Organizations struggle to prioritize known cyber risks
Organizations collect more cyber risk data than ever, with many still struggling to build a unified view of their exposure. The latest State of Threat Management report from Filigran found that security teams continue to work across disconnected tools, leaving important context spread across multiple systems.

Cloud infrastructure, on-premises environments, third-party services, vulnerability scanners, threat intelligence feeds, and attack surface management platforms all generate information about potential risk.
93% of organizations experience challenges maintaining an accurate and up-to-date view of their attack surface, and only 41% have a consolidated view of their cyber risk exposure. Visibility across assets, consolidation of attack surface data, and adding meaningful risk context remain common obstacles.
Collecting more information does not automatically improve decision-making. Connecting internal telemetry about assets and configurations with external telemetry about attacker activity and targeting provides a contextualized view of cyber risk exposure.
“Organizations are drowning in threat data from dozens of feeds and tools. Without continuous validation and intelligent prioritization, that data creates noise rather than clarity. Closing the exposure gap requires connecting threat intelligence directly to exposure validation and risk reduction in a continuous workflow,” said Julien Richard, CTO of Filigran.
Threat intelligence sees broad adoption
Threat intelligence is widely used across security operations centers. Ninety-nine percent of organizations use it in the SOC, although only 45% report that it is integrated and operationalized. Organizations consume an average of 14 threat intelligence feeds, including nine open source feeds.
Managing information from multiple sources remains a manual process for many organizations. Teams structure, contextualize, and prioritize intelligence before it can support security operations. Exposure data and remediation workflows remain separated across multiple systems, limiting the ability to build a unified view of risk.
Visibility alone does not help organizations decide which risks require immediate attention. Attacks frequently exploit risks that are already known and have not been prioritized, and 97% of organizations report difficulties determining whether exposures are exploitable. Manual processes continue to slow vulnerability assessment, threat analysis, and validation, extending the time between identifying risk and taking action.
Concerns about unintended disruption, manual effort, limited process integration, skills shortages, and time-consuming workflows rank among the most common obstacles. Practitioners report more operational friction than senior decision-makers, particularly around integrating validation into existing security processes and securing leadership support for exposure management.
Analysts spend considerable time investigating risks that later prove to be low priority or not exploitable. On average, these investigations account for 42% of the working week, or about 17 hours per analyst.
CTEM adoption changes assessment practices
Organizations with established Continuous Threat Exposure Management (CTEM) programs use a different mix of cyber risk assessment tools than organizations planning to implement the framework. Governance, risk, and compliance platforms, cloud security posture management, breach and attack simulation, and external attack surface management all record higher adoption among organizations with established programs.
Penetration testing appears less frequently, and the use of custom internally developed tools remains largely unchanged. CTEM maturity correlates with a more mature approach to cyber risk assessment tooling.
Automation is expected to become a larger part of exposure management over the next two years. Organizations estimate that AI currently supports about one-third of exposure management activities and expect its role to expand significantly. Exposure detection, exploitability validation, and remediation prioritization rank among the areas where respondents expect AI to deliver the greatest benefit.
Regional differences continue
Regional differences appear in cyber risk exposure visibility. North America reports the highest share of organizations with a consolidated view of cyber risk exposure at 52%, compared with 37% in EMEA and 31% in APAC.
North America reports the highest use of threat intelligence within a continuous, automated validation process. These differences indicate that organizations are at different stages in their exposure management journey, particularly in connecting threat intelligence with risk validation.