Validation · the differentiator

The "Validated" label —
earned, not assumed.

Adversarial Exposure Validation is the Gartner-named category that splits CTEM platforms from vulnerability scanners with dashboards. It is the part of the loop that proves what is actually exploitable — and the part most platforms still hand-wave through.

Why this exists

Severity is published. Exploitability is local.

A CVE is real. Whether it can be exploited in your environment, from where an attacker actually stands, with the controls you actually have in place — that is a separate question. Most platforms answer it with a probability. We answer it with a probe.

The Gartner 2026 Market Guide for Adversarial Exposure Validation names this gap explicitly. We built the platform around it.

Pipeline

Detection is the start. Validation is six stages further.

  1. Detection

    A scanner produces a candidate finding. By itself, this is signal — not proof.

    any of the 49 engines
  2. Corroboration

    Cross-engine agreement raises confidence. Single-engine detections move into the validation queue; uncorroborated noise dies here.

    corroboration scorer · multi-engine vote
  3. Adversarial probing

    Where safe, the platform runs an adversarial probe that demonstrates exploitability. Production-safe modes are the default.

    BAS engine · safety policy · payload library
  4. LLM triage

    Replication evidence is reviewed by an LLM agent against a curated context. Findings that fail the triage check stay in Validating until human review.

    on-prem LLM · evidence agent
  5. State transition

    Validated · Validating · Theoretical · Suppressed — each finding lands in exactly one state, with the evidence that justifies it.

    state machine · audit trail
  6. Re-validation

    When a fix ships and the ticket closes, validation re-runs automatically. Regression flips the state back and reopens the ticket.

    re-validation triggers · regression detector

State machine

Every finding lands in exactly one of four states.

Validated

Proven exploitable. Reaches the queue.

Corroborated by multiple engines, adversarial probe successful, evidence captured. This is the only state that pages the on-call.

Validating

In active probing. Held until proven.

Initial detection passed corroboration; adversarial probe is running. Analysts can claim; the on-call is not paged from this state.

Theoretical

Real, but not exploitable from here.

The finding exists but reachability is blocked or the BAS probe is not safe to run. Tracked, never paged on its own. Status flips automatically if reachability changes.

Suppressed

Accepted, scoped-out, or known pattern.

Analyst suppression with reason, or rule-based auto-suppress. Default expiry 90 days; review on rule change. Fully audit-logged.
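
The four states and the suppression rules above, written out as an added example; this is not the platform's own code. The field names, the two-engine threshold for "multiple engines" and the order in which the checks run are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

DEFAULT_EXPIRY = timedelta(days=90)  # default suppression expiry stated on the page

class State(Enum):
    VALIDATED = "Validated"
    VALIDATING = "Validating"
    THEORETICAL = "Theoretical"
    SUPPRESSED = "Suppressed"

@dataclass
class Suppression:
    actor: str
    reason: str
    created: datetime
    ttl: timedelta = DEFAULT_EXPIRY

    def __post_init__(self):
        if not self.reason.strip():  # every suppression requires a reason
            raise ValueError("suppression requires a reason")

    def active(self, now: datetime) -> bool:
        return now < self.created + self.ttl

@dataclass
class Finding:  # hypothetical record; field names are assumptions
    engines: frozenset             # engines that reported the finding
    reachable: bool                # reachable from where the attacker stands
    probe_safe: bool               # safety policy allows the adversarial probe
    probe_succeeded: bool = False  # False also covers "probe still running"
    triage_passed: bool = False    # evidence accepted by triage or human review
    suppression: Optional[Suppression] = None

def classify(f: Finding, now: datetime) -> tuple:
    """Return (state, justification). The check order is an assumption of this example."""
    s = f.suppression
    if s and s.active(now):
        return State.SUPPRESSED, f"{s.actor}: {s.reason} (expires {s.created + s.ttl:%Y-%m-%d})"
    if not f.reachable or not f.probe_safe:
        return State.THEORETICAL, "reachability blocked or probe not safe to run"
    if len(f.engines) >= 2 and f.probe_succeeded and f.triage_passed:
        return State.VALIDATED, f"corroborated by {len(f.engines)} engines, probe succeeded"
    return State.VALIDATING, "awaiting corroboration, probe result or triage"

def pages_on_call(state: State) -> bool:
    return state is State.VALIDATED  # the only state that pages
```

Calling classify again after a fix ships, a suppression expires or reachability changes yields the new state, which is how a regression would surface in this model.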

Governance

Suppression that an auditor can read.

Suppression is the most-misused state in any vulnerability platform. We treat it as a first-class governance event: every suppression requires a reason, defaults to a 90-day expiry, and is reviewed when the underlying rule changes.

The audit log captures who suppressed what, when, why, and for how long. When a finding's status transitions because of suppression — or back from it — that transition is part of the evidence record on the finding itself.

Default expiry: 90 days
Reason: Required · taxonomy
Audit trail: Per-finding · per-actor

Bring a target. Watch it get validated.

We'll run validation against an asset you own and show you the evidence chain end-to-end.
