A new 2026 market intelligence study of 128 enterprise security decision makers (available here) reveals a stark divide between organizations – it has nothing to do with budget size or industry and everything to do with a single-frame decision. Organizations using Continuous Threat Exposure Management (CTEM) show 50% better attack surface visibility, 23-point solution adoption, and higher threat awareness across all measured factors. 16% who have used it withdraw. 84% are still behind.
Demographics of the Division
The study surveyed an elite group: 85% of respondents are at the Manager level or above, representing organizations of which 66% employ 5,000+ people across the financial, healthcare, and retail sectors.
Download the full study here →
What is CTEM?
If you don’t know, CTEM goes from “integrating everything proactively” to “proactively discovering, validating, and prioritizing risk exposures that could harm the business.” Cybersecurity is now being widely discussed as the next generation of exposure/risk management, and a new report reinforces Gartner’s view that businesses that adopt it will continue to show stronger security results than those that don’t.
Awareness is High. Discovery is rare.
A surprising finding: There doesn’t seem to be a problem with awareness, just implementation. 87% of security leaders recognize the importance of CTEM, but only 16% have translated that awareness into practical action. So, if they heard about it, why don’t they use it?
The gap between awareness and implementation presents a modern security dilemma: which priority is effective? Security leaders understand CTEM well but struggle to sell its benefits in the face of organizational issues, competing priorities, and budget constraints that force impossible trade-offs. The challenge of getting management buy-in is one of the reasons we prepared this report: to provide statistics that a business cannot afford to ignore.
Complexity is the new multiplier
Example: Beyond a certain threshold, manual tracking of all additional integrations, documentation, and dependencies breaks, ownership blurs, and blinds multiply. Research makes it clear that the complexity of the attack landscape is not just a management challenge; it is a direct risk multiplier.
We can see this clearly in the graph below. Attack rates increase sequentially from 5% (domains 0-10) to 18% (domains 51-100), then increase in increments of the last 100 domains.
This sudden increase is driven by the ‘visibility gap’, the gap between the assets a company is responsible for monitoring and those who know them. Each additional domain can add a large number of connected assets, and if the number increases beyond 100, this can translate into thousands of additional documents: each one a possible attack vector. Traditional snapshot security cannot hope to log and monitor them all. Only CTEM-driven systems can provide oversight to proactively identify and validate dark assets hidden in this visibility gap – before attackers do.
Why This Matters Now
Security leaders are now facing a ‘perfect storm’ of demands. At a time when 91% of CISOs report an increase in third-party incidents, breach costs have risen to $4.44M, and PCI DSS 4.0.1 brings stronger monitoring and ever-present fines. With this in mind, the report shows that attack environment management has become as much a boardroom issue as the server room, and the C-suite reader can conclude that continuing to rely on manual oversight and periodic controls to manage such a complex, high-level challenge would be self-defeating.
One of the clearest signs in this study comes from the peer rating data. When organizations compare themselves to each other – in terms of attack surface size, visibility, tools, and results – a pattern emerges that is hard to ignore: beyond a certain level of sophistication, traditional security measures stop growing.
The takeaway from peer benchmarking is clear: below a certain level of exposure, organizations can rely on periodic controls and manual oversight. Moreover, those models are no longer valid. For security leaders working in high-risk environments, the question is no longer whether CTEM is necessary – whether their current approach can continue without it.
Download the full market research here.
