Problem Framing
Most vulnerability programs begin by asking what exists. CTEM begins by asking what matters. Continuous Threat Exposure Management, as Gartner defined it in 2022, opens with Scoping, not Discovery. Scoping means naming which business services, revenue systems, and regulatory-sensitive data actually matter before any tool touches the network.
Skip that step and every later stage inherits the gap. Discovery finds assets with no ranking of what they connect to. Prioritization scores by CVSS instead of consequence. Validation confirms exploitability with no sense of which exploit actually threatens the business. Mobilization hands remediation teams a list nobody outside security believes is the right list.
Teams that skip scoping treat all assets as equally important. A forgotten VPN gateway gets the same queue position as a customer database. The National Vulnerability Database logged over 40,000 new CVEs in 2024, an average above 100 a day. (Source Type: NVD published statistics · Attribution Confidence: High.) A scanner cannot rank that volume against what the business cannot afford to lose. Only the business can answer that question, and most programs never ask it before the tooling starts running.
Why the Common Approach Fails
Security teams default to asset-driven scanning because it is fast to stand up. Point a scanner at the CMDB, generate a report, start patching by severity score. Nobody asked finance, operations, or legal what actually matters if it goes down. The result is a queue sorted by a vendor’s severity rating instead of the organization’s own risk tolerance.
Colonial Pipeline, May 7, 2021: a single legacy VPN account, password reused from another breach, no multi-factor authentication, gave DarkSide ransomware operators their entry point. (Source Type: Congressional testimony and DOJ statements · Attribution Confidence: High.) The incident illustrates how a remote-access system with extraordinary business consequences can be treated as routine when business criticality is not driving prioritization. Colonial shut down 5,500 miles of pipeline carrying 45% of the East Coast’s fuel supply and paid a $4.4 million ransom within hours of the shutdown.
A scoping exercise that classified remote-access infrastructure as critical-path would have escalated that account’s exposure long before 2021. Scanning without scoping does not fail because the scan is bad. It fails because the scan has no concept of consequence.
The Better Model
Gartner’s five-stage CTEM cycle runs in this order for a reason: Scoping, Discovery, Prioritization, Validation, Mobilization. (Source Type: Analyst framework · Attribution Confidence: High.) Scoping is a business conversation, not a technical one. It answers three questions before any tool runs.
- Which business services generate revenue or carry regulatory exposure if disrupted?
- Which systems, if unavailable for 24 hours, trigger a material incident disclosure?
- Which third parties or vendors sit inside those services’ data or access paths?
Define the scope in those terms and discovery inherits direction. Prioritization inherits weight, because a scope tier gives the team a business multiplier to apply against technical severity instead of treating every CVE as its own island. Skip the step and a team can still call its work CTEM, but it is running a scan-and-patch cycle with new branding.
Scoping sessions belong to business leaders, not just security. A CISO who runs scoping alone produces a security team’s guess at what matters. A CISO who runs scoping with finance, operations, and legal in the room produces a list the business will actually defend during an incident.
Practical Application
Change Healthcare, February 2024: ALPHV/BlackCat affiliates entered through a Citrix portal that lacked multi-factor authentication. (Source Type: Congressional testimony, UnitedHealth Group · Attribution Confidence: High.) That single portal connected to claims-processing systems handling roughly 15 billion transactions a year across the US healthcare system.
UnitedHealth Group disclosed more than $872 million in direct response costs by mid-2024, with disruption reaching pharmacies and providers nationwide for weeks. The portal was known to the security team. The incident demonstrates the cost when internet-facing access into a business-critical service is not prioritized with the urgency its operational role demands.
A working scoping exercise produces a short, named list, not a framework diagram on a slide.
- Name the 5 to 15 business services that cannot go down without material harm.
- Map each service to its actual technical dependencies, including vendor and remote-access paths.
- Assign a scope tier to every asset before discovery tooling runs, so prioritization has a business weight to multiply against severity.
- Revisit the scope list quarterly. Business-critical systems change faster than most programs admit, especially after mergers, new vendor contracts, or cloud migrations.
Neither Colonial’s VPN account nor Change Healthcare’s Citrix portal was unknown. Both were unscoped. The gap was never visibility. It was a refusal to rank what mattered before the tooling started running.
Noorstream Perspective
Scoping is not a checkbox before the real work starts. It is the real work. A CTEM program that begins with discovery is optimizing a queue with no sense of what is actually at stake.
The programs that hold up under an incident are the ones that could name their crown jewels before the ransomware note did.

