# Full Report
I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn’t have asked for a better kickoff panel: three cybersecurity leaders who don’t just talk security, they live it. Let me introduce them. Alex Delay, CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead, Director of Cybersecurity at Avidity
# Analysis Summary
# Main Topic
Discussion on the practical challenges, priorities, and best practices for implementing and operationalizing Continuous Threat Exposure Management (CTEM) within complex production environments, featuring security leaders from regulated and innovative sectors.
## Key Points
- CTEM is considered essential, with Gartner predicting organizations prioritizing it will be three times less likely to be breached by 2026, contingent on it being operationalized.
- Core components of a successful CTEM program start with robust asset inventory and stringent control over identity management (focusing on weak service accounts, over-permissioned users, and legacy logins).
- Frequency of validation is critical: weekly for internal assets and daily for external-facing assets.
- CTEM differs from traditional vulnerability management by focusing on whether controls effectively block real-world threats, rather than merely patching CVEs.
- Success measurement shifts from counting vulnerabilities to quantifying the number of exploited attack paths closed.
- Reporting must translate cyber findings into quantifiable business risk terms, focusing on risk profile changes rather than technical metrics like CVSS scores, especially when addressing boards or regulators.
## Threat Actors
- Adversaries are discussed only in general terms, as a constant pressure that continually tests defenses.
- The importance of understanding adversaries by simulating their TTPs is highlighted as the backbone of security testing.
- No specific named threat actors or groups were identified.
## TTPs
- Focus is on validating defenses against **real-world scenarios** rather than specific TTPs.
- Key attack vectors addressed through CTEM validation include:
  - Exploiting weak service accounts.
  - Abusing over-permissioned user accounts.
  - Leveraging legacy logins.
- The process involves simulating adversary Tactics, Techniques, and Procedures (TTPs) against existing controls.
## Affected Systems
- Highly regulated environments (e.g., Banking, represented by IDB Bank).
- Biotechnology environments (e.g., Avidity Biosciences, which develops targeted RNA therapeutics).
- General production environments, particularly concerning external-facing assets.
- Systems suffering from poor identity hygiene (over-permissioned accounts, forgotten assets).
## Mitigations
- **Asset Inventory & Identity Management:** Prioritize checking and securing service accounts and user permissions.
- **Frequency of Testing:** Implement rigorous, frequent validation cycles (weekly internal, daily external).
- **Control Validation:** Shift focus from patching to actively testing if security controls block simulated threats (Exposure Management).
- **Risk Reporting:** Ensure reporting focuses on the change in overall risk profile and concentration, not just vulnerability scores, to influence leadership.
- **Leadership Engagement:** Utilize tabletop exercises that walk leadership through real attack scenarios to explain consequences.
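As an added example (not code from the podcast, the panelists, or any vendor), the Python sketch below turns the identity-hygiene checks and the validation cadence listed above into a runnable triage over a constructed inventory. The thresholds (service-account password age, number of hosts an account may administer), the set of protocols treated as "legacy logins", the sample accounts and hosts, and the `today` date are all assumptions chosen for illustration; the only numbers taken from the discussion are the daily (external) and weekly (internal) validation intervals and the idea of measuring progress as attack paths closed between two runs rather than as a vulnerability count.

```python
"""CTEM identity-hygiene triage, validation cadence and "paths closed" metric.

Added illustration; not the panel's tooling. Thresholds and inventory are
constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# --- Assumed thresholds (not from the page) -------------------------------
MAX_SERVICE_PASSWORD_AGE_DAYS = 365      # service credentials older than this are "weak"
MAX_ADMIN_HOSTS = 5                      # local admin on more hosts than this is "over-permissioned"
LEGACY_PROTOCOLS = {"ntlmv1", "lm", "ldap-simple-bind"}  # treated as "legacy logins"


@dataclass
class Identity:
    name: str
    kind: str                    # "service" or "user"
    password_age_days: int
    interactive_logon: bool      # service accounts should not log on interactively
    admin_on_hosts: int          # hosts where the account holds local admin
    auth_protocols: set[str] = field(default_factory=set)


@dataclass
class Asset:
    hostname: str
    external_facing: bool
    last_validated: date


def identity_findings(ident: Identity) -> list[str]:
    """Return the hygiene findings for one account, in a stable order."""
    findings = []
    if ident.kind == "service":
        if ident.password_age_days > MAX_SERVICE_PASSWORD_AGE_DAYS:
            findings.append("weak-service-account:stale-password")
        if ident.interactive_logon:
            findings.append("weak-service-account:interactive-logon")
    if ident.admin_on_hosts > MAX_ADMIN_HOSTS:
        findings.append("over-permissioned:broad-admin")
    legacy = ident.auth_protocols & LEGACY_PROTOCOLS
    if legacy:
        findings.append("legacy-login:" + ",".join(sorted(legacy)))
    return findings


# --- Constructed sample inventory -----------------------------------------
IDENTITIES = [
    Identity("svc-backup", "service", 900, True, 12, {"ntlmv1", "kerberos"}),
    Identity("svc-web", "service", 30, False, 1, {"kerberos"}),
    Identity("jdoe", "user", 45, True, 9, {"kerberos"}),
    Identity("old-admin", "user", 700, True, 2, {"lm"}),
]
ASSETS = [
    Asset("web-edge-01", external_facing=True, last_validated=date(2025, 6, 1)),
    Asset("app-int-07", external_facing=False, last_validated=date(2025, 6, 1)),
]


def triage(identities=IDENTITIES) -> dict[str, list[str]]:
    """Map each account with at least one finding to its list of findings."""
    result = {}
    for ident in identities:
        findings = identity_findings(ident)
        if findings:
            result[ident.name] = findings
    return result


def due_assets(today: date = date(2025, 6, 2), assets=ASSETS) -> list[str]:
    """Hosts whose validation is due: daily if external-facing, weekly if internal."""
    due = []
    for asset in assets:
        interval_days = 1 if asset.external_facing else 7
        if (today - asset.last_validated).days >= interval_days:
            due.append(asset.hostname)
    return due


def attack_paths_closed(previous: dict, current: dict) -> int:
    """Findings present in the previous run but gone now: the metric the panel
    prefers over a raw vulnerability count."""
    before = {(name, f) for name, fs in previous.items() for f in fs}
    after = {(name, f) for name, fs in current.items() for f in fs}
    return len(before - after)


if __name__ == "__main__":
    baseline = triage()
    for name, findings in baseline.items():
        print(f"{name}: {', '.join(findings)}")
    print("validation due today:", due_assets())
    # Simulate remediating svc-backup except for its legacy protocol.
    followup = dict(baseline, **{"svc-backup": ["legacy-login:ntlmv1"]})
    print("attack paths closed since baseline:", attack_paths_closed(baseline, followup))
```

Running the module prints four findings for `svc-backup`, one each for `jdoe` and `old-admin`, reports that only the external-facing host is due for validation one day after its last run, and counts three paths closed once the service account's password, interactive logon and broad admin rights are fixed. The findings are deliberately coded as stable strings so that two runs can be diffed, which is what makes the "paths closed" number reportable as a change in risk profile rather than as a score.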
## Conclusion
Operationalizing CTEM is less about technology acquisition and more about adopting a rigorous, reality-based testing methodology centered on identity hygiene and validating control effectiveness against simulated adversary techniques. Success is measured by reducing exploitable attack paths and effectively communicating residual risk to business leadership.