An Open Standard for Continuous Threat Exposure Management
CVE-style clarity for security exposures
What is CTEM?
Continuous Threat Exposure Management (CTEM) is the practice of continuously discovering, prioritizing, and remediating security exposures across your entire attack surface—from cloud workloads to leaked credentials. CTEM.org makes that mission practical by delivering a public, version-controlled catalog of numbered identifiers that anyone can use to label real-world exposures with the same clarity that CVE numbers bring to vulnerabilities.
What the Project Is
Purpose | Create a CVE/CWE-style reference set for exposures rather than software flaws. |
Scope | Anything that puts data, identity, or infrastructure at risk—credential leaks, look-alike domains, infected devices, cloud misconfigurations, and more. |
Deliverables | Human-readable docs; machine-readable JSON feed; community review process (GitHub PRs) |
License | Creative Commons BY-NC-SA 4.0—free for non-commercial use |

Why We Created CTEM Identifiers
🏊‍♂️ Kill the "data swamp" problem
Security feeds dump thousands of raw indicators; CTEM IDs roll them up into a single, understandable label.
📊 Prioritization that talks business
Each ID comes with severity hints and response tips, so teams fix issues in the order that matters.
🔄 Vendor-neutral language
Whether you use one tool or ten, everyone can map findings to the same ID and benchmark progress.
⚡ Community velocity
New exposure types surface weekly. An open standard lets practitioners propose, debate, and ratify new IDs in days, not years.
How to Use CTEM Identifiers
For... | How to Get Value Fast |
---|---|
Security Ops & IR | Tag tickets with CTEM-IDs (CTEM-EXP-3, CTEM-DOM-2, etc.) so analysts know exactly what they're dealing with and can pull ready-made playbooks. |
Risk & Compliance | Tie CTEM categories to KRIs/KPIs to quantify exposure trends quarter-over-quarter. |
Security Vendors | Embed CTEM IDs in alert payloads or dashboards to give customers a common language out-of-the-box. |
Researchers | Cite CTEM IDs in write-ups to help CISOs connect academic findings to operational risks. |
The Community | Use the "Propose Identifier" form or open a GitHub PR to add new exposure types; review meetings happen monthly. |
Quick-Start Workflow
- Download the JSON feed at ctem.org/source.json.
- Map your existing alerts to CTEM IDs (regex, category lookup, or internal CMDB tags).
- Start reporting using IDs in SOC tickets, dashboards, and executive decks.
- Contribute back when you spot an exposure we missed.
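The mapping step of this workflow (regex plus category lookup) can be sketched as follows. This is an added example, not CTEM.org's own code: the category names are taken from the catalog table on this page, while the regex patterns, the assumed ID shape, and the sample alerts are constructed for illustration.

```python
import re
from collections import Counter

# Assumed ID shape, inferred only from the two IDs quoted on this page
# (CTEM-EXP-3, CTEM-DOM-2); the JSON feed is the authoritative list.
CTEM_ID = re.compile(r"\bCTEM-[A-Z]{3}-\d+\b")

# Category names come from the catalog table; the patterns are constructed
# for this example and must be tuned to your own alert sources.
RULES = [
    ("Credential Dump", r"(leaked|dumped|exposed)\s+(credential|password)s?"),
    ("Look-alike Domains", r"typosquat|look-?alike|homoglyph"),
    ("Ransomware", r"ransomware|extortion\s+site"),
    ("Infected Device", r"(infostealer|malware)\b.*\b(device|endpoint|host)"),
    ("System Exposure", r"(exposed|unauthenticated)\b.*\b(gateway|rdp|admin panel)"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]

def extract_ids(text):
    """Pull CTEM IDs an upstream tool or analyst already put in the text."""
    return CTEM_ID.findall(text)

def classify(alert):
    """First matching rule wins; None means the alert needs manual triage."""
    for name, rx in COMPILED:
        if rx.search(alert):
            return name
    return None

def roll_up(alerts):
    """Collapse raw alerts into per-category counts, keeping misses visible."""
    counts, unmapped = Counter(), []
    for alert in alerts:
        category = classify(alert)
        if category is None:
            unmapped.append(alert)
        else:
            counts[category] += 1
    return counts, unmapped

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    "Leaked credentials for vpn.example.com found in paste",
    "Exposed passwords for mail.example.com in combo list",
    "New typosquat domain examp1e.com registered",
    "Infostealer malware detected on employee device LAPTOP-17",
    "Unauthenticated VPN gateway reachable from internet",
    "Disk usage above 90% on build server",
]
```

Alerts that match no rule are returned separately rather than dropped, so gaps in the rule set show up as a triage queue instead of silently shrinking the exposure counts.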
Current Catalog Snapshot
CTEM.org publishes identifiers across eight top-level categories that cover the most common security exposures organizations face today.
Category | Description |
---|---|
Brand Impersonation | Counterfeit product or site using your branding. |
Credential Dump | Leaked credentials tied to a corporate hostname. |
Financial Info Exposure | Corporate bank-routing data published online. |
Infected Device | Employee-owned device on internal network, malware present. |
Look-alike Domains | Domain seeded for phishing campaigns. |
Ransomware | Customer data leaked on extortion site. |
Source-Code Exposure | Sensitive code referenced in third-party issue comments. |
System Exposure | Unprotected internet-exposed gateway device. |