The CTEM Chronicles: Prioritization for Balancing the Scales

By Victor Marchetto, Manager, Advisory Services

Welcome to Episode 4 of the CTEM Chronicles, covering Phase 3, Prioritization: the point where organizations decide what deserves attention, investment, and action during this CTEM cycle.

In a world of near infinite risks but finite resources, prioritization is critical.

Why Prioritization is the Tipping Point

Security teams often find themselves overwhelmed by scan results, audit findings, and external requirements. Trying to fix everything is impractical and often ineffective. CTEM's third phase emphasizes focusing on the exposures with the most significant business and operational impact.

Instead of reacting to technical severity alone, the shift is toward exposures that are exploitable, relevant to current threat activity, and critical to the business.

Moving from vulnerability management to exposure management means shifting focus from technical severity to business relevance and adversarial feasibility. We must evaluate not just what could go wrong, but what would matter if it did.

Core Elements of Prioritization

Let's break down what effective prioritization looks like in a CTEM-aligned program.

1. Threat Modeling as a Filter

Focus on threat actions (what adversaries do) rather than only on who they are. Modeling the techniques and attack paths an adversary would use against the assets in scope provides a structured lens for ranking threats by relevance and impact.

  • Prioritize threats that are actively exploited or that appear in realistic attack paths to your critical assets.
  • Typical examples: credential abuse, phishing entry points, lateral movement opportunities.

2. Asset Criticality Mapping

Rather than addressing all assets equally, prioritize based on the business function, data sensitivity, and exposure profile of each asset in the scope for this cycle.

3. Contextual Scoring

A static CVSS base score describes technical severity in isolation; it says nothing about whether the flaw is being exploited, what the affected asset is worth, or what controls already stand in front of it. Prioritization needs dynamic, multi-input scoring models:

  • Exploit Prediction Scoring System (EPSS) to assess likelihood of exploitation.
  • Threat intelligence to determine active campaigns and TTPs in play.
  • Control effectiveness data: are our existing controls covering the exposure, or failing silently?

Sidebar: What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST that estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. It complements CVSS by focusing on real-world exploitability rather than theoretical severity.

For example, a CVSS 9.8 vulnerability with an EPSS score of 0.1% may pose less immediate risk than a CVSS 7.5 vulnerability with an EPSS score of 75%.

EPSS scores are updated daily and are publicly available at https://www.first.org/epss/.
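As an added example (not code from this post), the following Python sketch combines the inputs listed under Contextual Scoring into one ranking: an EPSS probability parsed from a constructed excerpt in the layout of the FIRST daily CSV (the CVE identifiers and scores are made up), an "actively exploited" flag from threat intelligence, asset criticality, internet exposure, and control effectiveness. The weights, the 0.9 floor for observed exploitation, and the 0.5 discount for internal-only exposures are assumptions for illustration, not a published CTEM formula. It reproduces the sidebar's comparison: the CVSS 9.8 finding with 0.1% EPSS scores 0.1, the CVSS 7.5 finding with 75% EPSS scores 45.0, and a mostly mitigated but actively exploited flaw on a domain controller lands in between.

```python
"""Contextual exposure scoring: CVSS is one input, not the decision.

Added example, not from the CTEM Chronicles post. The weighting scheme,
the asset/control fields and the CVE identifiers are assumptions chosen
for illustration, not a published CTEM formula.
"""
import csv
from dataclasses import dataclass

# Constructed excerpt in the (assumed) layout of the FIRST EPSS daily CSV:
# a '#' comment line, then a cve,epss,percentile header. Scores are made up.
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.00100,0.35000
CVE-0000-0002,0.75000,0.98000
CVE-0000-0003,0.02000,0.60000
"""


def load_epss(text: str) -> dict[str, float]:
    """Parse EPSS CSV text into {cve: probability}, skipping '#' comment lines."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


@dataclass
class Exposure:
    cve: str
    asset: str
    cvss: float                   # CVSS base score, 0-10 (technical severity only)
    asset_criticality: int        # 1 (low) .. 5 (crown jewel), from asset criticality mapping
    internet_facing: bool         # discoverable by an attacker with no prior access
    actively_exploited: bool      # threat intel reports a live campaign using it
    control_effectiveness: float  # 0.0 = no covering control, 1.0 = validated full mitigation


def likelihood(exp: Exposure, epss: dict[str, float]) -> float:
    """Probability-like estimate that this exposure gets exploited soon."""
    p = epss.get(exp.cve, 0.0)
    if exp.actively_exploited:
        p = max(p, 0.9)  # observed exploitation outranks a model prediction (assumption)
    if not exp.internet_facing:
        p *= 0.5         # attacker first needs a foothold; discount is an assumption
    return p


def impact(exp: Exposure) -> float:
    """Technical impact from CVSS, weighted by what the asset means to the business."""
    return (exp.cvss / 10.0) * (exp.asset_criticality / 5.0)


def priority_score(exp: Exposure, epss: dict[str, float]) -> float:
    """0-100: likelihood x impact x residual risk after existing controls."""
    residual = 1.0 - exp.control_effectiveness
    return round(100.0 * likelihood(exp, epss) * impact(exp) * residual, 1)


def prioritize(exposures: list[Exposure], epss: dict[str, float]) -> list[tuple[str, str, float]]:
    """Return (cve, asset, score) tuples, highest priority first."""
    scored = [(e.cve, e.asset, priority_score(e, epss)) for e in exposures]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed findings. The first two mirror the sidebar: CVSS 9.8 with EPSS 0.1%
# versus CVSS 7.5 with EPSS 75% on otherwise identical internet-facing assets.
SAMPLE_EXPOSURES = [
    Exposure("CVE-0000-0001", "web-app-01", 9.8, 4, True, False, 0.0),
    Exposure("CVE-0000-0002", "web-app-02", 7.5, 4, True, False, 0.0),
    # Internal, actively exploited, on a crown-jewel asset, but mostly mitigated
    Exposure("CVE-0000-0003", "dc-01", 8.8, 5, False, True, 0.8),
]

if __name__ == "__main__":
    for cve, asset, score in prioritize(SAMPLE_EXPOSURES, load_epss(EPSS_CSV)):
        print(f"{score:6.1f}  {cve}  {asset}")
```

Run it and the CVSS 9.8 finding drops to the bottom of the list. Two design choices matter more than the exact weights: observed exploitation is allowed to override the EPSS prediction, and control effectiveness multiplies the score down rather than subtracting a fixed amount, so an unmitigated low-severity flaw can still outrank a well-defended critical one.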

4. Safeguard Mapping and Coverage Analysis

Once threats and assets are ranked, map your existing safeguards to those threats. Where are the gaps? Are compensating controls truly compensating? A control that exists only on paper, or that has never been exercised against the technique it is meant to stop, does not close a gap.

This step shifts prioritization from abstract risk to concrete remediation paths that will be tested in the next phase.
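The following Python sketch is an added example (not code from this post) of safeguard mapping and coverage analysis over the attack paths produced by the threat-modeling step. Each safeguard declares which techniques it covers, an effectiveness estimate, and whether it has actually been validated; unvalidated controls contribute nothing, which is how "is the compensating control truly compensating?" becomes a computable question. The control inventory, effectiveness values, validated flags, and the 0.5 gap threshold are assumptions for illustration; the technique IDs are MITRE ATT&CK labels used only to name the steps.

```python
"""Safeguard mapping and coverage analysis over ranked attack paths.

Added example, not from the CTEM Chronicles post. The safeguards, their
effectiveness values and 'validated' flags, and the coverage threshold
are assumptions for illustration. Technique IDs are MITRE ATT&CK labels
used only to name the steps.
"""
from dataclasses import dataclass


@dataclass
class Safeguard:
    name: str
    covers: set[str]      # technique IDs the control is meant to block or detect
    effectiveness: float  # 0..1 from control effectiveness data
    validated: bool       # tested against the technique, or merely documented?


@dataclass
class AttackPath:
    name: str
    techniques: list[str]    # ordered steps from entry point to the target
    target_criticality: int  # 1..5 from asset criticality mapping


def technique_coverage(tech: str, safeguards: list[Safeguard]) -> float:
    """Chance that at least one validated safeguard stops this step.

    An unvalidated control contributes nothing: a compensating control that
    has never been exercised is not known to compensate.
    """
    miss = 1.0
    for s in safeguards:
        if tech in s.covers and s.validated:
            miss *= 1.0 - s.effectiveness
    return 1.0 - miss


def analyze_path(path: AttackPath, safeguards: list[Safeguard],
                 gap_threshold: float = 0.5) -> dict:
    """Per-step coverage, end-to-end success chance, and the steps that are gaps."""
    steps = {t: technique_coverage(t, safeguards) for t in path.techniques}
    p_success = 1.0
    for c in steps.values():
        p_success *= 1.0 - c  # the attacker must get through every step
    return {
        "path": path.name,
        "steps": steps,
        "p_success": round(p_success, 3),
        "gaps": [t for t, c in steps.items() if c < gap_threshold],
        "exposure": round(p_success * path.target_criticality, 2),
    }


def rank_paths(paths: list[AttackPath], safeguards: list[Safeguard]) -> list[dict]:
    """Highest residual exposure first: these are the candidates for validation."""
    results = [analyze_path(p, safeguards) for p in paths]
    return sorted(results, key=lambda r: r["exposure"], reverse=True)


# Constructed control inventory. The EDR isolation rule is documented as a
# compensating control for lateral movement but has never been validated.
SAFEGUARDS = [
    Safeguard("Phishing-resistant MFA", {"T1078"}, 0.9, validated=True),
    Safeguard("Mail filtering", {"T1566"}, 0.7, validated=True),
    Safeguard("Network segmentation", {"T1021"}, 0.4, validated=True),
    Safeguard("EDR isolation rule", {"T1021"}, 0.8, validated=False),
]

# Constructed attack paths from the threat-modeling step (T1566 Phishing,
# T1078 Valid Accounts, T1021 Remote Services, T1110 Brute Force).
PATHS = [
    AttackPath("Phishing to domain controller", ["T1566", "T1078", "T1021"], 5),
    AttackPath("Exposed RDP brute force to file server", ["T1110", "T1021"], 4),
]

if __name__ == "__main__":
    for r in rank_paths(PATHS, SAFEGUARDS):
        print(f'{r["exposure"]:5.2f}  {r["path"]}  gaps={r["gaps"]}')
```

The exposed RDP path ranks first even though it targets a less critical asset, because nothing validated covers brute force and the only validated lateral-movement control is weak; the phishing path to the domain controller, with two validated controls in front of it, drops far down. Both paths flag T1021 as a gap, which is exactly the finding to hand to Phase 4: validate the segmentation and the unvalidated EDR rule before spending on new controls.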

The Output: An Exposure Narrative

When executed correctly, prioritization produces business-aligned exposure narratives:

  • What exposures exist?
  • Which ones have credible paths to critical systems?
  • What is actively being exploited?
  • Where are we unprotected?
  • What’s the cost (or consequence) of not acting?

This narrative is what enables alignment with leadership, funding for remediation, and support from cross-functional teams.

From Reactive to Risk-Based

Evolve recommends that organizations get proactive by narrowing their focus to exposures that:

  • Are easily discoverable by attackers
  • Sit close to critical data or systems
  • Lack meaningful protective controls
  • Are part of known, successful attack paths

Organizations that succeed here often group exposures by threat vector or business initiative (e.g., phishing-resistance, exposed RDP, insecure AI workflows).

CTEM prioritization is more than a spreadsheet sort. The diagram below shows how different inputs feed into a structured path toward meaningful remediation:

Pitfalls to Avoid

  • Fixation on CVSS: It's a useful signal, but not a decision-making tool by itself.
  • Trying to Boil the Ocean: Prioritize by campaign, asset group, or threat vector, and stay within the scope defined for this cycle.
  • Operating in Silos: Include IT, compliance, and business owners. CTEM prioritization is a team sport.

The table below contrasts traditional vulnerability management with CTEM’s prioritization mindset:

Feature                    Traditional Vulnerability Management   CTEM Prioritization
Focus                      Patch everything                       Exploitable and impactful exposures
Inputs                     CVSS scores                            Threat intel, asset value, EPSS, control gaps
Remediation urgency        Most severe first                      Context and business driven
Output                     Vulnerability list                     Exposure narrative aligned to business risk
Cross-team collaboration   Minimal                                Strong; includes IT, business unit liaisons, GRC

Final Thought: Prioritization is Empowerment

Phase 3 of CTEM is focused on determining what exposures and attack paths are worth spending resources to validate and fix. By focusing on exposures that pose the greatest threat to what matters most, organizations can finally get off the hamster wheel of reactive patching and move toward intelligent, sustainable defense.

In Phase 4, we'll explore Validation, where we test our assumptions about exploitability and control effectiveness before moving on to remediation.
