What is CTEM?
CTEM, or Continuous Threat Exposure Management, is Gartner's framework for continuously finding and reducing your exposure to attack. It is a five-stage loop that runs all the time, not a once-a-year assessment: scope, discover, prioritize, validate, mobilize. Here is what each stage means, and how an external attack surface management platform runs the outside-in half of it for you.
CTEM is a continuous program, not a tool. Gartner introduced it to replace point-in-time testing with an always-on loop: keep an accurate picture of what you expose, rank exposures by what attackers can actually use, confirm the real ones, and drive the fix through whoever owns it, then do it again. Resensor operationalizes the external-facing half of that loop as a managed service, so you continuously discover internet-facing assets, prioritize with CISA KEV and FIRST EPSS, and mobilize remediation without stitching the pipeline together by hand.
The five stages of CTEM
CTEM is usually drawn as five stages that feed into one another and repeat on a cadence. The point of the loop is that exposure is a moving target: assets change, new CVEs get weaponized, and a clean report from last quarter says nothing about this week.
Scoping
Define which assets, domains, and business areas are in scope, framed around what would actually hurt if it were compromised, not just the IP ranges IT happens to track.
In Resensor: register the domains and cloud accounts that matter, tag assets by business unit, environment, and criticality, and scope monitoring to the org that owns them.
Discovery
Find the assets and exposures that actually exist inside that scope, including the unknown, shadow, and forgotten ones. Most breaches start on the asset nobody documented.
In Resensor: org-rooted enumeration continuously maps domains, subdomains, IPs, certificates, and services, plus exposures a CVE scan ignores: spoofable email (SPF, DKIM, DMARC), typosquatted lookalike domains, weak certs, and breached credentials.
Prioritization
Rank exposures by real-world exploitability, not raw CVSS. A long list sorted by severity buries the handful of things an attacker will reach for first.
In Resensor: findings are ranked with CISA KEV (known exploited vulnerabilities), FIRST EPSS (exploit prediction), and breach correlation, so what is being exploited now rises to the top.
Validation
Confirm an exposure is genuinely reachable and worth acting on, so teams spend effort on real risk instead of theoretical noise.
In Resensor: re-test any finding on demand to confirm it is still live, triage false positives, and track each exposure to closure. Resensor does not run active exploitation or breach-and-attack simulation, it pairs with a pentest or BAS tool when you need hands-on exploitation proof.
Mobilization
Get the validated exposures to the people and systems that can fix them, with enough context to act, and close the loop back to scoping.
In Resensor: new exposures fire to Slack, Teams, PagerDuty, your SIEM, or any webhook, with takedown packets for lookalike domains and board-ready PDF reports mapped to SOC 2, ISO 27001, and PCI DSS controls.
CTEM vs point-in-time assessment
| Dimension | Annual pentest / scan | CTEM program |
|---|---|---|
| Cadence | Point in time, often yearly | Continuous, looping on a regular cadence |
| Scope | Fixed list agreed up front | Kept current as the perimeter changes |
| Discovery | Tests the assets you named | Surfaces unknown and forgotten assets too |
| Prioritization | Severity or CVSS ranking | Real-world exploitability (KEV, EPSS, breach) |
| Outcome | A report you read once | Remediation driven back into the loop |
| Shelf life | Stale within weeks | Reflects exposure as it is right now |
How Resensor maps to CTEM
Resensor is an external attack surface management platform with evidence-based exposure validation, so it is strongest on the outside-in stages of CTEM. We would rather be precise about where it covers a stage end to end and where it does one part well, than claim the whole framework.
| CTEM stage | Coverage | What Resensor does |
|---|---|---|
| Scoping | Covered | Org and target management with business-unit, environment, and criticality tags |
| Discovery | Covered | Continuous org-rooted discovery of domains, subdomains, IPs, certs, services, email posture, typosquats, and breach exposure |
| Prioritization | Covered | CISA KEV, FIRST EPSS, and breach correlation, refreshed daily |
| Validation | Partial | On-demand re-test, false-positive triage, and tracking to closure. No active exploitation or BAS, pair with a pentest tool for hands-on exploitation proof |
| Mobilization | Covered | Alerts to Slack, Teams, PagerDuty, SIEM, and webhooks, plus takedown packets and compliance-mapped PDF reports |
Run the outside-in loop, automatically
A full CTEM program spans your internal estate as well as your perimeter, and most teams combine tools to cover it. Resensor owns the external attack surface: the internet-facing assets an attacker sees first, and the email, domain, certificate, and breach exposures that sit outside a CVE scan. It continuously scopes, discovers, prioritizes, confirms, and mobilizes that half of the loop, so the outside-in view is always current instead of being rebuilt by hand each quarter. Pair it with internal vulnerability management and, where you need hands-on exploitation proof, a pentest or breach-and-attack-simulation tool.
Stand up the external half of your CTEM loop
Add a domain and get a continuous, exploitability-ranked map of your external attack surface in minutes. No credit card to start.
Start freeCommon questions
What is CTEM (Continuous Threat Exposure Management)?
CTEM is a framework introduced by Gartner for continuously identifying and reducing an organization's exposure to attack. Rather than a once-a-year assessment, it runs as an ongoing five-stage loop, scoping, discovery, prioritization, validation, and mobilization, that keeps an accurate, exploitability-ranked view of what an attacker could reach and drives remediation on a continuous cadence.
What are the five stages of CTEM?
Scoping (decide which assets and business areas are in scope), discovery (find the assets and exposures that exist, including unknown ones), prioritization (rank by real-world exploitability rather than raw severity), validation (confirm an exposure is real and reachable), and mobilization (drive the fix through the people and tools that own it). The stages repeat on a cadence.
How is CTEM different from a penetration test or vulnerability scan?
A pentest or vulnerability scan is a point-in-time activity against a known scope. CTEM is a continuous program: it keeps the scope current as your perimeter changes, prioritizes by what attackers actually exploit, and feeds remediation back into the loop. Pentests and scans are tools that can sit inside a CTEM program, not replacements for it.
Does Resensor cover the validation stage of CTEM?
Partly, and we are upfront about it. Resensor confirms a discovered exposure is real and still live: you can re-test any finding on demand, triage false positives, and track each exposure to closure. It does not perform active exploitation or breach-and-attack simulation. For active exploitation that proves end-to-end exploitability, Resensor pairs with a pentest or BAS tool inside the same CTEM program.
How does Resensor fit into a CTEM program?
Resensor operationalizes the external-facing half of CTEM as an always-on service. It continuously scopes and discovers your internet-facing assets, prioritizes them with CISA KEV and FIRST EPSS, confirms exposures are live, and mobilizes remediation through Slack, Teams, PagerDuty, your SIEM, takedown packets, and board-ready reports, so your team is not running the outside-in loop by hand.