilities are not the primary cause of breaches. Hence, instead of panicking over these sophisticated vulnerabilities, which are less likely to be exploited, organizations must approach unknown threats with a risk reduction strategy and prioritize their focus on publicly known vulnerabilities and identified security control gaps.
  • Technology-centric attack surfaces and vulnerability self-assessment projects often output lengthy and non-actionable reports with long lists of highly generic remediation actions. As this approach serves no value, organizations must evolve from traditional vulnerability management programs struggling with the complexity and aggregated volume of ever-expanding attack surfaces.

The Five Steps of the CTEM Program

Five stages must be accomplished in a CTEM cycle, regardless of the level of maturity. These phases are: scoping, discovery, prioritizing, validation, and mobilization (Figure 1).

Figure 1. Gartner's Continuous Threat Exposure Management (CTEM) Program

1. Scoping

A vulnerability management project needs a well-defined initial exposure scope to start with. In contrast to the traditional CVE-centric approach, a CTEM program takes the adversary's perspective into consideration.

In the "Scoping" step, security teams have to collaborate with their counterparts and decide on the business objectives and the possible high-critical impacts that require collaborative attention and effort. 

What to consider while scoping? As the number of off-site job opportunities is increasing and the remote workforce is pushing organizations to host their data on SaaS, we highly recommend organizations focus on their external attack surface and SaaS security posture.

2. Discovery

In this step, organizations must identify the hidden vulnerabilities or any weak points within their infrastructure, including the misconfiguration of assets and security controls.

3. Prioritization

Having a comprehensive list of vulnerabilities from the second step does not by itself improve your security posture. Not every asset in your organization requires the same level of security and attention. After all, you cannot protect every one of your pieces in a chess game.

In this step, you must prioritize the threats that adversaries are most likely to exploit against your organization. While prioritizing, you need to avoid traditional approaches and consider the prevalence of exploits, possible attack paths to your crown jewels, available detection rules and mitigation options, and how business-critical the potential impact will be on your organization.

4. Validation

This is where you launch a controlled simulation or adversary emulation in production environments. This step should not rely only on manual assessment activities like penetration testing and red teaming but should also include automated technical assessments like Breach and Attack Simulation (BAS), Security Control Validation, and Attack Path Validation. In a sense, the validation scope should not be limited to relevant threat vectors but should also cover the possibility of pivoting and lateral movement attacks.

5. Mobilization

In the first step, we stressed collaboration as an integral part of a CTEM program. The main objective of this stage, on the other hand, is to make sure that the collaborating teams operationalize the CTEM findings in an almost frictionless way. This practice is achieved through "defining communication standards" and "documented cross-team approval workflows," as stated by Gartner.


In this section, we will give some recommendations for security and risk management leaders.

  • You need to ensure that your exposure management program gives an actionable output for not only a particular group of people but multiple parts of the security and IT organizations. This requires you not to limit yourself to inventorying and processing telemetry from multiple disparate vulnerability assessment tools but to design a program for managing a more comprehensive set of exposures. 
  • Make sure your exposure management program is in a repeatable cyclic format following the five-step approach of scoping, discovery, prioritization, validation, and mobilization.
  • To ensure that the necessary cross-team collaboration becomes the norm, you need to integrate a CTEM plan with organizational-level remediation and incident workflows that do not only focus on security-specific automated technical fixes.

How Does Picus Help You Implement a CTEM Program?

In this section, we will discuss how Picus' security validation process is fully aligned with the CTEM program. Picus' security validation approach includes four steps: Discover, Validate, Prioritize, and Optimize (Figure 2).

Figure 2. Picus' Security Validation Approach

Each of these steps corresponds to one or more stages of the Continuous Threat Exposure Management (CTEM) program (Table 1).

Table 1. Alignment of CTEM and Picus

Let's explore how Picus facilitates the execution of each step of the CTEM cycle.

1. Scoping

In the first step of Gartner's CTEM cycle, infrastructure segments to be included in the process are identified. Security teams need to explore what matters to their business counterparts in order to define and then refine the CTEM initiative's scope. When exploring the optimal pilot program scope for CTEM, external attack surface and SaaS security posture are viable options.

By discovering, analyzing, documenting, and quantifying the cyber resilience of an organization, Picus is perfectly suited to carry out the technical aspect of the scoping stage. Picus determines your entire attack surface - externally, internally, and in the cloud.

Moreover, when it comes time to refine the scope once the first cycle is complete, the metrics Picus offers are also quite helpful. For example, the Picus platform provides network segment, security control, threat type, threat tactic/technique-based quantified risk, and cyber resilience metrics. Utilizing these metrics, the rescoping process is more likely to align with the organization's strategic cybersecurity goals.

2. Discovery

Once the scope has been determined, it is necessary to begin a process of exposure discovery, which extends beyond vulnerabilities and includes misconfiguration of security controls and assets and bad responses to a phishing test.

Picus simulates a wide variety of attack scenarios to facilitate exposure discovery, including end-to-end adversary and malware attack playbooks, MITRE ATT&CK TTPs, vulnerability exploitation, web application, data exfiltration, and spearphishing attacks to evaluate the resilience of security controls.

3. Prioritization

In this step, you need to prioritize threats, weak points, and remediation efforts to increase cyber resilience. While prioritizing, you must consider the business criticality of assets, the likelihood of exploitation of discovered weak points, and the availability of compensating security controls. 

The Picus platform prioritizes gaps in your security infrastructure, such as unprevented/undetected attacks, logging gaps, detection gaps, and missing, broken, and noisy detection rules. Picus allows security teams to create threat profiles to prioritize threats targeting their organization. The Picus platform also helps you identify and prioritize mitigation activities and improvement points to maximize their impact.

4. Validation

Once the threats, weak points, and remediation efforts are prioritized according to their criticality and likelihood of exploitation, it is time to launch a controlled attack simulation or adversary emulation in a production environment. The validation step should not depend only on manual and traditional security assessment solutions like red teaming and internal penetration testing but should also include automated and continuous technical assessments like Breach and Attack Simulation (BAS), Security Control Validation, and Attack Path Validation. In other words, organizations should not limit the scope of the validation to commonly leveraged and relevant threat vectors but should also consider the possibility of pivoting and lateral movement between the internal nodes.

The Complete Security Validation Platform of Picus provides the most comprehensive security validation in the industry. Picus validates the cyber security posture of your organization and supplies actionable insights to boost cyber resilience.

Figure 3. The Complete Security Control Validation Platform of Picus

The Picus platform consists of three products to validate security effectiveness across your organization's whole attack surface, as seen in the above figure.

  • Security Control Validation validates and improves the efficacy of your existing security controls to prevent and detect the most recent cyber attacks.

  • Attack Path Validation validates the attack paths inside your network that could enable attackers to compromise critical assets.

  • Detection Rule Validation validates detection rules and optimizes threat detection and response by pinpointing problems with the performance and hygiene of your detection rules.

5. Mobilization

In the first step, we stressed collaboration as an integral part of a CTEM program. On the other hand, the main objective of this stage is to ensure that the collaborating teams operationalize the CTEM findings in an almost frictionless way.

The Picus platform helps you continuously optimize your CTEM program to improve cyber resilience and reduce business risks.


Organizations can benefit from a CTEM program since it enables them to constantly monitor, evaluate, and reduce their security risks through implementing improvement points and remediation of their security posture. The Complete Security Validation Platform from Picus helps you to implement and improve a Continuous Threat Exposure Management (CTEM) program with its Discover, Validate, Prioritize, and Optimize approach, which is fully aligned with the CTEM program.