From Theory to Practice: How Armis Customers Embody the CTEM Framework

Security leaders struggle daily with an expanding attack surface and concerns of unknown exposures within their organization. This reality makes it challenging to assess, prioritize, and remediate risks effectively, potentially providing numerous opportunities for bad actors to infiltrate. To address this, Gartner® discusses a strategic approach known as Continuous Threat Exposure Management (CTEM). CTEM is a five-step framework that enables organizations to mitigate cyber risk by continuously assessing and managing their cybersecurity posture. The five steps are Scoping, Discovery, Prioritization, Validation, and Mobilization.

While most Security professionals do not explicitly state implementing the CTEM framework as their goal, their real-world security challenges naturally align with its five phases. Organizations adopt Armis Centrix™ to solve tangible problems, such as gaining visibility into unknown or misbehaving assets and/or their potential attack pathways, contextualizing and prioritizing a massive backlog of vulnerabilities, and protecting their digital footprint. In addressing these pressing needs, they are inherently executing one or more stages of a CTEM program. The Armis Centrix™ Cyber Exposure Management platform is designed to enable an effective, comprehensive CTEM program by providing the visibility and intelligence needed at every stage.

The 5 Phases of Continuous Threat Exposure Management

The CTEM framework is a continuous loop, ensuring that security is not a one-time fix but an ongoing, adaptive process. The 5 phases are:

1. Scoping: During the scoping phase of CTEM, the initial identification and definition of assets are strategically aligned with business relevance from the outset.
2. Discovery: Using the information collected during scoping, target discovery at the relevant assets and risk profiles for that scope, strategically aligned with business relevance from the outset.
3. Prioritization: Prioritizing the treatment of exposures needs to be based on a combination of the urgency, severity, availability of compensating controls, risk appetite and level of risk posed to the organization.
4. Validation: The part of the process by which an organization can validate how potential attackers can exploit an identified exposure and how monitoring and control systems might react.
5. Mobilization: The objective of the mobilization effort is to ensure teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments.

Armis Centrix™ in Action: Customer Success Across the CTEM Lifecycle

Let’s explore how three Armis customers in manufacturing, transportation, and healthcare are already leveraging Armis Centrix™ to execute phases of the CTEM framework.

Scoping

Goal: Determine which parts of the organization to focus on for exposure management, based on business priorities.

For a large International Airport, the scope was massive and complex, spanning a diverse environment of IT, Operational Technology (OT), and Industrial Internet of Things (IIoT) assets. Their initial challenge was a lack of security governance and an inability to prioritize risks according to their business and operational impact. Armis Centrix™ provided the airport’s cybersecurity and operations teams with the comprehensive asset visibility they needed to properly scope their environment, identifying all digital assets and their configurations to establish a foundation for their security program.

Case Study: How an International Airport Management Cyber Exposure Risk with a Diverse IT/OT/IIoT Environment 

Discovery

Goal: Achieve continuous visibility into every asset to uncover vulnerabilities and exposures.

The Cwm Taf Morgannwg (CTM) University Health Board in the UK faced a critical challenge: a lack of visibility into network traffic and the countless devices connected to it, especially mission-critical legacy medical equipment and IoT assets. As Head of Cybersecurity Operations, Thomas Evans noted, “You can’t start fixing stuff or prioritizing what to remediate until you know what you’ve got”. After deploying Armis, they discovered between 65,000 and 70,000 IP-connected assets, including some medical devices they weren’t even aware of, along with their exposures. This newfound visibility was the crucial first step toward securing their environment.

Case Study: UK Healthcare System Relies on Armis to Discover, Segment, and Secure Essential Medical Devices, and Legacy Assets

Prioritization

Goal: Rank exposures by their exploitability and business impact to focus resources where they matter most.

The CTM Health Board mentioned above was also struggling with a significant backlog of vulnerabilities. By deploying Armis Centrix™ for VIPR (Vulnerability, Prioritization, and Remediation), they were able to sort through the noise. The rich business and environmental context provided by Armis Centrix™ allowed them to focus and prioritize the most critical risks, enabling them to make a successful business case for a new third-party patching solution that would relieve their overstretched team.

Similarly, the International Airport mentioned above used Armis Centrix™ to gain a clear, prioritized understanding of its vulnerabilities according to their operational impact, which significantly improved its Mean-Time-to-Detect (MTTD) and Mean-Time-to-Respond (MTTR).

Validation

Goal: Confirm that an exposure is genuinely exploitable and understand the potential impact.

This phase is about answering the question, “Can an attacker really do damage with this?” Armis enables this through attack path visualization and risk simulation. For PGP Glass, a global manufacturing leader, the primary concern was protecting its valuable intellectual property (IP) from exfiltration. Armis Centrix™ deep visibility allowed them to avert potential IP theftת validate the threat of a data leak and proactively secure those assets.

At the CTM Health Board, the Security team is now using Armis to map out critical departments like the blood bank to see “exactly what they do on the network.” This helps them build baselines for normal behavior, making it easier to validate and investigate any deviations that could signal a threat.

Case Study: Armis Helps PGP Glass Gain Full Situational Awareness of OT Devices to Safeguard IP

Mobilization

Goal: Drive timely and measurable remediation of validated threats.

Once a threat is validated, it’s time to act. Armis provides the tools to turn insight into action. The International Airport received actionable, contextualized mitigation steps tailored specifically to its unique environment, along with executable playbooks that fostered tighter collaboration between its security and OT teams.

The CTM Health Board is setting automations in Armis Centrix™ to take action against risky or unapproved devices. “Having Armis act on our behalf instead of having to analyze everything at a granular level will be a massive time saver,” said Thomas Evans.

Enabling Our Customers to Achieve Proactive Security and Operational Resilience

The power of the Armis Centrix™ platform lies not only in its current CTEM capabilities but also in its continuous, customer-centric evolution. Armis actively listens to and consults with our customers who are on the front lines of cyber defense. This direct feedback loop is the driving force behind our ambitious product development calendar and roadmap.

Our continuous efforts include delivering rich orchestration, additional out-of-the-box integrations, and features that empower security teams to automate more of the remediation lifecycle or integrate with their preferred best-of-breed tools. Our roadmap is always focused on delivering rich capabilities that enhance the CTEM cycle for our customers.

Ultimately, our customer-driven approach is what enables Armis customers to achieve true operational resilience. As our customers face new challenges and AI-charged cyber threats, Armis Centrix™ evolves with them, providing the tools and integrations necessary to not only manage but master continuous threat exposure.

To gain a foundational understanding of CTEM, read the Gartner® report, Use Continuous Threat Exposure Management to Reduce Cyberattacks. The report includes recommendations for designing and building a comprehensive CTEM program.

To learn how Armis Centrix™ enables an effective implementation of a CTEM program, check out Aligning with Gartner® Guidance for an Effective CTEM Program.

Gartner, Use Continuous Threat Exposure Management to Reduce Cyberattacks, Jonathan Nunez, Pete Shoard, Mitchell Schneider, 16 July 2025.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.