
Authored by: PlexTrac Team

Posted on: February 27, 2026

Moving Beyond Vulnerability Lists to Real Risk Reduction

There’s no shortage of data in cybersecurity. Vulnerability scans pile up, pentest reports stack up, threat intel keeps flowing, and alerts never stop. Security teams are drowning in findings.

But more visibility doesn’t automatically mean less risk.

In a recent Friends Friday session, PlexTrac sat down with Gareth Pritchard, CTO at Sapphire, to talk about Continuous Threat Exposure Management (CTEM), the growing shift toward exposure management, and what this change really means for both enterprises and service providers.

What emerged from the discussion was a clear message: security maturity today is less about discovering issues and more about ensuring the right issues get fixed—and stay fixed.

The Shift From Vulnerability Lists to Business Impact

For years, vulnerability management has been measured by output:

  • How many vulnerabilities were identified
  • How quickly reports were delivered
  • How many findings were logged

But that model often creates a frustrating cycle. Organizations run annual penetration tests, receive detailed reports, and twelve months later see many of the same findings resurface.

This isn’t usually due to negligence. It’s due to prioritization challenges, competing business pressures, and the absence of a structured way to connect technical findings to operational risk.

As Gareth emphasized during the discussion, cybersecurity is not about how many vulnerabilities you can list. It’s about how effectively you reduce exposure in a way that aligns with business priorities.

Exposure management reframes the question from “What’s wrong?” to:

  • What actually matters to the business?
  • Which systems create measurable impact if compromised?
  • Which findings meaningfully increase risk?
  • Who owns remediation—and how do we track it to completion?

That shift from enumeration to execution is at the heart of CTEM.

CTEM Is a Framework, Not a Product

Continuous Threat Exposure Management has become one of the industry’s most discussed concepts. But it’s important to understand what it is—and what it isn’t.

CTEM is not a tool you buy. It’s not a platform you turn on.

It’s a framework for aligning business risk, technical exposure, and remediation workflows into a continuous process.

The “continuous” aspect doesn’t mean constant penetration testing. It means maintaining ongoing awareness of:

  • What assets exist
  • What identities have access
  • How exposure changes over time
  • Which risks require immediate attention

Security programs that adopt this mindset move beyond point-in-time assessments and toward operational resilience.

The Pentest Problem No One Talks About

One of the more candid parts of the conversation centered on a common experience: rewriting the same penetration test report year after year.

This cycle benefits no one. Organizations don’t meaningfully reduce risk, and testers don’t feel like their work is driving progress.

The missing piece is structured remediation tied to business context.

Without understanding how a vulnerability connects to revenue-generating systems, regulated data, or operational workflows, findings become just another ticket in a queue.

Exposure management solves this by stitching together disparate engagements—pentests, vulnerability scans, threat intelligence—and tying them back to business-critical pathways. It creates clarity around what must be addressed first and why.

The Role of Service Providers: Why Hybrid Models Win

As organizations attempt to operationalize exposure management, many face a familiar question:

Should we build this entirely in-house, or fully outsource it?

The reality is that the most effective approach for many organizations is hybrid.

In this model:

  • The enterprise brings deep knowledge of its business processes and priorities
  • The service provider brings cross-industry experience, security specialization, and threat visibility
  • Both sides collaborate to prioritize and remediate effectively

Hybrid models also enable knowledge transfer. Instead of creating dependency, they build internal capability while maintaining external perspective.

But for this model to succeed, trust is essential. Exposure management requires collaboration, not an adversarial “us versus them” relationship. The goal isn’t to criticize; it’s to improve resilience together.

Identity: The Center of Modern Exposure

Another key theme from the discussion was the growing importance of identity.

While traditional vulnerability management often focuses on software flaws and unpatched systems, many modern breaches center around compromised identities:

  • Overprivileged user accounts
  • Misconfigured service accounts
  • Stolen credentials
  • Machine or automated identities

Attackers increasingly log in rather than break in.

This shift means exposure management must include strong identity governance and visibility. Organizations need to ask: If an identity were compromised, how would we detect it? What systems could that identity access? What business impact would follow?

Exposure is no longer limited to infrastructure. It extends deeply into identity and access controls.

Practical First Steps to Starting the Journey

For organizations looking to evolve toward exposure management, the starting point doesn’t require a massive overhaul. It requires clarity.

Gareth highlighted a practical progression:

First, build visibility into what you actually have—across on-prem infrastructure, cloud environments, and operational systems. Then connect those assets to business processes to identify critical pathways. Apply threat modeling to understand where exposure is most significant. Prioritize remediation based on measurable business impact, not just severity scores. Finally, establish a continuous cadence for testing, fixing, and monitoring recurrence.
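
One way to put the prioritization and recurrence steps into practice, as an added example that is not from the original post or from PlexTrac's product: a small Python routine that ranks findings gathered from several engagements by severity weighted by the business criticality of the process each asset supports, and boosts findings that resurfaced across engagements. The asset-to-process mapping, the criticality values and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict
# Constructed sample data (not from the post): severity weights, a hypothetical
# criticality per business process (1 = low impact, 5 = revenue-critical) and
# the mapping from assets to the process they support.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
PROCESS_CRITICALITY = {"online-payments": 5, "hr-portal": 3, "dev-lab": 1}
ASSET_PROCESS = {
    "pay-api-01": "online-payments",
    "hr-web-02": "hr-portal",
    "lab-box-07": "dev-lab",
}

@dataclass(frozen=True)
class Finding:
    asset: str
    title: str     # normalised title, used as the dedup key across engagements
    severity: str
    source: str    # engagement that reported it, e.g. "pentest-2024"

# Constructed findings from two annual pentests and one scan.
FINDINGS = [
    Finding("lab-box-07", "outdated-openssh", "high", "pentest-2024"),
    Finding("pay-api-01", "missing-rate-limit", "medium", "pentest-2024"),
    Finding("pay-api-01", "missing-rate-limit", "medium", "pentest-2025"),
    Finding("hr-web-02", "verbose-error-pages", "low", "scan-2025"),
    Finding("lab-box-07", "outdated-openssh", "high", "pentest-2025"),
]
def prioritize(findings, recurrence_bonus=1.5):
    """Rank findings by business impact rather than raw severity.

    score = severity weight * criticality of the asset's business process,
    multiplied by recurrence_bonus when the same (asset, title) was reported
    by more than one engagement, i.e. it resurfaced instead of being fixed.
    Returns [(asset, title, score, sorted engagement names)], highest first.
    """
    seen = defaultdict(set)
    latest = {}
    for f in findings:
        seen[(f.asset, f.title)].add(f.source)
        latest[(f.asset, f.title)] = f
    ranked = []
    for key, f in latest.items():
        # Assets not yet mapped to a business process default to criticality 1.
        criticality = PROCESS_CRITICALITY.get(ASSET_PROCESS.get(f.asset), 1)
        score = SEVERITY_WEIGHT[f.severity] * criticality
        if len(seen[key]) > 1:
            score *= recurrence_bonus
        ranked.append((f.asset, f.title, score, sorted(seen[key])))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

With this data the medium-severity finding on the payments API outranks the high-severity one on the lab box, both because of where it sits in the business and because it resurfaced in consecutive pentests.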

This approach shifts remediation from reactive to intentional.

Scaling Smart: Tools, Strategy, and Enabling the Business

The cybersecurity market is saturated with tools, with platforms promising to solve nearly every niche problem. These tools are powerful—they help teams manage volume, aggregate findings, correlate signals, and reduce noise. But tools alone cannot determine what matters most to your business. Exposure management requires human judgment, business alignment, and disciplined execution. Technology enables scale, but prioritization and follow-through are what actually reduce risk.

That’s where mindset becomes critical. Security should not operate as the “office of no,” slowing progress or blocking innovation. Instead, it should function as a business enabler—providing the control needed to move forward safely. As Gareth described, security is like the brakes on a car: it doesn’t stop you from driving, it gives you control as you accelerate. When framed this way, exposure management becomes less about counting vulnerabilities and more about managing risk in a way that protects growth, builds resilience, and answers the board’s real question: not how many issues exist, but how effectively exposure is being controlled.

Bringing It All Together

The Friends Friday conversation with Gareth Pritchard underscored a clear shift in cybersecurity maturity. Organizations aren’t struggling because they lack tools or visibility—they’re struggling because turning findings into sustained risk reduction is operationally hard. Exposure management and CTEM offer a practical framework for solving that challenge by connecting technical insights to business priorities, enforcing accountability, and creating a continuous cycle of improvement.

For security leaders, the takeaway is straightforward: progress isn’t measured by how much you find, but by what you fix and how consistently you reduce meaningful risk over time. As the industry evolves, the teams that succeed will be the ones that focus less on generating reports and more on closing the loop between discovery, prioritization, and action.

Follow PlexTrac on LinkedIn for more engaging episodes of PlexTrac Friends Friday, featuring leaders across all aspects of the cybersecurity industry. 
