Ask any security leader how they decide what to fix and you’ll get some version of the same answer. Scope the attack surface. Discover what’s exposed. Prioritize by severity. Validate what’s exploitable. Remediate. Until recently, it’s been a reasonable process.
Ask the same leader whether they understand what that process is actually protecting, and the answer gets a lot shakier.
Every step of the process begins with what you own. Threat activity gets folded in somewhere around prioritization. Business impact gets folded in even later, if at all. That ordering feels natural. You can’t secure what you don’t know you have. But it means the entire program is organized around your asset inventory, not around what’s actually coming after you. It’s a structural problem.
Continuous Threat Exposure Management (CTEM), the category Gartner defined for this work, is the right idea. Traditional approaches treat exposure management as a point-in-time activity — run a scan, generate a report, hand it to IT, wait for patches. CTEM reframes this as a continuous cycle aligned to business priorities rather than technology boundaries. But most implementations of it are still asset-first in practice, so threat context and business impact stay bolted-on inputs instead of the frame the analysis actually runs in.
That ordering costs something, and it’s not small. An organization can close a large number of exposures, watch every dashboard metric improve, and still leave the one path a real threat actor is actively using untouched. Compounding these problems is the advancement of frontier AI models like Anthropic Mythos and OpenAI Daybreak, which find and chain vulnerabilities at scale. Resource-strapped teams have the ability to identify more vulnerabilities than ever before. But they still don’t know which ones to prioritize based on business impact.
“You can’t patch at AI speed. It’s a losing proposition.”
— Colin Anderson, CISO, Dayforce
“Which exposures score highest?”, and “Which exposures sit on a path someone is using against organizations like mine, right now?”, are different questions. Asset-first programs answer the first one well. They were never built to answer the second.
We built Predictive Threat Exposure Management (PTEM), to solve the vulnerability prioritization problem the right way.
Threat-first Isn’t a Tweak to CTEM. It’s a Different Starting Point.
Predictive Threat Exposure Management (PTEM) resolves three things together, continuously, instead of in sequence:
- What a threat actor is actually doing right now.
- Whether your existing controls already stop it.
- The financial impact on the business if they didn’t.

I described this as a three-agent model in an earlier post: Threat Agent, Vulnerability Agent, Remediation Agent. It’s still the clearest way to think about the three jobs that have to happen together.
Analyzing threats involves watching for:
- active exploitation activity,
- dark web chatter consistent with a new exploit, and
- early signals of a zero-day in circulation.
This is the kind of activity that shows up before a CVE has even been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. In one recent case, this kind of early detection identified a critical zero-day 38 days before it reached the KEV list. That’s a window most organizations never knew they had, because they were waiting on a feed that only updates after the fact.
Analyzing controls evaluates that signal and checks it against your actual environment. Is this CVE present? If so, where? And, the part that matters most, do your existing compensating controls already neutralize it? A WAF rule. An IAM policy. Network segmentation. This is the step that keeps the output honest. A threat that’s active in the wild but fully blocked in your environment isn’t your problem today. A threat that’s active and unblocked is.
Analyzing business risk takes the uncompensated threats, those that are active and unblocked, weighing it against what it would actually cost the business if it landed. Not a severity score. A financial number your CFO would recognize.
Think of the three as legs of a stool. Take one away and the whole thing tips over, usually in the direction you weren’t watching. An organization fixated on threat activity without checking business impact spends its best hours hardening a system nobody would miss. An organization fixated on its highest-value assets without checking active threat behavior can miss an attacker who has no interest in that asset at all, and is instead chaining three low-CVSS vulnerabilities together on a low-priority system to get where they’re actually going. Run all three together, continuously, and you get something CVSS scores, patch volume, and compliance checklists were never built to produce: a short list of exposures that are genuinely material right now, recalculated as threats, controls, and your environment change.
Why Organizations Shouldn’t Wait to Change Their Threat Exposure Protocols
The volume math alone would justify this. Security teams are staring down 59,000-plus new CVEs predicted in 2026, with exploits weaponizing in a median of five days while enterprise remediation still averages 74 days. No amount of additional headcount closes a gap measured in that ratio. It isn’t a resourcing problem. Rather, it’s a filtering problem; and filtering at that speed and scale isn’t something a manual or quarterly process can do.
The more fundamental reason PTEM exists now is that the industry is starting to automate the response side of this equation, not just the detection side. Once a remediation system can push a patch, trigger a maintenance window, or isolate infrastructure on its own, “What’s exposed?” stops being the only question that matters. The real question becomes: what is this system allowed to decide without a human in the loop, and on what basis?
You can’t answer that with an asset inventory. You can’t answer it with a severity score either. You can only answer it if you already know, continuously, what a threat actor is doing, whether your controls stop it, and what it would cost you if they didn’t. That’s precisely the three-agent model PTEM runs on. Organizations still stuck in asset-first mode aren’t just slower at triage. They don’t yet have the threat-first, business-linked foundation that safe automation actually requires. That foundation has to come before the automation, not after it, and it’s the subject of the next post in this series.
What Predictive Threat Exposure Management Is
Predictive Threat Exposure Management is available today as part of Dataminr for Cyber Defense. It’s built for CISOs and risk leaders who need a defensible answer to “are we protected against what matters,” and increasingly for the SOC and vulnerability management teams who have to act on that answer day to day. It combines Dataminr’s Threat Intelligence with Continuous Control Monitoring and Risk Quantification into a single, continuously recalculating view: threat, exposure, impact.
The next post goes inside the mechanics: what data each check actually uses, how the three signals get resolved into one decision, and what it takes to turn that decision into something a business, not just a security team, has actually authorized.

Dataminr’s Predictive Threat Exposure Management
Move beyond exposure guesswork — prove control gaps, quantify financial risk, and drive real, risk-prioritized remediation.
Learn More