
What Is CTEM? A Complete Guide to Continuous Threat Exposure Management

CTEM is Gartner's 5-phase framework for continuous exposure management — scope, discover, prioritize, validate, mobilize — and the difference between a vulnerability program and an exposure program.

VirtueThreatX Team
April 18, 2026

40,009 CVEs Were Published in 2024. Most Security Teams Chased the Wrong Ones.

That is 108 new vulnerabilities every single day — a 38% increase from 2023. Yet research from Kenna Security and EPSS data shows that only 2-5% of published CVEs are ever exploited in the wild. Sixty-two percent have less than a 1% probability of exploitation.

The math is brutal: traditional vulnerability management programs drown in findings while attackers walk through the handful of exposures that actually matter. This is precisely the problem Gartner set out to solve when it published the Continuous Threat Exposure Management (CTEM) framework in July 2022.

CTEM is not another scanning tool or a vulnerability management rebrand. It is a five-phase program that shifts security teams from “find all the vulnerabilities” to “eliminate the exposures attackers will actually use.” Gartner’s prediction is direct: organizations prioritizing CTEM will be three times less likely to suffer a breach by 2026.

Two years into that prediction window, the data supports the thesis. IBM’s 2024 Cost of a Data Breach report put the average breach cost at $4.88 million — a record high and a 10% year-over-year increase. The average organization still takes 204 days to identify a breach and another 73 days to contain it. That 277-day window exists because most security programs react to vulnerabilities instead of continuously managing exposures.

The Five Phases of CTEM

Gartner structured CTEM as a continuous loop, not a linear process. Each phase feeds the next, and outcomes from later phases refine earlier ones. Here is what each phase demands in practice.

Phase 1: Scoping

Scoping defines what your organization needs to protect — and just as importantly, what it does not. This is a business decision, not a technical one.

Effective scoping starts with revenue-generating systems, customer-facing applications, and regulated data stores. It then expands to include the infrastructure those systems depend on: identity providers, CI/CD pipelines, cloud accounts, third-party integrations.

The mistake most teams make is scoping too broadly in the first iteration. A CTEM program that tries to cover everything covers nothing well. Start with your two or three highest-risk attack surfaces and expand quarterly.

Phase 2: Discovery

Discovery goes far beyond running a port scan against known IP ranges. It means finding every asset an attacker could reach — including the ones your asset inventory does not know about.

The Verizon 2025 DBIR found that third-party breaches doubled to 30% of incidents. Those third parties represent attack surface your security team likely has no visibility into. Discovery must enumerate shadow IT, forgotten subdomains, orphaned cloud resources, exposed APIs, and partner integrations that create transitive risk.

Certificate Transparency log monitoring, passive DNS analysis, and internet-wide scan data (Shodan, Censys) are table stakes. The goal is to match or exceed the reconnaissance a motivated threat actor would perform. If your discovery misses an asset, your entire CTEM program has a blind spot. Read our attack surface management guide for a deeper treatment of discovery techniques.
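One concrete discovery step the paragraph above describes is reconciling what Certificate Transparency logs reveal against what your asset inventory believes exists. The script below is an added example, not VirtueThreatX code: it takes constructed CT search records (the record shape, a JSON object per certificate with a `common_name` and a newline-separated `name_value` listing the SAN entries, is an assumption), restricts them to the apex domains chosen during scoping, and reports hostnames the inventory does not know about, with wildcard certificates flagged separately because a wildcard hides the real hostnames behind it.

```python
import json

# Constructed certificate-transparency search results. The record shape (one
# JSON object per certificate with "common_name" and a newline-separated
# "name_value" listing the SAN entries) is an assumption for this example.
CT_LOG_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "api.example.com", "name_value": "api.example.com"},
    {"common_name": "staging-old.example.com",
     "name_value": "staging-old.example.com\n*.dev.example.com"},
    {"common_name": "partner-portal.example.com", "name_value": "PARTNER-PORTAL.example.com"},
    {"common_name": "shop.other-domain.test", "name_value": "shop.other-domain.test"},
])

# Constructed asset inventory (what the CMDB believes is in scope).
INVENTORY = {"example.com", "www.example.com", "api.example.com"}
SCOPE = {"example.com"}  # apex domains selected in the scoping phase


def in_scope(hostname, scope):
    """True if hostname is an apex domain in scope or a subdomain of one."""
    return any(hostname == apex or hostname.endswith("." + apex) for apex in scope)


def extract_hostnames(ct_json, scope):
    """Return (hostnames, wildcards) seen in CT records, normalised and filtered to scope."""
    hostnames, wildcards = set(), set()
    for record in json.loads(ct_json):
        names = [record.get("common_name", "")] + record.get("name_value", "").split("\n")
        for name in names:
            # Normalise case and trailing dots so "PARTNER-PORTAL.example.com" matches inventory.
            name = name.strip().lower().rstrip(".")
            if not name or not in_scope(name.lstrip("*."), scope):
                continue
            (wildcards if name.startswith("*.") else hostnames).add(name)
    return hostnames, wildcards


def find_unknown_assets(ct_json, inventory, scope):
    """Hostnames present in CT logs that the inventory does not know about, sorted."""
    hostnames, wildcards = extract_hostnames(ct_json, scope)
    unknown = sorted(h for h in hostnames if h not in inventory)
    return {"unknown": unknown, "wildcards": sorted(wildcards)}


def run_sample():
    """Run the reconciliation over the constructed data above."""
    return find_unknown_assets(CT_LOG_SAMPLE, INVENTORY, SCOPE)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed data this surfaces `partner-portal.example.com` and `staging-old.example.com` as assets the inventory has never heard of, plus a wildcard for `dev.example.com` that warrants its own enumeration; the out-of-scope `other-domain.test` certificate is ignored because scoping, not the log, decides what counts.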

Phase 3: Prioritization

This is where CTEM breaks decisively from traditional vulnerability management.

Legacy prioritization is a CVSS score and a spreadsheet. A critical-severity CVE in an air-gapped test system gets the same urgency as a medium-severity CVE in a public-facing payment API with a known exploit. That is not risk management — it is sorting.

CTEM prioritization layers multiple signals: CVSS base score, EPSS exploitation probability, presence in CISA’s Known Exploited Vulnerabilities catalog, asset business value, network reachability, and compensating control effectiveness. The output is not a ranked list of CVEs. It is a ranked list of exposures — specific combinations of vulnerability, asset, and context that represent actual risk to the organization.

The difference matters. Two identical CVEs on two different assets produce two different exposure scores. One might demand emergency patching; the other might be adequately mitigated by an existing WAF rule.
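To make the layering described above tangible, here is an added example (not the platform's scoring model) of an exposure score that combines the listed signals: EPSS and KEV for likelihood, network reachability, CVSS scaled by asset business value for impact, and a compensating-control factor for what is left over. The weights, thresholds and CVE identifiers are constructed for illustration; it reproduces the two cases from the text, the critical CVE on an air-gapped test box versus the medium CVE on a public payment API, and shows the same CVE scoring differently on two assets.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str        # constructed identifiers below, not real CVEs
    cvss_base: float   # CVSS base score, 0.0 - 10.0
    epss: float        # EPSS probability of exploitation, 0.0 - 1.0
    in_cisa_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


@dataclass(frozen=True)
class AssetContext:
    name: str
    business_value: int          # 1 (lab box) .. 5 (revenue-critical), decided during scoping
    internet_reachable: bool     # reachable by an external attacker over the network
    compensating_control: float  # 0.0 (nothing in the way) .. 1.0 (exploit path fully blocked)


def exposure_score(vuln, asset):
    """Combine likelihood, reachability, impact and controls into one 0-100 exposure score.
    The weights are an assumed illustrative policy, not a published standard."""
    # Likelihood: EPSS is the primary signal; a KEV listing floors it at 0.9 because
    # exploitation in the wild is already confirmed.
    likelihood = max(vuln.epss, 0.9 if vuln.in_cisa_kev else 0.0)
    # Reachability: an asset no external attacker can reach is heavily discounted.
    reach = 1.0 if asset.internet_reachable else 0.2
    # Impact: technical severity scaled by what the asset is worth to the business.
    impact = (vuln.cvss_base / 10.0) * (asset.business_value / 5.0)
    # Residual: whatever the compensating control (WAF rule, segmentation, EDR) leaves open.
    residual = 1.0 - asset.compensating_control
    return round(100.0 * likelihood * reach * impact * residual, 1)


def rank_exposures(pairs):
    """Return (score, cve_id, asset_name) tuples, highest exposure first."""
    return sorted(((exposure_score(v, a), v.cve_id, a.name) for v, a in pairs), reverse=True)


def demo_ranking():
    # Constructed inputs mirroring the cases discussed in the text.
    crit_cve = Vulnerability("CVE-EXAMPLE-0001", cvss_base=9.8, epss=0.02, in_cisa_kev=False)
    med_cve = Vulnerability("CVE-EXAMPLE-0002", cvss_base=6.5, epss=0.60, in_cisa_kev=True)
    airgapped_test = AssetContext("lab-test-01", business_value=1,
                                  internet_reachable=False, compensating_control=0.0)
    payment_api = AssetContext("payments-api", business_value=5,
                               internet_reachable=True, compensating_control=0.0)
    payment_api_waf = AssetContext("payments-api-behind-waf", business_value=5,
                                   internet_reachable=True, compensating_control=0.8)
    return rank_exposures([(crit_cve, airgapped_test),
                           (med_cve, payment_api),
                           (med_cve, payment_api_waf)])


if __name__ == "__main__":
    for score, cve, asset in demo_ranking():
        print(f"{score:5.1f}  {cve}  {asset}")
```

With these inputs the CVSS 9.8 finding on the lab box scores well under 1, the CVSS 6.5 KEV-listed finding on the exposed payment API scores 58.5, and the same finding behind an effective WAF rule drops to 11.7: a CVSS-only sort would have put the lab box first and given both payment-API instances identical urgency.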

Phase 4: Validation

Prioritization estimates risk. Validation proves it.

Breach and attack simulation (BAS) techniques attempt to exploit prioritized findings in your actual environment — safely, automatically, and continuously. A vulnerability that a scanner flags as critical but that your network segmentation, EDR, or WAF prevents from being exploited is not a critical exposure. BAS confirms this, freeing your team to focus on the exposures that genuinely bypass your defenses.

Validation is the phase most organizations skip, and it is the phase that delivers the highest ROI. Teams that validate before remediating consistently describe substantial reductions in actionable findings — not because the vulnerabilities disappeared, but because compensating controls already handled most of them.

Phase 5: Mobilization

Findings without action are noise. Mobilization ensures validated exposures reach the right team with enough context to remediate quickly.

This means automated ticket creation with asset ownership, exploitation evidence, and business impact pre-populated. It means SLA tracking tied to exposure severity, not generic CVSS buckets. And it means feedback loops: when remediation is complete, the exposure re-enters the validation phase to confirm the fix worked.

Mobilization also owns the executive reporting function. Boards and regulators do not want vulnerability counts — they want to know how exposed the organization is to the threats that matter. CTEM provides that answer.

CTEM vs. Traditional Vulnerability Management

The difference is not incremental. It is structural.

Traditional vulnerability management operates on a scan-patch-report cycle. Teams run periodic scans (weekly or monthly), generate findings sorted by CVSS, open tickets, and report on patch compliance. The implicit assumption is that finding vulnerabilities and patching them reduces risk proportionally. It does not. Patching a CVE that no attacker would bother exploiting while leaving an actively weaponized edge device vulnerability unpatched does not improve your security posture — it improves your compliance metrics.

CTEM replaces that model with continuous exposure reduction. Scans are always-on, not periodic. Scope includes shadow IT, APIs, cloud configurations, and identity systems — not just known network assets. Prioritization uses real-world exploitation data, not just severity scores. Findings are validated through BAS before they consume remediation resources. And outcomes are measured in “exposures eliminated,” not “patches applied.”

The practical result: CTEM programs produce fewer, higher-confidence findings and faster remediation cycles. Teams fix less but accomplish more.

Why CTEM Is Non-Negotiable in 2026

Three forces have converged to make continuous exposure management a requirement, not a best practice.

Attacker speed has outpaced periodic assessment. CrowdStrike’s 2026 Global Threat Report measured the average eCrime breakout time at 29 minutes — down from 62 minutes in 2024. The fastest observed breakout was 27 seconds. Quarterly vulnerability scans cannot compete with attackers who move from initial access to lateral movement in under half an hour.

Regulation now demands continuous visibility. The SEC’s cybersecurity disclosure rules (effective December 2023) require material incident reporting within four business days. The EU’s Digital Operational Resilience Act (DORA, effective January 2025) mandates continuous ICT risk monitoring for financial entities. NIS2 (effective October 2024) extends similar requirements across critical infrastructure. PCI DSS 4.0, fully enforced since March 2025, requires ongoing security testing rather than annual snapshots. None of these frameworks are satisfied by periodic scanning.

Attack surfaces are expanding faster than teams can track manually. The Verizon 2025 DBIR showed vulnerability exploitation rising to 20% of all breaches — a 34% increase. Edge device exploitation surged from 3% to 22% of those cases. APIs now carry 71% of web traffic (Imperva 2024). Every new cloud service, API endpoint, and SaaS integration is a potential exposure that CTEM must discover, prioritize, and validate.

Starting a CTEM Program

Organizations that succeed with CTEM follow three principles from day one.

Scope narrowly, then expand. Pick the attack surface with the highest business risk — usually external-facing web applications and identity infrastructure — and run the full five-phase loop before adding scope. A working CTEM program on one surface beats a theoretical program across ten.

Validate before you remediate. The single highest-impact change a security team can make is adding validation between prioritization and remediation. It eliminates false positives, reduces ticket volume, and builds credibility with engineering teams who are tired of patching things that do not matter.

Measure exposures, not vulnerabilities. Track how many validated, exploitable exposures exist at any given time and how quickly they are remediated after discovery. These metrics tell you whether your security posture is improving. Vulnerability counts do not.
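The mobilization phase above (pre-populated tickets, SLAs keyed on exposure severity, re-validation before closure) and the metric this paragraph asks for (open validated exposures and time to remediate) fit naturally into one small lifecycle model. The code below is an added example, not VirtueThreatX's implementation; the SLA bands, thresholds, asset names and timeline are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed SLA policy keyed on exposure severity band rather than CVSS bucket.
SLA_BY_BAND = {
    "critical": timedelta(days=3),
    "high": timedelta(days=14),
    "medium": timedelta(days=45),
    "low": timedelta(days=90),
}


def severity_band(score):
    """Map a 0-100 exposure score to an SLA band (thresholds are assumed)."""
    if score >= 50:
        return "critical"
    if score >= 25:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


@dataclass
class Exposure:
    exposure_id: str
    asset: str
    owner: str                   # owning team, recorded during scoping
    score: float                 # exposure score from the prioritization phase
    discovered: datetime
    validated: bool              # True only once BAS confirmed the exploit path works
    evidence: str = ""           # validation evidence to attach to the ticket
    remediated: Optional[datetime] = None


def open_ticket(exp):
    """Build a pre-populated ticket for a validated exposure; unvalidated findings get none."""
    if not exp.validated:
        return None
    band = severity_band(exp.score)
    return {
        "exposure_id": exp.exposure_id,
        "assignee": exp.owner,
        "asset": exp.asset,
        "severity": band,
        "evidence": exp.evidence,
        "due": exp.discovered + SLA_BY_BAND[band],
    }


def close_exposure(exp, fixed_at, revalidation_passed):
    """Feedback loop: a fix only closes the exposure once re-validation confirms it held."""
    if revalidation_passed:
        exp.remediated = fixed_at
    return exp.remediated is not None


def exposure_metrics(exposures, now):
    """Posture metrics: open validated exposures, how many are past SLA, mean days to remediate."""
    open_validated = [e for e in exposures if e.validated and e.remediated is None]
    overdue = [e for e in open_validated if now > open_ticket(e)["due"]]
    closed = [e for e in exposures if e.remediated is not None]
    ttr_days = [(e.remediated - e.discovered).total_seconds() / 86400 for e in closed]
    return {
        "open_validated": len(open_validated),
        "overdue": len(overdue),
        "mean_days_to_remediate": round(sum(ttr_days) / len(ttr_days), 2) if ttr_days else None,
    }


def sample_metrics():
    # Constructed exposures and timeline; "now" is fixed so the result is reproducible.
    now = datetime(2026, 4, 18)
    e1 = Exposure("EXP-1", "payments-api", "payments-team", 58.5,
                  datetime(2026, 4, 1), True, "BAS confirmed exploit path")
    e2 = Exposure("EXP-2", "payments-api-behind-waf", "payments-team", 11.7,
                  datetime(2026, 4, 5), True, "BAS confirmed partial bypass")
    e3 = Exposure("EXP-3", "vpn-edge-01", "network-team", 30.0,
                  datetime(2026, 3, 20), True, "BAS confirmed exploit path")
    e4 = Exposure("EXP-4", "lab-test-01", "qa-team", 0.1, datetime(2026, 4, 2), False)
    close_exposure(e1, datetime(2026, 4, 2), revalidation_passed=True)    # fix confirmed
    close_exposure(e3, datetime(2026, 4, 10), revalidation_passed=False)  # fix did not hold
    return exposure_metrics([e1, e2, e3, e4], now)


if __name__ == "__main__":
    print(sample_metrics())
```

Two details carry the point of the section: `EXP-3` stays open and counts as overdue because its remediation failed re-validation, and `EXP-4` never becomes a ticket or a metric because it was never validated, so the reported numbers describe exploitable exposures rather than scanner output.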

VirtueThreatX operationalizes all five CTEM phases in a single platform — from automated attack surface discovery through BAS validation and remediation tracking. See the platform overview or schedule a 30-minute walkthrough to see it in practice.

