Continuous Threat Exposure Management (CTEM) has moved well past buzzword status. We’ve talked about this before.

It’s true that in recent years, Gartner has been making grand predictions about its benefits: organizations prioritizing CTEM investments will suffer two-thirds fewer breaches by 2026… Well, we’re now in 2026 and, in reality, SOC teams are still facing the same dilemma: more exposure data than they can act on, and no reliable way to decide what actually matters.

96% of security teams face challenges trying to validate whether their security risks are exploitable, while 2 in 3 state that they don’t have a consolidated view of their cyber risk exposure.

- Filigran-commissioned third-party market survey on exposure validation

It’s pretty clear now that to actually benefit from CTEM, organizations need to first make better use of their cyber threat intelligence. It is not just about better asset or vulnerability management, or about dealing with a single CTI provider, but about unifying the signals to build a complete picture of your threat landscape. This article dives into the two CTEM phases where that gap is most costly and most fixable: Prioritization and Validation.

The CTEM Cycle: Five Phases, One Continuous Loop

If you are reading this, you probably already know that CTEM is the Gartner-defined 5-phase process by which organizations continually and consistently evaluate the accessibility, exposure and exploitability of their digital and physical assets. As a quick reminder:

  • Scoping defines which assets matter to the business and are included in the scope of a specific CTEM program.
  • Discovery builds the picture of what's exposed to potential attacks.
  • Prioritization cuts through the noise to surface what must be tested, validated and fixed first.
  • Validation proves whether your controls would actually stop an attacker.
  • Mobilization turns findings into action across security and IT teams.

The key point here is that the cycle isn't linear: it's a continuous loop, with each phase depending on the one before it.

All five phases depend, to varying degrees, on threat intelligence being present and structured. Without it, CTEM remains a conceptual buzzword for a glorified “vulnerability scan”. With it, it becomes a genuine and practical risk reduction program.

This is where the concept of Threat-Informed Defense comes in: the output of intelligence directly and continuously feeds the input of validation. This can be done with threat management tools such as Filigran's eXtended Threat Management (XTM) platform, which combines Cyber Threat Intelligence (CTI) and Adversarial Exposure Validation (AEV) capabilities.

Let’s take a look at what this actually looks like in practice.

Scoping and Discovery: Getting the Foundation Right

These early phases are where many CTEM programs go wrong - either scoping too broadly (everything is critical) or too narrowly (only perimeter assets).

Effective scoping means aligning on which business processes, assets, and data are most critical, and which adversaries are realistically likely to target them. A financial services firm and a healthcare provider face very different threat landscapes, and their CTEM programs should reflect that.

Then follows discovery: an inventory of exposed assets, misconfigurations, vulnerabilities, and potential attack paths. Threat intelligence enriches this step significantly.

Knowing that a given CVE is being actively exploited by a ransomware group targeting your sector changes how you treat that finding in the next phase. Let's take a look.

Prioritization: Where Threat Intelligence Earns Its Place

Prioritization is where CTEM delivers value.

The average enterprise has tens of thousands of vulnerabilities open at any given time: In 2024 alone, over 40,000 new CVEs were disclosed. Clearly, no team can fix all of them. The question isn't "what is vulnerable?" but "what can actually hurt us, given who is targeting us right now?"

That question can only be answered with contextual threat intelligence. But data shows most teams can’t do so properly.

On average, 42% of SOC teams’ time is spent investigating potential risks that later prove to be low priority or not exploitable*. That’s nearly half of all analyst hours, burned on noise. At the same time, 96% of those same teams believe that prioritization makes them more effective at detecting and responding to threats*.

This means that there is near-universal consensus that prioritization is the key enabler of effective threat response, yet teams are still wasting close to half their operational capacity on risks that don't matter.

That is the prioritization gap, and it is arguably the highest-ROI problem in CTEM to solve: every percentage point wasted on irrelevant investigation time translates directly into slower response to real threats.

Effective prioritization combines three factors:

  1. Asset criticality → what matters to the business?
  2. Exploitability → can this realistically be attacked? What are the Tactics, Techniques and Procedures (TTPs) attackers are most likely to use?
  3. Adversary relevance → are the threat actors targeting our sector actually using any of these TTPs?

But to score those, you need structured, curated intelligence - not just a CVSS score: a CVSS 9.8 vulnerability that no relevant threat actor is exploiting is a very different problem from a CVSS 7 finding that appears in three recent campaigns targeting your sector.

This structure means mapping exposed assets to known threat actor campaigns, cross-referencing CVEs against active exploitation data, and understanding which ATT&CK techniques are showing up in recent incidents within your industry and/or region.

Priority Intelligence Requirements in OpenCTI

One of the most practical ways to operationalize this in a tool setting is through Priority Intelligence Requirements (PIRs): structured questions your organization needs threat intelligence to answer, based on your actual business risks (as defined in the scoping phase) and threat landscape.

For example, in OpenCTI, the SOC or CTI team can define these requirements formally within the platform, and then continuously measure whether incoming intelligence is answering them. Rather than drowning in feeds and reports, PIRs give the team a framework:

  • here is what we need to know,
  • here is what we are watching for,
  • and here is what the intelligence tells us right now.

For example, a PIR might be: "Which ransomware groups are currently targeting manufacturing organizations in Europe, and what initial access techniques are they using?" OpenCTI structures the incoming intelligence - from ISACs, commercial feeds, open-source reports - against that requirement, surfaces the relevant threat actors, maps their TTPs to MITRE ATT&CK, and allows the team to pivot from actor to technique to CVE to affected asset.
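To make the three prioritization factors above and the actor-to-technique-to-CVE-to-asset pivot concrete, here is an added illustrative Python example; it is not OpenCTI code or the platform's own scoring, and every report, group name, CVE id and asset in it is constructed. It answers a sector/region PIR from structured reports, then scores each discovery finding by asset criticality × exploitability × adversary relevance, so the CVSS 7 finding seen in three relevant campaigns outranks the unexploited CVSS 9.8.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    """One structured intel report: actor -> sector/region -> techniques -> CVEs."""
    actor: str
    sector: str
    region: str
    techniques: frozenset
    cves: frozenset

@dataclass(frozen=True)
class Finding:
    """One exposure from discovery; criticality (1-3) is set in the scoping phase."""
    cve: str
    asset: str
    criticality: int
    cvss: float
    exploited_in_wild: bool  # e.g. listed in an active-exploitation catalogue

# Constructed sample data, not real reporting; CVE ids and group names are placeholders.
REPORTS = [
    Report("Ransomware-Group-1", "manufacturing", "europe", frozenset({"T1190"}), frozenset({"CVE-0000-0002"})),
    Report("Ransomware-Group-1", "manufacturing", "europe", frozenset({"T1566.001"}), frozenset({"CVE-0000-0002"})),
    Report("Ransomware-Group-2", "manufacturing", "europe", frozenset({"T1190"}), frozenset({"CVE-0000-0002"})),
    Report("Espionage-Group-3", "government", "asia", frozenset({"T1133"}), frozenset({"CVE-0000-0001"})),
]
FINDINGS = [
    Finding("CVE-0000-0001", "hr-portal", 1, 9.8, False),   # CVSS 9.8, used only by an irrelevant actor
    Finding("CVE-0000-0002", "erp-gateway", 3, 7.0, True),  # CVSS 7.0, seen in three relevant campaigns
    Finding("CVE-0000-0003", "test-vm", 2, 8.1, True),      # exploited in the wild, but by nobody targeting us
]

def answer_pir(reports, sector, region):
    """PIR: which actors target this sector in this region, and which ATT&CK techniques do they use?"""
    relevant = [r for r in reports if r.sector == sector and r.region == region]
    actors = {}
    for r in relevant:
        actors.setdefault(r.actor, set()).update(r.techniques)
    return actors, relevant

def prioritize(findings, reports, sector, region):
    """Rank findings by criticality x exploitability x adversary relevance, not by CVSS alone."""
    _, relevant = answer_pir(reports, sector, region)
    ranked = []
    for f in findings:
        campaigns = sum(1 for r in relevant if f.cve in r.cves)  # adversary relevance
        exploitability = 2 if f.exploited_in_wild else 1
        score = f.criticality * exploitability * (1 + campaigns)
        ranked.append((score, f.cve, f.asset, campaigns))
    return sorted(ranked, reverse=True)
```

Calling `prioritize(FINDINGS, REPORTS, "manufacturing", "europe")` returns the ERP gateway finding first (score 24) and the CVSS 9.8 HR portal finding last (score 1).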

Example Priority Intelligence Requirements page in OpenCTI showing Ransomware targeting the North American Financial industry.

For practitioners: this means prioritization stops being a weekly spreadsheet exercise and becomes a continuously updated view of what matters most, grounded in evidence and with much richer context.

For CISOs and security leaders: it means prioritization decisions can be explained in terms of specific adversary behavior, so that it is clear why a particular exposure sits at the top of the risk list, rather than just pointing at a CVSS or risk score.

Validation: Proving Your Controls Work Against Real Threats. Continuously.

Prioritization tells you what to focus on. Great. But what if an adversary actually tried to exploit this exposure: Would your current security tools be able to detect it? Would you stop it?

Most organizations assume the answer is yes. The data says otherwise.

Fewer than 4 in 10 organizations have achieved continuous, automated, intelligence-driven validation*, and 14.5% use threat intelligence only selectively, occasionally, or not at all in their validation workflows*.

This makes validation the bottleneck between knowing about a risk and knowing it matters. And fixing that bottleneck requires the same ingredient that fixes prioritization: threat intelligence, properly integrated into breach and attack simulations.

Think about it: Security controls that worked yesterday may not work today. Detection rules develop blind spots. Configuration drift opens gaps that weren't there six months ago. The only way to know whether your defenses hold is to test them continuously - not in an annual penetration test or one-off exercises, but as a regular operational discipline. Running a generic phishing simulation or firing random MITRE ATT&CK techniques at your environment will tell you little.

What actually matters is whether your controls can stop the specific techniques being used by the adversaries who are targeting you right now. That requires the validation process to be driven by the same intelligence that drove your prioritization.

The handoff from threat intelligence to validation is critical.

Custom dashboard in OpenCTI

Intel-Driven Validation with OpenCTI and OpenAEV

Traditionally, threat intelligence and security validation/testing tools are handled by different security teams. The CTEM framework brings them closer: for proactive security, once you have identified and prioritized a potential threat, you want to test it immediately to see whether your security controls would stop that attack, and if not, take remedial action. In Filigran’s case, this is where the integration between OpenCTI and OpenAEV becomes practically significant.

  • OpenCTI surfaces the threat landscape (which actors are active, which techniques they use, which vulnerabilities they're exploiting).
  • OpenAEV takes that intelligence and turns it into adversary-aligned, realistic attack simulations that run against your actual environment.

The workflow is direct: an analyst identifies a relevant threat context (a new incident report, a new attack campaign, …) in OpenCTI, maps it to specific ATT&CK techniques and known indicators (if not already provided), and pushes that context into OpenAEV to build a simulation scenario. OpenAEV then executes the attack sequence - safely, in production or in a controlled environment - and measures whether your EDR detected it, whether your SIEM fired an alert, and whether your firewall blocked the lateral movement.

Custom dashboard in OpenAEV

The result is evidence-based, not theoretical: "We emulated the initial access technique used by this threat actor, with a specific payload. Our EDR missed it. Here is the specific detection rule that needs to be tuned. We retested after the fix. It now blocks and alerts within eight minutes."

That kind of outcome - from named threat actor to validated control gap to confirmed remediation - is what separates a mature CTEM program from an expensive vulnerability management exercise.

Mobilization: Closing the Loop

The phases discussed above only create value if they drive action.

Mobilization is about getting the right information to the right teams fast enough to matter - structured remediation guidance, clear ownership, and workflows that connect security findings to the IT and engineering teams responsible for fixing them.

Intelligence matters here too: remediation should be sequenced by adversary relevance, not just severity. The gap a currently-active threat actor could exploit next week should move faster than a theoretical exposure nobody has touched in two years.

CTEM as the Foundation of Threat-Informed Defense

When executed well, CTEM leverages proactive threat intelligence to identify early warning signs of emerging threats and vulnerabilities, improving your ability to take strategic decisions and reduce overall cyber risks.

Every prioritization decision is grounded in adversary behavior. Every validation exercise reflects real-world attack techniques. Every remediation action is sequenced by what matters most to the actual threats your organization faces.

This is what is meant by threat-informed defense: a way of running security where intelligence continuously shapes your priorities, your testing, and your investments.

The gap between "we know about this threat" and "we have proven we can stop it" is where most security programs fall short.

Closing that gap - continuously, with threat-led evidence - is what CTEM, done right, actually delivers.

Interested in testing the XTM platform in your own environment? Click here.


About Filigran

Filigran, founded in France in 2022, stands out in the cybersecurity landscape with its unique open-source, threat-informed approach to Continuous Threat Exposure Management (CTEM). Filigran’s eXtended Threat Management (XTM) platform delivers proactive security by combining threat intelligence, exposure validation, and cyber risk quantification - underpinned by an agentic foundation. The platform includes:

  • OpenCTI: structures and operationalizes holistic threat intelligence across technical, operational, and strategic levels, enabling security teams to contextualize attacks and act proactively.
  • OpenAEV: helps prioritize critical vulnerabilities and strengthen organizational security posture through advanced attack simulations, resilience testing, and crisis management exercises.
  • OpenGRC (forthcoming): oversees compliance assessments and tracks dynamic risk metrics to manage investments based on individual threat profile and security capabilities.

For more information, visit filigran.io

Jean-Philippe Salles — Head of Product at Filigran
This article is a contributed piece from one of our valued partners.