Whether you’re running security for one company or managing it across a whole book of clients as an MSSP, the problem tends to be the same.
Most teams can tell you what’s exposed. What’s harder is knowing what to do about it, in the right order, fast enough to matter.
Our CEO Dani Solis describes it this way: “The problem in cybersecurity was never that defenders lacked visibility. The problem was always the gap between knowing something and being able to act on it fast enough to matter.”
Gartner introduced Continuous Threat Exposure Management, CTEM, in 2022 to address exactly that. Here’s what it is, how it works, and how MTTRER – the metric we built to follow it – turns exposure management into something measurable.
What Is CTEM? The Gartner Definition of Continuous Threat Exposure Management
Gartner defines CTEM as a set of processes and capabilities that let enterprises “continually and consistently evaluate the accessibility, exposure, and exploitability” of their assets. [Gartner Hype Cycle for Security Operations, 2022]
Three words carry most of the meaning: continually, consistently, and exploitability.
Continually means the program doesn’t stop between review cycles. Attackers don’t pause for scheduled windows, so neither does CTEM.
Consistently means the same methodology applies across the whole attack surface, not just the systems your existing tools happen to cover. Cloud environments, shadow IT, third-party integrations, and externally exposed infrastructure all count.
Exploitability is where things get interesting. Most vulnerability management programs still rank findings by CVSS scores, which measure theoretical worst-case impact. CTEM asks which of these exposures an attacker could realistically use, in this environment, against these specific controls, right now. That’s a very different question.
CTEM is a continuous operating program built around five stages, not a product or platform.
The Five Stages of the CTEM Framework
Stage 1: Scoping
CTEM starts by deciding what gets looked at first.
Assessing everything at once isn’t realistic, so scoping narrows things down to the systems and assets that are most critical to the business and most likely to attract attacker attention. It gets revisited regularly, because the business keeps changing.
Stage 2: Attack Surface Discovery
Once scope is set, discovery maps what’s there.
Known assets, shadow IT, third-party connections, externally exposed infrastructure, supply chain components. The goal is understanding what’s reachable from outside, not just what’s in the asset register.
Stage 3: Vulnerability Prioritization
This is where CTEM and conventional vulnerability management really part ways.
Rather than working through a remediation backlog ordered by CVSS score, CTEM prioritizes by exploitability in context: how likely is this to be used by an attacker, in this specific environment, right now?
A medium-severity finding in a critical, internet-exposed system with active exploit code circulating outranks a high-severity finding in an isolated, air-gapped system. The score alone won’t show you that.
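To make the contrast concrete, here is a small added example (not code from the original article or from any product it mentions) that ranks the same findings two ways: by CVSS base score alone, and by a constructed contextual-exploitability score. The weights, field names and sample findings are assumptions chosen to illustrate the ordering the text describes; a real program would take reachability and exploit activity from its own validation tooling and threat intelligence.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One finding plus the environmental context CTEM prioritization needs.

    All fields beyond `cvss` are assumed inputs from discovery, validation
    and threat intelligence; the names are illustrative, not a standard.
    """
    finding_id: str
    cvss: float                # CVSS base score: theoretical worst-case impact
    asset_criticality: int     # 1 (low), 2 (important), 3 (business critical)
    internet_exposed: bool     # reachable from the public internet
    exploit_in_the_wild: bool  # exploit code circulating / active exploitation
    reachable: bool            # an attack path exists today (False for air-gapped)
    compensating_control: bool # an existing control already blocks the technique


# Constructed weights: they encode the article's argument (exposure, exploit
# activity and asset value matter more than the raw score), not a vendor model.
CRITICALITY_WEIGHT = {1: 0.5, 2: 1.0, 3: 2.0}
INTERNET_EXPOSED_WEIGHT = 1.5
EXPLOIT_IN_THE_WILD_WEIGHT = 2.0
COMPENSATING_CONTROL_WEIGHT = 0.5


def contextual_score(e: Exposure) -> float:
    """Exploitability in context: how usable is this exposure, here, right now?"""
    if not e.reachable:
        # No attack path today means no exploitable risk today; it still gets
        # tracked, but it should not sit at the top of the remediation queue.
        return 0.0
    score = e.cvss * CRITICALITY_WEIGHT[e.asset_criticality]
    if e.internet_exposed:
        score *= INTERNET_EXPOSED_WEIGHT
    if e.exploit_in_the_wild:
        score *= EXPLOIT_IN_THE_WILD_WEIGHT
    if e.compensating_control:
        score *= COMPENSATING_CONTROL_WEIGHT
    return score


def by_cvss(exposures: list[Exposure]) -> list[str]:
    """Traditional ordering: highest base score first."""
    return [e.finding_id for e in sorted(exposures, key=lambda e: e.cvss, reverse=True)]


def prioritize(exposures: list[Exposure]) -> list[str]:
    """CTEM ordering: highest contextual exploitability first."""
    return [e.finding_id for e in sorted(exposures, key=contextual_score, reverse=True)]


# Constructed sample findings mirroring the article's comparison.
SAMPLE_EXPOSURES = [
    # Medium severity, but internet-exposed, business critical, exploit circulating.
    Exposure("WEB-001", cvss=5.5, asset_criticality=3, internet_exposed=True,
             exploit_in_the_wild=True, reachable=True, compensating_control=False),
    # High severity on an isolated, air-gapped system: no attack path today.
    Exposure("OT-017", cvss=8.8, asset_criticality=2, internet_exposed=False,
             exploit_in_the_wild=False, reachable=False, compensating_control=False),
    # High severity, internal only, already mitigated by an existing control.
    Exposure("HR-042", cvss=7.0, asset_criticality=2, internet_exposed=False,
             exploit_in_the_wild=False, reachable=True, compensating_control=True),
]

if __name__ == "__main__":
    print("By CVSS alone:      ", by_cvss(SAMPLE_EXPOSURES))
    print("By context (CTEM):  ", prioritize(SAMPLE_EXPOSURES))
    for e in SAMPLE_EXPOSURES:
        print(f"  {e.finding_id}: cvss={e.cvss} contextual={contextual_score(e)}")
```

Run as a script, it shows the two queues in opposite order: the CVSS queue leads with the air-gapped 8.8, while the contextual queue leads with the exposed, actively exploited 5.5. The point is not the specific weights but that reachability and exploit activity are first-class inputs rather than footnotes on a severity score.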
Stage 4: Validation
Validation tests whether a prioritized exposure can be exploited in the current environment.
Breach and attack simulation (BAS) tooling, red team exercises, and automated attack path analysis are the standard approaches. The question being answered is whether an attacker could reach and exploit that exposure today, given what controls are in place.
Stage 5: Mobilization
Mobilization is where validated findings move from the security team to the rest of the organization.
That means IT operations, DevOps, cloud teams, application engineering, and whoever needs to sign off on the change window. It’s the remediation handoff, and it’s where most programs slow down. High-priority, validated risks can sit in change queues for weeks while the window stays open.
CTEM treats all five stages as a continuous cycle. Each pass sharpens prioritization and, when it’s working, shortens the time between discovery and risk reduction.

CTEM vs. Traditional Vulnerability Management
| Dimension | Traditional Vulnerability Management | CTEM |
|---|---|---|
| Cadence | Monthly or quarterly | Continuous |
| Coverage | Known assets, scanned inventory | Full attack surface including shadow IT and third parties |
| Prioritization | CVSS severity score | Contextual exploitability, business impact, threat intelligence |
| Validation | Rarely included | Built into the program |
| Remediation Tracking | Ticket-based | Mobilization is a defined program stage |
| Success Metric | Vulnerabilities patched | Exploitable risk reduced |
The Five Security Eras and Why MTTRER Comes Next
Security operations have evolved through five eras. Each one is defined by a single metric.
- Visibility – Coverage. Can you see your environment?
- Detection – MTTD. How quickly do you find threats?
- Response – MTTR. How quickly do you contain incidents?
- Exposure – CTEM. Can you reduce exploitable risk before incidents happen?
- Self-Defense – MTTRER. Can you measure how fast you’re reducing that risk?
Detection and response defined Eras 2 and 3. CTEM sits at Era 4, working upstream of both, focused on reducing exposures before they become incidents.
Gartner’s research on AI-driven threats (G00844051, December 2025) named it the velocity gap, describing how quickly the window between an attacker gaining access and reaching their objective is compressing.
Mandiant’s M-Trends 2026 report put AI-assisted attack hand-off at 22 seconds, and Sysdig’s February 2026 research clocked the full sequence from credential theft to admin access at eight minutes.
Enterprise change cycles still run in weeks, and faster detection alone doesn’t close that gap.
And regulators are responding to that same shift. NIS2, DORA, and SEC disclosure rules all require continuous risk management processes. Gartner’s 2026 trends report (G00840672) found 93% of board directors now link cybersecurity to shareholder value, and 98% expect cyber risk to grow or stay constant.
MTTRER: Mean Time to Reduce Exploitable Risk
To go one step further, we’ve developed MTTRER, Mean Time to Reduce Exploitable Risk, to measure how fast exploitable risk is being reduced. The clock starts when a validated exposure is found and stops when the risk is gone, not when a ticket is raised.
It’s a preemptive metric, and that’s what separates it from MTTR.
| | MTTR | MTTRER |
|---|---|---|
| What It Measures | Time to contain an active incident | Time to reduce a validated exposure |
| When It Applies | After compromise | Before compromise |
| Direction | Reactive | Preemptive |
| Inputs | Alert, triage, containment, recovery | Discovery, validation, remediation, verification |
MTTR measures how fast your team responded after an incident.
MTTRER goes further by measuring how fast you reduced the risk before one could materialize.
That’s why exposure management only becomes meaningful when exposure reduction becomes measurable.
MTTRER runs through five stages: Govern, Mitigate, Verify, Reduce, Measure. Together they track every step from identifying an exposure to closing it, so you can see exactly where the delay is.
And when teams do find that delay, it usually sits after discovery, in approvals, unclear ownership, or coordination gaps between teams.
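The following added example (not code from the original article or from the product it describes) shows how the metric defined above can be computed from exposure records: the clock starts at validation, stops at verified closure rather than at ticket creation, and the same timestamps are split into phases so the delay can be located. The record fields, phase names and sample dates are constructed assumptions; the article's own Govern/Mitigate/Verify/Reduce/Measure stages are a program model, not the field layout used here.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class ExposureRecord:
    """Timestamps for one validated exposure (field names are assumptions)."""
    exposure_id: str
    validated_at: datetime                   # clock starts: exposure confirmed exploitable
    ticket_opened_at: Optional[datetime]     # remediation handoff to the owning team
    fix_deployed_at: Optional[datetime]      # change applied
    verified_closed_at: Optional[datetime]   # clock stops: risk confirmed gone


def _days(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 86400


def time_to_reduce_days(r: ExposureRecord) -> Optional[float]:
    """Validated -> verified closed. None while the exposure is still open."""
    if r.verified_closed_at is None:
        return None
    return _days(r.validated_at, r.verified_closed_at)


def mttrer_report(records: list[ExposureRecord], as_of: datetime) -> dict:
    """Mean and median time to reduce exploitable risk, plus a per-phase breakdown.

    Only exposures with a verified closure contribute to the mean/median; open
    ones are counted separately with the age of the oldest, so a long tail of
    unclosed exposures cannot hide behind a good-looking average.
    """
    closed = [r for r in records if r.verified_closed_at is not None]
    still_open = [r for r in records if r.verified_closed_at is None]
    durations = [time_to_reduce_days(r) for r in closed]

    # Phase split (constructed names): where between validation and closure
    # does the time actually go? Closed records are assumed to carry all stamps.
    phases: dict[str, list[float]] = {
        "validated_to_ticket": [],  # approvals, ownership, coordination
        "ticket_to_fix": [],        # change window and engineering work
        "fix_to_verified": [],      # re-validation that the risk is really gone
    }
    for r in closed:
        phases["validated_to_ticket"].append(_days(r.validated_at, r.ticket_opened_at))
        phases["ticket_to_fix"].append(_days(r.ticket_opened_at, r.fix_deployed_at))
        phases["fix_to_verified"].append(_days(r.fix_deployed_at, r.verified_closed_at))
    phase_means = {name: mean(v) for name, v in phases.items() if v}

    return {
        "closed": len(closed),
        "open": len(still_open),
        "oldest_open_days": max((_days(r.validated_at, as_of) for r in still_open), default=0.0),
        "mttrer_mean_days": mean(durations) if durations else None,
        "mttrer_median_days": median(durations) if durations else None,
        "phase_mean_days": phase_means,
        "slowest_phase": max(phase_means, key=phase_means.get) if phase_means else None,
    }


# Constructed sample records; dates are illustrative only.
D = lambda s: datetime.fromisoformat(s)  # noqa: E731
SAMPLE_RECORDS = [
    ExposureRecord("EXP-1", D("2026-01-05"), D("2026-01-06"), D("2026-01-15"), D("2026-01-17")),
    ExposureRecord("EXP-2", D("2026-01-08"), D("2026-01-22"), D("2026-01-25"), D("2026-01-26")),
    ExposureRecord("EXP-3", D("2026-01-10"), D("2026-01-11"), D("2026-01-13"), D("2026-01-14")),
    ExposureRecord("EXP-4", D("2026-01-20"), D("2026-01-21"), None, None),  # still open
]
AS_OF = D("2026-02-01")

if __name__ == "__main__":
    report = mttrer_report(SAMPLE_RECORDS, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the median is 12 days while EXP-2 alone spent two weeks waiting for a ticket, so the slowest phase reported is the handoff before remediation even starts, which is the pattern the text describes. Reporting "validated to verified closed" rather than "validated to ticket raised" is what stops that wait from disappearing from the metric.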
CTEM for MSSPs: Continuous Exposure Management Across Client Portfolios
Managing Risk Across Multiple Client Environments
Managing security for 10 clients looks different from managing it for 40. As a portfolio grows, each client has its own attack surface, risk tolerance, and capacity to act on what you find. Running periodic scans and triaging results manually per client doesn’t hold up at scale. The economics break down before the headcount does.
CTEM changes what you’re delivering. An MSSP running CTEM gives each client a continuous view of their exploitable risk, prioritized for their environment and validated against their controls. That’s a completely different service from a monthly severity report, and it opens a different conversation about what you’re worth.
MTTRER as a New SLA Category
Most MSSP SLAs are built around detection: mean time to detect and mean time to respond. MTTRER opens up a different kind of commitment: how quickly can exploitable risk be reduced on a client’s behalf?
For clients under NIS2, DORA, or equivalent frameworks, that maps directly to their compliance requirements. Being able to report “your median MTTRER dropped from 18 days to six days this quarter” gives your client something concrete to bring into their own board and audit conversations. Not many MSSP competitors are in a position to offer that benchmark yet.
Analyst Efficiency and Service Capacity
The classic MSSP challenge is that more clients have always meant more analysts.
When prioritization is continuous and context-driven rather than manual and periodic, analysts spend their time on validated, high-priority exposures rather than working through scanner noise.
That shift changes the commercial model too. An analyst who isn’t triaging noise is an analyst who can take on more clients, go deeper on fewer escalations, and contribute to the kind of advisory conversations that justify stronger pricing. More clients, same team, without service quality taking a hit.
For more on how this integrates with automated exposure reduction, take a look here.
CTEM for Enterprise Security Teams: Exposure Management at Scale
Reporting Cyber Risk to the Board
As a CISO, you spend a lot of time translating technical findings into language that lands in the boardroom, and CVSS scores rarely make the cut. Patch completion rates don’t either, because they can’t tell a board whether the organization is measurably safer than six months ago.
MTTRER gives you something that does. “Our median time from exposure validation to risk reduction is 14 days, down from 31 last quarter” is the kind of language boards understand, and under NIS2, DORA, and SEC disclosure rules, it’s exactly the measurable risk management data regulators and auditors want to see.
For more on how this connects to a broader preemptive security strategy, see our full guide.
The Remediation Handoff: Where the Delay Sits
Security teams can identify and prioritize exposures, but fixing them rarely stays with the security team. IT operations, DevOps, cloud teams, and application engineering all have a part to play, and each needs time to act within its own processes and change windows.
MTTRER shows you where the delay is, whether that’s in approvals, unclear ownership, or coordination between teams, so you know exactly where to focus.
The Future of CTEM and Continuous Threat Exposure Management
Where Most Programs Stand Today
The first three stages of CTEM, scoping, discovery, and prioritization, are where most programs are strongest, with tooling that’s now widely available and well-understood. It’s stages 4 and 5, validation and mobilization, where things tend to slow down.
Validation still runs quarterly for many teams, and turning a validated exposure into a fix across multiple teams takes longer than it should. Gartner’s Tech FutureSight research (G00844759, December 2025) describes exactly that challenge: acting on what you’ve validated before attackers can exploit it.
What Continuous CTEM Requires
Running CTEM continuously means scoping, discovery, prioritization, and validation all need to keep going, not just kick off as quarterly projects. That takes clear ownership, connected workflows, and tooling that fits into what you already have.
Governance doesn’t go away either. Remediation still needs to move through change management, and that’s the right way for it to work. What tends to improve as programs mature is how quickly that process runs, and getting there takes longer than choosing the right tools.
From Activity Metrics to Outcome Metrics
Most CTEM programs start by measuring activity, tracking assets scanned, vulnerabilities found, and patches applied. Those numbers show what the program did. The question boards ask is whether the organization is measurably safer than it was six months ago.
That’s the shift Gartner’s 2026 trends research (G00840672) reflects. Board expectations around cyber risk reporting are rising, and under NIS2, DORA, and SEC rules, showing measurable risk reduction over time is increasingly what regulators expect. MTTRER is designed to show exactly that.
What a Mature CTEM Program Looks Like
A mature CTEM program looks different from a first-year one in specific, measurable ways.
- Scoping is dynamic. New environments, acquisitions, and third-party relationships get assessed as they appear
- Discovery is continuous. New assets and exposures are identified when they emerge
- Prioritization uses current threat intelligence, so exploitability scores reflect today’s landscape
- Validation runs frequently. High-frequency attack path simulation fills the gaps between red team exercises
- Mobilization has a target time. Validated, high-priority exposures have a defined window for risk reduction, and MTTRER tracks whether it’s being hit
- Outcomes reach leadership. Boards and clients see exposure reduction velocity over time, not just vulnerability counts
For MSSPs, this is what service differentiation looks like going forward.
And for enterprise security teams, it’s the foundation for board credibility and regulatory readiness.
To go deeper on how security automation supports this model, take a look at our guide to preemptive security, the case for moving beyond reactive SOC tools, and how NINA’s AI agents support continuous exposure reduction.