We've Been Managing Vulnerabilities Wrong for 25 Years. Here's What Changed. - Safe Security

Blog

Jul 2, 2026

Series: Understanding CTEM and Why It Matters | Part 1 of 3

Safe CTEM prioritizes exposures based on business impact analysis

By: Ramesh Ramachandran

Ask any security leader how their team spends most of its time, and you’ll get a version of the same answer: chasing findings. Reconciling scanner outputs. Arguing over what to patch first. Writing up reports that go stale before anyone reads them.

It’s exhausting. And more to the point, it isn’t working.

The way enterprises manage exposure risk has gone through four distinct eras over the past 25 years. Each one was a genuine improvement on what came before. None of them was built for the environment we’re in now. Understanding that progression — and where it breaks down — is the only honest starting point for a conversation about what Continuous Threat Exposure Management actually solves.

Era One: The Compliance Scan (Late 1990s – Early 2010s)

  • Vulnerability management began as an audit requirement for due diligence, not actual risk reduction.
  • The workflow involved simple quarterly or half-yearly scans (Nessus, Qualys, OpenVAS), followed by patching critical findings before the next audit.
  • Attack surfaces were smaller, networks had real perimeters, and adversaries moved more slowly.
  • The process focused on what existed but failed to capture attacker intent, which proved problematic as exploitation became easier.

Era Two: Risk-Based VM — Better Prioritization, Same Broken Pipeline (2010s – 2020)

  • By the early 2010s, the quarterly scan model had collapsed due to tens of thousands of new CVEs annually and an expanded attack surface (On-Prem, Cloud, Mobile, SaaS).
  • Risk-Based Vulnerability Management (RBVM) emerged to introduce context, such as asset criticality and network exposure.
  • This was progress, but RBVM scored vulnerabilities in isolation and did not model attack chains.
  • Implementing multiple tools (RBVM, Cloud Security, EDR, CMDBs, and more) led to fragmented scanner outputs, conflicting severity scores, and unreconciled data.
  • By 2019, the average remediation rate was only 10–15% per cycle, and the findings backlog was widening.

Era Three: The AI Wave — Both Sides Get Faster (2020–2025)

  • Starting around 2020 and accelerating sharply through 2023 and 2024, AI capabilities began materially changing what was possible in security on both the defensive and offensive sides.
  • On the defensive side, machine learning models started improving anomaly detection, behavioral analysis, vulnerability discovery, and prioritization.
  • The median time from vulnerability disclosure to a weaponized exploit collapsed from 771 days (2018) to under four hours (2024).
  • The CISA Known Exploited Vulnerabilities (KEV) Catalog emerged as a vital reference for prioritizing urgent remediation of actively exploited flaws.
  • Unlike generic severity scores (CVSS), which treat every vulnerability as if it existed in an identical environment with no business or asset context, KEV reflects which flaws are actually being exploited.
  • Security teams were better equipped but not gaining ground because adversaries were moving faster.

Era Four: The Mythos Inflection Point (The Most Critical Era)

  • Anthropic released Claude Mythos Preview in April 2026, demonstrating unprecedented cyber capabilities and autonomously identifying thousands of previously unknown zero-day vulnerabilities.
  • In its first month, Project Glasswing identified over ten thousand high- or critical-severity vulnerabilities in systemically important software, with partners like Cloudflare and Mozilla reporting drastic increases in bug-finding rates.
  • Mythos developed working exploits on the first attempt in over 83% of cases; however, the patching bottleneck has shifted to human capacity, causing an “avalanche” of reports that maintainers are struggling to verify and fix.
  • To aid defenders, Anthropic released Claude Security in public beta for enterprise customers and is making custom instructions and threat model builders available to qualifying security teams.
  • OpenAI launched the DayBreak initiative, which uses AI models to help cyber defenders build security resilience directly into software through automated secure code review, threat modeling, and patch validation, shifting defense to the beginning of the development lifecycle.
  • This AI-driven speed has dramatically collapsed the median time from vulnerability discovery to weaponized exploit, a transition graphically emphasized in Anthropic’s research.
  • In June 2026, Anthropic launched Claude Fable 5 and Claude Mythos 5, marking a strategic pivot toward empowering cybersecurity defenders. While the initial Mythos Preview proved that AI could uncover systemic vulnerabilities at scale, these latest iterations provide advanced security reasoning and defensive capabilities. Anthropic is currently expanding access to Mythos 5 through a trusted access program, enabling security teams to operationalize the high-fidelity analysis that previously identified thousands of zero-day vulnerabilities.

The Deduplication Problem Nobody Talks About Enough

Every era of vulnerability management made this worse, not better. Here’s the core of it:

Why the data is broken:

  • Each tool in the security stack (endpoint agents, CSPM, EASM, container scanners, identity products, network scanners) adds another findings pipeline, and each runs its own asset model, its own CVE taxonomy, and its own severity scale
  • The same underlying vulnerability shows up three times across three tools, tagged to slightly different asset records, with conflicting scores and conflicting fix recommendations
  • No single tool knows it’s looking at the same problem as the others

What that costs security teams in practice:

  • Analysts spend a disproportionate share of their time reconciling tool outputs rather than reducing risk
  • Remediation owners receive multiple, conflicting tickets for the same issue, which erodes trust in the data and leaves the critical divide between Security and IT teams unaddressed.
  • Asset ownership is ambiguous when every tool carries a different version of the same asset record
  • Prioritization becomes unreliable: the same finding scores as critical in one tool and medium in another, with no clear way to know which is right
  • Without effective deduplication and prioritization, validating findings against compensatory controls or attack paths remains a significant, unsolved challenge—a gap that modern CTEM tools are specifically engineered to close.

Why AI makes it worse before it makes it better:

  • AI-native discovery — defensive or eventually adversarial — generates findings at orders-of-magnitude higher volume
  • More findings are useless without a unified, deduplicated asset model underneath them
  • Without that foundation, prioritization is noise dressed up as signal

Any serious CTEM implementation has to solve the deduplication problem at the foundation level. Everything else — prioritization, validation, mobilization — depends on it.
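The normalization step the bullets above describe, shown as an added example rather than code from this post or from SAFE: three hypothetical tools ("netscan", "cspm", "edr") report the same flaw under different asset identifiers, CVE spellings and severity vocabularies, and a small unified asset model collapses them onto one (asset, CVE) record while keeping each tool's score visible. The asset model, tool names, field layouts and findings are constructed, and the CVE numbers are placeholders, not real identifiers.

```python
import re
from collections import defaultdict

# Constructed unified asset model: each canonical asset lists every identifier
# that the tools are known to use for it, plus the business context CTEM needs.
ASSET_MODEL = {
    "asset-0001": {
        "aliases": {"web-01", "web-01.corp.example", "10.0.1.15", "i-0abc123"},
        "owner": "platform-team",
        "business_unit": "payments",
    },
    "asset-0002": {
        "aliases": {"db-01", "10.0.2.7"},
        "owner": "dba-team",
        "business_unit": "payments",
    },
}

# Reverse index: any alias -> canonical asset id.
ALIAS_INDEX = {alias: asset_id for asset_id, rec in ASSET_MODEL.items() for alias in rec["aliases"]}

# Field each (hypothetical) tool uses to identify the asset it scanned.
ASSET_FIELDS = {"netscan": "host", "cspm": "instance", "edr": "hostname"}

# Every tool's severity vocabulary is mapped onto one ordinal scale (1 = low .. 4 = critical).
WORD_SCALE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LEVEL_NAME = {4: "critical", 3: "high", 2: "medium", 1: "low"}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(raw):
    """Canonicalise a CVE identifier: strip whitespace, upper-case, validate the shape."""
    cve = raw.strip().upper()
    if not CVE_RE.match(cve):
        raise ValueError(f"unrecognised CVE identifier: {raw!r}")
    return cve


def normalize_severity(finding):
    """Map a tool-specific severity (a word or a CVSS base score) onto the shared 1..4 scale."""
    if "cvss" in finding:  # numeric score -> CVSS v3 qualitative bands
        score = float(finding["cvss"])
        return 4 if score >= 9.0 else 3 if score >= 7.0 else 2 if score >= 4.0 else 1
    return WORD_SCALE[finding["severity"].lower()]


def resolve_asset(finding):
    """Look the tool's asset identifier up in the unified model; None if the model can't place it."""
    return ALIAS_INDEX.get(finding.get(ASSET_FIELDS[finding["tool"]]))


def deduplicate(raw_findings):
    """Collapse raw findings onto (asset, CVE); returns (unified exposures, unmapped findings)."""
    groups = defaultdict(list)
    unmapped = []
    for f in raw_findings:
        asset_id = resolve_asset(f)
        if asset_id is None:
            unmapped.append(f)  # nobody can own or prioritise what the model cannot place
            continue
        groups[(asset_id, normalize_cve(f["cve"]))].append(f)

    exposures = []
    for (asset_id, cve), members in sorted(groups.items()):
        levels = {m["tool"]: normalize_severity(m) for m in members}
        exposures.append({
            "asset": asset_id,
            "owner": ASSET_MODEL[asset_id]["owner"],
            "business_unit": ASSET_MODEL[asset_id]["business_unit"],
            "cve": cve,
            "sources": sorted(levels),
            "per_tool_severity": {t: LEVEL_NAME[lvl] for t, lvl in levels.items()},
            # Conservative resolution: keep the highest level any tool assigned,
            # and flag the record so the disagreement stays visible to the analyst.
            "severity": LEVEL_NAME[max(levels.values())],
            "conflicting": len(set(levels.values())) > 1,
        })
    return exposures, unmapped


# Constructed raw findings. The CVE numbers (CVE-0000-...) are placeholders, not real ids.
RAW_FINDINGS = [
    {"tool": "netscan", "host": "10.0.1.15", "cve": "CVE-0000-0001", "severity": "High"},
    {"tool": "cspm", "instance": "i-0abc123", "cve": " cve-0000-0001 ", "severity": "CRITICAL"},
    {"tool": "edr", "hostname": "web-01.corp.example", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"tool": "edr", "hostname": "db-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"tool": "netscan", "host": "10.0.9.9", "cve": "CVE-0000-0003", "severity": "Medium"},
]

if __name__ == "__main__":
    exposures, unmapped = deduplicate(RAW_FINDINGS)
    print(f"{len(RAW_FINDINGS)} raw findings -> {len(exposures)} unified exposures, {len(unmapped)} unmapped")
    for e in exposures:
        print(e)
```

Five raw findings become two exposures, each with a single owner, and the one finding on a host the model has never seen is surfaced as unmapped instead of silently becoming a fourth record; the conflicting High/Critical/High scores for the first exposure are resolved conservatively but kept per tool so the disagreement can be investigated.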

De-duplication in SAFE CTEM

What CTEM Actually Changes

Gartner introduced CTEM in 2022. It’s not a product category — it’s a program model built around five continuous stages: Scoping, Discovery, Prioritization, Validation, and Mobilization.

Three things separate it from everything that came before:

  1. It starts with business risk, not scan coverage
  • Scope is defined by what the organization can’t afford to lose — not what’s easiest to scan
  • Prioritization is anchored in attack analysis and financial impact, not CVSS scores
  • A unified, business-contextualized asset model becomes the foundation, which also solves the deduplication problem as a byproduct
  • Compensating controls (e.g., EDR, network segmentation, WAF) are evaluated along the attack path or likely kill chain, against frameworks like MITRE ATT&CK, to quantify their true risk-reduction impact. This lets remediation teams prioritize the most critical exposures rather than being overwhelmed by massive, unprioritized backlogs. Without this context, teams often spend months chasing stale vulnerabilities, only to be buried by a fresh, even larger list before they can finish.
  2. It runs continuously — not on a schedule
  • The attack surface changes daily: cloud workloads spin up, shadow IT proliferates, identities multiply
  • A program built around periodic snapshots is always catching up
  • CTEM is architected to match the pace at which the surface actually changes
  3. It connects assessment directly to remediation
  • Mobilization — the fifth stage — is a first-class program function, not an afterthought
  • Structured workflows push findings into ITSM platforms with defined ownership and SLA tracking
  • Agentic automation handles the coordination overhead that kills most legacy remediation pipelines
  • Mobilization is about end-to-end automation. A mature CTEM platform integrates deeply with your existing ecosystem—ITSM platforms for ticketing, CMDBs for accurate asset and owner correlation, and patch management tools—to drive verified remediation. Automating exception management, reporting, and workflow orchestration, it eliminates the manual bottlenecks that plague most programs, ensuring that patches and compensatory controls are implemented at the speed of the modern attack surface.

The result when all three work together:

Instead of 50,000 findings ranked by severity score, security teams get a continuously updated, focused picture of the exposures that sit on realistic attack paths toward their most critical assets — ordered by what exploitation would actually cost the business. In a post-Mythos world where adversaries can chain medium-severity findings at machine speed, working from the right list isn’t a nice-to-have. It’s the baseline.

Where SAFE CTEM Fits In

SAFE had been working on this problem before CTEM became standard vocabulary. The core insight on which the company was built: vulnerability data is only useful when it’s connected to business impact analysis.

CRQ + CTEM in SAFE
Prioritize findings based on business impact

The foundation — Cyber Risk Quantification

  • SAFE’s CRQ engine, built on the FAIR framework, translates exposure findings into financial terms that boards and executives can act on
  • Named the category leader by Forrester Research in Q2 2025
  • Knowing a system is vulnerable is not the same as knowing what it costs the business if that system is exploited — SAFE built the bridge between those two things
  • Built on the globally trusted open FAIR standards, ensuring defensible data for strategic investment planning and regulatory compliance.
  • Analyzes approximately 600 threat events daily through the Threat Research team to keep risk models continuously updated.
  • Helps organizations achieve significant operational efficiency, including a 73% reduction in assessment time and up to 20% savings on cyber insurance premiums.
  • Trusted by major enterprises like T-Mobile, Victoria’s Secret, and Booz Allen Hamilton to communicate cyber risks in business language through executive-ready dashboards.
  • SAFE is recognized as a Gartner Visionary for Exposure Assessment Platforms
  • By unifying impact quantification and exposure analysis, SAFE developed the SAFE One Cyber Risk Singularity Platform.

Why CRQ is critical in the Mythos era

  • Prioritizes Signal Over Noise: AI-driven vulnerability discovery moves at machine speed, making static CVSS-based prioritization insufficient. CRQ filters out the “noise” of AI-generated floods, focusing effort on exposures that threaten the organization’s most critical assets.
  • Defensible “Blast Radius” Calculations: Provides rapid, data-backed decisions on remediation, essential when adversaries can chain multiple medium-severity findings into a critical breach in seconds.

Why CRQ matters for the CISO organization

  • Translates Strategy into Business Value: Shifts the CISO’s narrative from technical jargon to business strategy, justifying investments by linking spend directly to quantifiable risk reduction.
  • Optimizes Capital Allocation: Moves beyond tool efficacy to demonstrate exactly how much financial risk is retired and how security programs actively support resilience and compliance goals for the Board and C-Suite.
Zero-Day Auto-Responder
Agentic Workflows in SAFE CTEM

What this means in practice

  • Ingests data from 100+ integrations across the security and IT stack
  • Normalizes everything against a unified asset model — duplicates collapse, conflicting records resolve
  • Every exposure gets a financial impact estimate, not just a severity score
  • Agentic workflows push remediation into ServiceNow and Jira and track it through to completion
  • Exposure state is monitored over time — not just whether tickets are closed, but whether risk actually declined

While SAFE’s CRQ provides the strategic foundation by quantifying annualized loss in financial terms using the FAIR model, SAFE CTEM empowers operational teams with the technical focus needed to act. By bridging these perspectives, SAFE’s agentic workflows prioritize findings based on business impact, ensuring remediation efforts are consistently aligned with the organization’s most critical risks.
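The prioritization logic that the "three things" list above and this paragraph describe, carried through as an added example that is not SAFE's CRQ engine: each exposure gets a FAIR-style annualized loss expectancy (ALE = loss event frequency x loss magnitude, with loss event frequency decomposed into threat event frequency x the probability that an attempt succeeds after compensating controls), exposures are ranked by that figure instead of by CVSS, and a chain of two medium-severity findings on the path to a high-value asset is scored against a lone critical on a low-value one. Every asset, loss figure, frequency, control effectiveness and exposure below is a constructed assumption, and the function and asset names are hypothetical.

```python
# Constructed business context per asset: what a loss event on it costs, and whether
# it is reachable from the internet (drives how many attempts per year we assume).
ASSETS = {
    "payments-db": {"loss_magnitude": 8_000_000, "internet_facing": False},
    "web-frontend": {"loss_magnitude": 1_500_000, "internet_facing": True},
    "dev-jumpbox": {"loss_magnitude": 50_000, "internet_facing": True},
}

# Assumed residual fraction of attempts that still succeed when a control is present.
CONTROL_RESIDUAL = {"edr": 0.5, "segmentation": 0.3, "waf": 0.4}

BASE_TEF = {True: 4.0, False: 1.0}  # assumed threat events per year: internet-facing vs internal
KEV_MULTIPLIER = 3.0                # assumed uplift for flaws listed as actively exploited (CISA KEV)


def threat_event_frequency(exposure):
    """TEF: how often someone attempts this exposure per year (assumption-driven)."""
    tef = BASE_TEF[ASSETS[exposure["asset"]]["internet_facing"]]
    if exposure.get("kev"):
        tef *= KEV_MULTIPLIER
    return tef


def vulnerability(exposure, with_controls=True):
    """Probability that an attempt becomes a loss event, after compensating controls."""
    p = exposure["cvss"] / 10.0  # crude base assumption: higher CVSS, easier exploitation
    if with_controls:
        for control in exposure.get("controls", []):
            p *= CONTROL_RESIDUAL[control]
    return p


def annualized_loss(exposure, with_controls=True):
    """FAIR: ALE = LEF x LM, with LEF = TEF x vulnerability."""
    lef = threat_event_frequency(exposure) * vulnerability(exposure, with_controls)
    return lef * ASSETS[exposure["asset"]]["loss_magnitude"]


def control_risk_reduction(exposure):
    """Dollars of annualized loss retired by the exposure's compensating controls."""
    return annualized_loss(exposure, with_controls=False) - annualized_loss(exposure)


def path_annualized_loss(steps):
    """Chained exposures: the attacker must succeed at every step, attempts arrive at the
    entry step's TEF, and the loss is the final asset's loss magnitude."""
    p = 1.0
    for step in steps:
        p *= vulnerability(step)
    return threat_event_frequency(steps[0]) * p * ASSETS[steps[-1]["asset"]]["loss_magnitude"]


def rank_by_cvss(exposures):
    return [e["id"] for e in sorted(exposures, key=lambda e: e["cvss"], reverse=True)]


def rank_by_ale(exposures):
    return [e["id"] for e in sorted(exposures, key=annualized_loss, reverse=True)]


# Constructed exposures (CVSS values and control sets are illustrative assumptions).
EXPOSURES = [
    {"id": "E1", "asset": "dev-jumpbox", "cvss": 9.8, "kev": False, "controls": ["edr"]},
    {"id": "E2", "asset": "web-frontend", "cvss": 6.5, "kev": True, "controls": ["waf"]},
    {"id": "E3", "asset": "payments-db", "cvss": 5.3, "kev": False, "controls": ["segmentation"]},
]
BY_ID = {e["id"]: e for e in EXPOSURES}

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f'{e["id"]} cvss={e["cvss"]:<4} ALE=${annualized_loss(e):,.0f} '
              f'controls retire ${control_risk_reduction(e):,.0f}')
    print("by CVSS:", rank_by_cvss(EXPOSURES))
    print("by ALE: ", rank_by_ale(EXPOSURES))
    chain = [BY_ID["E2"], BY_ID["E3"]]
    print(f"two chained mediums (E2 -> E3): ${path_annualized_loss(chain):,.0f} "
          f"vs the lone critical E1: ${annualized_loss(BY_ID['E1']):,.0f}")
```

Under these assumptions the CVSS ranking puts the 9.8 on the disposable jumpbox first, while the ALE ranking pushes it to the bottom and the KEV-listed medium on the internet-facing frontend to the top; the chained pair of mediums ending at the payments database carries roughly forty times the annualized loss of the lone critical, which is the "chain medium-severity findings into a critical breach" case in concrete numbers. Swapping the constants for figures calibrated to your own environment is the real work; the structure of the calculation is what the example is meant to show.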

For enterprise customers navigating the shift this blog describes, that combination — unified asset model, business-contextualized prioritization, agentic remediation, on a single platform — is what a CTEM program grounded in reality looks like.

Part 2 of this series covers the first two stages of the CTEM lifecycle — Scoping and Discovery — and why getting them right is harder and more consequential than most programs assume. It will also take a deeper look at SAFE CTEM.

See how SAFE transforms your CTEM: unified exposure visibility, AI-driven prioritization, and quantified risk in business terms. Built for enterprise scale.