Framework · Gartner CTEM

The CTEM loop — all five stages, one workflow.

Gartner named CTEM a five-stage continuous program in 2022. By 2026, most platforms still implement two or three of the stages and bolt the rest on. VirtueThreatX was built loop-first — every stage is native, and the loop is the product.

Stage-by-stage

What VirtueThreatX does at each stage.

  1. Scope. Decide what to defend before deciding how.

    The first Gartner stage is the one most platforms skip. Scoping is where you decide which assets are in, which surfaces matter, and what business priority each carries. Get this wrong and every downstream decision drifts.

    What VTX does

    Tag assets by tier, owner, business priority, and SLA. Scope by surface (Web · API · Cloud · Identity · AI/LLM). Capture data-residency and regulatory constraints once; they propagate forward.

    Engines · asset-tier model · owner registry · surface taxonomy · regulatory tags
  2. Discover. Map every asset — including the ones the team forgot about.

    Discovery is more than running an inventory. Real exposure starts with the assets that nobody remembers — the staging subdomain a contractor stood up, the cloud bucket created during a hackathon, the LLM endpoint a team shipped without telling AppSec.

    What VTX does

    Seedless asset discovery across web, API, cloud, code, identity, and AI surfaces. Continuous certificate transparency, DNS, and cloud-provider monitoring surface new assets within minutes of appearance.

    Engines · passive enumeration · CT log monitor · DNS analysis · cloud-provider walks · k8s discovery · AI endpoint mapping
  3. Prioritize. Score real risk, not raw severity.

    Severity is published. Priority is local. A 9.8 CVSS on a forgotten test box is not the same as a 9.8 on the payments path. CTEM-aligned prioritization requires real-world exploit pressure and your business context.

    What VTX does

    CRPS = CVSS × EPSS + KEV multiplier × business context. Every score is deterministic, broken down, and challengeable by analysts. No black-box AI weighting.

    Engines · CVSS · EPSS · CISA KEV · asset-tier · reachability · blast-radius
  4. Validate. Prove exploitability before paging the on-call.

    Validation is the stage that separates a CTEM platform from a vulnerability scanner with a dashboard. The platform should be able to answer: "Is this exploitable from here, right now?" with evidence. Most cannot.

    What VTX does

    Multi-engine corroboration plus adversarial probing where safe. LLM-assisted triage captures replication steps, request/response traces, and exploitation paths. Findings move through Validated · Validating · Theoretical · Suppressed states with full governance.

    Engines · corroboration scoring · BAS engine · LLM triage · evidence capture · re-validation on close
  5. Mobilize. Route the right fix to the right owner — with the work pre-done.

    A finding that ends in a ticket nobody reads is worse than no finding. Mobilization is the operational stage where evidence, owner, SLA, and reproduction land together in the team's existing tools.

    What VTX does

    Jira · ServiceNow · Slack · PagerDuty integrations route validated findings with owner, SLA, evidence, and reproduction pre-filled. Re-validation closes the loop automatically when the fix ships.

    Engines · Jira · ServiceNow · Slack · PagerDuty · Opsgenie · webhook · SLA policy · re-validation triggers
