GPSec Boston 2025 - CTEM: How to Start When You Haven't Started

What does it really take to start a Continuous Threat Exposure Management (CTEM) program—especially if your organization hasn’t formally begun? In this GPSec Boston 2025 session, Scott Kuffer, COO and Co-founder of Nucleus Security, joins Chris Peltz, Director of Security Strategy at GuidePoint Security, to demystify CTEM by stripping away the buzzwords and breaking down the practical steps for getting started.

This session walks through real-world examples, implementation insights, and hard-earned lessons from the field. Whether you're grappling with prioritization, struggling to align with business objectives, or trying to understand where to begin with scoping and discovery—this talk has you covered.

Ideal for vulnerability management practitioners, exposure management leads, and security decision-makers trying to align their program to modern best practices.

Key Moments

00:00 – Intro

06:18 – Why CTEM? Why Now?

08:48 – Breaking Down the CTEM Lifecycle

11:08 – Scoping: The Real Starting Point

19:43 – Discovery: What You Might Already Be Doing

23:32 – KPIs and Exposure Coverage

25:10 – What Counts as Exposure Data?

25:48 – Prioritization: Getting Practical

29:59 – Avoiding Analysis Paralysis

32:07 – Adding New Data Types into Prioritization

33:21 – Validation: The Most Misunderstood Step

34:19 – Start with What You Have