
Understanding the 5 Stages of the CTEM Framework

June 4, 2025

What is the CTEM Framework?

Continuous Threat Exposure Management (CTEM) is a 5-stage framework for continuously reducing an organization's attack surface. It enables organizations to proactively identify the exposures with the highest potential impact on business operations and to assess whether mitigation efforts are actually reducing that exposure.

Is your organization prepared for a potential attack? If not, can you trace the underlying cause of a breach when it happens? Is it an unsecured third-party API or a misconfigured AWS S3 bucket? 

This article will cover all 5 stages of the CTEM framework in detail, including actionable steps and considerations.

Getting Started

Before diving into the five stages of the CTEM framework, it’s important to lay the groundwork for success. Start by aligning stakeholders across security, IT, and business units to ensure there’s a shared understanding of why continuous threat exposure management matters, and how it differs from traditional vulnerability management.

Remember to clarify your objectives: Are you looking to reduce risk across your entire environment, validate existing controls, or improve incident response readiness? Take stock of your current tools, data sources, and visibility gaps, and consider how CTEM can complement or enhance your existing security strategy.

Establishing this context beforehand will help you approach the framework with purpose and maximize its impact across your organization.

The 5 Stages of the CTEM Framework

Scoping

The first step in the CTEM framework is to define the attack surface and identify all assets within the organization. These assets might include: 

  • Customer databases
  • Source code repositories
  • ERP systems
  • Domain controllers
  • Data warehouses 
  • API gateways

Security leaders must assess the potential outcomes if any critical asset is compromised. That starts with mapping each asset to its business function, owner, classification, and level of risk exposure. But you cannot protect what you haven't yet discovered, or control who has access to it. Research from the 2024 Verizon Data Breach Investigations Report found that nearly 40% of data breaches involved privileged accounts.

A comprehensive cyber risk assessment should be conducted to define all business-critical assets and assign stakeholders based on ownership, operational impact, and responsibilities.  

Assets must be tied to ownership to ensure accountability and prevent unauthorized access, which is the initial attack vector of many breaches.  

Here are a few key questions to address during the scoping stage:

  • How many admins have excessive privileges in cloud environments?
  • How is asset classification managed?
  • What is the current asset inventory, and how is it maintained?
  • What critical assets are externally exposed?
  • What segmentation controls are in place? 
  • Is least privilege access being enforced across the organization, and to all known third parties?

This is the time to map all of your assets and their interdependencies.

Discovery 

The next stage of CTEM is discovery, where the exposure of the in-scope assets identified during scoping is analyzed in more depth, together with the threats that could reach them.

For example, if an Active Directory (AD) domain controller is compromised, an attacker can manipulate AD-integrated DNS records, move across environments with stolen or forged Kerberos tickets, and disable security controls. And because Active Directory is deployed in over 90% of enterprises, it is a prime target: ransomware operators use it for reconnaissance and as an entry path into an organization's critical infrastructure.

That’s only one business-critical asset at risk. 

[Figure: Business Assets Threats]

A large-scale enterprise might have hundreds or even thousands of critical assets with varying levels of exposure and business impact. Without proper visibility, security teams cannot properly assess which assets are at the highest risk and who has access to them. 

This is exceptionally challenging for CISOs. A study found that 76% of CISOs reported being overwhelmed by the increasing volume of cyber threats detected from a growing number of tools on an increasing number of assets. 

The number of potentially exposed assets grows even further when you factor in third parties' asset inventories and their data-sharing arrangements with other entities you may not even know about. As you might imagine, this creates many blind spots and inherited security risks that are virtually impossible to quantify, let alone detect.

The discovery stage is an ideal time to reevaluate third parties, reassess their shared responsibilities, and reopen SLAs to ensure they reflect your current risk tolerance. 

Prioritization 

The prioritization stage focuses on the exposure of critical assets and the overall business impact.

A broken access control on a system holding sensitive data carries more weight and priority than an outdated library with no exploit path to critical assets. Mitigation effort is therefore better spent on high-risk exposures that directly affect business operations.

Exposures must be ranked by severity and by the business impact of the assets they put at risk; otherwise there is no meaningful way to prioritize remediation. Keeping pace with the sheer volume of newly published vulnerabilities makes this harder still.

Which Identified Threats Should You Prioritize? 

In 2024, a record-breaking 40,009 CVEs were published, and the mean time to remediate (MTTR) a critical-severity web application vulnerability was 35 days.

Context is key, but generic context is not enough: each attack surface is different, and each organization defines its critical assets differently.

Without prioritization, there is simply no effective method to track the volume of growing CVEs or distinguish the high-risk priorities from all the noise. This becomes a real bottleneck for security teams or CISOs attempting to translate risk into quantifiable business-related decisions. 

Traditional scoring systems give you either technical severity (the Common Vulnerability Scoring System, CVSS) or the probability that a vulnerability will be exploited in the wild (the Exploit Prediction Scoring System, EPSS). Both are useful inputs, but neither carries the business context needed to estimate the monetary loss an exploit would cause in your environment.

[Figure: Mitigation Success Trend]

Rather than assigning scores of 0-10 based on risk severity, a more feasible approach when prioritizing vulnerabilities is to connect remediation efforts with the potential business impact in dollars. Prioritization becomes clearer with CTEM because mitigation efforts are directly attributed to real business outcomes rather than assigning vulnerability scores. Not every vulnerability is worth remediating (at least not immediately). CTEM enables organizations to identify the high-risk ones that could lead to significant financial losses and operational disruption. 
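As an added illustration of the point above (this is example code written for this article, not CYE's risk model and not how Hyver computes anything), the following Python ranks a constructed set of three findings two ways: by CVSS alone, and by expected loss in dollars, where expected loss is EPSS-derived likelihood multiplied by an assumed asset value. The discount factors for internal-only exposures and for findings with no onward attack path, the asset values, and the findings themselves are all assumptions chosen to show why the two orderings differ.

```python
"""Risk-based prioritization of exposures by expected loss.

Added illustrative example (not CYE's model or Hyver's scoring). It ranks a
constructed set of findings by CVSS alone and by expected loss in dollars.
The weighting factors and asset values are assumptions, not calibrated data.
"""
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    asset: str
    cvss: float              # technical severity, 0-10
    epss: float              # EPSS: probability of exploitation in the wild, 0-1
    asset_value_usd: float   # assumed loss if the asset is compromised
    externally_exposed: bool # reachable from the internet?
    has_attack_path: bool    # does exploitation actually reach the named asset?


# Assumed discount factors. EPSS describes exploitation of the vulnerability in
# general; reachability from the attacker's position and an onward path to the
# asset decide whether that exploitation matters to *this* organization.
INTERNAL_ONLY_FACTOR = 0.3
NO_PATH_FACTOR = 0.05


def likelihood(e: Exposure) -> float:
    """Probability that this exposure leads to a loss of the named asset."""
    p = e.epss
    if not e.externally_exposed:
        p *= INTERNAL_ONLY_FACTOR
    if not e.has_attack_path:
        p *= NO_PATH_FACTOR
    return p


def expected_loss_usd(e: Exposure) -> float:
    """Expected loss = likelihood x impact in dollars."""
    return likelihood(e) * e.asset_value_usd


def rank_by_cvss(exposures):
    """Names ordered by raw CVSS score, highest first (the traditional view)."""
    return [e.name for e in sorted(exposures, key=lambda e: e.cvss, reverse=True)]


def rank_by_expected_loss(exposures):
    """Names ordered by expected loss in dollars, highest first (the CTEM view)."""
    return [e.name for e in sorted(exposures, key=expected_loss_usd, reverse=True)]


# Constructed sample findings; every number here is an illustrative assumption.
SAMPLE = [
    Exposure("Broken access control on customer portal", "Customer database",
             cvss=7.5, epss=0.20, asset_value_usd=5_000_000,
             externally_exposed=True, has_attack_path=True),
    Exposure("Outdated logging library in build agent", "CI build agent",
             cvss=9.8, epss=0.60, asset_value_usd=50_000,
             externally_exposed=False, has_attack_path=False),
    Exposure("Unpatched domain controller", "Domain controller",
             cvss=8.8, epss=0.90, asset_value_usd=10_000_000,
             externally_exposed=False, has_attack_path=True),
]

if __name__ == "__main__":
    print("By CVSS:         ", rank_by_cvss(SAMPLE))
    print("By expected loss:", rank_by_expected_loss(SAMPLE))
    for e in sorted(SAMPLE, key=expected_loss_usd, reverse=True):
        print(f"  {e.name:45s} CVSS {e.cvss:4.1f}  expected loss ${expected_loss_usd(e):>12,.0f}")
```

By CVSS the CVSS 9.8 library sits at the top of the queue; by expected loss it drops to last, because it is neither reachable nor on a path to anything that matters, while the CVSS 8.8 domain controller, internal but with a path to the crown jewels, comes first. The specific factors are arbitrary; what matters is that likelihood and dollar impact, not severity alone, drive the ordering.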

Validation 

[Figure: Mitigation Graph]

The validation stage of CTEM focuses on how likely an attack is to succeed and whether your existing security controls are effective. It raises several key questions:

 Existing Security Controls Checklist 

  • What are the current attack paths attributed to the vulnerability in question?
  • What type of data is at risk if the vulnerability is exploited?
  • Are the existing security tools in place effective? 
  • Are there critical vulnerabilities in any internal systems and applications?
  • Which assets are currently at the highest risk of exposure?
  • How likely are adversaries to exploit this vulnerability based on current threat intelligence?
  • Is the threat intelligence accurate?
  • If an attacker succeeds in breaching us today, what is the immediate impact on our core operations, and is there a plan for containment? 

Finding the root cause can help prevent a potential breach. This includes understanding the sequence of events from initial compromise to full exploitation. 

For example, a misconfigured, publicly accessible S3 bucket may serve as the entry point of an attack. A few questions to consider in this scenario:

  • Do you know who has admin access?
  • Are specific access policies in place to limit who can read or write to the S3 bucket? 
  • Are encryption settings enabled for sensitive data stored in the S3 bucket?
  • Has the access control list (ACL) been reviewed, and are there any overly permissive settings?

In order to better visualize the attack from the adversary’s point of view, it’s highly recommended to perform red teaming exercises to simulate actual attacks, expose potential threats, and assess existing defenses. A study found that 81% of organizations reported that their security posture improved after conducting red team exercises. Certainly a worthwhile investment during the validation stage of CTEM.

Another highly effective method for tracing the root cause is applying the 5 Whys technique popularized by Toyota, which involves asking “Why?” five times in succession to uncover the underlying root cause of a problem. Toyota would halt assembly and production until the root cause of a defect or failure was fully understood and addressed.

Let’s use our compromised S3 bucket example and apply the Five Whys technique. 

The hypothetical sequence might look something like this: 

Why was the S3 bucket publicly accessible?

Because the permissions were not correctly set.

Why were the permissions incorrectly set?

Because there was no automated validation process to ensure proper configuration.

Why was there no automated validation process?

Because the configuration management tools used for deployment weren't integrated with S3 permission checks.

Why were the configuration management tools not integrated with permission checks?

Because there wasn’t any policy to enforce permission validation as part of the deployment phase.

Why was there no policy or requirement for permission validation?

Because security practices weren’t enforced during the development phase.
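The Five Whys above ends at a missing control: permission validation enforced as part of deployment. As an added example (written for this article, not CYE's code or part of Hyver), the following Python is a pre-deployment check that answers the S3 questions from the scenario above offline: it flags disabled Block Public Access settings, ACL grants to AllUsers or AuthenticatedUsers, Allow statements in the bucket policy with a wildcard principal and no Condition, and a missing default encryption rule. It operates on one dictionary per bucket shaped like the merged boto3 responses of GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and GetBucketEncryption; both sample buckets are constructed, and the bucket name, account ID, role ARN and canonical user ID are placeholders. Treating any Condition as sufficiently restrictive is a deliberate simplification.

```python
"""Pre-deployment exposure check for an S3 bucket configuration.

Added illustrative example, not CYE's code. Works offline on dictionaries
shaped like the merged boto3 responses of GetPublicAccessBlock, GetBucketAcl,
GetBucketPolicy and GetBucketEncryption. All sample data below is constructed.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the bucket passes."""
    findings = []

    # 1. Account/bucket-level Block Public Access: all four flags should be on.
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_BLOCK_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"Public Access Block: {flag} is not enabled")

    # 2. Legacy ACL grants to the two public group grantees.
    for grant in cfg.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")

    # 3. Bucket policy: Allow + wildcard principal + no Condition = public.
    policy = cfg.get("Policy")
    if isinstance(policy, str):  # GetBucketPolicy returns the document as a JSON string
        policy = json.loads(policy)
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        # Simplification: any Condition is treated as restricting. A fuller check
        # would inspect the condition keys (aws:SourceVpce, aws:PrincipalOrgID, ...).
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(
                f"Policy allows {stmt.get('Action')} to any principal (Sid {stmt.get('Sid', 'n/a')})")

    # 4. Default server-side encryption for data at rest.
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("No default server-side encryption rule configured")

    return findings


def deployment_gate(cfg: dict) -> bool:
    """Hook for the deployment pipeline: deploy only when there are no findings."""
    return not check_bucket(cfg)


# Constructed: the misconfigured bucket from the scenario above.
WEAK_BUCKET = {
    "PublicAccessBlockConfiguration": {flag: False for flag in PUBLIC_ACCESS_BLOCK_FLAGS},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-customer-exports/*"}],
    }),
    "ServerSideEncryptionConfiguration": {"Rules": []},
}

# Constructed: the same bucket after hardening (placeholder account/role/owner IDs).
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ExportReaderOnly", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-customer-exports/*"},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*",
             "Resource": ["arn:aws:s3:::example-customer-exports",
                          "arn:aws:s3:::example-customer-exports/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }),
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(f"{name}: gate={'PASS' if deployment_gate(cfg) else 'FAIL'}")
        for finding in check_bucket(cfg):
            print("  -", finding)
```

Wiring deployment_gate into the pipeline is what turns the last "why" into a control: a bucket that fails the gate never reaches production, which is the automated validation the hypothetical organization lacked. Against live buckets the same function runs unchanged on the merged boto3 responses.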

Now, take a step back to reevaluate the existing security controls and security measures. You may want to revoke excessive permissions in cloud environments, review access policies, patch critical vulnerabilities, and ensure the incident response plan is up-to-date. 

Combine the Five Whys with red teaming exercises and attack path visualization, and you have a powerful framework for turning threat intelligence into action, well beyond what any traditional vulnerability assessment or scoring system offers.

Mobilization 

The final stage of implementing a CTEM framework is mobilization, where remediation efforts are implemented to improve the organization’s security posture. Key stakeholders are looped into the process and assigned remediation tasks prioritized on business impact and risk exposure.

This is especially important for CISOs who must present findings to the board to demonstrate ROI on cybersecurity investments and communicate risk efficiently. Budget approval is often contingent on tangible business outcomes. Research showed that only 41% of board members believe cybersecurity budgets are appropriate. The study revealed that only 29% of CISOs said they have an adequate budget to achieve their security goals.

With business context attributed to each vulnerability, CISOs can clearly articulate the financial impact of a breach and ensure that remediation efforts are prioritized based on potential losses. We’ve also outlined a full guide on threat exposure metrics that CISOs can confidently present to the board to justify budget requests and cybersecurity spending. 

Securing the External Attack Surface with CYE

CYE’s Hyver platform visualizes exposure from threat sources to your critical business assets. 

[Figure: Risk Dashboard]

Hyver analyzes your threat exposure and identifies the most likely exploitable attack vectors targeting your most business-critical assets across the organization. Hyver determines the likelihood and cost of a breach in dollars to help you plan mitigation effectively. Discover which assets are at the highest risk. Quantify your organization’s threat exposure and protect what matters most. 

Want to learn more about how Hyver can evaluate your threat exposure? Contact us.

By Ziv Levi

Ziv is SVP Technology at CYE. He is an accomplished executive and seasoned cybersecurity professional with over 18 years in the field. Following his service in an elite cybersecurity unit in the IDF, he founded a cybersecurity startup and led it as CEO through its acquisition a few years later. He is deeply passionate about entrepreneurship, technology, and innovation, and earned his B.Sc. in Computer Science and Mathematics from the Hebrew University of Jerusalem.