Free · no email required

CTEM Maturity Self-Assessment.

Fifteen questions, scored against Gartner's five-stage CTEM model. No email gate, no PII stored, no sales follow-up unless you ask. Designed for CISOs and security leaders who want a defensible snapshot of where their program actually stands.

~6 minutes · Results in browser · Nothing sent to our servers
01 Scope: Defining what to defend, before deciding how.
Q1

Are assets in your environment formally classified by tier and business priority?

Q2

How often does your in-scope asset inventory get updated?

Q3

Which of these are explicitly in scope: AI/LLM endpoints, non-human identities, shadow services?

02 Discover: Surfacing every asset, including the ones forgotten.
Q4

Where does asset discovery start?

Q5

When a new subdomain, cloud resource, or API endpoint appears, how soon does security know?

Q6

Do you actively monitor third-party / vendor external exposure?

03 Prioritize: Scoring real risk, not raw severity.
Q7

Do you factor EPSS (exploit probability) into prioritization?

Q8

Do you factor CISA KEV (known exploited vulnerabilities) into prioritization?

Q9

Does prioritization account for your local context (asset tier, reachability, business priority)?

04 Validate: Proving exploitability before paging on-call.
Q10

Do you validate exploitability before findings reach on-call rotation?

Q11

Does every Validated finding carry replication evidence?

Q12

Do findings have a documented state machine (Validated / Validating / Theoretical / Suppressed or equivalent)?

05 Mobilize: Routing the right fix to the right owner.
Q13

Are tickets auto-created in Jira / ServiceNow / Slack with evidence + owner + SLA pre-filled?

Q14

When a fix ships and the ticket closes, does re-validation fire automatically?

Q15

Do you have documented suppression governance with reason + expiry + audit trail?

Methodology

How the score is computed.

Each question scores 0-3 points. Five stages × three questions × three maximum points = 45 total. The stage groupings mirror Gartner's 5-stage CTEM model (scope · discover · prioritize · validate · mobilize). Maturity tiers:

  • 0–15: Early — foundational work ahead
  • 16–30: Maturing — partial loop, real gaps
  • 31–40: Operating — full loop with room to optimize
  • 41–45: World-class — running the program at category-leader level

Your answers are scored entirely in your browser — nothing is posted to our servers and nothing is stored. Refresh the page or close the tab and the results vanish. Take it again any time.