Safeguard.sh Documentation Center

CTEM & EASM

Roadmap — external attack-surface management plus a Gartner-style continuous threat exposure management program that unifies every engine's findings into one prioritized, exploitability-validated exposure list.

CTEM & EASM

Roadmap — not yet available. CTEM and EASM are planned capabilities documented here for direction. They are an orchestration layer over engines that ship today; the layer itself is not yet available.

CTEM (Continuous Threat Exposure Management) and EASM (External Attack Surface Management) are the connective tissue planned to make the platform greater than the sum of its engines: an outside-in sensor that discovers your external footprint, feeding a five-stage exposure-management program that unifies findings from every engine into one prioritized, validated backlog. Almost all of its value is orchestration — it calls the shipped engines, it does not re-implement them.

EASM — external attack surface (planned)

EASM will continuously discover and monitor your internet-facing footprint using safe, rate-limited, non-destructive probing:

Discovery stepMethod
SubdomainsPassive DNS + certificate-transparency log mining
HostsA/AAAA/CNAME resolution
ServicesBounded connect scan of common ports, banner-grab only — no exploit payloads
TechnologyPassive fingerprinting from response headers and banners
TLS postureCertificate expiry, weak ciphers, misissuance, host sprawl
Cloud edgesPublic buckets, load balancers, gateways, and functions (reusing cloud-exposure checks)
Leaked / shadowExposed credentials and documents from breach and dark-web signals, with secrets redacted

Discovered assets are attributed to your org with a confidence score and must pass ownership verification (DNS-TXT challenge, cert SAN, cloud IAM, or manual confirm) before they can ever be actively validated — the safety rail against probing assets you don't own. Exposures surface as easm_exposure findings in the unified findings model.

CTEM — the five-stage program (planned)

CTEM will drive a repeatable cycle over your exposures:

  1. Scope — define crown-jewel assets, in-scope surfaces, and whether active validation is permitted.
  2. Discover — fold the EASM surface plus every engine's findings (SAST/DAST, SCA, cloud, K8s, secrets, API, AI, Red Team) into one exposure set, collapsing correlated findings.
  3. Prioritize — rank by reachability to crown jewels using the shared correlation/attack-path graph and unified risk score (no second scorer).
  4. Validate — safely confirm exploitability by driving the Red Team engine, exclusively through its rules-of-engagement safety kernel; a confirmed exposure gets an exploitability proof.
  5. Mobilize — assign an owner, open a ticket with an SLA, notify, and re-validate on fix to close the loop.

Validation safety (planned)

Active validation is the only attack path in the design, and it is heavily gated. Every precondition must hold or it is refused and audited: validation is allowed for the scope, the target's ownership is verified, a signed rules-of-engagement document exists, rate/blast caps are configured with human approval for high-impact steps, and the global kill-switch is not engaged. There is no new offensive code — validation drives the existing Red Team engine within its kernel, with safe, bounded probes only.

When it ships

CTEM/EASM will be gated by the ff.easm and ff.ctem feature flags, server-side enforced, with exposures in the single findings store and full air-gap parity (passive feeds served from an on-prem mirror).

On this page