Why you should pick a leader in exposure management

In this article:

  • Gartner has replaced its Market Guide for Vulnerability Assessment with a new annual Magic Quadrant for Exposure Assessment Platforms, signaling a major market shift from vulnerability management to exposure management.
  • Exposure management is defined as continuous, business-context security evaluation, involving the continuous discovery of attack surfaces, the assessment and prioritization of potential exposures according to business impact, validation of the top risks, and the mobilization of remediation efforts.
  • Tenable is ranked as the highest leader overall among exposure management platforms in Gartner's first EAP Magic Quadrant report, credited for broad attack-surface coverage and strong exposure analytics and threat-intelligence integration.

 

Last month witnessed a minor earthquake in the cybersecurity world. Gartner, the industry's leading research and advisory firm, replaced its long-running annual Market Guide for Vulnerability Assessment with a new yearly publication: the Magic Quadrant for Exposure Assessment Platforms.

This changeover marks a milestone. Eight years after Tenable began to popularize the concept of exposure management, and three years after Gartner began to refer to it as continuous threat exposure management (CTEM), it has finally eclipsed its predecessor, the older concept of vulnerability management/assessment.

Gartner's new publication didn't explain the shift beyond stating that, "By 2027, organizations that integrate exposure assessment data into IT and business workflows will experience 30% less unplanned downtime from exploited vulnerabilities than those relying on isolated vulnerability management tools."

But in 2023, Gartner researcher Jeremy D'Hoinne defined the new concept as "a pragmatic and effective systemic approach to continuously refine priorities and walk the tightrope between two modern security realities."

"Organizations can't fix everything," he added, "nor can they be completely sure what vulnerability remediation they can safely postpone."

To be blunt, it's become clear that getting far ahead of vulnerabilities, misconfigurations, identity compromises and other potential weaknesses is just as important as patching known bugs and changing known compromised passwords. It's also clear that there are just too many of these weaknesses for it to be possible to remediate every last one.

Or, as Tenable Co-CEO Mark Thurmond wrote in a blog post accompanying the release of the new Gartner report, "In 2017, we recognized that big changes needed to happen in how the industry at large was approaching cybersecurity.

"As the attack surface grew, stretching into cloud, OT and identity," Thurmond continued, "we moved with the market when customers needed us there, and we led the market with exposure management, and now AI, when customers needed to see what was next."

What Gartner expects from exposure-management vendors

Exposure management, or CTEM, is a form of sophisticated triage. It discovers everything that might be a problem, assesses the potential impact of each problem on the organization, prioritizes each problem accordingly, tests the top-priority ones to make sure they really are problems, and then maps out a plan to fix the most important problems.

"Continuous discovery and inventory of attack surfaces, involving verification of known assets and discovery of unknown threats, is a key step in an exposure management program to provide sufficient visibility," states the new Gartner Magic Quadrant report.

But exposure management/CTEM is a process, not something you can buy off the shelf and set up quickly. Each organization beginning the process must first define the scope of its exposure-management focus, a step that a platform can't perform for it.

While exposure management/CTEM can mobilize remediation efforts by recommending which steps to take to patch or otherwise fix an issue, and can track the remediation process, the actual fixes are outside the scope of the process.

Exposure management platforms, which Gartner calls exposure assessment platforms (EAPs), are automated platforms that help perform some of the stages of exposure management, specifically the discovery, assessment, prioritization and mobilization stages. (Gartner's model of the CTEM process merges the discovery and assessment steps.) Some of these platforms also perform the validation stage.

"The core purpose of EAPs is to provide a better, consolidated view of high-risk exposures enabling organizations to take key proactive actions to prevent breaches," the report says.

The way Gartner sees it, exposure management platforms must offer:

  1. Discovery across a broad range of attack surfaces, and reporting across a broad range of asset types. A platform must be able to scan "internal, external, cloud and end-user attack surfaces" and report on endpoints, network hardware and software, identity systems, containers, Internet of Things and operational technology devices, and cloud, on-prem and hybrid software and infrastructures.
  2. Prioritization based on business context, security-control context, vulnerability severity, threat intelligence, and asset importance.
  3. Mobilization through integrations with wider systems, including IT service management systems like ServiceNow or Jira, which can also provide "enhanced asset context and reporting."

 

Gartner also tosses in some optional capabilities:

  • Discovery that extends to "digital assets" and "artifacts being actively abused by external threat actors," such as social-media accounts, dark-web marketplaces and third-party suppliers.
  • Prioritization that takes into account potential attack paths through analysis or breach-and-attack simulation, as well as possible API compromise.
  • Faster remediation by integrating with security-operations tools like SIEM or SOAR solutions.
  • Tracking remediation efforts of high-priority exposures.

 

"Through prioritized visualizations and treatment recommendations," says the report, "EAPs help provide direction for mobilization, identifying the various teams involved in mitigation and remediation."

Who comes out on top in the Gartner report, and why

Gartner analyzed 20 vendors worldwide for its first exposure-assessment-platform report, and three came out as "Leaders" by virtue of being placed in the so-called Magic Quadrant: Qualys, Rapid7 and Tenable. That's more exclusive than in a similar report by market-analysis firm IDC, which adds five more vendors to its "Leaders" space.

The three leaders in the Magic Quadrant all have global reach and offer both SaaS and on-prem deployment options for their exposure-management platforms, even if the on-prem option may be somewhat limited, Gartner said. All are also rapidly expanding their capabilities through acquisitions or development.

If you're not familiar, the Magic Quadrant is the upper right-hand quarter of a two-dimensional graph upon which Gartner maps the standings of various vendors.

The X-axis indicates "completeness of vision," which Gartner says "evaluates a vendor’s ability to understand buyers’ emerging needs, their market competitors, and how to communicate solutions effectively." The further right a vendor, the more complete its vision.

The Y-axis denotes a vendor's "ability to execute," or its "ability to provide product functions in core EAP areas." The higher the vendor's standing, the greater its capabilities.

Of all 20 vendors, Tenable, with its Tenable One exposure-management platform, occupied the prime spot, further along on both axes than any other.

Gartner cited Tenable's continued expansion of capabilities through acquisitions, such as of Vulcan Cyber, which integrates with dozens of third-party cybersecurity tools, or Eureka Security, which offers data security posture management (DSPM) for cloud environments. It also commended Tenable's very broad attack-surface coverage, along with its strong market presence.

"Tenable One is a well-integrated platform that spans traditional IT, identity, cloud, OT, and container environments," said the report. "Its native capabilities include asset visibility, vulnerability prioritization, asset and identity relationship mapping, and contextual risk scoring across a wide range of attack surfaces."

However, Tenable One's truly distinguishing characteristic, according to Gartner, was its comprehensive integration of exposure analytics and threat intelligence.

"Tenable uses multiple threat intelligence sources to assess exploit likelihood and prioritize vulnerabilities with real-world impact," the Gartner report said. "This capability, combined with native support for CVSS v4.0, EPSS, asset criticality, business impact, attack path analysis, and control posture, enhances Tenable's ability to surface emerging exposures early."

It wasn't all puppies and rainbows: Gartner dinged Tenable for not making it easier to create custom risk models; for being difficult to set up on-prem; and for "limited native remediation playbooks" and no "ability to simulate the impact of configuration changes or test remediation workflows."

"Tenable believes our evolution of exposure management and our strong, mature partner ecosystem contributed to our position as a Leader," Thurmond said in his blog post. "We see this recognition as validation of the trust our customers have in Tenable as we work side-by-side to solve one of the greatest challenges facing organizations today: reducing cyber exposure."

As for the future of exposure management, Gartner anticipates that it will get bigger as organizations recognize the process as crucial to maintaining proper security postures.

"Gartner expects the EAP market to grow steadily over the next few years, driven by the increasing complexity of cloud environments and the accelerating use of AI, which are amplifying the scale and impact of exposures — potentially at an exponential rate," the report says. "As organizations face an expanding and increasingly complex attack surface, EAPs will play a critical role in unifying exposure management and other security operations practices."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
