Pentesting isn't just about finding flaws — it's about knowing which ones matter. Pentera's 2025 State of Pentesting report uncovers which assets attackers target most, where security teams are making progress, and which exposures still fly under the radar. Focus on reducing breach impact, not just breach count. [...]
Analysis Summary
# Best Practices: Continuous Threat Exposure Management (CTEM) and Risk Prioritization
## Overview
These practices mature an Exposure Management program by shifting it from chasing every CVE to prioritizing remediation by **exploitability** and **business impact**. The goal is to prevent the breaches that matter, accepting that minor technical compromises of low-value assets may still occur.
## Key Recommendations
### Immediate Actions
1. **Adopt the Foundational Mindset:** Recognize that "not all breaches are equal." Focus resources on closing exposures that, if exploited, lead to data exposure, downtime, or financial loss, rather than treating all severity scores equally.
2. **Prioritize Web-Facing Assets:** Immediately review and harden public-facing assets (DNS, web portals, login pages); the report's data shows these are the assets most often perceived as vulnerable, most often tested, and most often breached.
3. **Implement Compensating Controls on Exposed Assets:** Ensure all public-facing systems have robust compensating controls, such as requiring Multi-Factor Authentication (MFA) on every accessible login page and service.
### Short-term Improvements (1-3 months)
1. **Shift Testing Focus:** Direct penetration testing and validation efforts toward assets identified as both highly exploitable *and* highly impactful (e.g., assets connecting to production systems or holding sensitive data).
2. **Establish Business Impact Context:** Map identified exposures and potential compromise paths to critical business systems and sensitive data stores. If an exposed asset leads to a dead end without access to critical resources, downgrade immediate remediation priority for that specific vulnerability.
3. **Enhance API Visibility and Testing:** Inventory all existing APIs. Introduce adversarial testing focused specifically on logic flaws, authorization issues, and integration misconfigurations, since traditional vulnerability scanners do not exercise these flaws.
### Long-term Strategy (3+ months)
1. **Implement Continuous Validation:** Establish a Continuous Threat Exposure Management (CTEM) program that moves beyond periodic penetration testing to involve continuous, data-driven validation of security controls against real-world attack paths across the entire, complex attack surface (Cloud, APIs, IoT/OT).
2. **Simplify the Security Stack:** Evaluate the usage and effectiveness of your security tooling (the report cites an average of 75 managed security tools per organization). Look for opportunities to consolidate tools or automate processes to reduce operational complexity, which can inadvertently hide risk.
3. **Develop Integrated Surface Management:** Create unified monitoring and testing programs for dynamic surfaces like cloud-native environments, APIs, and IoT/OT, ensuring continuous inventory and vulnerability assessment that accounts for cross-system integrations.
## Implementation Guidance
### For Small Organizations
- **Focus on External Perimeter:** Since web-facing assets are the primary vector, ensure 100% coverage of MFA on all external services and strong input validation on all customer-facing web applications.
- **Leverage Automated Validation:** Utilize capabilities within existing tools (or low-cost validation tools) to prioritize vulnerability remediation based on known exploit chains affecting similar external assets, rather than relying solely on raw vulnerability scores.
### For Medium Organizations
- **Formalize Risk Scoring:** Develop a simple, internal risk matrix that incorporates **Likelihood of Exploitation** (based on public knowledge/testing) and **Business Impact** (based on data classification/system criticality) to score remediation tickets.
- **Segment Testing:** Ensure pentesting efforts are explicitly divided between the high-risk perimeter (web/cloud ingress) and internal assets, dedicating more adversarial testing depth to the former until risk reduction is proven.
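The likelihood-times-impact matrix described above, as an added example rather than anything from the Pentera report: the weights, tier tables and the three sample tickets are constructed assumptions for illustration and should be tuned to your own environment. It also shows the remediation-order inversion warned about under Common Pitfalls below: a CVSS 9.8 on an isolated sandbox ends up ranked below a CVSS 6.5 on a validated path to the core database.

```python
"""Likelihood x impact prioritization for remediation tickets.

Added example, not code from the Pentera report. Weights, tier tables
and sample findings are constructed assumptions; tune them for your
own asset inventory and data classification scheme.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    ticket: str
    asset: str
    cvss: float               # vendor severity, 0.0-10.0 (a prior, not the answer)
    internet_facing: bool     # reachable from the public internet
    exploit_public: bool      # working exploit publicly available
    validated_path: bool      # a pentest/validation run proved exploitability here
    asset_tier: str           # crown_jewel | production | internal | sandbox
    reaches_critical: bool    # compromise pivots onward to a critical system/data store
    data_classification: str  # restricted | confidential | internal | public


# Constructed weights: how much an asset tier / data class contributes to impact.
TIER_WEIGHT = {"crown_jewel": 1.0, "production": 0.7, "internal": 0.4, "sandbox": 0.1}
DATA_WEIGHT = {"restricted": 1.0, "confidential": 0.7, "internal": 0.3, "public": 0.1}


def likelihood(f: Finding) -> float:
    """0..1 estimate that an attacker actually gets to exploit this finding."""
    score = 0.1 + 0.3 * (f.cvss / 10.0)  # CVSS contributes at most 0.3
    if f.internet_facing:
        score += 0.2
    if f.exploit_public:
        score += 0.2
    if f.validated_path:
        score += 0.3                     # validation evidence weighs the most
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """0..1 estimate of business impact if the finding is exploited."""
    base = max(TIER_WEIGHT[f.asset_tier], DATA_WEIGHT[f.data_classification])
    if f.reaches_critical:
        base = max(base, 0.9)            # a pivot to critical systems is itself critical
    return base


def risk_score(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 3)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample tickets.
SAMPLE_FINDINGS = [
    Finding("T-101", "sandbox-01", 9.8, False, True, False, "sandbox", False, "internal"),
    Finding("T-102", "customer-portal", 6.5, True, False, True, "production", True, "restricted"),
    Finding("T-103", "fileserver-02", 7.5, False, False, False, "internal", False, "confidential"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.ticket} {f.asset:16} cvss={f.cvss:<4} "
              f"L={likelihood(f):.2f} I={impact(f):.2f} risk={risk_score(f):.3f}")
```

The point of the weights is that a validated, internet-facing path onto restricted data outranks raw CVSS every time; if your queue disagrees with this ordering, that is the signal to revisit either the asset tiers or the validation evidence, not to fall back to severity sorting.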
### For Large Enterprises
- **Establish CTEM Framework:** Formally implement the stages of Continuous Threat Exposure Management (CTEM) to bridge the gap between assumed risk and actual, validated risk across hybrid/multi-cloud environments.
- **API Attack Path Mapping:** Invest in specialized tooling or expertise to map cross-system attack paths involving APIs, focusing on lateral movement possibilities between cloud services and internal data lakes.
- **Inventory Complexity Management:** Allocate significant budget and engineering time toward deep, automated inventorying of ephemeral assets common in cloud-native deployments, which contribute heavily to the "opaque" nature of the modern attack surface.
## Configuration Examples
*Since the article emphasizes strategic philosophy over specific technical commands, the configuration focus is on control implementation:*
1. **Web Asset Hardening (Example Control):** Mandate the enforcement of Multi-Factor Authentication (MFA) across all login endpoints, leveraging SSO/IdP solutions for centralized policy enforcement (e.g., issuing session cookies or tokens only after an MFA-satisfied authentication, and rejecting direct logins that bypass the IdP).
2. **API Security Posture (Example Control):** Implement API gateway policies that validate request schemas and enforce rate limits calibrated to legitimate business transaction volumes, and complement them with dynamic testing for broken object-level authorization (BOLA), which a gateway cannot detect on its own because the requests look well-formed and authenticated.
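A minimal dynamic BOLA check of the kind the API control above calls for, added here as an example and not taken from the report or any vendor tool. The in-memory `get_order_*` handlers, the tokens and the order records are constructed stand-ins for a real service; `bola_check` is the part you would point at a real endpoint with two test accounts.

```python
"""Dynamic broken-object-level-authorization (BOLA) check.

Added example, not code from the Pentera report. SESSIONS, ORDERS and
both handlers are constructed stand-ins for a real API; against a live
service, wrap an HTTP client in a function with the same
(token, object_id) -> Response shape and pass it as `endpoint`.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: bearer tokens -> user ids, and the objects they own.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "alice", "total": 9.99},
    201: {"owner": "bob", "total": 120.00},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _authenticate(token: str) -> Optional[str]:
    return SESSIONS.get(token)


def get_order_vulnerable(token: str, order_id: int) -> Response:
    """Authenticates the caller but never checks object ownership (BOLA)."""
    user = _authenticate(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)            # any authenticated user reads any order


def get_order_hardened(token: str, order_id: int) -> Response:
    """Same endpoint with an ownership check.

    Foreign and nonexistent ids both return 404 so the endpoint does not
    confirm that another user's object exists.
    """
    user = _authenticate(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(404)
    return Response(200, order)


def bola_check(endpoint: Callable[[str, int], Response],
               victim_token: str, victim_ids, attacker_token: str):
    """Request each object the victim owns using the attacker's token.

    Returns the ids the attacker could read (status 200). An empty list is
    the expected, safe result; anything else is a BOLA finding.
    """
    leaked = []
    for oid in victim_ids:
        # Sanity check: the legitimate owner can read the object, so a
        # 404 for the attacker is a deny, not a missing object.
        if endpoint(victim_token, oid).status != 200:
            raise RuntimeError(f"victim cannot read own object {oid}; fix the test setup")
        if endpoint(attacker_token, oid).status == 200:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", bola_check(get_order_vulnerable, "tok-alice", [101, 102], "tok-bob"))
    print("hardened:  ", bola_check(get_order_hardened, "tok-alice", [101, 102], "tok-bob"))
```

Run the same check for every object-bearing route (orders, invoices, attachments) and for both directions of the user pair; authorization bugs are frequently asymmetric, present on one verb or one route but not another.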
## Compliance Alignment
The practices described align closely with modern risk management frameworks, emphasizing continuous monitoring and risk prioritization:
- **NIST Cybersecurity Framework (CSF):** Strongly aligns with the **Identify (ID)** function (Asset Management, Risk Assessment) and **Protect (PR)** function (Access Control, Data Security). CTEM is a maturation step for ongoing risk assessment.
- **ISO/IEC 27001/27002:** Focuses on establishing Annex A controls commensurate with identified risk, supporting the principle that security measures must be scaled based on impact.
- **Center for Internet Security (CIS) Critical Security Controls:** Aligns with Control 1 (Inventory and Control of Enterprise Assets) and Control 7 (Continuous Vulnerability Management); the report's emphasis adds validated exploitability and business impact as the inputs to the risk-based remediation strategy that Control 7 already calls for.
## Common Pitfalls to Avoid
1. **Chasing Theoretical Severity:** Do not allocate resources based *only* on a CVE's CVSS score. If your queue fixes a high-severity vulnerability on an isolated sandbox server before a medium-severity vulnerability that lets an attacker pivot to the core database, the remediation order is wrong.
2. **Ignoring System Interconnectivity:** Assuming an exposed asset is contained. Always trace potential paths from an exposed ingress point through APIs and cloud integrations to critical data stores.
3. **Underestimating API Complexity:** Assuming traditional perimeter scanning tools fully test modern APIs. Logic flaws and authorization issues need adversarial testing with valid credentials and knowledge of the API's object model; port scanners and signature-based vulnerability scanners never exercise them.
4. **Assuming "Zero Impact" Means "Zero Danger":** While a breach of a low-impact asset might not cause immediate harm, it should still be remediated if it gives an attacker a stable foothold for later lateral movement. Focus on impact first, but do not leave low-impact exposures open indefinitely.
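The path tracing asked for under Establish Business Impact Context, API Attack Path Mapping and the interconnectivity pitfall above, as an added example that is not part of the report: a breadth-first search over a directed asset graph whose edges are the integrations (accepted tokens, service accounts, trusted webhooks, assumable roles) that let an attacker hop from one asset to the next. The graph, asset names and edge labels are constructed sample data; in practice they come from your API inventory, IAM trust relationships and cloud integrations. Ingress points that cannot reach a critical store are flagged as dead ends for priority downgrading, and the edge shared by the most paths is surfaced as the fix with the most leverage.

```python
"""Trace ingress -> critical-data attack paths over an asset graph.

Added example, not code from the Pentera report. EDGES, INGRESS and
CRITICAL are constructed sample data standing in for a real inventory.
"""
from collections import Counter, deque

# Directed edges: "compromising A gives the attacker a way onto B",
# labelled with the integration that makes the hop possible.
EDGES = {
    "login-portal":   [("orders-api", "portal session token accepted by API")],
    "mobile-bff":     [("orders-api", "same session tokens accepted")],
    "orders-api":     [("customer-db", "service account has read on PII tables")],
    "marketing-site": [("cms", "shared admin credentials")],
    "cms":            [],                                    # dead end
    "partner-api":    [("etl-lambda", "webhook trusted without signature check")],
    "etl-lambda":     [("data-lake", "execution role can assume data-lake-writer")],
    "customer-db":    [],
    "data-lake":      [],
}
INGRESS = {"login-portal", "mobile-bff", "marketing-site", "partner-api"}
CRITICAL = {"customer-db", "data-lake"}


def shortest_path_to_critical(start, edges=EDGES, critical=CRITICAL):
    """BFS from an ingress asset.

    Returns the hops as (src, dst, how) tuples for the first critical asset
    reached, or None when every path from `start` dead-ends.
    """
    parent = {start: None}             # node -> (previous node, edge label)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in critical:
            hops = []
            while parent[node] is not None:
                prev, how = parent[node]
                hops.append((prev, node, how))
                node = prev
            hops.reverse()
            return hops
        for nxt, how in edges.get(node, []):
            if nxt not in parent:      # visited check also breaks cycles
                parent[nxt] = (node, how)
                queue.append(nxt)
    return None


def triage(ingress=INGRESS, edges=EDGES, critical=CRITICAL):
    """Map each exposed asset to ('pivot', path) or ('dead_end', None)."""
    verdicts = {}
    for asset in sorted(ingress):
        path = shortest_path_to_critical(asset, edges, critical)
        verdicts[asset] = ("pivot", path) if path is not None else ("dead_end", None)
    return verdicts


def choke_points(verdicts):
    """Count how many ingress paths cross each hop; the top hop is the
    single remediation that cuts the most paths at once."""
    counts = Counter()
    for verdict, path in verdicts.values():
        if verdict == "pivot":
            counts.update(path)
    return counts


if __name__ == "__main__":
    verdicts = triage()
    for asset, (verdict, path) in verdicts.items():
        print(f"{asset:15} {verdict}")
        for src, dst, how in path or []:
            print(f"    {src} -> {dst}: {how}")
    hop, n = choke_points(verdicts).most_common(1)[0]
    print(f"fix first: {hop[0]} -> {hop[1]} ({hop[2]}), on {n} paths")
```

Note that the dead-end verdict for `marketing-site` is only as good as the edge list: a missing edge (an undocumented integration from the CMS into an internal system) silently turns a dead end into a pivot, which is why the inventory work under the long-term strategy matters as much as the traversal.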
## Resources
- **Framework Utilization:** Leverage existing knowledge related to **NIST CSF** and **ISO 27001** to structure your risk assessment processes.
- **Testing Strategy:** Research methodologies related to **Adversarial Testing** and **Continuous Threat Exposure Management (CTEM)** platforms to guide tool acquisition and practice maturity.