What is Continuous Exposure Management, and the difference between CEM and CTEM? 

CTEM and CEM for vulnerability management

Continuous Threat Exposure Management (CTEM) is an evolution of vulnerability management and a five-step program for achieving long-term and sustainable cyber resilience. A CTEM cycle includes the stages of scoping, discovery, prioritizing, validation, and mobilization.

History and evolution of vulnerability management

Vulnerability management is the process of identifying, prioritizing, and mitigating vulnerabilities in computer systems and networks. It involves regularly scanning for vulnerabilities, analyzing their potential impacts, and taking steps to fix or mitigate them. This can include patching software, configuring systems to reduce the attack surface, and implementing other security measures.

The current problem security teams face is having to manage many different asset types, from code to cloud, each with its own equivalent reports.

The vulnerability reports associated with these assets are generally uncontextualized, and the sheer number of vulnerabilities leads to alert fatigue and exhaustion.

Why the evolution from vulnerability management to Continuous Threat Exposure Management

One of the major drivers behind this evolution has been the increasing complexity and interconnectedness of modern computer systems and networks. With the proliferation of cloud computing, internet of things (IoT) devices, and other emerging technologies, it has become more difficult to identify and mitigate vulnerabilities in a timely manner. CEM addresses this challenge by continuously scanning for vulnerabilities and taking a proactive approach to mitigating them.

Another factor has been the increasing frequency and sophistication of cyber threats. With the rise of advanced persistent threats (APTs) and other highly targeted attacks, organizations must proactively identify and mitigate vulnerabilities to prevent successful attacks. CEM/CTEM helps organizations do this by continuously monitoring for vulnerabilities and implementing measures to prevent or mitigate them.

What is CEM/CTEM, and how does it differ from vulnerability management? 

Vulnerability management identifies, prioritises, and remediates vulnerabilities in an organization’s systems and networks. It involves continuous monitoring and scanning systems to identify vulnerabilities and implement measures to mitigate or eliminate them. The goal of vulnerability management is to reduce the risk of cyber-attacks and other security breaches by ensuring that systems are as secure as possible.

CTEM, or Continuous Threat Exposure Management, is a related concept that involves identifying, assessing, and managing cyber threats and exposures that could potentially impact an organization. CTEM typically includes various activities, including threat intelligence gathering, risk assessment, and incident response planning. The goal of CTEM is to help organizations anticipate and respond to cyber threats in a timely and effective manner, to minimize the impact of those threats on the organization.

While vulnerability management and CTEM are related concepts, they differ in the specific focus of their activities. Vulnerability management is focused on identifying and mitigating vulnerabilities in systems and networks, while CTEM is focused on identifying and managing cyber threats and exposures.

CEM takes a more proactive approach to vulnerability management. Rather than simply reacting to vulnerabilities as they are discovered, CEM aims to monitor and assess an organization’s exposure to vulnerabilities continuously. This involves continuously scanning for vulnerabilities, analyzing their potential impacts, and implementing measures to prevent or mitigate them. CEM also involves ongoing communication and collaboration between different teams within an organization, such as security, IT, and development, to ensure that vulnerabilities are addressed promptly and effectively.

The key takeaways from the evolution of vulnerability management into CEM/CTEM

  • Improved security: By continuously monitoring and assessing an organization’s exposure to vulnerabilities, Continuous Threat Exposure Management can help to identify and mitigate vulnerabilities before attackers can exploit them. This can help to reduce the risk of successful attacks and improve an organization’s overall security posture.
  • Increased efficiency: Continuous Threat Exposure Management can help to streamline the process of identifying and mitigating vulnerabilities by continuously scanning for them and implementing measures to prevent or mitigate them. This can help to save time and resources that would otherwise be spent on manual vulnerability assessments and patching processes.
  • Enhanced collaboration: Continuous Threat Exposure Management involves ongoing communication and collaboration between different teams within an organization, such as security, IT, and development. This can help ensure that vulnerabilities are addressed promptly and effectively and can also improve overall organizational efficiency.
  • Greater visibility: Continuous Threat Exposure Management provides organizations with a continuous view of their exposure to vulnerabilities, which can help to inform decision-making and prioritize resources. To build a case on prioritization, you can refer to our latest whitepaper.

Which teams map to CEM

CTEM and CEM interact with threat and incident response for managing incidents and vulnerability remediation

The CTEM team works with the threat and security posture optimization team (boots on the ground) to drive remediation and fixes.

Threat detection and response interacts with the CTEM team to enrich vulnerability information and provide the latest trends on who is targeting which vulnerabilities.

The areas looked after by CTEM tend to span from code to cloud, including manual red team exercises and penetration tests.

What are the five steps that form the CEM and CTEM process?

In a recent article, Gartner described the process of CTEM and the evolution of traditional vulnerability management. 

Scoping Stage – The scope of the attack surface has grown beyond the typical focus of vulnerability management programs and needs to evolve to encompass an extended asset and attack surface, from code and software artefacts to cloud and infrastructure artefacts.

When scoping the software assets, consider the following: 

  • External attack surface – which assets are external
  • Internal attack surface – which assets are deployed where and how they are related to external assets
  • Software and deployable assets – software artefacts that are deployed across the infrastructure, cloud, container and more environmental assets
  • Third-party assets – which third party is connected to which asset

Discovery

Once the CTEM team has completed the scoping, it is essential to start analysing and discovering assets, consolidating the asset surface in one location. Asset risk posture is calculated at this stage. The more the assets are contextualized and mapped to the business and environmental contexts, the more precise the risk posture becomes.

Prioritization

The team that manages and drives vulnerabilities has the mission to help narrow down and focus on the 10% of vulnerabilities that are highly probable to be exploited and are internally exposed or interconnected to externally exposed systems. With business criticality context, the organization can narrow down the vulnerabilities that are more likely to get exploited. 

Validation and Triage

When validating a security vulnerability, the security team looks at contextual compensating controls and triages which vulnerabilities need to be treated first from the list of prioritized vulnerabilities.

Traditionally this process is the most painful and slow: the team takes up to 9h to triage and select which vulnerabilities to fix and when, while the average time a security team can dedicate to each engineering team varies between 48 min per week and 10 min in larger enterprises.

In practice, this means the security team spends its time on fewer applications in order to dedicate the required 9h to each. Automated triage aims to automate and speed up evidence collection and provide the security team with the fastest possible information.

Mobilization

The last but most important step is to mobilize and involve the various engineering teams to collaborate. In this step, security leaders must communicate and coordinate an approach to remediation with engineering teams. In this particular step it is critical that the CIO, CTO, and CISO agree on key metrics and remediation collaboration channels. Automated remediation helps speed up the process; nonetheless, the most effective programme uses a mix of communication and self-imposed targets by the various engineering teams. For more details on this, you can reference the latest whitepaper on SLA.

How can Phoenix security help from code to cloud assess and prioritize Cyber Security vulnerabilities? 

Scope & Aggregation – In this part of the process, you map the business functions that are in scope of the asset management and vulnerability management programme.

Diagnostic – aggregate, contextualize and understand who owns what and what the risk posture of the various applications and environments is.

  1. Aggregate and contextualize vulnerabilities: aggregate vulnerabilities from multiple sources, deduplicate, contextualize and consolidate the vulnerabilities and assets in a central place.
  2. Map the assets into business applications and environments, enabling you to trace who is maintaining which asset and to trace ownership.
  3. Prioritize and Contextualize – In this stage, you leverage contextual business elements like business criticality and environmental context like which asset is internal and which is external, and what mitigating controls are applied to which environment.

With this information, you are able to prioritize the vulnerabilities based on contextual elements.

Once the process is complete, you will be able to move into the action part, which is composed of

  1. Triage and set risk target – triaging the vulnerabilities that are contextualized enables the security team to automatically consider
    1. How exposed are assets
    2. Who is targeting specific vulnerabilities
    3. Who needs to act on vulnerability
    4. What is the probability of exploitation of the vulnerabilities

Setting risk targets – once the assets are contextualized and prioritized, it is possible to establish the baseline risk profile of the organization and move on to setting the desired risk level.

  2. Act on prioritized vulnerabilities – the final and most important step is to act on the vulnerabilities that matter most. It is important to deliver those vulnerabilities to the team that maintains the affected asset. Phoenix Security helps to trace who owns which assets and maintains dynamic asset registers.
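To make the Diagnostic and action stages described above concrete, here is an added Python illustration (not Phoenix Security's code or risk formula): it de-duplicates findings reported by several scanners, attaches each asset's business context, ranks the findings with an assumed contextual score, keeps the top share for triage and routes it to the owning team. The asset register, the findings, the placeholder CVE ids and the weighting factors are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed asset register (hypothetical data): business application, exposure,
# business criticality (1-5), owning team and compensating controls, as in the Diagnostic stage.
ASSETS = {
    "web-frontend":    {"app": "payments", "exposure": "external", "reachable": True, "criticality": 5, "owner": "team-web", "controls": []},
    "api-gateway":     {"app": "payments", "exposure": "internal", "reachable": True, "criticality": 5, "owner": "team-api", "controls": ["waf"]},
    "batch-reporting": {"app": "finance-reporting", "exposure": "internal", "reachable": False, "criticality": 2, "owner": "team-data", "controls": []},
}

# Constructed findings from several scanners; CVE ids are placeholders. The first two rows are
# the same finding reported by two tools, to show de-duplication.
FINDINGS = [
    {"source": "sast",  "asset": "web-frontend",    "cve": "CVE-EXAMPLE-0001", "cvss": 9.8,  "exploit_prob": 0.90},
    {"source": "dast",  "asset": "web-frontend",    "cve": "CVE-EXAMPLE-0001", "cvss": 9.8,  "exploit_prob": 0.90},
    {"source": "cloud", "asset": "api-gateway",     "cve": "CVE-EXAMPLE-0002", "cvss": 9.0,  "exploit_prob": 0.80},
    {"source": "cloud", "asset": "batch-reporting", "cve": "CVE-EXAMPLE-0003", "cvss": 10.0, "exploit_prob": 0.95},
    {"source": "sca",   "asset": "web-frontend",    "cve": "CVE-EXAMPLE-0004", "cvss": 5.3,  "exploit_prob": 0.05},
    {"source": "sca",   "asset": "batch-reporting", "cve": "CVE-EXAMPLE-0005", "cvss": 7.5,  "exploit_prob": 0.10},
]

def aggregate(findings):
    """Aggregate step: one record per (asset, CVE), remembering every scanner that reported it."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        if key not in merged:
            merged[key] = {**{k: v for k, v in f.items() if k != "source"}, "sources": set()}
        merged[key]["sources"].add(f["source"])
    return list(merged.values())

def contextual_score(finding, asset):
    """Assumed scoring model (not Phoenix's formula): severity x exploit probability x
    business criticality x exposure, discounted once per compensating control."""
    if asset["exposure"] == "external":
        exposure = 1.0   # directly on the external attack surface
    elif asset["reachable"]:
        exposure = 0.8   # internal but interconnected with an externally exposed asset
    else:
        exposure = 0.3   # internal and isolated
    controls = 0.7 ** len(asset["controls"])
    return (finding["cvss"] / 10) * finding["exploit_prob"] * (asset["criticality"] / 5) * exposure * controls

def prioritize(findings, assets):
    """Attach business context (application, owner) and rank by contextual score, highest first."""
    ranked = []
    for f in findings:
        a = assets[f["asset"]]
        ranked.append({**f, "app": a["app"], "owner": a["owner"], "score": contextual_score(f, a)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

def top_fraction(ranked, fraction=0.10):
    """Triage: keep the top share of the ranked list (the '10% that matter'), never fewer than one."""
    return ranked[: max(1, math.ceil(len(ranked) * fraction))]

def route_to_owners(ranked):
    """Mobilization: group the CVEs to act on by the team that maintains the asset."""
    by_owner = defaultdict(list)
    for r in ranked:
        by_owner[r["owner"]].append(r["cve"])
    return dict(by_owner)
```

Note how the CVSS 10.0 finding on the isolated, low-criticality batch asset ranks below a 9.0 on the reachable payments gateway: context, not raw severity, drives the order.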

Conclusions

Vulnerability management has evolved due to the modern and complex landscape. Vulnerability management teams are suffering from alert fatigue. A mature and effective process involves strategy, coordinating teams and agreeing collectively on objectives. 


How can Phoenix Security Platform help? 

Phoenix Security risk-based vulnerability management for application and cloud security

Technology is not the holy grail or answer to all the problems. Vulnerability management remains a people & culture, process, and technology problem. 

The Phoenix Security cloud platform can help automate, correlate and track maturity at scale and facilitate the enforcement of measurements.

Phoenix offers a way to scale triaging and prioritising vulnerabilities, removing the manual part of security analysis and enabling the security team to scale better, from a 1:10 to 1:40 ratio, react faster (from 290 days average resolution time to 30) and be more efficient in the time spent on each vulnerability. 

With a proven methodology adopted by more than 1000 Security professionals, Phoenix enables security engineers to communicate more effectively with the business in terms of risk and loss as well as automatically prioritise vulnerabilities for developers.

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
