The Question
Gartner named Continuous Threat Exposure Management a top security and risk management trend in 2022, updated its guidance in 2023, and by 2024 the term had been adopted by virtually every major security vendor as a product positioning label. The result: "CTEM" now appears on marketing pages for vulnerability scanners, EASM tools, breach and attack simulation platforms, patch management products, and risk quantification solutions — often with little relation to the five-stage operational framework Gartner actually defined.
The enterprise security leader evaluating CTEM tooling in 2026 faces a category in which the label has been decoupled from the content. Products that address one of the five stages present themselves as CTEM solutions. Products that address none of the stages but involve exposure in some sense have adopted the terminology. The buyer trying to understand what they are actually purchasing — and whether it addresses the operational program they are trying to build — needs to work from the framework, not from vendor positioning.
Gartner's five-stage CTEM model is not aspirational. It is a description of what a mature exposure management program does operationally. Most enterprises implement Stage 2 (Discovery) in isolation and call it CTEM. The value of the framework is that it makes explicit what is missing: Scoping aligns effort with threat reality; Prioritization makes discovery actionable; Validation confirms exploitability; Mobilization gets findings closed.
Organizations that implement discovery and prioritization without validation are spending remediation effort on vulnerabilities they haven't confirmed are exploitable — and organizations that validate without mobilization produce findings that never get fixed.
Why This Matters Now
In March 2024, a joint advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center described a campaign by threat actors targeting edge network devices across critical infrastructure sectors. The advisory documented a consistent attack sequence: initial reconnaissance of internet-facing appliances, exploitation of known vulnerabilities in VPN and firewall products, establishment of persistent access, and lateral movement to internal systems.
What the advisory made explicit — and what is often underappreciated in the discussion of CTEM implementation — is that every stage in the attacker's chain has a corresponding defensive gap in the five CTEM stages. Reconnaissance success means Scoping and Discovery failed: the attacker found appliances that were not in the defender's continuous monitoring scope. Exploitation of known vulnerabilities means Prioritization failed: the CVEs used were known and patchable, but not elevated to immediate remediation. Persistent access establishment means Validation failed: the organization did not confirm whether the exploitation attempt would succeed before the attacker confirmed it for them. Lateral movement success means Mobilization failed: even where findings were identified, remediation was not completed before the attacker moved.
This is not a hypothetical failure chain. It is documented across the most significant breaches of 2024 and 2025 — Ivanti Connect Secure exploitation, Fortinet SSL VPN attacks, and the continuing exploitation of edge device vulnerabilities in healthcare and government. The CTEM framework exists precisely because piecemeal implementation of security tooling without operational discipline across all five stages leaves exploitable gaps at each transition point.
The 2025 Gartner Security and Risk Management Summit reinforced the implementation reality: only 12 percent of organizations surveyed had operationalized all five CTEM stages. The majority had implemented Stage 2 and partially Stage 3.
What the CURVE™ Data Shows
The 2026 Stackcurve CTEM CURVE™ Report evaluated vendors across all five CTEM stages, scoring each platform on stage-specific capability and cross-stage integration. The analysis covered 22 vendors across eight product categories that collectively address the CTEM framework.
No single vendor delivers best-in-class capability across all five stages. The market has architecturally segmented: discovery and prioritization are primarily served by vulnerability management platforms (Tenable, Qualys, Rapid7) and EASM tools (Xpanse, Mandiant ASM, CyCognito); validation is served by breach and attack simulation and automated penetration testing platforms (Pentera, Cymulate, AttackIQ, SafeBreach); mobilization is primarily served by ITSM integration layers and dedicated remediation workflow platforms (Nucleus Security, ServiceNow VR).
Organizations attempting to build a full five-stage CTEM program from a single vendor platform find that the platforms claiming full CTEM coverage consistently underperform at Stage 4 (Validation) or Stage 5 (Mobilization). Tenable One and Qualys Enterprise TruRisk Platform are the most complete single-vendor offerings, but both rely on partner integrations for validation depth and ServiceNow or Jira for mobilization — neither delivers these stages natively.
Pentera leads on automated validation in the CURVE™ scoring — its agent-based automated penetration testing approach runs continuously against prioritized exposures and provides exploitation confirmation or refutation at a speed and scale that manual red team exercises cannot match. Cymulate leads on scenario breadth, covering phishing simulation, lateral movement, data exfiltration, and cloud security posture in addition to vulnerability exploitation.
The full vendor rankings are in the 2026 Stackcurve CTEM CURVE™ Report — free to download.
The Gap Most Buyers Miss
Stage 1 — Scoping: The Strategic Stage Most Organizations Skip
Scoping defines which assets, attack surfaces, and threat scenarios are in scope for the current CTEM cycle. It is the stage most organizations skip because it requires decisions that feel strategic rather than operational — and because "scan everything" appears more thorough than "scan the right things first."
The reason scoping matters: CTEM is described as continuous, but continuous does not mean simultaneous. An enterprise with 200,000 assets cannot maintain the same depth of analysis across all of them at the same time. Scoping defines the rotation: which asset categories receive the deepest CTEM analysis this quarter, based on the current threat landscape, recent incidents in the sector, and the organization's specific crown jewel map.
Effective scoping uses threat intelligence as its primary input. If the current threat intelligence picture shows sustained targeting of edge devices in the organization's industry — as it did throughout 2024 — the scoping decision is to prioritize internet-facing infrastructure in the current CTEM cycle. Scoping done well means the CTEM program is threat-driven, not inventory-driven.
Stage 2 — Discovery: The Stage Everyone Thinks They Have
Discovery is the continuous enumeration of all assets in scope and their associated vulnerabilities, misconfigurations, and exposures. It is the stage most commonly identified as "what we already do" — and the stage most commonly implemented incompletely.
Complete discovery for a modern enterprise requires coverage across at least four domains: internal network assets (Tenable, Qualys, Rapid7 for vulnerability enumeration; Claroty, Armis, or Dragos for OT/IoT assets that agent-based scanners miss), external attack surface (Xpanse, CyCognito, Censys for externally exposed infrastructure discovered from the attacker's perspective), cloud infrastructure (Wiz, Orca, or Prisma Cloud for cloud-native resource discovery and CSPM), and identity security posture (Semperis, Silverfort, or Tenable Identity Exposure for Active Directory and identity-plane exposures).
The organizations that claim complete discovery but have not addressed cloud and identity coverage have the two fastest-growing attack surface segments unmonitored. The 2024 and 2025 breach patterns confirm that cloud misconfiguration and identity-based attack paths — not traditional CVE exploitation — are the dominant initial access and lateral movement vectors in financially motivated attacks.
Stage 3 — Prioritization: The Stage That Determines ROI
Prioritization is where CTEM delivers its most direct operational value, and it is the stage covered in most detail in adjacent advisory briefs. In the context of the five-stage sequence, the key point is that Prioritization cannot be done correctly without Scoping and Discovery as inputs. Organizations that attempt prioritization without complete discovery are prioritizing within an incomplete picture. Organizations that attempt prioritization without scoping context are prioritizing without knowing which business assets matter most.
The output of Prioritization is not a ranked list of all vulnerabilities — it is a short list of exposures that warrant immediate remediation action, with explicit justification based on exploitability, asset criticality, exposure context, and attack path position. A prioritization output longer than the team can act on in the next two weeks is not a priority list; it is a ranked backlog.
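The following is an added worked example, not code from the Stackcurve CURVE report or from any vendor platform it discusses. It scores a set of constructed sample findings on the four inputs named above (exploitability, asset criticality, exposure context, attack path position), caps the output at what the team can close in the next two weeks, and shows the same findings in the CVSS-sorted order a plain vulnerability report would give. The weights, field names and sample values are assumptions chosen for illustration.

```python
"""Illustrative CTEM prioritization step (added example; not the report's or
any vendor's code). Ranks constructed findings on the four inputs the brief
names and caps the list at two-week capacity. Weights and data are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed identifier, not a real CVE or asset
    cvss: float              # scanner base score
    exploited_in_wild: bool  # exploitability: known active exploitation
    asset_criticality: int   # 1 (low) .. 5 (crown jewel)
    internet_facing: bool    # exposure context
    on_attack_path: bool     # attack path position toward a critical asset


# Assumed weights: active exploitation dominates; exposure and attack-path
# position each add two points on top of the 1..5 criticality; CVSS only
# breaks ties between findings with the same score.
W_EXPLOITED, W_INTERNET, W_ATTACK_PATH = 4, 2, 2


def priority_score(f: Finding) -> int:
    """Integer score in 1..13 built from the four prioritization inputs."""
    score = f.asset_criticality
    if f.exploited_in_wild:
        score += W_EXPLOITED
    if f.internet_facing:
        score += W_INTERNET
    if f.on_attack_path:
        score += W_ATTACK_PATH
    return score


def justification(f: Finding) -> str:
    """Explicit reasons, so the short list carries its own justification."""
    reasons = [f"asset criticality {f.asset_criticality}/5"]
    if f.exploited_in_wild:
        reasons.append("actively exploited")
    if f.internet_facing:
        reasons.append("internet-facing")
    if f.on_attack_path:
        reasons.append("on attack path to critical asset")
    return "; ".join(reasons)


def prioritize(findings, capacity: int):
    """Return at most `capacity` findings (what the team can close in two
    weeks), highest priority first, each with its score and justification."""
    ranked = sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)
    return [(f.finding_id, priority_score(f), justification(f)) for f in ranked[:capacity]]


def cvss_sorted(findings):
    """The CVSS-sorted report the brief contrasts with a real priority list."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings (illustrative values only).
SAMPLE = [
    Finding("F-1", 9.8, False, 2, False, False),  # high CVSS, low context
    Finding("F-2", 7.2, True, 5, True, True),     # lower CVSS, every other signal
    Finding("F-3", 8.1, True, 3, True, False),
    Finding("F-4", 9.1, False, 5, False, True),
    Finding("F-5", 6.5, False, 1, True, False),
    Finding("F-6", 7.5, True, 2, False, False),
]

if __name__ == "__main__":
    print("CVSS order:", cvss_sorted(SAMPLE))
    for fid, score, why in prioritize(SAMPLE, capacity=3):
        print(f"{fid} score={score}: {why}")
```

With the sample data, the CVSS-sorted view puts F-1 first, while the capped priority list drops it entirely in favour of F-2, F-3 and F-4: the highest scanner score is an internal, non-exploited finding on a low-value asset, and the exposure that combines active exploitation, internet exposure and an attack path to a crown jewel carries a lower CVSS. The capacity parameter is the point of the last sentence above: anything past it is a backlog, not a priority list.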
Stage 4 — Validation: The Stage That Separates Assumption from Evidence
Validation answers a question that Prioritization cannot: is this prioritized exposure actually exploitable in our specific environment, given our network segmentation, compensating controls, patch state, and detection capability?
The practical reality: many high-priority vulnerabilities are rendered unexploitable by compensating controls — network segmentation that prevents the attacker from reaching the target, authentication requirements that prevent pre-authentication exploitation, EDR coverage that detects and blocks known exploit patterns. Discovering this before patching means the remediation resource can be redirected to exposures that validation has confirmed as genuinely reachable.
Validation methods by maturity:
Automated breach and attack simulation (BAS) runs predefined attack scenarios against the live environment, confirming whether an attacker using known tools and techniques would be detected and blocked or would succeed. Pentera's continuous automated penetration testing runs 24/7 against the environment, escalating attack complexity until it finds a working path or exhausts the option space. Cymulate provides scenario-based BAS across the full kill chain. AttackIQ maps scenarios to MITRE ATT&CK framework techniques, enabling validation aligned with specific adversary TTPs.
Manual red team exercises provide higher-fidelity validation for the most critical exposures — the ones where the consequence of a missed exploitable path is highest. Red team exercises should be informed by CTEM discovery and prioritization outputs; undirected red team engagements are less efficient than red teams tasked against the specific attack paths the CTEM program has identified as high-priority.
Purple team operations — collaborative exercises where the red team and blue team work together, with the red team confirming exploitation and the blue team confirming detection — validate both the exposure and the detection capability simultaneously, producing the most complete validation picture.
Stage 5 — Mobilization: The Stage That Determines Whether CTEM Produces Outcomes
Mobilization is the operationalization stage — connecting CTEM findings to the teams and systems that execute remediation. It is the stage most often treated as an afterthought, because it lives at the boundary between the security team and the IT operations team, and most CTEM programs are owned entirely by one or the other.
The mobilization failure pattern: the security team produces a validated, prioritized list of exposures. The list enters the IT operations ticketing queue. IT operations is managing a separate priority stack — maintenance windows, planned upgrades, production stability requirements. CTEM findings that require emergency patching compete with scheduled work. Without a shared SLA, an escalation path, and executive sponsorship, CTEM findings are regularly deprioritized by IT operations, not because IT operations is negligent but because the process has not been designed to handle the competing demands.
Effective mobilization requires: automated ticket generation from CTEM findings into the ITSM system (ServiceNow, Jira), SLA definitions with escalation triggers, a defined remediation ownership model (who owns each asset category), and a feedback loop that tracks closure rates and reports them to security leadership and, where appropriate, executive and board stakeholders.
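The following is an added worked example, not code from the Stackcurve CURVE report, ServiceNow, Jira or any other platform named here. It models the four mobilization requirements just listed on constructed sample tickets: ticket creation with an SLA-derived due date, escalation triggers for tickets that have breached or are about to breach, an owner per ticket, and the closure metrics a feedback loop would report upward. The SLA lengths, escalation threshold, owner names, ticket identifiers and dates are assumptions for illustration.

```python
"""Illustrative CTEM mobilization tracking (added example; not the report's or
any ITSM product's code). Derives SLA due dates, flags escalations and computes
closure metrics over constructed tickets. SLA values and data are assumed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA in days per priority tier and the escalation threshold.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}
ESCALATE_WITHIN_DAYS = 2  # escalate when due in 2 days or less, or overdue


@dataclass(frozen=True)
class Ticket:
    ticket_id: str          # constructed identifier
    tier: str               # "critical" | "high" | "medium"
    owner: str              # remediation owner for the asset category (assumed)
    opened: date
    due: date
    closed: Optional[date] = None


def open_ticket(ticket_id, tier, owner, opened, closed=None) -> Ticket:
    """Automated ticket generation: the due date comes from the tier's SLA."""
    return Ticket(ticket_id, tier, owner, opened,
                  opened + timedelta(days=SLA_DAYS[tier]), closed)


def status(t: Ticket, as_of: date) -> str:
    """One of closed_within_sla, closed_late, breached, at_risk, on_track."""
    if t.closed is not None:
        return "closed_within_sla" if t.closed <= t.due else "closed_late"
    remaining = (t.due - as_of).days
    if remaining < 0:
        return "breached"
    if remaining <= ESCALATE_WITHIN_DAYS:
        return "at_risk"
    return "on_track"


def escalations(tickets, as_of):
    """Escalation trigger: open tickets that have breached or are about to."""
    return [t.ticket_id for t in tickets if status(t, as_of) in ("breached", "at_risk")]


def sla_compliance_rate(tickets, as_of) -> float:
    """Share of tickets whose SLA clock has concluded (closed, or open and
    breached) that were closed in time. 0.0 when nothing has concluded yet."""
    concluded = [status(t, as_of) for t in tickets
                 if status(t, as_of) in ("closed_within_sla", "closed_late", "breached")]
    if not concluded:
        return 0.0
    return concluded.count("closed_within_sla") / len(concluded)


def closure_report(tickets, as_of) -> dict:
    """Counts by status, the figure a feedback loop reports to leadership."""
    return dict(Counter(status(t, as_of) for t in tickets))


# Constructed sample tickets, evaluated as of an assumed reporting date.
AS_OF = date(2026, 2, 1)
SAMPLE = [
    open_ticket("T-1", "critical", "network-ops", date(2026, 1, 10), closed=date(2026, 1, 15)),
    open_ticket("T-2", "critical", "network-ops", date(2026, 1, 20)),            # overdue
    open_ticket("T-3", "high", "cloud-platform", date(2026, 1, 25)),
    open_ticket("T-4", "high", "identity-team", date(2026, 1, 20)),              # due in 2 days
    open_ticket("T-5", "medium", "app-owners", date(2025, 12, 20), closed=date(2026, 1, 25)),
    open_ticket("T-6", "medium", "app-owners", date(2026, 1, 5)),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.ticket_id, t.owner, t.due, status(t, AS_OF))
    print("escalate:", escalations(SAMPLE, AS_OF))
    print("SLA compliance:", round(sla_compliance_rate(SAMPLE, AS_OF), 2))
    print("report:", closure_report(SAMPLE, AS_OF))
```

On the sample data the escalation list contains T-2 (a critical ticket five days past its SLA) and T-4 (a high ticket due in two days), and the compliance rate is one in three: of the tickets whose SLA clock has concluded, only T-1 closed on time. The rate deliberately counts open-and-breached tickets as failures; a metric that only looks at closed tickets hides exactly the findings that are sitting unaddressed in the IT operations queue.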
Questions Your Buying Team Should Be Asking
1. Does your CTEM scoping process use current threat intelligence as its primary input, and how often is the scope adjusted to reflect changes in the threat landscape?
This tests whether the CTEM program is threat-driven or inventory-driven. A threat-intelligence-informed scoping process that adjusts when adversary targeting patterns shift — as Ivanti appliances became a priority target in early 2024 — concentrates CTEM effort on the attack surfaces currently under active threat. A static scoping model that runs the same cycle quarterly regardless of threat context is not responsive to how attacks actually evolve.
2. Does your discovery process cover all four attack surface domains — internal network, external surface, cloud infrastructure, and identity — with continuous coverage, or does it have gaps in any of these?
The four-domain check. Organizations with strong internal scanning but no EASM are blind to externally exposed infrastructure. Organizations with strong perimeter coverage but no cloud CSPM are blind to cloud misconfiguration. Organizations with no identity security posture tooling are blind to Active Directory attack paths. The question surfaces where the discovery blind spots are before an attacker finds them.
3. Can your security team produce, on demand, the current list of CTEM-priority exposures — with justification — that represent the most urgent remediation actions this week?
This is an operational test. A functioning CTEM program can produce this list. An organization with security tooling but no operational CTEM program produces a CVSS-sorted vulnerability report. The distinction between the two answers defines whether the organization has a program or a tool deployment.
4. What was the last finding that breach and attack simulation or red team validation confirmed was exploitable in your environment, and what was the remediation timeline?
This question has two parts. The first confirms whether validation is actually happening. The second confirms whether validation findings are connected to a remediation workflow with a measurable outcome. If the organization cannot point to a specific recent validated finding with a documented closure date, either validation is not running or mobilization is not working.
5. Who has executive accountability for CTEM program outcomes — including the remediation SLA compliance rate — and how is that metric reported to the board or audit committee?
Mobilization fails without executive accountability. The CISO can own the CTEM analysis. The CIO or COO must co-own the remediation outcomes, because remediation is an IT operations function. Without shared executive accountability, CTEM findings compete with every other IT operations priority and lose. The existence of a named executive owner and a board-level reporting mechanism is the organizational signal that mobilization has been designed to succeed.
The Stackcurve Take
The five CTEM stages are a sequence, not a menu. Organizations that implement only the stages that map to their existing tooling are not building a CTEM program — they are running existing tools under a new label. The value of the framework is that it defines what the complete program looks like and identifies where the gaps are.
The implementation reality for most enterprises: Stage 2 (Discovery) is partially in place through existing VM tooling. Stage 3 (Prioritization) is partially in place if the VM platform's context modules are activated. Stages 1, 4, and 5 are the most commonly absent, and they are also the stages that determine whether the program produces risk reduction outcomes or analytical outputs that do not change attacker success probability.
The recommended sequencing for organizations starting from a Stage 2 baseline: invest in Scoping first — it is a process change, not a technology purchase, and it immediately improves the ROI of every other stage by directing effort correctly. Then invest in Prioritization maturation — activating the context modules in existing platforms. Then invest in Mobilization — designing the security-to-IT-operations handoff process before adding validation capability, because validation without mobilization produces findings that don't get closed.
Validation (Stage 4) is the highest-cost stage to implement correctly, and the one most dependent on the stages that precede it. Organizations that purchase Pentera or Cymulate before they have stable discovery and prioritization outputs will run automated penetration testing against an incomplete picture and generate a list of validated findings they lack the prioritization context to act on.
The 2026 Stackcurve CTEM CURVE™ Report maps 22 vendors to the five CTEM stages, with detailed scoring on each stage's capability and cross-stage integration, and provides a sequenced implementation roadmap calibrated to different starting maturity levels. Download it free →
Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.