Comprehensive Threat Exposure Management Platform
It usually starts at minute thirty of a discovery call, after the official agenda is over and the Zoom faces relax. Someone says “can I be honest with you for a second?” — and then I get the list. Same complaints. Different shop. Five years running.
The complaints are not about tools. The tools mostly work. The complaints are about a job that has slowly turned into something nobody signed up for. Ticket-triager with a security title. Spreadsheet janitor. Compliance-evidence factory. Words I have heard from senior engineers in the last ninety days.
Here is what I have stopped pretending. Vulnerability management, as practiced today, is not security work. It is the paperwork that surrounds security work, scaled to a volume no human team can keep up with, against an adversary who has stopped operating at human speed. It sucks. Saying so is the first step.
The pairs that follow are real. The left column is what I have heard, in those quiet moments after the agenda ended, in shops across healthcare, financial services, federal, energy, and tech. The right column is what those same people tell me their lives look like six months after the program shifts to continuous threat exposure management. Eight pairs. Two columns. One uncomfortable comparison.
The job nobody signed up for is the job we keep accepting. Until we stop.
A note on the format. The quotes in the left column are composites, drawn from dozens of conversations and intentionally anonymized. They are not edited for tone — the venting is the point. The quotes in the right column are from operators six to eighteen months into a CTEM program. The change is real. The change is also not free. We will get to that at the end.
Pair 1
Left: “My week is a CVSS-sorted queue with 4,200 high-severity findings. I have no idea which of them actually matter. Neither does my scanner. Neither does my auditor. I’m patching by faith.”
Right: “My week is forty validated, reachable exposures. I know they matter because BAS proved they’re exploitable in our environment. I close the ones I can. I document the ones I can’t. I sleep.”

Pair 2
Left: “My phone rings on Sunday because a vendor patched a CVSS 9.8 and the auditor wants it deployed by Monday. The asset isn’t internet-exposed. We have six compensating controls. Nobody cares. Patch it.”
Right: “My phone doesn’t ring on Sunday for unreachable bugs. The reachability filter caught it. We mobilize Monday morning, like adults. The auditor sees the validation evidence and signs off.”

Pair 3
Left: “I spend half my Friday arguing with IT ops about which patches to deploy this weekend. Nobody trusts the priority list. They push back on every ticket. By 5 PM I have lost three hours and one fight.”
Right: “Tickets land enriched with reachability evidence and exploit context. IT ops trust the priority because we showed our work. They run the change windows. I stop being the person they argue with.”

Pair 4
Left: “I report ‘CVEs closed this month’ to the board. They nod. Nobody asks if any of those CVEs would have been exploited. The number goes up. The breach risk doesn’t go down. We are measuring the wrong thing.”
Right: “I report mean-time-from-detection-to-mobilization, validated exposures closed, KEV coverage, internet-exposure rate. The board gets a number that matches the headlines. The number is going down.”

Pair 5
Left: “My auditor wants every CVSS 7+ closed in thirty days. He doesn’t care that ninety percent of them are unreachable. I argue every exception. I produce justification documents I should not have to write. The audit takes a month.”
Right: “My audit prep takes one day. I show validated, mobilized exposures and our risk-acceptance log. I show the auditor the reachability filter. He signs off. We are done by lunch.”

Pair 6
Left: “When the breach comes, my IR team scrambles. The CVE wasn’t on our list. Or it was on the list but ranked seven hundredth. Half our scanner output was noise. The signal was buried. We are improvising.”
Right: “When the breach comes, we have a record of every exposure we validated, prioritized, and chose to mobilize against — with risk justification. We are not improvising. We are executing the plan we wrote in cold blood.”

Pair 7
Left: “My best engineer just left. She was tired of remediating things she knew wouldn’t matter. I am down to four people doing the work of six. The two newest will be gone by Q3 because the job is paperwork, not security.”
Right: “My team is doing the work they were hired to do. Validation strategy. Threat modeling. Real defense. They show up Monday because the job feels like security again. I am not backfilling open positions every quarter.”

Pair 8
Left: “Monday morning starts with a 4,200-row spreadsheet. Friday afternoon ends with a 4,400-row spreadsheet. I am running in place. My career is going nowhere because my job is reconciling spreadsheets.”
Right: “Monday starts with the top forty exposures, ranked by reachability and weaponization. Friday ends with thirty-five closed and five in mobilization. I am moving forward. So is my career.”
Read the right-hand column again. Notice what is not there. It is not “I bought a new tool.” It is not “I hired six more engineers.” It is not “the auditor went away.” The auditor is still there. The tools are mostly the same. The team is the same size, sometimes smaller.
What changed is the operating model. Aggregation across feeds, not one scanner output. Validation before remediation, not blind closure. Reachability as the prioritization spine, not CVSS alone. Mobilization measured by outcome, not activity. The CTEM phases — Scope, Discover, Prioritize, Validate, Mobilize — replacing the queue with a loop. None of this is new. Gartner formalized it years ago. Most teams have just never made the shift, because the cost looks high until you realize the cost of not shifting is higher.
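To make the shift concrete, here is an added illustration (not code from this brief or from any CTEM product) that ranks a constructed set of findings two ways: the left-column CVSS-sorted queue, and a reachability-first queue that suppresses unreachable findings and orders the rest by validation, known-exploitation, internet exposure and compensating controls. It also computes the outcome metrics named above. The field names, the ordering rule and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    fid: str                  # placeholder id, not a real CVE
    cvss: float
    reachable: bool           # an attack path to the asset actually exists
    internet_exposed: bool
    in_kev: bool              # listed as known-exploited (e.g. CISA KEV)
    validated: bool           # BAS reproduced exploitation in this environment
    compensating_controls: int

# Constructed inventory; F-001 is the unreachable 9.8 from the Sunday phone call.
FINDINGS = [
    Finding("F-001", 9.8, False, False, True,  False, 6),
    Finding("F-002", 7.5, True,  True,  True,  True,  0),
    Finding("F-003", 8.1, True,  False, False, True,  1),
    Finding("F-004", 9.1, True,  True,  False, False, 2),
    Finding("F-005", 7.2, False, True,  False, False, 0),
    Finding("F-006", 5.3, True,  True,  True,  True,  0),
]

def cvss_queue(findings):
    """Left column: every CVSS 7+ finding, ordered by score alone."""
    return [f.fid for f in sorted(findings, key=lambda f: -f.cvss) if f.cvss >= 7.0]

def exposure_queue(findings):
    """Right column: unreachable findings are suppressed (justification logged in the
    risk-acceptance process); the rest rank by validation, KEV, exposure, controls, CVSS."""
    def urgency(f):
        return (f.validated, f.in_kev, f.internet_exposed, -f.compensating_controls, f.cvss)
    reachable = (f for f in findings if f.reachable)
    return [f.fid for f in sorted(reachable, key=urgency, reverse=True)]

def board_metrics(findings, closed):
    """Outcome metrics the brief reports to the board, computed over reachable findings,
    plus a count of the CVSS 7+ noise the reachability filter removed."""
    reachable = [f for f in findings if f.reachable]
    kev = [f for f in reachable if f.in_kev]
    return {
        "validated_closed": sum(f.validated and f.fid in closed for f in reachable),
        "kev_coverage": round(sum(f.fid in closed for f in kev) / len(kev), 2) if kev else 1.0,
        "internet_exposure_rate": round(sum(f.internet_exposed for f in reachable) / len(reachable), 2),
        "suppressed_high_cvss": sum((not f.reachable) and f.cvss >= 7.0 for f in findings),
    }
```

Run both queues on the sample and the CVSS 9.8 disappears from the right column while a CVSS 5.3 that is reachable, validated and known-exploited moves into second place, which is the ranking inversion the brief is describing.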
Six to twelve weeks of reorganization. A change in board metrics. A documented risk-based exception process to defend in front of auditors. The willingness to suppress, with justification, the CVSS findings that cannot reach. Some uncomfortable conversations with QSAs and Big Four assessors who have not yet caught up. That is the bill. It is not nothing. It is also a small fraction of what the patch tax is costing you right now.
The right column is not aspirational. It is what the shift produces. I have watched dozens of teams cross that line. None of them want to go back.
If we walked through your current VM program against the eight pairs in this brief, where would your team’s quotes land — left column or right column? I will work with your VM lead to map it. No deck. No demo. Just the dual-life inventory and a 90-day plan to move the quotes from left to right.
Book the Conversation