
An Open Standard for Continuous Threat Exposure Management

CVE-style clarity for security exposures

What is CTEM?

Continuous Threat Exposure Management (CTEM) is the practice of continuously discovering, prioritizing, and remediating security exposures across your entire attack surface—from cloud workloads to leaked credentials. CTEM.org makes that mission practical by delivering a public, version-controlled catalog of numbered identifiers that anyone can use to label real-world exposures with the same clarity that CVE numbers bring to vulnerabilities.

What the Project Is

Purpose: Create a CVE/CWE-style reference set for exposures rather than software flaws.
Scope: Anything that puts data, identity, or infrastructure at risk—credential leaks, look-alike domains, infected devices, cloud misconfigurations, and more.
Deliverables:
• Human-readable docs
• Machine-readable JSON feed
• Community review process (GitHub PRs)
License: Creative Commons BY-NC-SA 4.0—free for non-commercial use

Why We Created CTEM Identifiers

🏊‍♂️ Kill the "data swamp" problem

Security feeds dump thousands of raw indicators; CTEM IDs roll them up into a single, understandable label.

📊 Prioritization that talks business

Each ID comes with severity hints and response tips, so teams fix issues in the order that matters.

🔄 Vendor-neutral language

Whether you use one tool or ten, everyone can map findings to the same ID and benchmark progress.

⚡ Community velocity

New exposure types surface weekly. An open standard lets practitioners propose, debate, and ratify new IDs in days, not years.

How to Use CTEM Identifiers

| For... | How to Get Value Fast |
|---|---|
| Security Ops & IR | Tag tickets with CTEM-IDs (CTEM-EXP-3, CTEM-DOM-2, etc.) so analysts know exactly what they're dealing with and can pull ready-made playbooks. |
| Risk & Compliance | Tie CTEM categories to KRIs/KPIs to quantify exposure trends quarter-over-quarter. |
| Security Vendors | Embed CTEM IDs in alert payloads or dashboards to give customers a common language out-of-the-box. |
| Researchers | Cite CTEM IDs in write-ups to help CISOs connect academic findings to operational risks. |
| The Community | Use the "Propose Identifier" form or open a GitHub PR to add new exposure types; review meetings happen monthly. |

Quick-Start Workflow

  1. Download the JSON feed at ctem.org/source.json.
  2. Map your existing alerts to CTEM IDs (regex, category lookup, or internal CMDB tags).
  3. Start reporting using IDs in SOC tickets, dashboards, and executive decks.
  4. Contribute back when you spot an exposure we missed.
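
One way to do the regex mapping in step 2 and the counting that feeds step 3, as an added example (not CTEM.org's own code). The category names come from the Current Catalog Snapshot table on this page; the regex rules, the sample alerts, and the ID pattern (inferred from the CTEM-EXP-3 and CTEM-DOM-2 examples) are assumptions.

```python
import re
from collections import Counter

# Category names are taken from the catalog table on this page. The regex
# rules are constructed for illustration; tune them to your own alert text.
RULES = [
    ("Credential Dump", re.compile(r"\b(leaked|dumped)\s+(credential|password)s?\b", re.I)),
    ("Look-alike Domains", re.compile(r"\b(look-?alike|typosquat\w*|homoglyph)\b", re.I)),
    ("Infected Device", re.compile(r"\b(malware|infostealer|infected)\b", re.I)),
    ("Source-Code Exposure", re.compile(r"\bsource[- ]code\b", re.I)),
    ("System Exposure", re.compile(r"\b(internet-exposed|exposed\s+gateway)\b", re.I)),
]
# Assumed ID shape, inferred from the two IDs quoted on the page.
ID_RE = re.compile(r"\bCTEM-[A-Z]+-\d+\b")

def tag_alert(text):
    """Return (CTEM IDs already present in the text, matched category or None)."""
    ids = ID_RE.findall(text)
    for category, pattern in RULES:
        if pattern.search(text):
            return ids, category
    return ids, None  # unmapped: needs a new rule or a proposed identifier

def summarize(alerts):
    """Count alerts per category; unmapped alerts stay visible, not dropped."""
    counts = Counter()
    for text in alerts:
        _, category = tag_alert(text)
        counts[category or "UNMAPPED"] += 1
    return counts

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    "Leaked credentials for vpn.example.com found in paste site dump",
    "New typosquat domain examp1e.com registered yesterday",
    "EDR: infostealer malware detected on BYOD laptop",
    "Vendor feed CTEM-DOM-2: look-alike domain example-login.com",
    "Printer toner low on floor 3",
]

if __name__ == "__main__":
    for category, n in summarize(SAMPLE_ALERTS).most_common():
        print(f"{category}: {n}")
```

Tracking the UNMAPPED count over time shows where rules are missing and which alerts may warrant a new identifier proposal.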

Current Catalog Snapshot

29 Identifiers, 8 Categories

CTEM.org publishes identifiers across eight top-level categories that cover the most common security exposures organizations face today.


| Category | Description |
|---|---|
| Brand Impersonation | Counterfeit product or site using your branding. |
| Credential Dump | Leaked credentials tied to a corporate hostname. |
| Financial Info Exposure | Corporate bank-routing data published online. |
| Infected Device | Employee-owned device on internal network, malware present. |
| Look-alike Domains | Domain seeded for phishing campaigns. |
| Ransomware | Customer data leaked on extortion site. |
| Source-Code Exposure | Sensitive code referenced in third-party issue comments. |
| System Exposure | Unprotected internet-exposed gateway device. |