CTEM.org
Continuous Threat Exposure Management Standards Organization
Developing vendor-neutral standards and taxonomies for Continuous Threat Exposure Management (CTEM) to simplify adoption and ensure consistency across cybersecurity products and organizations.
What is Continuous Threat Exposure Management?
CTEM is a framework designed to reduce an organization's exposure to cyber threats through a continuous cycle of identification, assessment, and mitigation of risks in real time.
Vendor-Neutral Standards
Develop unbiased, vendor-neutral approaches to CTEM, ensuring consistency across products and organizations
Standardized Identifiers
Categorize threat types with standardized identifiers for consistent threat classification
Community-Driven
Collaborate with CTEM practitioners to develop practical, real-world applicable standards
Simplified Adoption
Make CTEM adoption easier through clear documentation and standardized processes
Project Objectives
What CTEM.org aims to achieve in the cybersecurity landscape
Standardize CTEM Practices
Create consistent, industry-wide standards for threat exposure management
Develop Threat Taxonomies
Build comprehensive categorization systems for security findings and threats
Foster Community Collaboration
Bring together CTEM practitioners to share knowledge and best practices
Simplify CTEM Adoption
Reduce barriers to implementing effective threat exposure management programs
CTEM Identifier Categories
Complete standardized categorization system for threat exposure management findings from the official CTEM.org documentation
Complete Framework: This section includes all 8 categories and 28 identifiers from the official CTEM.org taxonomy. The identifiers are continuously refined based on community input and real-world implementation.
Brand Impersonation
Counterfeit products and unauthorized use of corporate branding
Counterfeit Product Offered For Sale Or Use
Fake products using corporate branding offered for sale or distribution
Credential Dump
Exposed credentials found in data breaches and dumps
Credentials Leaked With Hostname
Corporate credentials exposed in data breaches with associated hostnames
Vendor System Dump With Credentials Offered Privately
Vendor system dumps containing credentials offered in private channels
Financial Information Exposure
Exposed financial and sensitive business information
Corporate Bank Account Routing Information Exposed
Banking routing information and account details exposed publicly
Accounts Payable Information Exposure
Accounts payable data and vendor payment information exposed
Infected Device
Compromised devices across different ownership models
Infected Corporate Owned Device
Corporate-managed devices compromised by malware
Infected Vendor Owned Device
Vendor or partner devices that have been compromised and may affect the organization
Infected Employee Owned Device (Corporate Credentials)
Personal devices compromised while containing corporate credentials
Infected Employee Owned Device (Personal Use of Corporate Identity)
Personal devices using corporate credentials for non-work activities
Infected Customer Owned Device
Compromised customer devices that may affect organizational security
Infected Employee Owned Device (Internal Network Connected)
Personal devices connected to corporate network infrastructure
Infected Employee Owned Device (3rd Party Business Use of Corporate Identity)
Personal devices using corporate identity for third-party business activities
Lookalike Domains
Domains created to impersonate, or be confused with, legitimate corporate domains
Typo Squatted Domain
Domains registered with common misspellings of corporate domains
Homoglyph Attack Domain
Domains using visually similar characters to impersonate legitimate domains
Phishing Indicator Domain
Domains showing indicators of being used for phishing campaigns
Brand Impersonation Domain
Domains created to impersonate corporate branding and identity
Ransomware
Ransomware attacks affecting organizational assets
Ransom Dump (Supplier)
Supplier data leaked via ransomware, affecting the organization
Ransom Dump (Customer)
Customer data exposed through ransomware incidents
Source Code Exposure
Exposed source code repositories and development artifacts
Public Source Code Repository (Company Sanctioned)
Official company repositories with potential security exposures
Public Source Code Repository (Employee Created)
Employee-created repositories containing corporate code or data
Public Source Code Repository (Vendor Owned)
Vendor repositories containing code related to the organization
Public Source Code Repository (Unrelated 3rd Party)
Third-party repositories containing organizational references or code
Public Source Code Repository (Unrelated Company Comment/Issue)
Company information exposed in comments or issues on unrelated repositories
System Exposure
Exposed systems and infrastructure accessible from external networks
Directly Connected Internal System
Internal systems directly accessible from external networks
Remote Site Owned System (Presumed Connected)
Remote location systems presumed to be connected to corporate infrastructure
Corporate Internet Exposed Gateway Device
Gateway devices and network infrastructure exposed to the internet
Corporate Cloud Connected System
Cloud-hosted systems connected to corporate infrastructure
Presumed Company System By Branding
Systems identified as corporate-owned based on branding or naming
Contractor Or Vendor Managed System
Systems managed by contractors or vendors on behalf of the organization
Featured Examples
CTEM-INF-4: Infected Employee Device
Personal device using corporate identity for personal activities

Key Characteristics:
- Personal device owned by employee
- Corporate email used for personal services
- Persistence established by attackers
- Found in stealer logs or cybercrime forums
CTEM-RAN-1: Ransom Dump (Supplier)
Supplier data leaked via ransomware, affecting the organization

Key Characteristics:
- Supplier or vendor breach impact
- Public dumping of stolen data
- Indirect organizational exposure
- Supply chain risk amplification
Real-World Implementation
How organizations can use CTEM identifiers in practice
Security Operations Center (SOC)
Use CTEM identifiers to categorize and prioritize threat intelligence findings consistently across different security tools and platforms.
Risk Management
Standardize risk assessment processes by using CTEM categories to ensure consistent evaluation of threats across the organization.
Vendor Management
Evaluate and monitor third-party security posture using standardized CTEM identifiers for consistent supplier risk assessment.
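The SOC use case above (one identifier vocabulary across several tools) is easiest to see in code. The following is an added example, not CTEM.org's code or a reference implementation: it takes findings from two hypothetical feeds with different record formats, maps them onto the two identifiers this page names (CTEM-INF-4 and CTEM-RAN-1, using the key characteristics listed under Featured Examples as the mapping rules), de-duplicates findings that several tools reported, and orders them by priority. The feed formats, field names, corporate and supplier domains, severity scores and the `CTEM-UNMAPPED` placeholder are all assumptions made for the example; the page assigns no codes to the other identifiers, so they are not used here.

```python
"""Added example: normalize multi-tool findings onto CTEM identifiers.

Assumptions (not from CTEM.org): feed record formats, field names,
the monitored domains, severity scores and the CTEM-UNMAPPED placeholder.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"example.com"}          # constructed: the monitored organization
KNOWN_SUPPLIERS = {"acme-parts.example"}     # constructed: supplier inventory

# Identifier codes and names as given on the page; severity scores are assumed.
IDENTIFIERS = {
    "CTEM-INF-4": ("Infected Employee Owned Device (Personal Use of Corporate Identity)", 70),
    "CTEM-RAN-1": ("Ransom Dump (Supplier)", 85),
}
UNMAPPED = "CTEM-UNMAPPED"   # placeholder: the page assigns no code for this case


@dataclass
class Finding:
    identifier: str
    subject: str      # the identity or organization the finding is about
    score: int
    sources: list     # tools that reported it, in the order seen


def _is_corporate_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def classify_stealer_record(rec: dict) -> tuple:
    """CTEM-INF-4 per the page: corporate e-mail used on a personal service,
    surfaced in a stealer log. Approximated as: username on a corporate domain
    AND the login URL's host is not a corporate host."""
    user = rec["username"].strip().lower()
    host = (urlparse(rec["url"]).hostname or "").lower()
    user_domain = user.rsplit("@", 1)[1] if "@" in user else ""
    if user_domain in CORPORATE_DOMAINS and host and not _is_corporate_host(host):
        return "CTEM-INF-4", user
    # Corporate credentials for a corporate service, or a non-corporate identity:
    # the page lists identifiers for such cases but gives them no code, so leave unmapped.
    return UNMAPPED, user


def classify_leak_site_record(rec: dict) -> tuple:
    """CTEM-RAN-1 per the page: a supplier's data published by a ransomware group."""
    victim = rec["victim_domain"].strip().lower()
    if victim in KNOWN_SUPPLIERS:
        return "CTEM-RAN-1", victim
    return UNMAPPED, victim


CLASSIFIERS = {"stealer_log": classify_stealer_record, "leak_site": classify_leak_site_record}


def triage(raw_findings: list) -> list:
    """Classify every (tool, kind, record) tuple, merge duplicates that share an
    identifier and subject, and return findings ordered by descending score."""
    merged = {}
    for tool, kind, rec in raw_findings:
        identifier, subject = CLASSIFIERS[kind](rec)
        key = (identifier, subject)
        if key in merged:
            if tool not in merged[key].sources:
                merged[key].sources.append(tool)
            continue
        score = IDENTIFIERS.get(identifier, ("", 0))[1]
        merged[key] = Finding(identifier, subject, score, [tool])
    return sorted(merged.values(), key=lambda f: (-f.score, f.identifier, f.subject))


# Constructed sample feed: two tools, two record shapes, one duplicate.
SAMPLE_FEED = [
    ("tool-a", "stealer_log", {"username": "jdoe@example.com", "url": "https://streaming.example.net/login"}),
    ("tool-b", "stealer_log", {"username": "JDoe@Example.com", "url": "https://streaming.example.net/login"}),
    ("tool-a", "stealer_log", {"username": "jdoe@example.com", "url": "https://vpn.example.com/"}),
    ("tool-a", "stealer_log", {"username": "someone@gmail.example", "url": "https://streaming.example.net/login"}),
    ("tool-b", "leak_site", {"victim_domain": "acme-parts.example"}),
    ("tool-b", "leak_site", {"victim_domain": "unrelated-corp.example"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        name = IDENTIFIERS.get(f.identifier, ("(no page identifier)",))[0]
        print(f"{f.score:3d}  {f.identifier:<14} {f.subject:<26} {name}  sources={f.sources}")
```

Running it yields the supplier ransom dump first (CTEM-RAN-1), then the single merged CTEM-INF-4 finding that both tools reported for the same corporate identity, and three unmapped records at the bottom. The point of the exercise is the merge key: once every tool's output is expressed as (identifier, subject), duplicates across products collapse and the same prioritization applies regardless of which product surfaced the finding.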
Join the CTEM.org Community
Contribute to the development of CTEM standards and best practices
The CTEM.org project is community-driven and welcomes contributions from security practitioners, researchers, and organizations implementing threat exposure management programs.
Project Timeline
Development milestones and roadmap
Project Launch
CTEM.org organization founded to develop threat exposure management standards
Initial Taxonomy Development
Core identifier categories established for infected devices and ransomware incidents
Community Expansion
Growing practitioner community and expanding taxonomy coverage
Industry Adoption
Partner with organizations to implement CTEM standards in production environments