
Continuous Threat Exposure Management (CTEM) Emphasizes Prioritization and Validation

1 unique source, 1 article

Summary


Continuous Threat Exposure Management (CTEM) is a framework that prioritizes and validates security exposures according to their real business impact rather than their raw severity score. It addresses a limitation of traditional vulnerability management: treating every high-severity finding as urgent leads teams to chase alerts that are unreachable or already mitigated while genuinely critical exposures go unaddressed. CTEM narrows the work to the handful of exposures that truly matter and validates them in the organization's own environment, testing whether existing controls actually stop or detect the attack instead of assuming they do. The framework is also meant to cope with the growing volume of CVEs and with non-technical exposures, such as misconfigured SaaS applications and human error, which carry no CVSS score at all. For validation it relies on Adversarial Exposure Validation (AEV) technologies, including Breach and Attack Simulation (BAS) and Automated Penetration Testing, which provide continuous testing and an attacker's perspective at scale.

Timeline

  1. 25.09.2025 14:49 · 1 article

    CTEM Framework Introduced to Prioritize and Validate Security Exposures

    Gartner introduced the Continuous Threat Exposure Management (CTEM) framework, which centers on two practices: prioritizing exposures by real business impact rather than raw severity, and validating the prioritized exposures against the organization's actual environment to prove that defenses hold. It is intended to address the limitations of traditional vulnerability management described in the summary above, to cover non-technical exposures such as misconfigured SaaS apps and human error alongside CVEs, and to use Adversarial Exposure Validation (AEV) technologies (BAS and Automated Penetration Testing) for continuous validation at scale.


Information Snippets

  • Over 40,000 Common Vulnerabilities and Exposures (CVEs) are reported annually.

    First reported: 25.09.2025 14:49
    1 source, 1 article
  • Approximately 61% of CVEs are labeled 'critical' by severity scoring systems such as CVSS (EPSS, often paired with CVSS in prioritization, estimates the probability of exploitation rather than assigning a severity label).

  • Only around 10% of real-world vulnerabilities remain truly critical once the organization's existing security controls are factored in, so severity scores alone greatly overstate what needs urgent remediation.

  • By 2028, more than half of exposures are predicted to stem from non-technical weaknesses such as SaaS misconfigurations and human error rather than from software vulnerabilities.

  • Adversarial Exposure Validation (AEV) technologies include Breach and Attack Simulation (BAS) and Automated Penetration Testing.

  • BAS continuously simulates adversarial techniques against the organization's security controls to verify that those controls actually prevent or detect them, rather than relying on a one-time assessment.

  • Automated Penetration Testing goes a step further, chaining individual weaknesses into complex attack paths and exploiting them to show which exposures an attacker can actually reach.

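The prioritization-and-validation loop the snippets above describe, as an added worked example that is not code from the article, Gartner, or any AEV vendor: it ranks a constructed inventory of CVEs and non-technical exposures by business impact, likelihood and reachability, then discounts each one by what a (constructed) BAS or automated pentest run proved about existing controls. The scoring weights, the `Exposure` and `ValidationResult` types, and the sample records are assumptions for illustration; the `VULN-n` identifiers are placeholders, not real CVE IDs.

```python
"""
Illustrative CTEM-style prioritization with validation feedback.

Added example for this page; not code from the article, Gartner or any vendor.
All exposure records, validation outcomes and weights below are constructed
for illustration (IDs such as "VULN-1" are placeholders, not real CVE IDs).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    id: str
    kind: str               # "cve", "saas_misconfig" or "identity"; non-technical kinds have no CVSS
    cvss: float             # CVSS base score 0-10; 0.0 when not applicable
    likelihood: float       # EPSS probability for CVEs; analyst estimate (0-1) for other kinds
    internet_facing: bool
    asset_criticality: int  # 1 (low) .. 5 (crown jewel), from the asset inventory
    note: str = ""


@dataclass(frozen=True)
class ValidationResult:
    """Outcome of an AEV run (BAS or automated pentest) against one exposure."""
    exposure_id: str
    blocked: bool           # a preventive control stopped the simulated technique
    detected: bool          # the technique produced an alert in SIEM/EDR


def legacy_critical(exposures: list[Exposure]) -> list[str]:
    """Traditional vulnerability-management view: everything CVSS rates Critical (>= 9.0)."""
    return [e.id for e in exposures if e.cvss >= 9.0]


def exposure_score(e: Exposure, v: Optional[ValidationResult]) -> float:
    """
    Score = business impact x likelihood x reachability, then discounted by what
    validation proved about existing controls. The multipliers are assumed weights.
    """
    impact = e.asset_criticality / 5.0
    reach = 1.0 if e.internet_facing else 0.4
    score = impact * e.likelihood * reach
    if v is None:
        return score                     # not yet validated: keep the full score
    if v.blocked and v.detected:
        return score * 0.05              # stopped and seen: nearly closed
    if v.blocked:
        return score * 0.2               # stopped but silent
    if v.detected:
        return score * 0.7               # seen but not stopped
    return score                         # exploitable with zero visibility: full priority


def prioritize(exposures, validations, top_n=None):
    """Rank exposures by CTEM score, highest first; returns (id, score) pairs."""
    by_id = {v.exposure_id: v for v in validations}
    ranked = sorted(
        ((e.id, round(exposure_score(e, by_id.get(e.id)), 3)) for e in exposures),
        key=lambda pair: pair[1],
        reverse=True,
    )
    return ranked if top_n is None else ranked[:top_n]


def silent_exploitable(validations) -> list[str]:
    """Validated as exploitable with no alert: detection-engineering work, not just patching."""
    return [v.exposure_id for v in validations if not v.blocked and not v.detected]


# Constructed sample inventory: four CVEs plus two non-technical exposures.
SAMPLE_EXPOSURES = [
    Exposure("VULN-1", "cve", 9.8, 0.02, False, 2, "RCE in internal build tool, no known exploitation"),
    Exposure("VULN-2", "cve", 9.1, 0.85, True, 5, "auth bypass on customer portal, actively exploited"),
    Exposure("VULN-3", "cve", 9.6, 0.60, True, 4, "deserialization RCE on VPN gateway"),
    Exposure("VULN-4", "cve", 7.5, 0.90, True, 4, "path traversal on file share, widely exploited"),
    Exposure("SAAS-1", "saas_misconfig", 0.0, 0.70, True, 5, "public sharing links enabled on finance tenant"),
    Exposure("IDP-1", "identity", 0.0, 0.50, True, 5, "global admin account without MFA"),
]

# Constructed AEV outcomes: VULN-3 is stopped by the WAF and alerted on, VULN-4 is
# stopped silently, VULN-2 lands with nothing logged. The rest are not yet validated.
SAMPLE_VALIDATIONS = [
    ValidationResult("VULN-3", blocked=True, detected=True),
    ValidationResult("VULN-4", blocked=True, detected=False),
    ValidationResult("VULN-2", blocked=False, detected=False),
]

if __name__ == "__main__":
    print("CVSS-critical list:", legacy_critical(SAMPLE_EXPOSURES))
    for exp_id, score in prioritize(SAMPLE_EXPOSURES, SAMPLE_VALIDATIONS):
        print(f"{exp_id:8} {score:.3f}")
    print("exploitable and invisible:", silent_exploitable(SAMPLE_VALIDATIONS))
```

On this constructed data the CVSS view flags three of the four CVEs as critical, including an internal one with negligible exploitation likelihood, while the CTEM ranking puts the validated-exploitable-and-silent portal bug and the two non-CVE exposures on top and pushes the VPN RCE, which the WAF demonstrably blocks, near the bottom. `silent_exploitable` separates the exposures where the real gap is visibility, the failure mode the Picus Blue Report entry further down describes.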

Similar Happenings

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access.

Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as modifying the ROMMON boot firmware to persist through reboots and system upgrades. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023.

CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered agencies to permanently disconnect ASA devices that are reaching end of support by September 30 from their networks.

The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed flaws in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data; the threat actor modified ROMMON to persist across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

SIEM Detection Failures Highlighted in Picus Blue Report 2025

The Picus Blue Report 2025, based on over 160 million attack simulations, reveals that organizations detect only 1 out of 7 simulated attacks. This indicates significant gaps in threat detection and response capabilities, caused primarily by log collection failures, misconfigured detection rules, and performance issues. These failures leave networks open to compromise, privilege escalation, and data exfiltration. The report identifies log source coalescing, unavailable log sources, and inefficient filtering as major contributors to SIEM rule failures, and concludes that continuous validation of SIEM rules is essential to keep them effective against evolving threats. The report also shows that prevention dropped from 69% to 62% in one year, and that 54% of attacker behaviors generated no logs at all, so entire attack chains can unfold with zero visibility. Only 14% of attacker behaviors triggered alerts, and data exfiltration was stopped just 3% of the time, leaving that critical stage effectively unprotected. The report highlights the need for Breach and Attack Simulation (BAS) to validate security defenses continuously.