KEV-TICKERcves_ytd=28,720kev_total=1,289added_7d=+7[CISA KEV ↗]
// taxonomy

VM vs CSPM vs CTEM: scope, vendors, when each is needed

Vulnerability Management scans assets for CVEs. Cloud Security Posture Management scans cloud configuration. Continuous Threat Exposure Management orchestrates validation against attacker pathways across both.

author: Oliver Wakefield-Smith · verified 2026-06-26
// direct-answer

What is the difference between VM, CSPM, and CTEM?

VM finds CVEs on assets (network and host). CSPM finds misconfigurations in cloud accounts (open S3 buckets, over-permissioned IAM). CTEM orchestrates continuous validation of which findings are actually exploitable in your environment, across VM, CSPM, and threat intelligence. Most mid-market shops need VM + CSPM; CTEM is for mature programmes.

VM

Vulnerability Management. CVEs on hosts and network. Tenable, Qualys, Rapid7, OpenVAS.

CSPM

Cloud Security Posture Management. Cloud config misconfigs. Wiz, Orca, Tenable Cloud Security.

CTEM

Continuous Threat Exposure Management. Validates attacker pathways. Tenable One, Wiz Defend, XM Cyber.

Gartner's framing

Gartner formalised CTEM in 2022. It is now a real category, not just marketing, with five phases: scoping, discovery, prioritisation, validation, mobilisation. Tools that genuinely operate all five include Tenable One, XM Cyber, and Pentera.

// faq

FAQ

  • Is CTEM a product or a process?
    Both. Gartner defines CTEM as a five-phase process; vendors ship CTEM platforms that automate parts of it. Tenable One, Wiz Defend, XM Cyber, and Pentera all claim it.
  • Do I need CTEM if I run VM + CSPM?
    Only at scale. CTEM adds value when you have so many findings that prioritisation by attacker-pathway becomes the bottleneck.
  • Which vendor leads VM + CSPM + CTEM in one platform?
    Tenable One bundles VM, CSPM, EASM, and CTEM. Wiz covers CSPM, container, code, and adds CTEM via Wiz Defend.
  • What is the buyer's renewal cycle for these?
    VM tools tend to renew annually with long cycles (multi-year commits common). CSPM and CTEM are increasingly bundled into multi-product platform deals.
  • Is CTEM Gartner hype?
    Partly. The category is real and useful at scale; many tools that claim CTEM are just renamed VM + CSPM.
Related: Cloud scanners Tenable.io Wiz