Before I expand on the impact of threat exposure, let’s first define continuous threat exposure management. This is a framework developed by Gartner to help businesses proactively manage and minimise cyber security risks.
It emphasises continuous monitoring, assessment and remediation of vulnerabilities across an organisation's attack surface, shifting from traditional, periodic vulnerability scans to a more dynamic and ongoing approach.
Now let's move to threat validation which, again according to Gartner, is the process of confirming that an exposure can be exploited. It uses offensive security methods to evaluate security controls, identify weaknesses and validate the exploitability of vulnerabilities and unpatchable points of threat exposure. The use cases Gartner cites include defence optimisation, exposure awareness and scaling offensive testing.
Cymulate's 2025 Threat Exposure Validation Impact Report is the result of a survey of 1 000 CISOs, SecOps practitioners, and red and blue teamers across the globe with one goal: to discover how they validate cyber security in their cloud, on-premises and hybrid environments.
The report explores the role of artificial intelligence (AI), the rise in automation and the need to evolve legacy best practices − like manual penetration testing − into continuous, proactive processes. The survey also explored the evolution − and challenges − of exposure management within SecOps teams.
Companies are realising that reactive security methods are no longer sufficient to defend against the scale, speed and sophistication of new and emerging threats. And an offensive approach that leverages automation and AI is crucial to achieving true cyber resilience.
The report’s findings also shed light on the current cyber security reality, the extent to which businesses have been impacted by breaches and how CISO confidence in existing processes is at an all-time low.
Results served to highlight how CISOs struggle to identify and remediate cloud exposures, as well as their underlying concerns around their security teams’ ability to defend against attacks.
The results are clear: exposure validation is evolving into a pillar of modern cyber security and more organisations are integrating it into their security arsenal to optimise defences.
Threat exposure validation is a must-have
Reactive security is no longer viable. As cyber attacks grow more sophisticated, most security leaders are worried about the ability of their existing security defences to protect against threats. 96% of surveyed businesses experienced at least one security breach in the last year and noted long testing times had left them vulnerable.
It is vital that SecOps teams are 100% confident, not only in the effectiveness of their security controls, but also that those controls are working as intended. However, the research reveals widespread doubt and underscores the concerns of CISOs regarding their ability to prevent complex threats.
In fact, 84% of security leaders surveyed said they are concerned about the ability of their security defences to withstand an attack from a sophisticated threat actor. This is where offensive security processes, such as threat exposure validation, come to the fore.
The use of automation and AI continues to grow across enterprise environments. Manual processes simply cannot keep up with the countless alerts, misconfigurations, gaps and potential threats plaguing businesses on a daily basis.
It is no surprise that many organisations are implementing automation and AI into their security processes. When asked what security validation methods they use, respondents surveyed were most likely to say automated security control validation (44%) and automated penetration testing (39%).
These stats are hardly surprising. Automation is having a major impact on businesses’ ability to filter through alerts and identify the threats that require immediate remediation. On average, respondents surveyed say that compared to manual security testing methods, they can test over 230x more threats with automated security control validation.
Moreover, respondents who have had one to three security breaches in the past year can test 197x more threats with automated security validation, and those who experienced seven to nine breaches reported the ability to test 356x more.
The survey revealed that, on average, enterprises that have implemented AI into their exposure validation process take 24 fewer hours to test their defences against newly identified cyber threats, compared to those that have not implemented it.
The research endorses the fact that companies are increasingly embracing AI as a way of bolstering their cyber security protocols. 89% of respondents have already begun to implement AI into their exposure validation processes, with seven in 10 agreeing that this year they want their businesses to take an innovative approach to leveraging AI adoption for security.
My next article on this research will reveal the key role exposure management will play in 2025.