It’s Super Bowl weekend, and that got me thinking. No, not about Taylor Swift, but about how the evolution of Vulnerability Management, Risk-Based Vulnerability Management (RBVM), and now Continuous Threat Exposure Management (CTEM) parallels the game of football. Seems like a stretch? Hear me out.
I spend a lot of time discussing the benefits of CTEM and how it differs from traditional Vulnerability Management and RBVM. Many people struggle to grasp these differences and why they should evolve. In my search for a relatable analogy, I may have just found the perfect one. Here’s how football strategy mirrors the evolution of cybersecurity practices.
The Importance of Preparation
When Kansas City and Philadelphia take the field on Sunday night, much of the game’s outcome will be determined by the preparation that happened before kickoff. The same holds true for vulnerability and exposure management—success depends on having a solid game plan.
I like to compare the evolution of vulnerability management practices to a football team’s level of preparedness before a game.
Traditional Vulnerability Management: Knowing Only the Basics
Traditional vulnerability management is like a team stepping onto the field knowing only who their opponent is and their win-loss record. While they understand the fundamentals of offense and defense, they lack specific insights into how the opposing team plays. Sure, a team’s record might indicate whether they are good, but that alone doesn’t account for details like key matchups, play calling, and strategies.
Similarly, traditional vulnerability management often relies solely on CVSS base scores. These scores provide a generic assessment of a vulnerability’s severity but lack the context and nuance needed to take decision-making to the next level. They do not reflect the current threat landscape or the specific risk a vulnerability poses to a given organization. Without deeper insights, organizations struggle to prioritize vulnerabilities effectively, much like a football team would struggle without knowing its opponent’s tendencies.
Risk-Based Vulnerability Management: Understanding the Opponent
RBVM builds upon traditional vulnerability management by incorporating additional intelligence—like whether a vulnerability is actively being exploited in the wild by threat actors. This is akin to a football team knowing the other team’s star players or the ones most likely to pose a threat to their chances of winning (pun 100% intended).
For example, let’s say a team is preparing for a game and recognizes that the opposing team has a star running back. To counteract this, they adjust their defensive strategy to focus on stopping the run. In the same way, cybersecurity teams using RBVM analyze which vulnerabilities are actively being targeted and adjust their remediation priorities accordingly.
Now, imagine if Kansas City wasn’t preparing to defend against Philadelphia’s standout running back, Saquon Barkley. By failing to understand the threats, you put yourself at a significant disadvantage. By integrating real-world threat intelligence, organizations can prioritize vulnerabilities more effectively, ensuring their defenses are focused where they matter most.
Beyond just improving accuracy, RBVM also creates efficiency. By focusing remediation efforts on the highest-risk vulnerabilities, security teams spend their time addressing the most pressing threats rather than wasting resources on lower-priority issues. Similarly, a football team that tailors its preparation to spend more time on the biggest threats can significantly improve its chances of winning.
CTEM: The Next Evolution in Strategy
A term introduced by Gartner in 2022, CTEM (Continuous Threat Exposure Management) represents a major evolution beyond both traditional vulnerability management and RBVM. While the definition is still evolving, one thing is clear: CTEM enhances the accuracy, relevance, and timeliness of vulnerability assessments by leveraging more contextual data.
One of the most significant advancements CTEM brings is its improved use of threat intelligence. Instead of simply noting whether a vulnerability is being exploited, CTEM digs deeper—it assesses which threat actors are targeting it, the attack vectors involved, and the techniques they might use for exploitation. This richer context allows organizations to move from reactive vulnerability management to proactive exposure reduction.
Zafran’s Exposure Graph, for instance, connects these data points, among others, to determine not just long-term remediation planning but also short-term mitigation priorities. This ensures vulnerabilities posing an immediate risk are addressed swiftly, reducing exposure before an attacker can exploit them.
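To make the three prioritization models concrete, here is an added example that is not part of the original post and not Zafran’s code: the same four findings ranked three ways. Traditional VM sorts by CVSS base score alone; RBVM puts anything exploited in the wild first; the CTEM-style ranking also folds in which actors are using the vulnerability, whether the attack vector is reachable on the affected asset, and whether an existing control already blocks the exploitation technique. The finding identifiers, asset context, actor names and scoring weights are all constructed for illustration.

```python
"""Rank the same findings under traditional VM, RBVM and a CTEM-style
exposure model. Everything below (ids, assets, actors, weights) is constructed."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    fid: str                          # placeholder id, not a real CVE
    cvss_base: float                  # CVSS base score (all traditional VM sees)
    exploited_in_wild: bool           # e.g. listed in an exploited-vulnerabilities catalogue
    attack_vector: str                # "network" or "local", from the CVSS vector
    asset: str                        # affected asset, looked up in ASSETS below
    targeting_actors: list = field(default_factory=list)  # actors observed using it
    technique: str = ""               # exploitation technique the actors rely on


# Constructed asset context: reachability, business criticality and the
# techniques an existing control already blocks on that host.
ASSETS = {
    "web-portal": {"internet_facing": True,  "criticality": 1.0, "blocked_techniques": set()},
    "build-box":  {"internet_facing": False, "criticality": 0.6, "blocked_techniques": {"macro-execution"}},
    "kiosk":      {"internet_facing": False, "criticality": 0.3, "blocked_techniques": set()},
}
# Constructed: actors known to target this organization's sector.
ORG_SECTOR_ACTORS = {"actor-red"}

FINDINGS = [
    Finding("F-1", 9.8, False, "local",   "kiosk"),
    Finding("F-2", 7.5, True,  "network", "web-portal", ["actor-red"],  "deserialization"),
    Finding("F-3", 8.8, True,  "local",   "build-box",  ["actor-blue"], "macro-execution"),
    Finding("F-4", 6.5, False, "network", "web-portal"),
]


def traditional_vm(findings):
    """Traditional VM: highest CVSS base score first."""
    return [f.fid for f in sorted(findings, key=lambda f: -f.cvss_base)]


def rbvm(findings):
    """RBVM: exploited-in-the-wild findings outrank the rest; CVSS breaks ties."""
    return [f.fid for f in sorted(findings, key=lambda f: (not f.exploited_in_wild, -f.cvss_base))]


def ctem_exposure(f):
    """CTEM-style exposure score. The multipliers are constructed, not a standard."""
    asset = ASSETS[f.asset]
    score = f.cvss_base / 10.0 * asset["criticality"]
    if f.exploited_in_wild:
        score *= 2.0                  # known exploitation, not just theoretical severity
    if set(f.targeting_actors) & ORG_SECTOR_ACTORS:
        score *= 1.5                  # an actor that targets our sector is using it
    if f.attack_vector == "network" and asset["internet_facing"]:
        score *= 1.5                  # directly reachable from outside
    elif f.attack_vector == "local":
        score *= 0.5                  # needs a prior foothold on the host
    if f.technique and f.technique in asset["blocked_techniques"]:
        score *= 0.25                 # an existing control mitigates it for now
    return round(score, 3)


def ctem(findings):
    """CTEM-style ranking: highest exposure score first."""
    return [f.fid for f in sorted(findings, key=lambda f: -ctem_exposure(f))]


if __name__ == "__main__":
    for name, ranking in (("Traditional VM", traditional_vm(FINDINGS)),
                          ("RBVM", rbvm(FINDINGS)),
                          ("CTEM-style", ctem(FINDINGS))):
        print(f"{name:15} {' > '.join(ranking)}")
    for f in FINDINGS:
        print(f"{f.fid}: exposure={ctem_exposure(f)}")
```

Running it shows the shift the post describes: F-1 leads the CVSS-only list on its 9.8 alone, RBVM promotes both exploited findings, and the CTEM-style ranking puts F-2 first (exploited, used by an actor targeting the sector, network-reachable on the internet-facing portal) while dropping F-3 to last because the technique it depends on is already blocked on that internal host, so it is a longer-term fix rather than an immediate exposure.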
Just as CTEM has evolved vulnerability management, football teams have evolved their approach to preparation. It’s no longer just about knowing the opposing team’s players—it’s about understanding their tendencies, formations, and play-calling strategies. Teams now study game film in depth, both before and during the game, to anticipate moves and make real-time adjustments.
To continue the earlier example, if Kansas City knows Saquon Barkley is a great running back, that’s useful. But if they also know that Philly tends to run Saquon to the right side off-tackle in third-down, short-yardage situations, KC can adjust their defensive alignment accordingly. That’s the difference between basic knowledge and actionable intelligence.
Final Thoughts
The evolution from traditional vulnerability management to RBVM and now CTEM mirrors the way football teams have advanced their game preparation. Cybersecurity teams that rely on basic vulnerability scoring alone are playing at a disadvantage. Those that incorporate risk-based intelligence improve their ability to prioritize threats. But the best teams—just like the best cybersecurity programs—go even further, continuously assessing and adapting to the evolving threat landscape.
So, as you watch the Super Bowl this weekend, think about your organization’s security strategy. Are you simply aware of your vulnerabilities, or are you proactively preparing for the threats that matter most? The difference could mean winning or losing the game.