Vulnerability prioritisation and validation: continuous threat exposure management (CTEM) series #2

May 20, 2025

Vulnerability prioritisation

We all have to-do lists to triage and decisions to make over which outstanding tasks are most urgent. No one can do everything all at once.

In the world of vulnerability management, prioritisation is particularly tricky given what’s at stake and the lengthening queue of suspected vulnerabilities.

After all, security teams typically manage to patch only about 10% of the known vulnerabilities in their environment each month, according to Cyentia Institute research. That raises vital questions about what gets fixed first, as the window between public disclosure and in-the-wild exploitation keeps shrinking and the cost of data breaches keeps rising.

The five steps of CTEM

A model has emerged in recent years that can answer these questions, as well as offer visibility of the vulnerabilities that might exist and the terrain where they might lurk.

Adoption of this SecOps system, called continuous threat exposure management (CTEM), could lead to a two-thirds reduction in breaches, according to Gartner, which coined the CTEM term.

Focused on vulnerability prioritisation and validation, this is the second part of a series exploring the five phases of CTEM. We’ll explain how YesWeHack’s Attack Surface Management (ASM) product facilitates risk-based remediation with automated priority scores, helps to guide validation decisions, and broadens visibility of potential risk exposures by consolidating multiple sources for vulnerability discovery into a single, unified interface.

The first part explained the first two steps, scoping and discovery, which enable a real-time understanding of an organisation’s attack surface by systematically identifying all of its internet-facing assets – including systems the security team was not aware of due to shadow IT, misconfigurations or the siloed acquisition of tech. The next instalment will cover the final phase: mobilisation of resources to efficiently remediate validated vulnerabilities in order of priority.

Proliferation of vulnerabilities

An inevitable corollary of complex, expanding and fast-changing attack surfaces is, of course, an increase in the number of vulnerabilities exposed across them.

Reflecting this trend, the number of new vulnerabilities discovered in 2024 jumped 38% year-on-year, reaching an all-time record of 40,009 new CVEs (common vulnerabilities and exposures).

With a burgeoning workload and hampered by the ongoing cyber-skills shortage, it’s unsurprising that security teams are struggling to remediate the security flaws they know about, let alone bring hidden bugs to light.

Multiple testing sources

YesWeHack’s Attack Surface Management (ASM) solution supports security teams in implementing CTEM by helping them to prioritise the most critical vulnerabilities, as well as streamlining the vulnerability management process to ensure timely remediation of the rest.

The PRIORITISATION and VALIDATION phases follow SCOPING, where SecOps teams declare their domain names and IP ranges/addresses, and DISCOVERY, where our backend scanners detect related domains and subdomains, reachable services and associated technologies, then continuously detect any newly-surfaced online assets thereafter.

PRIORITISATION involves evaluating the urgency of ‘findings’ (suspected vulnerabilities) based on auto-generated priority scores.

Unlike standalone ASM platforms, our platform integrates vulnerabilities from multiple sources into a single, unified interface. These sources include:

  • Automated CVE scanning – drawn from a Vulnpedia module that is updated daily with in-the-wild vulnerability data, such as affected vendors, detection tools, public exploits and patches
  • Bug Bounty Programs
  • Traditional pentesting via our Pentest Management product
  • Vulnerability Disclosure Policies (VDPs)
  • Coming soon: Active Vulnerability Scanner within the ASM

Located in the Vulnerability Center with standardised formats and workflows, findings from all sources are consolidated into a single, unified view – providing a one-stop-shop for managing vulnerabilities.

Priority scores

Priority scores, automatically generated by a transparent, easy-to-understand algorithm, assess a vulnerability’s risk in the context of the organisation’s environment rather than in isolation. This saves SecOps teams time and empowers them to make the right decisions. They also retain ultimate control, since they can manually adjust scores to reflect their risk appetite and operational context.

The most widely used metric for a vulnerability’s severity is of course the CVSS (Common Vulnerability Scoring System) base score, which combines how easily the flaw can be exploited (attack vector, attack complexity, and the privileges and user interaction required), its impact on confidentiality, integrity and availability, and whether exploitation can affect components beyond the vulnerable one.

Despite criticism from some quarters for oversimplifying and misrepresenting real-world risk, CVSS is a valuable metric. But it measures technical severity in the abstract: it says nothing about whether a given flaw is actually being exploited, or what it would cost your organisation if it were.

That’s why our priority scores are based not just on CVSS but also in-the-wild exploitability and the affected asset’s criticality value.

In-the-wild exploitability is taken from the Exploit Prediction Scoring System (EPSS), maintained by FIRST, which uses machine learning trained on threat intelligence feeds, public exploit databases and the characteristics of previously exploited vulnerabilities to estimate the probability (from 0 to 1) that a vulnerability will be exploited in the wild within the next 30 days. Unlike a CVSS base score, an EPSS score changes as new exploitation evidence appears, so a finding’s priority can rise after it has first been triaged.

The asset value, meanwhile, reflects the criticality of the asset where the vulnerability resides. This metric is generally higher if, for instance, the asset stores sensitive data, is a potential springboard into the wider network, or if its downtime would significantly disrupt the business and its customers. Asset value is set manually by the ASM customer, because only they truly understand the function and importance of the component or system in question.
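To make the three inputs concrete, here is an added worked example in Python. It is not YesWeHack’s scoring algorithm (this page does not publish the ASM’s weights); the weights, the 1-to-5 asset-value scale, the manual-override mechanism and the four findings are assumptions constructed for illustration. It shows why the same findings rank differently by CVSS alone than by a score that also weighs EPSS and asset criticality.

```python
"""Illustrative risk-based priority score: CVSS + EPSS + asset criticality.

Added example, not YesWeHack's algorithm. Weights, scales and sample
findings below are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed weights; they sum to 1 so the score lands in 0..100.
# A real deployment would tune these to its own risk appetite.
W_CVSS, W_EPSS, W_ASSET = 0.4, 0.4, 0.2


@dataclass(frozen=True)
class Finding:
    ref: str           # internal finding reference (constructed, not a real CVE id)
    asset: str         # where the suspected vulnerability was found
    cvss: float        # CVSS base score 0.0..10.0: technical severity only
    epss: float        # EPSS: probability of in-the-wild exploitation within 30 days
    asset_value: int   # criticality set by the asset owner, 1 (low) .. 5 (crown jewel)


def priority_score(f: Finding) -> float:
    """Hypothetical 0..100 score: normalise each input to 0..1, then weight."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0 and 1 <= f.asset_value <= 5):
        raise ValueError(f"out-of-range input for {f.ref}")
    severity = f.cvss / 10.0
    likelihood = f.epss
    criticality = f.asset_value / 5.0
    return round(100 * (W_CVSS * severity + W_EPSS * likelihood + W_ASSET * criticality), 1)


def rank(findings: Iterable[Finding],
         overrides: Optional[Dict[Tuple[str, str], float]] = None) -> List[Tuple[str, float]]:
    """Order findings by priority score, highest first.

    `overrides` maps (ref, asset) to a score an analyst has set by hand,
    mirroring the point that SecOps teams keep final control over priority.
    """
    overrides = overrides or {}
    scored = [(overrides.get((f.ref, f.asset), priority_score(f)), f) for f in findings]
    return [(f.ref, s) for s, f in sorted(scored, key=lambda t: t[0], reverse=True)]


def by_cvss(findings: Iterable[Finding]) -> List[str]:
    """Baseline for comparison: severity-only ordering, highest CVSS first."""
    return [f.ref for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    Finding("F1", "dev-test-vm",   cvss=9.8, epss=0.01, asset_value=1),  # critical CVSS, nobody exploits it, throwaway host
    Finding("F2", "customer-api",  cvss=7.5, epss=0.92, asset_value=5),  # actively exploited, crown-jewel system
    Finding("F3", "sso-portal",    cvss=5.3, epss=0.30, asset_value=4),  # medium severity, springboard into the network
    Finding("F4", "marketing-cms", cvss=8.8, epss=0.05, asset_value=2),  # high severity, little exploitation, low-value asset
]

if __name__ == "__main__":
    print("CVSS only :", by_cvss(SAMPLE))                     # F1, F4, F2, F3
    print("Risk-based:", rank(SAMPLE))                        # F2 first, F1 last
    print("With analyst override:", rank(SAMPLE, {("F1", "dev-test-vm"): 95.0}))
```

Note how F1 drops from first to last once exploitability and asset value are taken into account, while F2 rises to the top despite a lower CVSS score; the override dictionary shows how an analyst who knows something the model does not can still pin a finding to the front of the queue.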

How prioritisation informs validation

The prioritisation algorithm provides invaluable input for the next CTEM phase: VALIDATION, where SecOps teams manually confirm or reject each finding as exploitable within the context of their environment.

The EPSS score and asset value are particularly useful in judging whether a vulnerability poses a genuine security risk, taking into account:

  • In-the-wild threats
  • The system where it exists
  • How that system is configured
  • And defensive mechanisms in place

Validation decisions can also be informed by engagements outside the ASM, such as:

  • Red and purple team exercises
  • Breach and attack simulations (BAS)
  • And by testing whether controls such as firewalls and SIEM detection rules actually block or flag an exploitation attempt

When findings are confirmed within our ASM, a vulnerability report is automatically generated for security teams to act upon.

Unified, comprehensive, risk-based

A suite of other ASM features also empowers SecOps teams to implement a unified, comprehensive and risk-based approach to security testing. A dashboard gives a real-time overview of attack surface coverage and vulnerability exposure through multiple metrics and filters, such as filtering by priority score and charts showing ‘vulnerable assets by category’ and the ‘top 5 most vulnerable assets’. Time-to-fix can be shortened, meanwhile, by pushing vulnerability reports into popular bug-tracking tools and tracking their status in real time through our connectors and public API.

Next up in this series is an examination of the final CTEM phase: MOBILISATION. After that we’ll publish a follow-up article exploring the synergy between Bug Bounty Programs and CTEM – with benefits including optimised testing coverage and cost-effective hardening of your exposed vectors.

Schedule a demo with YesWeHack today and discover how a risk-based approach can transform your organisation's security strategy.