A Practical Checklist to CTEM

Posted by: Batya Steinherz
Getting your Trinity Audio player ready...

There’s a lot of hype around Gartner’s Continuous Threat Exposure Management (CTEM). But CTEM isn’t a specific technology or a category of solutions. Instead, it’s a continuous 5-stage program or framework intended to help organizations monitor, evaluate, and reduce their level of exploitability and validate that their analysis and remediation processes are optimal.

Use this practical checklist to keep yourself and your team on track to continue to meet the stages of CTEM.


STAGE 1 Scoping

This first stage encompasses understanding your attack surfaces and what is more important and what is less important to your business. The scope will naturally expand and shift as your program becomes more established.

When considering your attack surface, don’t forget to include your:

☐  External attack surfaces
☐  SaaS tools
☐  Newly acquired environments (via M&A/mergers)
☐  Third parties
☐  Open source repositories
☐  Information exposed on the darkweb


STAGE 2 – Discovery

This step digs in to uncover assets and their level of risk. When considering risk, it is CRUCIAL to note that risk extends beyond vulnerabilities

Make sure you account for: 

☐  Misconfigurations
☐  W
eak credentials
☐  O
verly permissive identities
☐  Vulnerabilities


STAGE 3 – Prioritization

You’ll never be able to fix EVERYTHING – and you don’t need to. This step is all about identifying the most impactful issues – i.e., the ones with the greatest business impact and the greatest likelihood, or lack thereof, leading to critical assets – and creating a plan to fix those issues first.

Start by identifying your quick wins. These are the issues that can be fixed fast and will have the greatest impact:

☐  Low-complexity attack techniques
☐  Risky users
☐  Areas where multiple attack paths converge (choke points)
☐  Exposed cloud storage containing sensitive info


STAGE 4 – Validation

This stage looks at how attacks can occur and the likelihood of their occurrence. This step will leverage a variety of tools, with the goal of assessing if the assertions of the steps above are accurate and validated.
Tools/methodologies to use:

☐  Pentesting
☐  Attack path modeling and analysis
☐  Breach and attack simulation
☐  Security controls monitoring


STAGE 5 – Mobilization

This stage, which in a sense serves as the facilitating factor for the entire framework, is where you make sure everyone is on the same page and understands their role and responsibilities within the context of the program. 

Make sure that:

☐  You have clearly defined your processes so they are easily understood
These processes have been communicated to anyone relevant
Everyone is aware of the risks and knows their role
☐  There is a feedback loop via which people can ask questions and get answers


There’s lots more to take into account when building your CTEM program. We recommend reading Gartner’s full report and then building a strategic plan to operationalize your adoption. But hopefully with this handy and efficient list, you’ll have a view of the most important highlights and get headed in the right direction.


How do you prioritize vulnerabilities within the identified assets?

Prioritizing vulnerabilities within identified assets is a crucial aspect of managing cybersecurity risks effectively. The process usually involves assessing the potential impact of a vulnerability being exploited, as well as the likelihood of such exploitation. Critical factors include the severity of the potential impact, which could range from data loss to system downtime or compromise of sensitive information. The Common Vulnerability Scoring System (CVSS) scores can be helpful in assessing severity. The likelihood assessment considers existing controls, the complexity of exploitation, and known threats or exploits in the wild. Organizations must also consider the criticality of the affected asset to the business operations, where vulnerabilities in high-value assets are prioritized higher.

What specific metrics or KPIs should organizations track to measure the effectiveness of their CTEM program?

For measuring the effectiveness of a Cybersecurity Threat and Exposure Management (CTEM) program, organizations should track a range of Key Performance Indicators (KPIs) that can include:

– Time to detect: The average time it takes to identify a potential security incident from the time it occurs.
– Time to respond: The average time it takes to respond to a detected threat, which includes containment and mitigation efforts.
– Time to remediate: How quickly vulnerabilities are patched or mitigated after they are identified.
– Exposure time: The amount of time critical systems or data are exposed to potential threats without adequate protection.
– The number of incidents detected by the CTEM program versus those detected through other means, which can help gauge the program’s effectiveness in proactive threat identification.
– The ratio of false positives to true positives, aiming to optimize the accuracy of threat detection mechanisms.

How should organizations integrate CTEM with their existing cybersecurity and risk management frameworks?

Integrating CTEM with existing cybersecurity and risk management frameworks is essential for a holistic and effective security posture. This integration should begin with a clear understanding of the organization’s risk appetite and the critical assets that require protection. From there, CTEM processes can be aligned with the broader organizational risk management framework, ensuring that cybersecurity threats are adequately considered in the overall risk assessment and management process. Additionally, CTEM activities should be aligned with existing cybersecurity frameworks such as NIST’s Cybersecurity Framework or ISO 27001, which can provide a structured approach to managing cybersecurity risk.

Further integration involves aligning the incident response and management processes of the CTEM program with the broader organizational business continuity and disaster recovery planning. This ensures that in the event of a significant cybersecurity incident, the response is coordinated across the organization, minimizing impact and recovery time.

To achieve this integration effectively, it’s important to foster communication and collaboration across departments. Cybersecurity is not solely an IT issue but a business one, and engaging stakeholders from various departments in cybersecurity planning and response activities ensures a more resilient organization.

Batya Steinherz

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.