
The benefits of exposure validation

Companies see a reduction in breaches as a result of implementing continuous threat exposure management and plan to invest further.
By Luke Cifarelli, South Africa country manager, Cymulate.
Johannesburg, 04 Sept 2025

Exposure validation is a critical part of any continuous threat exposure management (CTEM) solution. The benefits − such as improved control, more efficient patching and mitigation, and increased resilience against the latest threats − are clear, and exposure validation enables security teams to optimise cyber defences and validate real threat exposures.

These are the research findings of the Cymulate Threat Exposure Validation Impact Report 2025.

Organisations that run exposure validation testing at least once per month have experienced a 20% reduction in breaches. Prioritisation of security gaps is another benefit highlighted by survey respondents.

The 37% who have implemented an exposure validation solution say it's resulted in a more efficient prioritisation of exposures that are most likely to impact the organisation. Moreover, 30% say exposure validation has resulted in having readily available cyber resilience metrics.

According to survey respondents, the top benefits of exposure validation are:

  • 47% reported improved security controls for prevention and detection.
  • 47% achieved improved mean time to detection.
  • 44% had improved hand-off to system owners who are responsible for patching and mitigation.
  • 41% have confidence in the security program's ability to handle the next significant threat.
  • 40% noted increased threat resilience against the latest immediate threats.
  • 37% experienced continuous validation and tuning of security controls.

Taking all this into account, it is hardly surprising that 71% of surveyed security leaders view threat exposure validation as absolutely essential in 2025.

Legacy security?

Pen testing is a good example of legacy security processes. It's manual, costly, limited in scope and has reduced defence efficacy. Pen tests only provide a point-in-time assessment. They are most effective when combined with other security practices, such as security control validation, so that a multi-layered defence strategy is created.

In fact, 67% of respondents say that when it comes to manual pen testing, the major drawback is infrequent testing (as the tests are not automated). This leaves long gaps between assessments, so they don't identify security control drift or understand the potential impact of new threats.

The survey revealed 67% of respondents felt infrequent testing due to manual pen tests leaves gaps in assessments. The majority of security leaders were reported to agree that manual pen tests cannot deliver on security validation.

More than two-thirds (67%) noted that when it comes to penetration testing, scope limitations are an issue. Moreover, time constraints (66%) and missing exposures due to manual testing (65%) are also cited as problematic, highlighting a clear opportunity for companies to achieve more value, efficacy and results through automation.

The cyber threat landscape is evolving at lightning speed. It's becoming commonplace for threat actors to use AI in their attacks. Now more than ever, it is critical that businesses move away from manual testing methods and embrace the inclusion of AI in their technology implementations and cyber best practices.

One such way to do that is to deploy an AI-powered exposure validation solution. This will enable security teams to quickly, efficiently and intelligently focus on the most relevant threats, exposures and vulnerabilities across their entire IT environment.

What about cloud?

Enterprises are shown to be struggling to identify and remediate cloud exposures. Cloud environments are complex, ephemeral and often multi-layered, with each layer relying on different security controls for protection.

Because of this, common cloud security technologies, such as cloud security posture management, don't validate cloud security effectiveness − leaving organisations in doubt about their true cloud security posture.

While businesses are using a variety of security methods, including cloud security information and event management (38%), cloud native tools (38%) and cloud infrastructure entitlement management (38%), their ability to quickly validate cloud exposures on a continuous basis is lacking.

The research reveals that many security leaders are unable to adequately manage cloud exposures. In fact, 61% of security leaders reported their companies lacked the ability to identify and remediate exposures in their cloud environments.

An additional 37% say it can take up to 24 hours to validate cloud exposures. Only 9% of organisations run exposure validation in their cloud environments on a daily basis. Just one in six (16%) reported they were able to validate exposures in their cloud within one hour.

Ninety percent of security leaders say they apply validation in their exposure management process at least once a month. The more businesses apply validation to their exposure management processes, the more likely they are to experience a decrease in security breaches.

The bottom line

While this article cannot expose the full extent of the research findings, the bottom line is that exposure management is clearly playing a key role in 2025.

Not only are businesses seeing a reduction in breaches as a result of implementing a CTEM process, but the vast majority are planning to invest further in the coming year.

However, the success of exposure management hinges on the right approach and the right technology that proves the exploitability of the exposure within a specific environment. As such, validation is a critical component of a successful CTEM process.
