Wed, Mar 13, 2024

The Value of Continuous Threat Exposure Management in Securing the Evolving Attack Surface

In cybersecurity, current approaches don’t stay current for long. Organizations that fail to adapt accordingly often discover this fact at the cost of their secure network. This is particularly true in the face of complex and increasingly unpatchable attack surfaces and a corresponding reduction in the impact of automated remediation practices. Traditional security approaches are unable to fully address these challenges.

In response, Gartner has proposed a new approach — continuous threat exposure management (CTEM) — to uncover an organization’s networks, systems, and assets on an ongoing cycle to identify vulnerabilities and weaknesses and prioritize remediation plans before cybercriminals can exploit them. Following our introduction to CTEM, we outline how organizations can maximize the benefits of CTEM.

Addressing the Unpatchable Exposure Layer

While attack surfaces always shift, recent social and cultural changes accelerated this trend. The rise of the cloud as a key business resource, the growth of remote and hybrid working, and the increase in social media led to a broadening of organizations’ unpatchable attack exposure. In fact, Gartner predicts that by 2026, unpatchable attack surfaces will increase from less than 10% to more than half of the enterprises’ total exposure, weakening the value of automated remediation practices.

(Source: Gartner Research, Predicts 2023: Enterprises Must Expand from Threat to Exposure Management, December 2022)

Automated and reactive approaches to threat assessment and management cannot provide the full breadth and depth of insight that organizations now require. Despite the threat landscape constantly changing and organizations themselves always evolving, many security programs still focus on point-in-time assessments. Even when scheduled regularly, more traditional security programs have the potential to overlook key vulnerabilities. This is why Gartner highlights a proactive and continuous approach, stating that organizations must progress from simply responding to threats to proactively managing their threat exposure.

The CTEM process aims to consistently monitor, evaluate, and mitigate security risks through strategic improvement plans and actionable security posture remediation.

CTEM puts all kinds of exposure in scope, not just software-based vulnerabilities, and includes practices to validate findings to facilitate difficult remediation decisions. Another key benefit of a CTEM program is that, unlike traditional solutions such as vulnerability management, it considers the “why” and “how” elements of what is discovered, providing more complete security insight.

From Scoping to Mobilization: Advancing Threat Exposure Management

The Five Stages of a CTEM Program

A CTEM program is made up of five key stages:

  • Scoping - This step aims to understand and identify the aspects most important to the individual business.
  • Discovery - The Discovery stage is critical for uncovering assets and their risk profiles. Exposure discovery should include the misconfiguration of assets, security controls, and other weaknesses.
  • Prioritization - Base prioritization on indicators that can provide an accurate picture of impact and likelihood, such as threat severity and availability of security controls.
  • Validation - This stage is the part of the process in which an organization can validate how potential attackers can exploit an identified exposure and the potential response of monitoring and control systems.
  • Mobilization - This stage ensures teams operationalize their findings by reducing obstacles to approval, implementation processes, and mitigation deployments.

Cybersecurity Validation: The Missing Link in the Threat Lifecycle

Organizations now seek to go beyond threat detection and response for their IT, OT, and cloud environments to proactively and continually improve their security posture and reduce exposure. Businesses also recognize that they need to address a lack of visibility of their security service's benefits and a lack of resources to effectively mitigate changing risks.

CTEM, specifically the validation stage, can help address these complex challenges. Validation harnesses the controlled simulation or emulation of attackers’ techniques in production environments, often using manual assessment activities, such as red team exercises, to extend its reach. It also includes verifying the suggested treatments to enhance security and assess their suitability for the organization.

From Pilot to Mature: Maximizing CTEM

While the advantages of establishing a CTEM program are clear, getting started and progressing toward maturity can be challenging. However, one of the advantages of CTEM’s cyclical approach is that it can be constantly updated in light of the uncovered insights. This gives organizations the scope to adjust and adapt to maximize results.

Gartner recommends tackling threat exposure by using emerging areas such as attack surface management and security posture validation and highlights that once organizations start growing in maturity, they can then begin to include assets over which they have less control.

A successful CTEM pilot and ongoing development relies on collaborative working. To define and later refine the scope of the CTEM initiative, security teams must first ensure that they understand what is important to their organization and the types of impacts (such as a required interruption of a production system) likely to be severe enough to require a collaborative remedial effort.

As organizations seek to mature their CTEM program, they also need to improve its weakest components, which are often the prioritization and mobilization steps. The maturity of individual steps might differ and evolve at different speeds.

The Value of Continuous Threat Exposure Management in Securing the Evolving Attack Surface

Getting Started with CTEM

For some organizations, incorporating their CTEM program into their security strategy can be daunting. However, they can get started more easily by applying Kroll’s approach:

  • Identify WHERE (Scoping and Discovery) - Where your highest priority exposures are, using attack surface management and threat intelligence monitoring (surface and dark web)
  • Validate HOW (Prioritization and Validation) - How your attackers will exploit and how effective your controls are, using agile pen testing, red teaming, and, if mature enough, purple teaming exercises
  • Address WHAT (Mobilization) - What controls, policies, and processes should be implemented using virtual CISO (vCISO) services (policy design, remediation plans, security training and awareness, system hardening and configuration, etc.)

If your organization requires specialist help with putting these steps into action, Kroll is ideally positioned to provide support with implementing a new CTEM program or helping to mature an existing one. Our unrivaled expertise ensures that your CTEM program enhances your cyber resilience and maximizes your security investment. Our elite cyber risk practitioners are seasoned at delivering services such as our vCISO offering and our end-to-end retainer client services, penetration testing, breach and attack simulation, and vulnerability assessments to empower businesses to benefit from effective, impactful CTEM programs.

Contact us to learn more.



Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Digital Technology Solutions

Enriching our professional services, our integrated software platform helps clients discover, quantify and manage risk in the corporate and private capital market ecosystem.

Cyber Vulnerability Assessment

Proactively identify vulnerable systems and devices that may be exploited by an attacker or malicious software, often resulting in data loss or breach.


FAST Attack Simulation

Safely perform attacks on your production environment to test your security technology and processes.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Red Team Security Services

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.


CyberDetectER DarkWeb

Learn, assess, and address your organizations’ risk exposure on the dark web and social media.

Agile Penetration Testing Program

Integrated into your software development lifecycle (SDLC), Kroll’s agile penetration testing program is designed to help teams address security risks in real time and on budget.