CTEM Scoping and Discovery Automation

CTEM Scoping and Discovery Automation is the foundational first phase of the Continuous Threat Exposure Management (CTEM) program. It refers to the use of technology to autonomously and continuously map, inventory, and classify an organization’s entire digital footprint, replicating an adversary's reconnaissance efforts.

Three key components characterize this process:

1. Continuous Asset Discovery

This involves continuous scanning of the internet, cloud environments, code repositories, and public records to identify any assets associated with the target organization. Automation is crucial here because the digital footprint is constantly changing due to mergers, shadow IT, DevOps pipelines, and cloud elasticity.

  • Key Functions:

    • Domain and Subdomain Enumeration: Identifying all variations, typosquats, and associated subdomains (e.g., dev.company.com, company-support.net).

    • External Infrastructure Mapping: Discovering IP ranges, open ports, and technologies used by public-facing assets.

    • Cloud Service Visibility: Automatically finding and inventorying unmanaged or misconfigured cloud resources like public S3 buckets, Azure blobs, or exposed container registries.

    • Code and Credential Exposure: Searching public platforms (e.g., GitHub, GitLab) and dark web sources for leaked code, keys, or credentials.

2. Scoping and Classification

Once an asset is discovered, automation categorizes it and assigns relevant context, which is the "scoping" aspect of CTEM.

  • Key Functions:

    • Ownership and Business Unit Assignment: Automatically determining which team or business unit owns the asset.

    • Asset Criticality and Function: Classifying the asset's importance (e.g., mission-critical production server vs. retired staging environment) to inform later prioritization.

    • Technology Stack Identification: Fingerprinting the technologies, operating systems, and versions used to enable risk assessment (e.g., identifying outdated versions of WordPress or Apache).

3. Automated Inventory Management

The platform maintains a real-time, consolidated database of all discovered assets. This automated, single source of truth eliminates the need for manual spreadsheets. It ensures that, as soon as an asset comes online or changes status, it is immediately entered into the CTEM lifecycle for assessment.
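The three components above form one pipeline: discover, scope, then reconcile against the last inventory. The script below walks through all three on constructed data. It is an added example, not ThreatNG code: the certificate-transparency names, DNS answers, HTTP headers, `company.com` domain, owner map and the naming heuristics used for environment and criticality are all assumptions of this example.

```python
# Added example (not ThreatNG code): a toy discovery -> scoping -> inventory pipeline.
# Every input is constructed in-line so the script runs offline; the domain names, owner
# map and naming heuristics are assumptions of this example.
from difflib import SequenceMatcher

ORG_DOMAIN = "company.com"   # assumed organisation domain

# Constructed stand-ins for certificate-transparency names, DNS answers and HTTP headers.
CT_NAMES = ["www.company.com", "dev.company.com", "staging-api.company.com",
            "company-support.net", "cornpany.com", "unrelated.example.org"]
DNS = {"www.company.com": "203.0.113.10", "dev.company.com": "203.0.113.22",
       "staging-api.company.com": "198.51.100.7", "company-support.net": "198.51.100.9",
       "cornpany.com": "192.0.2.44"}
HTTP_HEADERS = {
    "www.company.com": {"Server": "nginx/1.24.0"},
    "dev.company.com": {"Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4.3"},
    "staging-api.company.com": {"Server": "nginx/1.18.0", "X-Powered-By": "Express"},
    "company-support.net": {"Server": "nginx/1.24.0"},
}
OWNERS = {"api": "platform-team", "dev": "dev-team", "www": "web-team"}  # assumed prefix -> owner


def registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(domain, org=ORG_DOMAIN):
    """Typosquat / brand-bearing domain: label contains the org label or is very similar to it."""
    org_label, label = org.split(".")[0], domain.split(".")[0]
    return org_label in label or SequenceMatcher(None, label, org_label).ratio() >= 0.75


def discover(ct_names, dns, org=ORG_DOMAIN):
    """Phase 1 (discovery): keep hosts under the org domain plus look-alike domains."""
    assets = {}
    for host in ct_names:
        reg = registered_domain(host)
        if reg == org:
            kind = "subdomain"
        elif is_lookalike(reg, org):
            kind = "lookalike"
        else:
            continue  # out of scope, e.g. a neighbour's certificate in the same CT batch
        assets[host] = {"kind": kind, "ip": dns.get(host)}
    return assets


def fingerprint(headers):
    """Technology stack as (product, version) pairs parsed from response headers."""
    stack = []
    for key in ("Server", "X-Powered-By"):
        if headers.get(key):
            product, _, version = headers[key].partition("/")
            stack.append((product.lower(), version or None))
    return stack


def classify(host, headers, owners=OWNERS):
    """Phase 2 (scoping): environment, criticality and owner from naming heuristics (assumed)."""
    label = host.split(".")[0]
    env = "staging" if any(t in label for t in ("dev", "staging", "test")) else "production"
    owner = next((team for prefix, team in owners.items() if prefix in label), "unassigned")
    return {"env": env, "criticality": "high" if env == "production" else "medium",
            "owner": owner, "stack": fingerprint(headers)}


def diff_inventory(previous, current):
    """Phase 3 (inventory): assets that appeared, disappeared or changed since the last scan."""
    return {"new": sorted(set(current) - set(previous)),
            "removed": sorted(set(previous) - set(current)),
            "changed": sorted(h for h in set(current) & set(previous) if current[h] != previous[h])}


def run_pipeline(previous_inventory):
    """Returns the fresh inventory and the delta that should enter the CTEM lifecycle."""
    assets = discover(CT_NAMES, DNS)
    for host, record in assets.items():
        record.update(classify(host, HTTP_HEADERS.get(host, {})))
    return assets, diff_inventory(previous_inventory, assets)


if __name__ == "__main__":
    inventory, delta = run_pipeline({})
    for host, record in inventory.items():
        print(host, record)
    print("delta:", delta)
```

The delta is the part that matters for continuity: on the first run everything is new, but on every later run only the assets that appeared, disappeared or changed fingerprint are pushed into assessment, which is what makes the inventory usable as a single source of truth rather than a snapshot.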

CTEM Scoping and Discovery Automation ensures the organization has a complete, up-to-the-minute, and adversarial view of its attack surface, eliminating blind spots before attackers can exploit them.

ThreatNG is fundamentally intended to execute this automation through its core capabilities:

External Discovery and Continuous Monitoring (The Automation Engine)

ThreatNG’s External Discovery is the automation engine for the CTEM Scoping and Discovery phase. It performs purely external, unauthenticated discovery with no connectors, mirroring a threat actor’s initial reconnaissance. Continuous Monitoring ensures the automation never stops, preventing new assets or changes from becoming blind spots.

  • Example of ThreatNG Helping (Discovery): A DevOps team spins up a new staging-api.mycompany.com subdomain for a temporary project but forgets to secure it. Because ThreatNG continuously monitors the domain space, its External Discovery automatically finds and inventories this shadow IT asset within minutes of deployment.

  • Example of ThreatNG Helping (Scoping/Classification): When the asset is discovered, ThreatNG automatically classifies its Technology Stack (e.g., identifying that it runs an older version of NGINX and a specific JavaScript framework). This automatic tagging immediately provides the asset's scope and initial risk context.

External Assessment (Automated Contextual Scoping)

While primarily for prioritization, the External Assessment phase automatically adds deep contextual scoping to the discovered assets by testing for specific risks and confirming their potential for exploitation.

  • Example of ThreatNG Helping: An assessment identifies high Web Application Hijack Susceptibility on a discovered subdomain. This scoping indicates that the asset's risk is not just general exposure but a specific, high-impact threat that could lead to unauthorized control. This helps automate the classification of the asset as a High-Risk Digital Asset in the inventory.

Investigation Modules (Validating Scope and Boundaries)

The Reconnaissance Hub provides the tools used to validate the scope and boundaries of the discovery, ensuring comprehensive coverage and eliminating false positives or negatives.

  • Example of ThreatNG Helping: The Sensitive Code Exposure module automatically scans publicly available code repositories associated with the organization. When it finds a Code Repository Exposure, it immediately scopes the finding to confirm that the Access Key ID is present, automatically defining the digital risk boundary to include developer platforms outside the traditional network perimeter.
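What "scoping the finding to confirm that the Access Key ID is present" looks like in code, as an added example that is not ThreatNG's Sensitive Code Exposure module: scan a repository snapshot for AWS Access Key IDs, rate each hit by whether it is a documentation placeholder or sits next to a secret key, and emit a scoped exposure that extends the risk boundary to the developer platform. The repository contents are constructed; the key values are AWS's published documentation examples and an obvious placeholder, not live credentials.

```python
# Added example (not ThreatNG's Sensitive Code Exposure module): scope a code-repository exposure
# by confirming an AWS Access Key ID is present. The repository snapshot is constructed; the key
# values are AWS's published documentation examples and an obvious placeholder, not live credentials.
import re

# Access key IDs are 20 characters: prefix AKIA (long-term) or ASIA (temporary) + 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-ish characters; only reported when assigned to a recognisable variable.
SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")

REPO_FILES = {
    "config/settings.py": ('AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                           'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'),
    "README.md": "Example key format: " + "AKIA" + "X" * 16 + " is not a real key.\n",
    "src/app.js": "const bucket = 's3://company-assets';\n",
}


def scan_repository(files):
    """Find access key IDs file by file and rate confidence from what surrounds them."""
    findings = []
    for path, text in files.items():
        paired = SECRET_KEY.search(text) is not None  # a secret in the same file raises confidence
        for m in ACCESS_KEY_ID.finditer(text):
            key_id = m.group(0)
            placeholder = len(set(key_id[4:])) == 1    # e.g. AKIAXXXXXXXXXXXXXXXX in docs
            findings.append({
                "path": path,
                "line": text.count("\n", 0, m.start()) + 1,
                "key_id": key_id,
                "key_type": "temporary" if key_id.startswith("ASIA") else "long-term",
                "confidence": "placeholder" if placeholder else ("high" if paired else "medium"),
            })
    return findings


def scope_exposure(repository, files):
    """Turn confirmed findings into a scoped exposure that extends the risk boundary to developer platforms."""
    confirmed = [f for f in scan_repository(files) if f["confidence"] != "placeholder"]
    return {
        "repository": repository,
        "in_scope": bool(confirmed),
        "boundary": "developer-platform" if confirmed else None,
        "findings": confirmed,
        "action": "rotate the exposed key and remove it from the repository" if confirmed else "none",
    }


if __name__ == "__main__":
    print(scope_exposure("company/app", REPO_FILES))
```

The placeholder check is what keeps the automation from flooding the inventory with README examples; a real scanner would also validate the key against the provider before calling the exposure confirmed, which this offline example deliberately does not do.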

Intelligence Repositories (Automated Risk Context for Scope)

The Intelligence Repositories provide the automatic risk context for every discovered and scoped asset, enabling informed decision-making in the subsequent prioritization phase.

  • Example of ThreatNG Helping: For every discovered technology, the DarCache Vulnerability repository is automatically cross-referenced. If the discovered staging-api.mycompany.com runs a web server with a known CVE, ThreatNG instantly overlays NVD, EPSS, and KEV status on the asset's profile, automating initial risk scoring during the discovery phase.
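The overlay step described above, as an added example that is not ThreatNG's DarCache: match each fingerprinted (product, version) pair against a vulnerability repository and derive an initial priority from the three signals the text names, known-exploited status (KEV), exploit probability (EPSS) and severity (NVD CVSS). The CVE identifiers are placeholders, the repository records and their scores are constructed, and the triage ladder in `priority()` is an assumption of this example.

```python
# Added example (not ThreatNG's DarCache): overlay vulnerability intelligence on a scoped asset's
# technology stack. The CVE identifiers are placeholders and the CVSS (NVD), EPSS and KEV values
# are constructed for the example; the triage ladder in priority() is an assumption.

def parse_version(version):
    return tuple(int(part) for part in version.split("."))


# Constructed intelligence repository keyed by product and the first fixed version.
VULN_REPO = [
    {"product": "nginx", "fixed_in": "1.20.1", "cve": "CVE-XXXX-PLACEHOLDER-A", "cvss": 7.5, "epss": 0.61, "kev": True},
    {"product": "nginx", "fixed_in": "1.25.0", "cve": "CVE-XXXX-PLACEHOLDER-B", "cvss": 5.3, "epss": 0.02, "kev": False},
    {"product": "apache", "fixed_in": "2.4.50", "cve": "CVE-XXXX-PLACEHOLDER-C", "cvss": 9.8, "epss": 0.94, "kev": True},
    {"product": "php", "fixed_in": "7.4.30", "cve": "CVE-XXXX-PLACEHOLDER-D", "cvss": 8.1, "epss": 0.12, "kev": False},
]


def matching_vulns(product, version, repo=VULN_REPO):
    """Records for this product whose fix is newer than the fingerprinted version."""
    if version is None:
        return []  # unversioned fingerprint: cannot match; flag for deeper fingerprinting instead
    v = parse_version(version)
    return [r for r in repo if r["product"] == product and v < parse_version(r["fixed_in"])]


def priority(vuln):
    """Assumed triage ladder: known-exploited (KEV) first, then exploit probability (EPSS), then severity (CVSS)."""
    if vuln["kev"]:
        return "P1"
    if vuln["epss"] >= 0.5:
        return "P2"
    if vuln["cvss"] >= 7.0:
        return "P3"
    return "P4"


def overlay(asset):
    """Annotate {'host': ..., 'stack': [(product, version), ...]} with matched vulns and an overall risk."""
    annotations = []
    for product, version in asset["stack"]:
        for vuln in matching_vulns(product, version):
            annotations.append({**vuln, "component": f"{product}/{version}", "priority": priority(vuln)})
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    annotations.sort(key=lambda a: order[a["priority"]])   # stable: ties keep repository order
    return {**asset, "vulns": annotations, "risk": annotations[0]["priority"] if annotations else "none"}


if __name__ == "__main__":
    print(overlay({"host": "staging-api.mycompany.com", "stack": [("nginx", "1.18.0"), ("express", None)]}))
```

Note the unversioned `express` entry: a fingerprint without a version cannot be matched safely, so the example returns nothing for it rather than guessing, and a real pipeline would queue such components for deeper fingerprinting instead of silently scoring them as clean.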

Cooperation with Complementary Solutions

ThreatNG’s automated scoping and discovery is invaluable because it provides an immediate, externally validated asset inventory to solutions that manage internal or remediation workflows.

  • ThreatNG and a Configuration Management Database (CMDB) Solution:

    • Cooperation: ThreatNG provides the external view of the asset inventory, while the CMDB maintains the internal view. ThreatNG can automatically feed any newly discovered or changed external asset into the CMDB.

    • Example: When ThreatNG discovers a new, publicly exposed cloud IP range that was not registered in the CMDB (a shadow IT finding), it sends a structured data entry to the CMDB. The CMDB can then use this external record to trigger an alert to the IT Operations team, forcing the reconciliation and proper internal management of the asset, closing the IT/security visibility gap.

  • ThreatNG and a Cloud Security Posture Management (CSPM) Tool:

    • Cooperation: ThreatNG confirms what is exposed to the public internet, and the CSPM tool focuses on misconfigurations within the cloud environment. ThreatNG can share the discovered Domain Intelligence and public-facing IPs.

    • Example: ThreatNG discovers an exposed S3 bucket (via External Discovery). It sends the bucket name or URL to the CSPM tool. The CSPM tool can then use this validated external exposure to focus its scan on that specific resource, allowing it to quickly check internal cloud settings for public access policies and granular permissions that ThreatNG's external view cannot see.
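The two handoffs above (unregistered external assets to the CMDB, a publicly reachable bucket to the CSPM tool) as one added example. This is not ThreatNG, CMDB or CSPM vendor code: the CMDB ranges, the external findings and the record formats are all constructed or assumed, and the only real technique shown is the CIDR containment test that decides whether a discovered IP is already known internally.

```python
# Added example (not ThreatNG, CMDB or CSPM vendor code): reconcile external findings against
# a CMDB and hand exposed storage to a CSPM tool. Record formats are assumed; inventories are constructed.
import ipaddress
import json

# Constructed CMDB view: registered public ranges with owning team and configuration item.
CMDB_RANGES = [
    {"cidr": "203.0.113.0/24", "owner": "network-team", "ci": "CI-0001"},
    {"cidr": "198.51.100.0/26", "owner": "platform-team", "ci": "CI-0002"},
]

# Constructed external-discovery output: resolved hosts and storage buckets seen from the internet.
EXTERNAL_FINDINGS = [
    {"type": "ip", "value": "203.0.113.10", "host": "www.company.com"},
    {"type": "ip", "value": "198.51.100.70", "host": "staging-api.company.com"},
    {"type": "s3_bucket", "value": "company-assets", "public": True},
    {"type": "s3_bucket", "value": "company-logs", "public": False},
]


def registered_range(ip, ranges=CMDB_RANGES):
    """The CMDB range containing ip, or None when the address is unknown to the CMDB."""
    addr = ipaddress.ip_address(ip)
    return next((r for r in ranges if addr in ipaddress.ip_network(r["cidr"])), None)


def reconcile(findings, ranges=CMDB_RANGES):
    """Split findings into CMDB records (unregistered = shadow IT) and CSPM work items (public buckets)."""
    cmdb_records, cspm_items = [], []
    for f in findings:
        if f["type"] == "ip":
            match = registered_range(f["value"], ranges)
            cmdb_records.append({
                "source": "external-discovery", "ip": f["value"], "fqdn": f["host"],
                "status": "registered" if match else "unregistered",
                "ci": match["ci"] if match else None,
                "action": "confirm CI still accurate" if match else "alert IT operations; assign owner and CI",
            })
        elif f["type"] == "s3_bucket" and f["public"]:
            cspm_items.append({
                "resource": f"arn:aws:s3:::{f['value']}",
                "reason": "reachable from the public internet (externally validated)",
                "checks": ["bucket policy", "public access block", "object ACLs"],
            })
    return {"cmdb": cmdb_records, "cspm": cspm_items}


def shadow_it(findings, ranges=CMDB_RANGES):
    """Just the records that need reconciliation, i.e. the IT/security visibility gap."""
    return [r for r in reconcile(findings, ranges)["cmdb"] if r["status"] == "unregistered"]


def to_payload(result):
    """Serialise for an HTTP handoff to the CMDB / CSPM integration (format assumed)."""
    return json.dumps(result, indent=2)


if __name__ == "__main__":
    print(to_payload(reconcile(EXTERNAL_FINDINGS)))
```

The `/26` range is the interesting case: `198.51.100.70` sits just outside the block the CMDB knows about, so a plain "is this IP in our list" lookup would miss it, while the containment test correctly flags it as unregistered and routes it to IT Operations.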
