Exposure validation emerges as critical cyber defense component

Organizations have implemented various aspects of threat exposure validation, including security control validation (51%) and filtering threat exposures based on the effectiveness of security controls to mitigate threats (48%), according to Cymulate.

At the same time, nearly all respondents say they have implemented exposure validation in one or more areas, including cloud security (53%), security controls (49%), response (36%) and threats (34%).

Optimizing defense with exposure validation

The report surveyed 1,000 security leaders, SecOps practitioners, and red and blue teamers from around the world to assess how they engage in security validation across cloud, on-premises and hybrid environments. The findings indicate that exposure validation is evolving into a pillar of modern cybersecurity, with more organizations leveraging its capabilities to optimize defense and increase threat resilience.

71% of those surveyed consider threat exposure validation to be “absolutely essential.” Organizations that run exposure processes at least once per month reported a 20% reduction in breaches, with improved mean time to detection and increased resilience against immediate threats.

Respondents stated that automated security validation enabled them to test over 200x more threats than manual testing, and 97% of respondents who use automated security control validation and measure their cyber effectiveness reported a positive impact since implementation.

“This research confirms what we have always known: it’s not enough to have the right solutions in place. You must ensure they are performing as expected,” said Avihai Ben-Yossef, CTO, Cymulate.

“Today’s organizations cannot afford to be reactive. The scale, speed and sophistication of new and emerging threats mean organizations need to evolve beyond legacy best practices like manual penetration testing. A proactive, offensive approach that leverages automation and AI to achieve continuous testing and monitoring is critical for those that want to achieve true cyber resilience with pressure-tested defenses,” Ben-Yossef continued.

The use of automation and AI in exposure validation

98% of organizations plan to invest in exposure management in the future, with 89% planning to invest in the next 12 months. 90% of security leaders apply validation to their exposure management process at least once a month. 72% believe AI will play a significant role in exposure management and 89% of security teams have already begun to implement AI into their exposure validation processes.

Almost two-thirds of security leaders say that missing exposures due to manual pen testing is an issue, while 67% say infrequent pen testing has left concerning gaps in security assessments.

61% of security leaders agree their organization lacks the ability to identify and remediate exposures in their cloud environment, 37% say it can take up to 24 hours to validate cloud exposure and only 9% of organizations run exposure validation in their cloud environment daily.

The state of exposure management

With 96% of surveyed organizations experiencing at least one security breach in the last year, and long testing times leaving them vulnerable, it’s critical that SecOps teams know that their security controls are effective and working as intended. However, the research highlights widespread concern from CISOs over their ability to prevent complex threats.

What’s more, SecOps may be left with no choice but to ignore some vulnerabilities due to a lack of resources. Just over 3 in 10 (31%) state that a lack of resources or capacity is one of the biggest challenges they face when remediating identified exposures, while 49% cite this as a factor that influences their decision to deprioritize exposure remediation.

An additional 47% say the effectiveness of compensating controls to prevent or detect an exploit is a key factor in their decision to deprioritize exposure remediation.

In fact, 84% of security leaders say they are concerned about their security defenses withstanding an attack from a sophisticated threat actor, with 42% saying they are very concerned about this. Offensive security processes, such as threat exposure validation, are key.