CTEM Was Named in 2022. Four Years Later, the Category Has Settled.
When Gartner introduced Continuous Threat Exposure Management in mid-2022, the framework was prescriptive but the market was diffuse. Vendors approached the five-stage program from whatever direction they were already moving in: scanners from below, ASM tools from the side, cloud platforms from above. The early CTEM landscape looked like a category-of-categories.
By 2026, the dust has mostly settled. The platforms competing on CTEM positioning fall into four camps, and a fifth seat — the one Gartner actually described — is still open. For security buyers running a 2026 procurement, knowing which camp a vendor sits in matters more than the marketing surface.
This is the field map.
Camp One: EASM-Led
The first camp came at CTEM from the discovery side. Vendors like CyCognito and Censys built deep capabilities around external asset discovery — certificate transparency monitoring, passive DNS analysis, internet-wide scan correlation — and extended into prioritization and reporting from there.
These platforms are strong on stages one and two of the Gartner framework, scoping and discovery. They are unmatched at finding the assets your CMDB does not know about. Where they tend to be weaker is stage four, validation. The dispatch model is usually “discover everything, prioritize the discoveries, send a queue to the human.” The probe that would close the loop, actually attempting the exploit against the discovered asset, is either on the roadmap or supplied through a partner.
For buyers whose primary problem is “we do not know what we own,” EASM-led platforms are a strong fit. For buyers whose primary problem is “we have a queue we cannot drain,” they extend the queue rather than shorten it.
Camp Two: BAS-Led
The second camp came from the opposite direction. Pentera and Horizon3.ai built deep adversarial validation engines (automated penetration testing, exploit chains, controlled probing of production) and grew outward into discovery and prioritization. Strictly speaking these are autonomous pentesting products rather than breach-and-attack simulation in the classic sense, but buyers file both under the BAS heading, and Gartner now groups the two as adversarial exposure validation.
These platforms are strong on stage four. They can answer the “is this exploitable from here, right now?” question with evidence. Where they tend to be weaker is breadth. The asset graph that feeds the validation engine is usually smaller than what an EASM-led platform produces; the surfaces covered are narrower; the integration with identity, AI/LLM, and cloud control planes is less mature.
For buyers whose primary problem is “our pen tests are quarterly and the world is daily,” BAS-led platforms convert the cadence. For buyers who need the validation depth across the full attack surface — not just the part the BAS engine can reach — they are typically half of a stack rather than the full one.
Camp Three: VM-Evolved
The third camp is the established vulnerability management category extending its product surface upward into CTEM language. Tenable, Qualys, and Rapid7 are the leaders here. The asset graph is mature, the scanner integrations are stable, the compliance reporting is enterprise-ready.
These platforms are strong on the operational substrate that CTEM requires. They have run multi-tenant security workloads at scale for two decades; the plumbing works. Where they tend to be weaker is on the parts of CTEM that are not native vulnerability management: validation, identity, AI/LLM, modern API surfaces. The category-stretch is real, and the bolt-ons are visible.
For buyers running large existing VM deployments who want to evolve into CTEM rather than replace and rebuild, VM-evolved platforms are the lowest-risk migration. For buyers building a CTEM program from a blank page in 2026, the legacy weight is often a tax rather than a feature.
Camp Four: Cloud-Native (the Wiz Camp)
The fourth camp owns a single environment beautifully. Wiz, Orca, and the rising CNAPP class built CTEM-aligned capability around cloud surfaces specifically — code, container, cloud configuration, cloud identity, runtime context.
Within their environment, these platforms are excellent. The graph model — agent-less, code-to-runtime, single-platform — set the standard the rest of the category is now copying. Where they are structurally weaker is outside the cloud surface they were designed for. Web DAST, API testing of non-cloud-deployed services, on-premise infrastructure, OT/ICS, mobile binary analysis — all of these are out of scope by design.
For buyers whose attack surface is cloud-native end-to-end, the Wiz camp is the dominant choice. For buyers whose surface includes anything outside cloud — and almost every real enterprise environment does — these platforms are a strong component, not a complete platform.
The Seat That Is Still Open
Four camps. None of them, individually, implements the full five-stage CTEM program Gartner actually described.
EASM-led platforms own stages one and two. BAS-led platforms own stage four. VM-evolved platforms own the operational substrate. Cloud-native platforms own one surface deeply. The seat Gartner described — a platform that runs all five stages, across multiple surfaces, with adversarial validation closing the loop — is still empty in the category-leader tier.
This is the seat VirtueThreatX was built for. Three things define the seat:
Surface breadth without depth sacrifice. Coverage across web, API, network, cloud, code, container, identity, mobile, AI/LLM, and OT — with a surface-aware dispatch model that points the right scanners at the right surfaces, not a uniform spray.
Validation as the centerpiece, not the add-on. Multi-engine corroboration, adversarial probing where safe, LLM-assisted triage, full evidence chain per finding. The four-state model — Validated, Validating, Theoretical, Suppressed — is the governance, not a labeling exercise.
The closed loop. Re-validation fires automatically when tickets close. Findings that regress reopen with the regression captured. Stage five is operationalized, not just integrated.
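The three properties above are easier to reason about as a small state machine. The following is an added illustration, not code from VirtueThreatX or from any vendor named on this page: a toy Python model of a surface-aware dispatch table, the four-state finding model, and a closed loop that re-validates when a ticket closes and reopens regressions. It also gives concrete shape to the scanner-to-surface table and the per-finding evidence that the procurement questions later on this page ask for. The engine names, the asset hostnames, the quorum of two engines, and the captured request and response are all constructed for the example.

```python
# Added example (not vendor code): surface-aware dispatch, four-state findings, closed-loop re-validation.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class State(str, Enum):
    THEORETICAL = "Theoretical"  # a scanner asserted it; no engine has proven it
    VALIDATING = "Validating"    # probes are running
    VALIDATED = "Validated"      # a quorum of engines reproduced it; evidence attached
    SUPPRESSED = "Suppressed"    # deliberately set aside, with the reason recorded

@dataclass
class Evidence:
    engine: str
    request: str
    response: str
    exploitation_path: List[str]
    replication_steps: List[str]

@dataclass
class Finding:
    finding_id: str
    asset: str
    surface: str
    state: State = State.THEORETICAL
    open: bool = True
    evidence: List[Evidence] = field(default_factory=list)
    history: List[str] = field(default_factory=list)

Engine = Callable[[Finding], Optional[Evidence]]

# Scanner-to-surface mapping: explicit, observable, editable. Engine names are hypothetical.
DISPATCH: Dict[str, List[str]] = {
    "web": ["dast", "auth-bypass-probe"],
    "api": ["openapi-fuzz", "auth-bypass-probe"],
    "cloud": ["cspm-reachability"],
}

def engines_for(finding: Finding, registry: Dict[str, Engine]) -> List[Engine]:
    """Only engines mapped to the finding's surface run; an unmapped surface gets none, not a spray."""
    return [registry[n] for n in DISPATCH.get(finding.surface, []) if n in registry]

def validate(finding: Finding, registry: Dict[str, Engine], quorum: int = 2) -> State:
    """Multi-engine corroboration: Validated only when `quorum` engines each return evidence."""
    if finding.state is State.SUPPRESSED:
        return finding.state  # suppression is a governance decision; a probe does not override it
    finding.state = State.VALIDATING
    results = [ev for ev in (e(finding) for e in engines_for(finding, registry)) if ev is not None]
    if len(results) >= quorum:
        finding.evidence = results  # the full evidence chain travels with the Validated finding
        finding.state = State.VALIDATED
    else:
        finding.state = State.THEORETICAL
    finding.history.append(f"validate: {len(results)} engine(s) corroborated -> {finding.state.value}")
    return finding.state

def suppress(finding: Finding, reason: str) -> None:
    finding.state = State.SUPPRESSED
    finding.history.append(f"suppressed: {reason}")

def on_ticket_closed(finding: Finding, registry: Dict[str, Engine]) -> bool:
    """Closed loop, rule 1: re-validation fires on ticket close. True if the close is accepted."""
    if validate(finding, registry) is State.VALIDATED:
        finding.history.append("ticket close rejected: still reproducible")
        return False
    finding.open = False
    finding.history.append("ticket close accepted: no engine reproduced the finding")
    return True

def on_schedule(finding: Finding, registry: Dict[str, Engine]) -> bool:
    """Closed loop, rule 2: closed findings are re-probed; one that reproduces again is reopened."""
    if finding.open or validate(finding, registry) is not State.VALIDATED:
        return False
    finding.open = True
    finding.history.append("regression: reopened with fresh evidence attached")
    return True

def make_engine(name: str, world: Dict[str, bool]) -> Engine:
    """Stand-in engine: `world` says whether an asset is exploitable. Captured traffic is constructed."""
    def probe(finding: Finding) -> Optional[Evidence]:
        if not world.get(finding.asset):
            return None
        return Evidence(name, f"GET https://{finding.asset}/admin HTTP/1.1 (no session cookie)",
                        "HTTP/1.1 200 OK ... <title>Admin console</title>",
                        ["internet", finding.asset, "/admin reachable without authentication"],
                        [f"curl -si https://{finding.asset}/admin", "expect 302 to login, observe 200"])
    return probe

def demo() -> Finding:
    world = {"app.example.test": True}  # constructed: the asset starts out exploitable
    registry = {n: make_engine(n, world) for n in ("dast", "auth-bypass-probe", "openapi-fuzz", "cspm-reachability")}
    f = Finding("F-1", "app.example.test", "web")
    validate(f, registry)             # two web engines corroborate -> Validated
    world["app.example.test"] = False  # constructed: the fix ships
    on_ticket_closed(f, registry)      # re-validation finds nothing -> close accepted
    world["app.example.test"] = True   # constructed: a later deploy regresses it
    on_schedule(f, registry)           # reproduces again -> reopened, regression recorded
    return f
```

Two design choices are worth noting. The quorum of two is an assumption standing in for "multi-engine corroboration"; the page does not say how many engines the real platform requires, and a single engine's word leaves the finding Theoretical on purpose. Suppression is sticky: a later probe result never silently undoes a human governance decision, and the reason stays in the finding's history alongside every validation run.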
What’s Also Changed: AI/LLM Becomes a First-Class Surface
One development since Gartner’s original CTEM framework deserves explicit attention: the AI/LLM attack surface, which barely existed when the framework was published, is now a top-tier concern.
Indirect prompt injection has moved from research demos to wild-caught samples. Shadow AI services proliferate inside enterprises faster than security teams can inventory them. RAG context leakage exposes the data the LLM was supposed to protect. NIST and ISO have both moved on AI-specific standards: NIST AI 600-1, the generative AI profile of the AI Risk Management Framework (2024), and ISO/IEC 42001, the AI management system standard published in 2023 and now in adoption.
The CTEM platforms built before 2024 mostly do not treat AI/LLM as a surface at all. The 2026-built platforms have to. This is one of the cleanest tests of whether a CTEM vendor has architecture flex or feature-list flex: ask them what their AI/LLM scanner stack looks like, what they discover in shadow AI inventory, and how they validate prompt injection. The answers vary wildly.
What This Means for a 2026 Procurement
Three questions cut through the marketing layer.
“Of the five Gartner CTEM stages, which two do you own deepest, and which two do you bolt on?”
Every vendor owns some and bolts on others. The honest ones say so. The dishonest ones claim all five at equal depth — which is the signal that they own none at depth.
“What is your scanner-to-surface mapping?”
A table — explicit, observable, editable. Vendors that cannot produce one are running spray-and-pray dispatch, which is a 2018 model in 2026 clothing.
“What evidence travels with a Validated finding?”
Replication steps, request capture, response trace, exploitation path. If the answer is a severity score with EPSS attached, the platform does not validate; it estimates. EPSS is a population-level prediction of how likely a CVE is to be exploited in the wild over the next 30 days; it says nothing about whether this asset is exploitable from this vantage point right now.
The CTEM category has settled into camps. The seat that runs the full program — surface-broad, validation-first, closed-loop — is still open. Buyers willing to ask the three questions above will find the answer in their procurement process pretty quickly.
VirtueThreatX runs all five Gartner CTEM stages in one workflow, with adversarial validation and AI/LLM exposure built in. See the platform overview, browse the five capability sub-pages, or schedule a 30-minute walkthrough — bring a target you own, and we will run the loop against it live.