Industry alignment

Aligned with Gartner CTEM. Built around verifiable proof.

Gartner's Continuous Threat Exposure Management framework is the model your auditor, your insurer, and your board are increasingly asking you to map to. Celvex was built around its five stages from day one — with Proof Capsule sitting squarely in the Validation stage as the artifact that makes every claim verifiable end-to-end. This page shows the mapping.


Five stages. One continuous loop.

Gartner introduced Continuous Threat Exposure Management in 2022 as the operating model for security programs that needed to move beyond episodic vulnerability management and annual penetration testing. The framework defines a five-stage cycle that runs continuously rather than in scheduled engagements: Scoping, Discovery, Prioritisation, Validation, and Mobilisation. Each stage feeds the next; the loop closes itself; the result is a security posture grounded in current evidence rather than last quarter's assumptions.

Three years on, CTEM has moved from forecast to operational reality. Auditors ask about it. Cyber-insurance underwriters reference it. CISOs translate it for their boards. The vocabulary is the new shared language for "what does our security program actually do?"

From episodic pentest to continuous validation.

The shift CTEM names is the same shift the rest of operational engineering already made: continuous integration replaced quarterly merge windows. Continuous deployment replaced scheduled releases. Continuous monitoring replaced annual audits. Security validation is the last domain to make the same move — and Gartner's CTEM framework is the structure the industry agreed on for how to do it.

"Organizations prioritizing their security investments based on a continuous threat exposure management program will be three times less likely to suffer a breach by 2026."
— Gartner, 2022 (forecast cited in industry CTEM commentary; see notes below)

Gartner's 2022 statement is a forecast, not a measurement: no empirical breach-rate study confirming the precise three-times reduction has been published. We cite it as the founding rationale of the framework, not as a settled result, and we ask you to treat it the way we ask you to treat every claim on this site: verify the source for yourself.

How Celvex maps to each CTEM stage.

For each stage below, the upper paragraph paraphrases Gartner's framework definition. The lower paragraph describes what Celvex does in that stage and what the customer gets out the other end.

01 — Scoping

Define what's worth protecting.

Scoping is the work of selecting which assets, identities, and data stores actually matter to the business — aligned to organisational risk appetite and strategic priorities, not technology silos. It's the stage where you decide what's in the program and what's out.

We ingest your existing asset inventory, CSPM feed, EDR feed, and crown-jewel registry, or help you build the inventory if it doesn't exist yet. The platform's scope per engagement is reviewable, versioned, and signed off by the customer. Fortress-tier customers can scope at the business-unit level for per-subsidiary programs.

02 — Discovery

Map every exposure across the scope.

Discovery identifies all exposures across the scoped environment — not just CVEs, but misconfigurations, identity risks, shadow IT, credential leaks, and excessive permissions. The output is a complete picture of what an attacker would see.

Continuous external attack-surface mapping, cloud-misconfiguration enumeration, dependency and container audit, exposed-service drift detection, all in the same dashboard. Every newly discovered exposure routes automatically to the right validation capability, so Discovery doesn't end at a list.

03 — Prioritisation

Rank by exploitability, not by CVSS.

Prioritisation cuts through the noise to surface what must be tested, validated, and fixed first. Industry research suggests only about 2% of discovered exposures actually reach critical systems — the work is finding the 2% before someone hostile does.

Findings are scored on reachability, exploit-chain potential, business-asset criticality, and active threat-actor relevance — not on CVSS in isolation. The platform's calibrated confidence score is declared on every finding so engineering knows what to act on first and what's safe to defer.

04 — Validation

Prove which exposures are real in your environment.

Validation tests whether prioritised exposures are genuinely exploitable in the customer's specific environment — through penetration testing, breach-and-attack simulation, red-teaming. The stage is meant to reduce false urgency and surface real impact.

This is where our differentiator lives. Every confirmed finding ships as a sealed, signed, runnable Proof Capsule. The customer's engineers run the capsule on their own laptop against their own asset, watch the exploit work, write the fix, and re-run the capsule to confirm the fix holds. Validation stops being a vendor claim and becomes an artifact the customer holds and can verify offline, against a vendor key they pinned in advance.

05 — Mobilisation

Drive cross-functional remediation that actually closes the loop.

Mobilisation turns findings into action across security, IT operations, cloud teams, and governance — with structured workflows, clear ownership, and SLAs. The stage is what separates a CTEM program from a vulnerability management report.

Each Proof Capsule arrives with the patch citation, the remediation pattern, and pre-mapped compliance controls (SOC 2, ISO 27001, HIPAA, PCI DSS). It plugs into Jira, Linear, or GitHub Issues automatically. The retest closes the loop with a one-command verification: the Find, Prove, Fix, Verify framework is exactly Mobilisation done with verifiable evidence.
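The two properties the Validation and Mobilisation paragraphs above rely on, a capsule that a customer can verify offline against a pinned vendor key, and a retest that reports exploitable before the fix and fix-confirmed after it, are shown below as an added example. It is not Celvex code and the page does not describe the real Proof Capsule format: the manifest shape, the check name, the asset state and the engagement scope are all constructed for the illustration. What it does show is what an engineer should expect such a verifier to do: sign the canonical manifest bytes with Ed25519, reject any altered or unsigned capsule, refuse to run a capsule outside the scope or against a target it was not bound to, and only then run the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Capsule is a hypothetical manifest shape for this example; the page does not
// describe the real Proof Capsule format.
type Capsule struct {
	ID        string `json:"id"`
	Scope     string `json:"scope"`     // engagement scope the capsule is bound to
	Target    string `json:"target"`    // asset the check is allowed to run against
	Check     string `json:"check"`     // name of the check the capsule carries
	Signature []byte `json:"signature"` // Ed25519 signature over canonical(capsule)
}

// canonical returns the bytes that get signed: every field except the
// signature, serialised in struct order so signer and verifier hash the same bytes.
func canonical(c Capsule) []byte {
	c.Signature = nil
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot fail for a struct of strings and a nil slice
	}
	return b
}

// Sign seals the capsule with the vendor's private key.
func Sign(priv ed25519.PrivateKey, c Capsule) Capsule {
	c.Signature = ed25519.Sign(priv, canonical(c))
	return c
}

// Verify is the offline step the customer runs: pinned vendor public key,
// signature over the canonical bytes, then a scope check so a capsule issued
// for one engagement cannot be replayed into another.
func Verify(pub ed25519.PublicKey, c Capsule, scope string) error {
	if len(c.Signature) != ed25519.SignatureSize {
		return errors.New("capsule is unsigned or malformed")
	}
	if !ed25519.Verify(pub, canonical(c), c.Signature) {
		return errors.New("signature does not verify: capsule altered or not issued by the pinned key")
	}
	if c.Scope != scope {
		return fmt.Errorf("capsule scope %q does not match engagement scope %q", c.Scope, scope)
	}
	return nil
}

// Asset is a constructed stand-in for the customer's asset state.
type Asset map[string]string

// checks maps a capsule's check name to a function that returns true while the
// exposure is still present. The single check here is constructed for the example.
var checks = map[string]func(Asset) bool{
	"public-read-acl": func(a Asset) bool { return a["acl"] == "public-read" },
}

// Run verifies the capsule, refuses to run it against any asset other than the
// one it is bound to, then runs the check and reports the Validation result:
// "exploitable" before the fix, "fix-confirmed" once a re-run no longer reproduces it.
func Run(pub ed25519.PublicKey, c Capsule, scope, target string, a Asset) (string, error) {
	if err := Verify(pub, c, scope); err != nil {
		return "", err
	}
	if c.Target != target {
		return "", fmt.Errorf("capsule is bound to %q, refusing to run against %q", c.Target, target)
	}
	check, ok := checks[c.Check]
	if !ok {
		return "", fmt.Errorf("unknown check %q", c.Check)
	}
	if check(a) {
		return "exploitable", nil
	}
	return "fix-confirmed", nil
}

func main() {
	// Key generation stands in for the vendor's signing key; the customer would
	// only ever hold the public half, pinned out of band.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	scope, target := "acme-prod-2025q1", "s3://acme-reports" // constructed identifiers
	c := Sign(priv, Capsule{ID: "cap-0001", Scope: scope, Target: target, Check: "public-read-acl"})

	asset := Asset{"acl": "public-read"}
	status, err := Run(pub, c, scope, target, asset)
	fmt.Println(status, err) // exploitable <nil>

	asset["acl"] = "private" // the engineer's fix
	status, err = Run(pub, c, scope, target, asset)
	fmt.Println(status, err) // fix-confirmed <nil>

	tampered := c
	tampered.Target = "s3://acme-other" // any edit to the sealed fields breaks the signature
	fmt.Println(Verify(pub, tampered, scope))
}
```

The scope and target fields sit inside the signed bytes on purpose: a capsule that verifies but can be pointed at a different asset, or carried from one engagement to another, is still a vendor claim rather than evidence about the asset in front of the engineer.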

CTEM names what to measure. Celvex delivers how to verify.

Industry frameworks — Gartner CTEM, NIST Cybersecurity Framework 2.0, MITRE ATT&CK, OWASP Top 10, OWASP API Top 10 — define what a mature security program should measure and report on. They're table stakes. They give your auditor and your board a shared vocabulary. None of them define how a finding becomes verifiably real to the engineer who has to fix it. That gap is where the Proof Capsule lives.

Customers feel anchored when their security program speaks the language their auditor, their insurer, and their board already use. They feel confident when the deliverables go beyond a framework checkbox and arrive as something an engineer can run. We aim for both.

Verifiable security.
The unifying principle. Find. Prove. Fix. Verify. is how we operationalise it.

Read it for yourself.

We don't paraphrase frameworks we can't link. The references below are public. Verify the framing yourself, then come back and audit our mapping line by line.