CTEM isn’t VM: Moneyballing Breach Prevention

It’s one of the great ironies of the security industry: we are the only profession where more data reliably leads to less clarity.

For twenty years, Vulnerability Management (VM) has been run like a 1990s baseball team. Decisions are made by "scouts" who look for the "good face." In security terms, that means we look at a CVSS score (9.8 or 10.0) and see a high-risk threat. We see a big number, we panic, and we throw resources at it.

The problem is that billions of dollars and millions of person-hours are spent patching “the big numbers,” yet breaches continue to occur because we’ve been using the wrong math.

The Moneyball Shift

In baseball, the revolution occurred when teams realized that flashy home runs didn't win games; on-base percentage did. Security is currently having its Moneyball moment as we’ve realized that Vulnerability Management isn’t the same as Breach Prevention.

The Scouting Report vs. The Win Probability

Traditional VM was the right tool for its era, when:

• Environments were slower-moving
• Identities were fewer
• Attack paths were largely linear and infrastructure-bound

The Limitations of Traditional VM:

• Treats every vulnerability as if it exists in a vacuum
• Ignores the reality of your environment
• Provides a static score telling you what's "broken"

How Attackers Actually Work:

Attackers don’t play the game one vulnerability at a time. They play the path.

They ignore high-severity, unreachable flaws and focus on low-severity weaknesses that create access. A minor exposure on a public-facing service becomes dangerous when it leads to identity misuse, lateral movement, and access to sensitive systems.

Risk isn’t defined by the score of a single flaw. It emerges when weaknesses, identities, and reachability combine into a usable attack path.

The Critical Difference:

• Old VM model: That 4.0 vulnerability was ignored because it didn't "look" like a threat
• Moneyball model (CTEM): That 4.0 could be the most dangerous player because it gets the attacker on base
• CTEM starts with paths and then proves it, attackers don't infer their way in; they traverse it

Why CTEM Became the New Math

CTEM (Continuous Threat Exposure Management) was introduced to shift focus from individual vulnerabilities to the system as a whole. 

CTEM’s Three Fundamental Changes:

• From Inference to Validation: 
  
  • CTEM validates risk directly by determining whether a vulnerability is part of a real attack path.
  • If a flaw can’t be used to move an attacker forward, it’s not a priority.
• From Players to Systems: 
  
  • VM is obsessed with the individual "player" (the CVE)
  • CTEM is obsessed with the "system" (the environment)
  • Recognizes that exposure is an emergent property existing only when identities, network segments, and flaws are linked together
• From Static Lists to Dynamic Scoreboards: 
  
  • A VM scan is a snapshot of the past
  • CTEM is a live scoreboard providing win probability in real-time

CTEM is the shift from scouting reports to win probability: not identifying impressive flaws, but validating which conditions actually lead to a loss.

Why Most CTEM Fail in Practice

Most "CTEM" vendors are just scouts in new clothes, because CTEM without validation is just vulnerability management with more data. Sure, prioritization improves, but uncertainty remains. There are a few more stats added, maybe reachability or basic asset data, but still vulnerabilities are treated as the primary issue because they lack the engine to prioritize anything else.

Human-led workflows struggle to keep pace with the volume, velocity, and combinatorial complexity of modern environments. As exposure signals multiply and environments change continuously, even well-designed CTEM programs become bottlenecked by human-speed analysis and ticket-driven processes.

The ideal CTEM is a cross-signal correlation engine. A real CTEM strategy correlates identities, misconfigurations, and weaknesses into attack paths that traditional VM tools cannot see.

This is where traditional tooling, even well-designed CTEM, begins to break down. Risk no longer emerges from single flaws but from non-linear combinations of signals that shift as environments evolve. Validating these paths requires constant evaluation and feedback loops that operate faster than human review or ticket-based workflows can sustain. 

The constraint is execution. 

The Agentic Leap

Reasoning across an entire environment is computationally expensive and data-intensive. It requires a unified context layer (a continuously updated model of assets, identities, controls, and relationships) rather than isolated tool outputs. Without that foundation, “reasoning” collapses back into inference and heuristics.

With that foundation, we’re moving past “triage-by-consensus” and into an agentic security workflow.

Agentic CTEM is a shift from human-paced prioritization to machine-driven, continuous validation of exposure across the environment.

Instead of starting with vulnerabilities alone, Agentic CTEM reasons across the environment holistically:

• Multi-signal ingestion: CVEs, identities, misconfigurations, CWEs, and asset posture are ingested as first-class inputs, not secondary context added after prioritization.
• Cross-domain correlation: Risk is identified by correlating identity permissions, network reachability, asset exposure, and weaknesses into unified attack paths that reflect how attackers actually move.
• Path-level validation: Detection moves from inference to proof by validating whether signals can be chained into a real, end-to-end attack path in the current environment.
• Continuous reassessment: As identities change, assets appear and disappear, and configurations drift, attack paths are re-evaluated continuously rather than relying on static snapshots or periodic scans.
• Decision-grade outputs: Instead of raw findings or vulnerability tickets, the system produces validated attack paths tied to specific identities, control gaps, and environmental conditions, enabling faster, defensible decisions.

Instead of raw findings, the system produces a validated remediation package which are the affected identities, the reachable path, the control that can break it, and the evidence required for approval.

In this model, detection is no longer about ranking issues or managing backlogs. It is about continuously understanding which combinations of signals create exploitable risk, and doing so at the speed at which the environment evolves.

Breaking the Cycle

VM eventually created a "Decision Gap" where engineers fixed issues that didn't matter while real, cross-signal attack paths remained wide open.

Vulnerability Management is about cataloging what is broken. Agentic CTEM is about understanding what’s dangerous through a unified, integrated security fabric of AI, Data, and Automation. One is a list; the other is a strategy and an autonomous decision-and-validation layer for cyber defense.