The Question
Every enterprise CISO who has spoken to a CTEM vendor in the last two years has been shown a maturity model. The vendor's model consistently places the prospect somewhere in the middle — advanced enough to understand the problem, not yet advanced enough to have solved it, which is precisely where the vendor's product sits. The model is a sales tool dressed as a diagnostic.
What enterprises actually need is an honest maturity framework — one that describes where organizations genuinely are, not where vendors want them to believe they are, and that makes clear what the most impactful next step looks like at each level without requiring a full platform replacement.
The most common self-assessment error in enterprise exposure management: organizations that have deployed vulnerability scanning at scale and pass compliance audits consistently rate themselves at Level 3 or 4 on maturity models that place "has vulnerability scanning" at Level 1. The deployment of tooling is not the same as the operational capability the tooling is supposed to produce. An organization running Tenable across 80 percent of its environment but prioritizing exclusively on CVSS score and patching fewer than 10 percent of critical findings per quarter is a Level 2 program that has Level 4 tooling.
The CTEM maturity model is useful not as a destination but as a map — enterprises that know where they are can define a realistic path forward, and the enterprises that believe they are further along than they are build programs on a foundation they don't have.
Why This Matters Now
In February 2024, Change Healthcare — a subsidiary of UnitedHealth Group processing roughly 40 percent of U.S. medical claims — suffered a ransomware attack that took its systems offline for weeks and disrupted prescription processing across thousands of pharmacies nationwide. The attackers used compromised credentials to access a Citrix portal that lacked multi-factor authentication, moved laterally through the environment, and deployed ALPHV/BlackCat ransomware.
The subsequent congressional testimony and regulatory investigations surfaced a consistent theme: Change Healthcare had security tooling. It had vulnerability scanning. It had a security operations center. What it did not have was an exposure management program that mapped the Citrix portal — an externally accessible authentication gateway with no MFA — as a critical exposure requiring priority remediation. The exposure was not unknown. It was underprioritized in a backlog of thousands of open findings.
This pattern repeats in the post-incident analysis of major 2024–2025 breaches. The MGM Resorts breach involved vishing against an IT help desk leading to identity-based lateral movement. The Snowflake customer breach wave involved credential exposure that scanning tools could not detect. The Ivanti zero-days affected organizations that knew their appliances were deployed but had not mapped them as high-priority attack surface entries.
In each case, the failure was not the absence of security tooling. It was the absence of a program that connected tooling outputs to attacker-perspective risk — the defining characteristic of mature exposure management. Organizations that overestimate their maturity invest in tooling when they need process. The result is a growing gap between security spend and security outcomes.
What the CURVE™ Data Shows
The 2026 Stackcurve CTEM CURVE™ Report surveyed 340 enterprise security leaders on their exposure management programs and cross-referenced self-assessed maturity against four objective capability indicators: external attack surface visibility, exploitability-weighted prioritization, validation coverage, and remediation SLA compliance.
The gap between self-assessed and objectively measured maturity is consistent: 61 percent of respondents self-assessed at Level 3 or above. Against objective indicators, 58 percent measured at Level 1 or Level 2.
Vendor deployment patterns by maturity level confirm the finding. Tenable and Qualys are the most widely deployed platforms across all maturity levels — but their advanced modules (Tenable Lumin, Qualys TruRisk with business criticality weighting) are activated and operationally used primarily at Level 3 and above. The majority of deployments at Level 1–2 use these platforms for scan coverage only, leaving the prioritization and business context capabilities unused.
Palo Alto Xpanse and Mandiant Attack Surface Management appear disproportionately in Level 3–4 organizations, consistent with external attack surface management being a Level 3 capability addition rather than a baseline. XM Cyber and Pentera appear almost exclusively at Level 4–5, confirming that attack path validation requires a prioritization and discovery foundation before it delivers ROI.
The full vendor rankings are in the 2026 Stackcurve CTEM CURVE™ Report — free to download.
The Gap Most Buyers Miss
Level 1 — Reactive: The Compliance-Driven Program
The Level 1 organization runs vulnerability scans because a compliance framework requires it. PCI DSS requires quarterly external vulnerability scanning. SOC 2 Type II requires evidence of a vulnerability management process. The security team provides this evidence. Scanning is triggered by audit cycles and security incidents, not by continuous program requirements. Patching decisions are driven by critical CVEs appearing in the news and findings from the most recent audit. There is no continuous discovery. The asset inventory reflects what IT has provisioned through formal channels, not what actually exists on the network. Most enterprises are here, particularly in the sub-2,000 employee segment and in industries where compliance frameworks are the primary security driver.
Level 2 — Systematic Scanning: The Tool-Deployed Program
The Level 2 organization has committed to regular vulnerability scanning. Tenable or Qualys is deployed across the managed environment. Scan cycles run weekly or monthly. A vulnerability database exists. Prioritization is CVSS-based, typically with a threshold — CVSS 7.0 or 9.0 — that defines what gets patched. The asset inventory covers managed assets reasonably well but misses cloud-native resources, SaaS application attack surfaces, and assets introduced through acquisition or shadow IT. External attack surface visibility is absent or manual. Threat intelligence is not integrated into prioritization. The remediation backlog is large and growing. Most mid-market and large enterprises that have invested in security tooling are at this level.
Level 3 — Context-Aware Prioritization: The Meaningful Step
The transition from Level 2 to Level 3 is the single most impactful maturity step for most enterprises because it changes the output from a list of vulnerabilities to a list of exposures worth addressing. At Level 3, CVSS scores are augmented with asset criticality — a vulnerability on the payment processing system is weighted differently than the same vulnerability on a test server. CISA KEV and EPSS data are integrated into prioritization. External attack surface management is beginning, either through a dedicated EASM tool (Xpanse, CyCognito, Censys, Runzero) or through structured manual processes. Threat intelligence identifies active campaigns targeting vulnerabilities in the environment. The remediation backlog shrinks meaningfully because deprioritized vulnerabilities — high CVSS scores in unexposed, non-critical systems — are explicitly triaged rather than carried indefinitely.
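The Level 3 shift described above, from "list of vulnerabilities" to "list of exposures worth addressing", comes down to a small amount of prioritization logic layered over scanner output. The following is an added example, not code from the Stackcurve report or from any scanner vendor's module: it applies CISA KEV as a mandatory first-tier filter, then EPSS, asset criticality and external exposure, and records an explicit reason for every finding it deprioritizes instead of leaving it in the backlog. The findings, the criticality scale, the weights and the thresholds are all constructed assumptions that a real program would calibrate against its own environment.

```python
"""Added example (not from the Stackcurve report): a context-aware
prioritization pass of the kind the Level 3 description calls for.
All findings are constructed sample data; tier rules, weights and
thresholds are assumptions to be calibrated per environment."""
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # NVD base score, 0-10
    epss: float                 # EPSS probability, 0-1
    in_kev: bool                # listed in the CISA KEV catalog
    criticality: int            # assumed 1 (test/dev) .. 5 (revenue-critical)
    internet_exposed: bool      # on the external attack surface
    compensating_control: str = ""  # documented control, if any


CRIT_WEIGHT = {1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0}   # assumed weights
EPSS_ACTIVE = 0.10                                       # assumed cutoff


def exposure_score(f: Finding) -> float:
    """Ranking score within a tier. CVSS is scaled by asset criticality and
    external exposure; EPSS is added as a bonus rather than multiplied in,
    so a low-EPSS finding on a critical exposed asset is not crushed to zero."""
    score = f.cvss * CRIT_WEIGHT[f.criticality]
    if f.internet_exposed:
        score *= 1.5
    score += 2.0 * f.epss
    return round(min(score, 10.0), 2)


def assign_tier(f: Finding) -> tuple:
    """Return (tier, reason). KEV is a mandatory first-tier filter that no
    score can override; everything not tiered is deprioritized with a
    recorded reason instead of silently carried in the backlog."""
    if f.in_kev:
        return "tier1_kev", "listed in CISA KEV"
    if f.epss >= EPSS_ACTIVE:
        return "tier2_likely_exploited", f"EPSS {f.epss:.2f} >= {EPSS_ACTIVE}"
    if f.cvss >= 7.0 and f.internet_exposed and f.criticality >= 4:
        return "tier2_critical_exposed", "high CVSS on internet-exposed critical asset"
    if f.cvss >= 7.0 and f.criticality >= 3:
        return "tier3_scheduled", "high CVSS on internal business asset"
    reason = (f"CVSS {f.cvss} on criticality-{f.criticality} asset, "
              f"{'exposed' if f.internet_exposed else 'not exposed'}, EPSS {f.epss:.3f}")
    if f.compensating_control:
        reason += f"; control: {f.compensating_control}"
    return "deprioritized", reason


def triage(findings):
    """Group findings by tier, each tier sorted by exposure score (highest first)."""
    tiers = {}
    for f in findings:
        tier, reason = assign_tier(f)
        tiers.setdefault(tier, []).append((exposure_score(f), f.finding_id, reason))
    for items in tiers.values():
        items.sort(reverse=True)
    return tiers


# Constructed sample findings: the same 9.8 CVSS on a payment API and on a QA box.
SAMPLE = [
    Finding("F-001", "pay-api-01", 9.8, 0.04, False, 5, True),
    Finding("F-002", "qa-web-03", 9.8, 0.02, False, 1, False),
    Finding("F-003", "vpn-gw-01", 7.5, 0.30, True, 4, True),
    Finding("F-004", "hr-db-02", 7.2, 0.55, False, 3, False),
    Finding("F-005", "file-srv-07", 8.1, 0.01, False, 3, False, "segmented VLAN"),
    Finding("F-006", "kiosk-12", 5.3, 0.005, False, 2, False, "no local accounts"),
]

if __name__ == "__main__":
    for tier, items in triage(SAMPLE).items():
        print(tier)
        for score, fid, reason in items:
            print(f"  {fid} score={score} {reason}")
```

The point of the `deprioritized` tier is that it is an explicit decision with a reason string attached: the two 9.8 findings land in different tiers because of where they sit, and the QA server one can be defended in an audit rather than quietly aging.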
Level 4 — Attack Path Validation: The CTEM Program
At Level 4, the organization has connected its discovery and prioritization outputs to a validation mechanism that confirms exploitability in the actual environment. Breach and attack simulation tools — Pentera for automated network penetration testing, Cymulate for multi-vector BAS, AttackIQ for framework-aligned scenario testing — run against prioritized exposures to confirm whether they represent viable attack paths. Red team findings are integrated into the prioritization model. The security team can answer the question: "We know this CVE is present — but can an attacker actually reach the domain controller through it given our current segmentation?" This level requires a foundation of continuous discovery and context-aware prioritization; organizations that attempt to run BAS tooling without this foundation generate findings they cannot operationalize.
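The Level 4 question quoted above ("can an attacker actually reach the domain controller through it given our current segmentation?") is, at its core, a reachability question over the segmentation policy. The block below is an added example, not code from the report or from any BAS vendor: it models hosts, their zones and the permitted zone-to-zone flows, then searches for a path from an internet-exposed host with an open finding to the domain controller, treating a hop as possible only when the flow is allowed and the next host is itself exploitable. Running it against the current policy and against a hardened one is the kind of evidence the compensating-control question later in this brief asks for. The environment, zones, flow rules and exploitable set are all constructed.

```python
"""Added example (not from the Stackcurve report or any BAS vendor): a
segmentation-aware reachability check for the Level 4 question "can a
foothold on an exposed host reach the domain controller given our
current segmentation?". Hosts, zones and flow rules are constructed;
a real program feeds these from discovery data and firewall policy."""
from collections import deque

# Constructed hosts and their network zones.
ZONE = {
    "web-01": "dmz",
    "app-02": "app",
    "file-07": "internal",
    "jump-01": "mgmt",
    "dc-01": "identity",
}
INTERNET_EXPOSED = {"web-01"}
# Hosts carrying an unremediated finding that yields a foothold if the
# host is reached over a permitted flow (constructed).
EXPLOITABLE = {"web-01", "app-02", "file-07"}

# Permitted zone-to-zone flows as the current segmentation policy states them.
CURRENT_FLOWS = {
    ("dmz", "app"), ("app", "internal"), ("internal", "identity"), ("mgmt", "identity"),
}
# The same policy with the internal->identity rule removed.
HARDENED_FLOWS = CURRENT_FLOWS - {("internal", "identity")}


def flow_allowed(src, dst, flows):
    """Traffic is permitted inside a zone and along explicitly allowed zone pairs."""
    return ZONE[src] == ZONE[dst] or (ZONE[src], ZONE[dst]) in flows


def attack_path(flows, target="dc-01"):
    """Breadth-first search from internet-exposed exploitable hosts. A hop is
    valid only if the flow is permitted AND the next host is exploitable
    (or is the target). Returns the host sequence, or None when segmentation
    and remediation together block every path."""
    start = sorted(INTERNET_EXPOSED & EXPLOITABLE)
    parent = {h: None for h in start}
    queue = deque(start)
    while queue:
        host = queue.popleft()
        if host == target:
            path = []
            while host is not None:
                path.append(host)
                host = parent[host]
            return path[::-1]
        for nxt in ZONE:
            if nxt in parent:
                continue
            if flow_allowed(host, nxt, flows) and (nxt == target or nxt in EXPLOITABLE):
                parent[nxt] = host
                queue.append(nxt)
    return None


def control_is_effective(flows, hardened_flows, target="dc-01"):
    """Evidence for 'the finding is present but not exploitable given our
    compensating controls': True when the hardened policy removes a path
    that exists under the current one."""
    return attack_path(flows, target) is not None and attack_path(hardened_flows, target) is None


if __name__ == "__main__":
    print("current policy :", attack_path(CURRENT_FLOWS))
    print("hardened policy:", attack_path(HARDENED_FLOWS))
```

Note that `attack_path` returns the full host sequence, not just a yes/no: the chain is what tells the remediation team which single finding or flow rule, once fixed, breaks the path, which is the output a Level 4 program needs in order to act rather than merely to report.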
Level 5 — Continuous CTEM: The Full Program
Level 5 represents the full Gartner CTEM model operationalized: continuous scoping aligned with threat intelligence, automated discovery across all attack surface segments, attacker-perspective prioritization incorporating exploitability and business impact, automated validation of high-priority exposures, and closed-loop remediation tracking with defined SLAs. Tooling at this level typically includes a CTEM platform or orchestration layer — Tenable One, Qualys Enterprise TruRisk Platform, or a composable stack with distinct tools for each CTEM stage. A small minority of enterprises — primarily large financial services organizations, hyperscalers, and defense contractors — operate at this level.
Questions Your Buying Team Should Be Asking
1. What objective criteria does your team use to assess your current CTEM maturity level, and when was that assessment last validated by an external party?
Internal maturity assessments are unreliable because they are conducted by the team whose program is being assessed, using criteria that may be self-serving. A third-party assessment against objective capability indicators — not tool deployment but operational outcomes — gives the leadership team an honest baseline. If the last external assessment was more than 18 months ago or has never happened, the self-assessed maturity level should be treated as an estimate.
2. What percentage of your open vulnerability backlog has been explicitly triaged as "low priority given environment context" versus sitting unresolved because the team lacks capacity?
Level 2 organizations have large backlogs because they cannot distinguish between vulnerabilities that should be deprioritized (high CVSS but not exploitable in the environment) and vulnerabilities that are de facto deprioritized (important but not getting fixed due to capacity). Level 3 programs explicitly triage the first category, which gives the security team a defensible position on why certain high-CVSS findings are not being patched, and surfaces the truly important work.
3. Does your prioritization model incorporate CISA KEV as a mandatory first-tier filter, and do new KEV additions trigger an automated workflow?
This is a binary capability check. Organizations that answer yes to both have a meaningful process improvement over CVSS-only. Organizations that answer no to either are making prioritization decisions without the most operationally validated input available — the federal government's enumeration of what attackers are actually exploiting.
4. Can your security team demonstrate, with tool evidence, that a specific high-priority finding in your environment is not exploitable given your compensating controls?
This question tests whether the organization has validation capability or relies entirely on theoretical exploitability. The ability to demonstrate that a compensating control — network segmentation, authentication requirement, endpoint detection — actually prevents exploitation requires validation tooling or structured red team process. Without it, the security team is either patching everything (not feasible) or accepting risk on unvalidated assumptions.
5. What is the average time from a CTEM finding to a closed remediation ticket, and how does that metric trend quarter-over-quarter?
Maturity is ultimately measured by outcomes, and the operationally meaningful outcome is whether exposures get closed. An organization with sophisticated analysis that produces findings no one acts on is not a mature CTEM program — it is a sophisticated alert generator with a broken remediation workflow. If this metric is not tracked, the program has no feedback loop on its own effectiveness.
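Questions 2 and 5 above both ask for numbers a program should be able to produce from its own ticket data: the share of the backlog that was explicitly triaged versus silently aging, and the time from finding to closed ticket tracked quarter over quarter against per-tier SLAs. The following is an added example, not code from the Stackcurve report, that computes those three metrics from a ticket list. The tickets and the SLA values are constructed placeholders.

```python
"""Added example (not from the Stackcurve report): remediation metrics for
buying-team questions 2 and 5. Tickets are constructed sample data and the
per-tier SLA values are assumed placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

SLA_DAYS = {"tier1": 7, "tier2": 30, "tier3": 90}   # assumed SLAs per tier


@dataclass
class Ticket:
    finding_id: str
    tier: str
    opened: date
    closed: Optional[date] = None
    status: str = "open"        # "open", "closed" or "deprioritized"
    triage_reason: str = ""     # required for an explicit deprioritization


def quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def time_to_close_by_quarter(tickets):
    """Question 5: mean days from finding to closed ticket, bucketed by the
    quarter in which the ticket closed, so the trend can be read off."""
    buckets = defaultdict(list)
    for t in tickets:
        if t.status == "closed" and t.closed is not None:
            buckets[quarter(t.closed)].append((t.closed - t.opened).days)
    return {q: round(mean(days), 1) for q, days in sorted(buckets.items())}


def sla_compliance(tickets, as_of: date):
    """Share of tickets per tier closed within SLA; open tickets count as
    compliant only while they are still inside their SLA window."""
    hit, total = defaultdict(int), defaultdict(int)
    for t in tickets:
        if t.status == "deprioritized":
            continue   # explicitly triaged out; not an SLA obligation
        end = t.closed if t.status == "closed" else as_of
        total[t.tier] += 1
        if (end - t.opened).days <= SLA_DAYS[t.tier]:
            hit[t.tier] += 1
    return {tier: round(hit[tier] / total[tier], 2) for tier in total}


def backlog_breakdown(tickets, as_of: date, stale_days: int = 90):
    """Question 2: separate findings explicitly deprioritized with a reason
    from those silently aging past stale_days for lack of capacity."""
    explicit = sum(1 for t in tickets if t.status == "deprioritized" and t.triage_reason)
    open_age = [(as_of - t.opened).days for t in tickets if t.status == "open"]
    stale = sum(1 for d in open_age if d > stale_days)
    active = len(open_age) - stale
    unresolved = explicit + stale + active
    return {
        "explicitly_deprioritized": explicit,
        "open_within_window": active,
        "open_stale": stale,
        "explicit_triage_share": round(explicit / unresolved, 2) if unresolved else 0.0,
    }


AS_OF = date(2025, 7, 1)
# Constructed sample tickets.
TICKETS = [
    Ticket("F-101", "tier1", date(2025, 1, 10), date(2025, 1, 15), "closed"),
    Ticket("F-102", "tier2", date(2025, 1, 20), date(2025, 3, 5), "closed"),
    Ticket("F-103", "tier2", date(2025, 4, 2), date(2025, 4, 20), "closed"),
    Ticket("F-104", "tier3", date(2025, 4, 10), date(2025, 6, 15), "closed"),
    Ticket("F-105", "tier1", date(2025, 6, 25)),
    Ticket("F-106", "tier2", date(2025, 2, 1)),
    Ticket("F-107", "tier3", date(2025, 3, 1), None, "deprioritized", "test server, not exposed"),
    Ticket("F-108", "tier3", date(2025, 5, 20)),
]

if __name__ == "__main__":
    print(time_to_close_by_quarter(TICKETS))
    print(sla_compliance(TICKETS, AS_OF))
    print(backlog_breakdown(TICKETS, AS_OF))
```

On the sample data the mean time to close gets worse from Q1 to Q2 even though every tier-1 ticket is within SLA, which is exactly why question 5 asks for the trend and not a single figure. The `explicit_triage_share` value is the question 2 ratio: a program at Level 3 should see it rise as deprioritization becomes a recorded decision rather than an accident of capacity.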
The Stackcurve Take
The most important insight from Stackcurve's CTEM maturity research is not about which maturity level enterprises should target — it is about where the most concentrated improvement opportunity sits for the largest number of organizations. That opportunity is the Level 2 to Level 3 transition: adding context-aware prioritization to existing vulnerability scanning deployments.
Most enterprises already have the scanning infrastructure. Tenable, Qualys, and Rapid7 deployments are widespread. The platforms have the capability to deliver context-aware prioritization — Tenable Lumin, Qualys TruRisk, Rapid7 InsightVM's real risk score. What is typically missing is the operational activation of these capabilities: connecting asset criticality data to the scoring model, integrating CISA KEV, enabling EPSS-weighted prioritization.
This is a configuration and process change, not a platform replacement. It is the highest-ROI investment available to the majority of enterprises currently operating at Level 2. It is also the prerequisite for every higher-maturity capability — attack path analysis and validation produce misleading results without a sound prioritization foundation.
The 2026 Stackcurve CTEM CURVE™ Report covers exposure management maturity diagnostics, vendor scoring by maturity level, and detailed guidance on the Level 2 to Level 3 transition. Download it free →
Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.