
Cybersecurity teams are often overwhelmed by an endless backlog of vulnerabilities, but not all of them are high risk. Traditional exposure management emphasizes identifying and prioritizing risks, but without validation, teams often spend time remediating issues that don’t even put critical assets at risk.
Dr. Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs, believes that exposure validation represents the missing piece in risk management. We talked to him about how organizations can move past theoretical risk assessments to create a more resilient approach to cybersecurity.
BN: How do organizations typically manage cybersecurity exposures?
SO: Exposure in cybersecurity means any vulnerability, misconfiguration, or security gap in an organization’s IT environment that a cybercriminal could exploit. These range from IoT assets, aging software and unpatched systems to weak encryption or misconfigured security controls. Attackers can slip through these cracks in an organization’s defenses to gain access to critical systems. Organizations that proactively address these exposures reduce the chances of suffering a breach.
To address these issues, security teams generally conduct exposure assessments, which include scanning for vulnerabilities, scoring them (for example, via CVSS), and then trying to prioritize remediation. However, as I often note, checking the right boxes (e.g., patching known bugs, deploying reputable security tools, and maintaining compliance dashboards) doesn’t necessarily mean you’re actually secure. A risk score or a compliance certificate only captures theoretical risk at a point in time. Attackers don’t care if your controls look impressive on paper; they care whether they can crack them in reality. This is the blind spot organizations miss when they rely solely on conventional exposure assessments.
BN: Why isn’t an exposure assessment alone enough to secure an organization’s network?
SO: Exposure assessments only tell part of a story. Organizations need to do more than find vulnerabilities. That’s where exposure validation comes in. Without it, exposure assessment is like diagnosing an illness but not verifying the treatment. You need both. A critical vulnerability might register a terrifying CVSS 9.8, but if it’s not actually exploitable in your environment, it might not be your biggest concern. Meanwhile, you could have a chain of moderate-severity bugs that, when combined, create a genuine path for threat actors.
Exposure validation is when organizations continue testing the vulnerabilities and other exposures they discovered to see if attackers can exploit them. It’s done through techniques like automated penetration testing and breach and attack simulation (BAS), which continuously test security controls by simulating real-world attacks to find misconfigurations and ensure that a company’s defenses are doing what they’re supposed to do.
Analyst firm Gartner calls this ‘adversarial exposure validation.’ By validating exposures, security teams can zero in on exploitable vulnerabilities rather than chasing issues that pose no real risk. This transforms security from guesswork based on ‘what-ifs’ into confident action plans driven by how well your controls hold up against actual threats.
BN: Can you give an example of how adversarial exposure validation makes a difference?
SO: Let’s say a financial services company runs an exposure assessment and finds over 1,000 vulnerabilities. Prioritizing them just by severity might suggest that most are ‘critical,’ and the team could spend months frantically patching everything. By simulating cyberattacks through adversarial exposure validation, the company learns that its next-generation firewalls, intrusion prevention systems, and web application firewalls protect against 90 percent of them. Instead of spending months remediating vulnerabilities that were low risk, the company can focus on addressing the remaining 100 actually exploitable vulnerabilities. This precision not only saves time and resources but also puts remediation efforts where they really matter.
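The ranking Özarslan describes (a blocked CVSS 9.8 falls down the list, while a chain of moderate bugs that actually reaches a critical asset rises to the top) can be made concrete as a small prioritization routine. The code below is an added example, not code from the interview or from Picus; the exposure ids, network zones, CVSS values and validation outcomes are all constructed sample data, and the zone graph, the `blocked` flag and the tiering in `prioritize()` are the example's own assumptions about how a validation result would be recorded.

```python
"""Rank exposures by validation result rather than raw CVSS score.

Constructed sample data and a constructed data model; not a vendor's API.
Each exposure is an edge in a zone graph: exploiting it moves an attacker
from `src` to `dst`. `blocked` records what a controlled attack simulation
(BAS / automated pen test) observed against the deployed controls.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Exposure:
    eid: str                 # placeholder id, deliberately not a real CVE number
    cvss: float              # theoretical severity from the exposure assessment
    src: str                 # zone an attacker must already hold to attempt it
    dst: str                 # zone gained if exploitation succeeds
    blocked: Optional[bool]  # True = control stopped it, False = it went through,
                             # None = not yet validated


# Constructed sample: the two highest CVSS scores are blocked by controls,
# while three moderate bugs chain all the way to the critical zone.
SAMPLE = [
    Exposure("EXP-001", 9.8, "internet", "dmz", blocked=True),
    Exposure("EXP-002", 5.3, "internet", "dmz", blocked=False),
    Exposure("EXP-003", 6.1, "dmz", "internal", blocked=False),
    Exposure("EXP-004", 5.0, "internal", "crown-jewels", blocked=False),
    Exposure("EXP-005", 9.1, "dmz", "crown-jewels", blocked=True),
    Exposure("EXP-006", 7.5, "internal", "crown-jewels", blocked=None),
]


def validation_summary(exposures: List[Exposure]) -> Dict[str, int]:
    """Count how the simulations turned out; the 'blocked' share is what the
    interview calls the portion of findings your controls already cover."""
    summary = {"blocked": 0, "exploitable": 0, "untested": 0}
    for e in exposures:
        key = "untested" if e.blocked is None else ("blocked" if e.blocked else "exploitable")
        summary[key] += 1
    return summary


def exploitable_paths(exposures: List[Exposure], entry: str, target: str) -> List[List[str]]:
    """Breadth-first search for chains of *validated-exploitable* exposures
    leading from `entry` to `target`. Blocked and untested exposures are not
    traversed, so a blocked CVSS 9.8 never contributes to a path."""
    edges = defaultdict(list)
    for e in exposures:
        if e.blocked is False:
            edges[e.src].append(e)
    paths: List[List[str]] = []
    queue = deque([(entry, [])])          # (current zone, chain of exposures so far)
    while queue:
        zone, chain = queue.popleft()
        if zone == target:
            paths.append([e.eid for e in chain])
            continue
        visited = {entry, *(c.dst for c in chain)}
        for e in edges[zone]:
            if e.dst not in visited:      # simple cycle guard
                queue.append((e.dst, chain + [e]))
    return paths


def prioritize(exposures: List[Exposure], entry: str = "internet",
               target: str = "crown-jewels") -> List[str]:
    """Order exposures into four tiers, CVSS descending within each tier:
    0: on a validated path to the critical zone (fix first)
    1: exploitable in isolation but not on such a path
    2: not yet validated (theoretical risk only)
    3: blocked by an existing control (lowest urgency, keep monitoring)"""
    on_path = {eid for p in exploitable_paths(exposures, entry, target) for eid in p}

    def rank(e: Exposure):
        if e.eid in on_path:
            tier = 0
        elif e.blocked is False:
            tier = 1
        elif e.blocked is None:
            tier = 2
        else:
            tier = 3
        return (tier, -e.cvss)

    return [e.eid for e in sorted(exposures, key=rank)]


if __name__ == "__main__":
    print(validation_summary(SAMPLE))
    print(exploitable_paths(SAMPLE, "internet", "crown-jewels"))
    print(prioritize(SAMPLE))
```

Run as a script, the sample puts EXP-003, EXP-002 and EXP-004 (the moderate chain that actually reaches the critical zone) ahead of the untested EXP-006, and pushes the blocked EXP-001 and EXP-005 to the bottom despite their 9.8 and 9.1 scores. In a real program the `blocked` field would be filled from the simulation tool's results and the zone graph from the asset inventory built in the discovery phase.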
BN: What is a Continuous Threat Exposure Management (CTEM) strategy, and how does adversarial exposure validation play into that?
SO: CTEM is a structured, ongoing approach designed to proactively discover, verify, and mitigate threats to minimize an organization’s cybersecurity exposure. It’s about establishing which vulnerabilities are exploitable and ranking them based on real-world threats.
As an important part of CTEM, adversarial exposure validation is the essential pivot from mere ‘risk scoring’ to actual ‘risk proving.’ By running continuous real-world attack simulations, you verify which threats matter so you can address them first. As a result, CTEM becomes not just about checking boxes but hardening your environment by focusing on the most critical threats.
BN: Can CTEM be used in different industries and business sizes?
SO: CTEM works really well for businesses of any size or industry. The main ideas — proactively monitoring for threats, focusing on the highest-risk threats to your company, and iterating to improve — apply to nearly any organization.
Whatever your business is — a startup establishing its digital presence or a large organization with an advanced IT ecosystem — CTEM can scale and adapt to your requirements.
CTEM is important for industries dealing with sensitive data, such as finance, healthcare, IT, and e-commerce. For businesses in regulated industries, CTEM is also an essential component of enhanced security and compliance requirements. Note that compliance is a baseline; validated exposure management ensures you are actually protected.
BN: The cybersecurity industry has seen many vendors claiming to offer CTEM solutions. What’s the risk in this trend?
SO: The market is saturated with vendors hyping existing tools as CTEM offerings. Some go so far as to call their products ‘AI-powered CTEM,’ which is misleading. The risk is believing you can ‘buy’ CTEM like a piece of software. CTEM isn’t a product; it’s a program with processes, people, and technologies working in tandem. The danger is that organizations believe they can simply purchase CTEM to solve their exposure management challenges and don’t need to build a tailored program that serves their unique needs. The reason Gartner is creating a how-to guide for CTEM is that most companies lack the resources and aren’t prepared to implement a CTEM program.
BN: How can a company get started with a CTEM program?
SO: A CTEM program follows a clear, structured process consisting of five key phases. In the scoping phase, security teams need to assess critical infrastructure and evaluate cyber resilience across internal, external, and cloud attack surfaces. This sets the stage for prioritizing critical assets and defining the program’s focus.
Next, during discovery, security teams must catalog assets and assess risk profiles, uncovering vulnerabilities, misconfigurations, and hidden weaknesses that could impact business operations.
In the prioritization phase, teams should identify security gaps, such as undetected attacks or broken detection rules, to help them focus their remediation efforts where they’ll be most effective.
The validation phase involves teams testing security defenses in real-world scenarios through controlled attack simulations or adversary emulation. Automated tools like BAS and automated penetration testing provide a complete picture of the security posture. This is the essence of shedding the false confidence of theoretical risk scores and building true confidence in your security posture. By combining the automation of BAS and pen testing with the strategic lens of CTEM, organizations move from simply claiming to be secure to proving it every single day.
Finally, in the mobilization phase, security leaders need to emphasize that while automation handles basic tasks, complex vulnerabilities require human intervention. This involves a more nuanced, hands-on approach to managing cybersecurity risk.