The visibility gap between CTEM and traditional models


A new market intelligence study by Reflectiz, based on interviews with 128 business security decision makers, finds that a clear gap is forming between organizations that adopt a modern exposure management framework and those that follow traditional models. The dividing line is not so much budget size or sector as a strategic choice: companies that have integrated Continuous Threat Exposure Management (CTEM) show quantifiable advantages in visibility and in solution adoption over those that have not.

CTEM is not a fad: it is a different way of managing the attack surface, one that prioritizes continuous detection and validation of real risks over reactive patching. Instead of relying on point-in-time reviews, CTEM seeks to discover assets, assess their relevance to the business and prioritize mitigation on clear criteria. To understand its place in the evolution of cybersecurity, it is useful to contrast it with analysis and recommendations from analysts such as Gartner on the need to move towards continuous threat management models: Gartner: How to manage cybersecurity threats, not episodes.


Reflectiz's report reveals figures that invite reflection: although the vast majority of security leaders know the concept, actual implementation remains a minority practice. Only a fraction of the organizations surveyed have moved the idea into day-to-day operations, and that difference already translates into concrete metrics for monitoring and control of the digital environment.

One of the reasons this change does not materialize is the combination of organizational inertia and competing pressures: security leaders are forced to prioritize among projects that compete for resources, and selling an initiative that requires changes to processes and tools is not always simple. However, when peers are compared by exposure surface size and operational results, a consistent pattern emerges: more complexity without continuous automation ends up increasing risk and generating blind spots that are difficult to control manually.

This phenomenon materializes in what the study itself calls the "visibility gap": the difference between the assets an organization believes it monitors and those that really exist and can be exploited by an attacker. As a company multiplies domains, integrations and scripts, the attack surface grows exponentially and point-in-time monitoring methods are no longer effective. Once the number of domains exceeds a certain threshold, the number of connected artifacts can balloon into an unmanageable mosaic without continuous discovery and validation processes.

The external context also pushes for stronger approaches. Third-party incidents have increased in recent years, as recent CISO surveys reflect, and the average cost of a breach remains very high for most organizations. Reports such as IBM's on the cost of breaches put the average figure at several million dollars per incident: IBM: Cost of a Data Breach Report. At the same time, regulatory and compliance frameworks, such as the latest versions of PCI DSS, demand more stringent monitoring and controls that cannot be met by periodic audits alone: PCI Security Standards Council.

So why keep delaying a CTEM initiative when market and regulatory signals push for its adoption? There is no single answer: part of the problem is that many organizations are still trying to meet new monitoring needs with legacy processes. Another part comes from the difficulty of justifying investments in exposure management when the argument stays at the level of technical concepts. It is therefore essential to translate the value of CTEM into business metrics: shorter exposure windows, fewer incidents attributable to unknown assets, and improved global visibility that avoids sanctions and response costs.

Building the business case for CTEM means speaking the language of the board of directors: financial impact, reduction of attack-surface risk and the ability to demonstrate continuous control to auditors and partners. At the operational level, the transition usually involves combining automatic inventory, continuous validation of external assets, risk-based prioritization and automation of repetitive actions, so that the security team is not trapped in manual tasks that do not scale.
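As an added illustration of the "visibility gap" described above and of the risk-based prioritization this paragraph mentions (not code from the Reflectiz study), the following Python compares a declared asset inventory with a constructed discovery result, lists the assets that exist but were never inventoried, and ranks them with a simple exposure score and the number of days each has gone unmonitored. All asset names, dates and scoring weights are constructed for the example.

```python
"""Visibility gap: declared inventory vs. what continuous discovery finds.
Every value below is a constructed sample, not data from the study."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str          # hostname or third-party script URL
    kind: str          # "domain" or "script"
    external: bool     # reachable from the internet
    third_party: bool  # served or owned by a vendor rather than the org
    first_seen: date   # when discovery first observed the asset


# What the security team believes it monitors (constructed sample).
DECLARED = {"www.example.com", "api.example.com", "cdn.example.com"}

# What a continuous discovery run actually returned (constructed sample).
DISCOVERED = [
    Asset("www.example.com", "domain", True, False, date(2024, 1, 10)),
    Asset("api.example.com", "domain", True, False, date(2024, 1, 10)),
    Asset("staging-old.example.com", "domain", True, False, date(2025, 3, 2)),
    Asset("https://tag.vendor.example/pixel.js", "script", True, True, date(2025, 5, 20)),
    Asset("intranet.example.com", "domain", False, False, date(2025, 4, 1)),
]
TODAY = date(2025, 6, 1)  # reference date for the exposure window


def visibility_gap(declared, discovered):
    """Assets that exist but are missing from the declared inventory."""
    return [a for a in discovered if a.name not in declared]


def stale_inventory(declared, discovered):
    """Inventory entries discovery no longer finds (decommissioned or mislabelled)."""
    return sorted(declared - {a.name for a in discovered})


def risk_score(asset):
    """Constructed weights: internet exposure and third-party ownership
    weigh most; scripts add one point because they run in users' browsers."""
    return 3 * asset.external + 2 * asset.third_party + (asset.kind == "script")


def prioritized_gap(declared, discovered, today):
    """Unknown assets as (name, score, exposure window in days), highest risk
    first and, on ties, the longest-unmonitored asset first."""
    rows = [(a.name, risk_score(a), (today - a.first_seen).days)
            for a in visibility_gap(declared, discovered)]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))


if __name__ == "__main__":
    for name, score, window in prioritized_gap(DECLARED, DISCOVERED, TODAY):
        print(f"score={score} unmonitored={window:3d}d {name}")
    print("stale inventory entries:", stale_inventory(DECLARED, DISCOVERED))
```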

There is no need to reinvent the wheel all at once. Well-documented practices and frameworks already exist that help lay solid foundations for CTEM. The approach can build on standards and guidelines for continuous monitoring and risk management, such as NIST's publications on continuous monitoring, which guide how to integrate telemetry and response processes into sustainable cycles: NIST SP 800-137. The key is to design a progression that combines small tactical wins with the construction of strategic capabilities.


The picture of the market today is clear: organizations that have already bet on CTEM report better levels of visibility and better operational results. This does not mean that adoption is trivial or that every company must rush ahead without a plan. It does mean, however, that for environments with high exposure and many third parties, clinging to periodic controls is a risk that grows with complexity. The relevant question for security teams and leaders is no longer whether CTEM brings value but whether the current architecture and processes can sustain the growth of the digital ecosystem without continuous supervision.

If you want to dig into the data and charts that illustrate these conclusions, you can read the full study published by Reflectiz: CTEM Divide 2026 - Reflectiz. For a complementary perspective on trends in third-party incidents, the 2025 CISO survey provides additional context: Panorays: CISO Survey 2025. And if you are looking to understand the potential economic impact of not closing the gap, the IBM data breach cost report provides quantitative arguments that are often persuasive to management: IBM Data Breach Report.

In the end, the decision is no longer posed only in technical terms: it is strategic. Adopting continuous exposure management can make the difference between maintaining a visible and controllable risk surface and discovering, too late, that the real problem was what was not being seen.
