Fragmented tools and manual processes are widening the gap between threat awareness and effective CTEM. Only 41% of organisations have a fully consolidated view of cyber risk exposure, and security teams spend 42% of their time investigating risks that turn out to be low priority or non-exploitable
At the same time, AI-driven CTEM processes expected to nearly double, from 37% to 59%, within two years; 88% say that automation is essential to keep pace with the growing volume of risk.
These were some of the findings of The State of Threat Management Report, released by Filigran, a European open-source threat management company. The global study surveyed 550 security decision-makers and practitioners, and was conducted by independent research firm Vanson Bourne.
The research reveals a disconnect: Even as Continuous Threat Exposure Management (CTEM) gains traction as an industry framework, the operational maturity to execute it remains elusive.
The report speaks of an “exposure gap”: the distance between knowing where threats exist and having the CTEM maturity to continuously prioritise and remediate them. Despite deploying an average of 14 different threat intelligence feeds, 61% of organisations say they cannot determine which vulnerabilities are most likely to be exploited in real-world attacks. Only 38% use threat intelligence within a continuous, fully automated validation process. Security teams spend an average of 42% of their time investigating risks that later prove low priority or non-exploitable.
Julien Richard, co-founder of Filigran, says visibility isn’t the problem. “It’s that teams struggle to translate that visibility into action fast enough. Organisations are drowning in threat data from dozens of feeds and tools. Without continuous validation and intelligent prioritisation, that data creates noise rather than clarity. Closing the exposure gap requires connecting threat intelligence directly to exposure validation and risk reduction in a continuous workflow.”
Visibility remains fragmented
Heavy investment in security tooling has not delivered a unified view of exposure. Only 41% of organisations report full consolidation of cyber risk visibility, and the gap is especially pronounced outside North America, where organisations are roughly 20 points behind on both consolidated visibility and continuous automated validation. Nearly 9 in 10 respondents agree that threat intelligence alone does not reduce risk unless it is continuously validated against actual exposure.
Regional maturity diverges sharply
Maturity is not evenly distributed. For multinational organisations, the regional divide functions as a risk map: a breach is most likely to originate where the operational gap is widest.
North American organisations report the strongest operational maturity globally, with 52% reporting a fully consolidated view of cyber risk exposure, compared with a global average of 41%, and 51% using threat intelligence within a continuous, automated validation process. The US specifically leads all surveyed countries in CTEM programme adoption, with 58% reporting a fully established programme, though US organisations are also among the most likely to cite escalating attack frequency as their primary driver for investment.
EMEA falls in the middle of the global curve, with 37% reporting a fully consolidated view of exposure and 35% using continuous, automated validation. APAC reports the widest gap: just 31% have a fully consolidated view, and only 27% use continuous, automated validation, roughly half the North American rate.
Germany is the clearest exception to the regional pattern. At 58%, it leads all surveyed countries in automated validation adoption; and the dividend shows: German security teams report wasting just 27% of their time on low-priority or non-exploitable risks, compared with the global average of 42%, strong evidence that closing the automation gap returns real time to security teams, not just risk reduction.
Manual processes create a prioritisation bottleneck
While 88% of respondents acknowledge that periodic assessments cannot keep pace with the speed of change in their environments, nearly half still rely completely or mostly on manual processes for vulnerability identification and threat analysis.
The bottleneck has real consequences: 84% agree that cyberattacks exploit known risks that are not prioritised. The top barriers to validating whether threats are exploitable include concern about disrupting systems (49%), excessive manual effort (46%), and poor integration with existing security processes (42%). Alert noise compounds the problem, with 89% saying that reducing it would help identify which alerts represent real business risk.
“This research quantifies a challenge security practitioners have been living with for years,” said Neena Sharma, Head of Customer and Product Marketing at Filigran. “The industry invested heavily in detection and intelligence, but without continuous validation and prioritisation, organisations remain reactive. These findings reinforce why we are building the XTM platform, to give security teams the operational bridge from awareness to action.”
AI and automation emerge as the path to operational CTEM
Eighty-eight percent of security teams agree that without greater automation, they cannot keep up with the volume of risks they must assess. But AI adoption in exposure management is accelerating. Currently, 37% of exposure management processes are AI-driven, and respondents expect that figure to reach 59% within two years.
While 95% of organisations agree greater automation would improve their confidence that teams are focused on the most important risks, only 38% have implemented continuous, automated validation.
The areas respondents say would benefit most from AI and automation are detecting vulnerabilities, misconfigurations, and exposures (59%); understanding which threats are relevant to their specific environment (56%); and validating whether exposures are realistically exploitable (54%).
Over the next 12–24 months, three-quarters of organisations plan to invest in both cyber risk quantification tools and exposure assessment capabilities. The urgency is clear: 93% agree that delaying improvements to how they manage cyber risk increases the likelihood of serious incidents, and 94% say a proactive cybersecurity posture in 2026 will depend on integrating threat intelligence with exposure management.
The full report is available here.
FAQs
What are the biggest takeaways for the UK specifically?
The report suggests UK organisations are struggling to turn cyber visibility into meaningful risk reduction, despite growing investment in security tools and threat intelligence, with 86% of UK organisations facing challenges maintaining an accurate, up-to-date view of their attack surface. While only 24% say they have a fully consolidated view of cyber risk exposure across the organisation.A further 88% of UK respondents say many cyber attacks exploit risks that were already known but not prioritised, highlighting what researchers describe as a growing “exposure gap” between identifying threats and actually acting on them.
The findings also point to a significant automation gap in UK cybersecurity operations. Just 14% of UK organisations currently use threat intelligence within a continuous, fully automated validation process, one of the lowest rates in the global study, while most still rely heavily on manual processes for vulnerability assessment and threat analysis. UK respondents increasingly see AI as critical to addressing this challenge, with the biggest opportunities identified in detecting vulnerabilities (62%) and validating whether exposures are realistically exploitable (60%). The report argues this is driving growing interest in Continuous Threat Exposure Management (CTEM) approaches that combine threat intelligence, validation and risk prioritisation into a more continuous and operationalised security model.
How do I know if my security team is spending time on the wrong risks?
The report found that security teams spend an average of 42% of their time investigating risks that turn out to be low priority or non-exploitable. Nearly half their working hours are consumed by noise. The problem is compounded by fragmented tooling: organisations deploy an average of 14 threat intelligence feeds, but only 38% feed that intelligence into a continuous, automated validation process. Without that loop, analysts are left making prioritisation calls without confidence in which risks are actually exploitable in their environment. The 89% of respondents who said reducing alert noise would help identify real business risk faster point to the same underlying issue: the signal exists, but it’s buried.
What prevents organisations from automating exposure management faster?
Three barriers stand out. Nearly half of respondents (49%) cite concern about disrupting production systems during validation. That reasonable fear often leads teams to defer testing rather than risk an outage. Forty-six percent point to excessive manual effort as a barrier, and 42% say poor integration among existing security tools makes it difficult to validate threats in context. Investment intent suggests organisations recognise the problem: 76% plan to invest in cyber risk quantification and GRC tools, and 75% in exposure assessment capabilities over the next 12–24 months. Organisations know what they need to do. The challenge is replacing years of manual process with continuous, automated workflows while keeping production systems running.
Does investing in a CTEM programme actually improve security outcomes?
The data suggests it does. Organisations with fully established CTEM programmes are four times more likely to report a fully consolidated view of cyber risk exposure and 3.5 times more likely to use continuous, automated threat intelligence validation. In practice, that means these organisations are actively testing whether their defenses hold up against real-world threats rather than relying on periodic assessments that quickly become outdated. The correlation is clear: organisations that have committed to CTEM as an operational framework, not just a strategic aspiration, are measurably further ahead on the capabilities the rest of the survey identifies as most urgent.
About the survey
The State of Threat Management Report is based on a survey of 550 senior IT security decision-makers and practitioners at organisations with 1,000+ employees across financial services, healthcare, energy, public sector, IT and technology, and retail. Research was conducted by Vanson Bourne between February and March 2026 across the United States, Canada, France, Germany, the United Kingdom, Australia, Singapore, Japan, and the UAE.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

