Apr 29, 2026
Podcast: 10,000 Bugs, 12 That Matter: Using AI to Cut Through Exposure Noise with CTEM
Cyber Resilience Brief — Podcast Transcript
SafeBreach Helm & CTEM Launch Episode

Tova Dvorin (00:01): Welcome back to the Cyber Resilience Brief, a SafeBreach podcast. I’m your host, Tova Dvorin, joined as always by our resident breaker of things, Adrian Culley.

Adrian Culley (00:12): Happy to be here, Tova. Though I have to say, the breaking part of my job is getting a lot more interesting lately.

Tova Dvorin (00:27): I bet. Today, we’re diving into a major shift in the industry yet again. That seems to be a theme we’re running into the last couple of months. We’ve all heard the buzz about continuous threat exposure management, or CTEM, but most organizations are still struggling to move past the vulnerability hamster wheel. To talk about how we’re actually solving that and breaking free of the cycle, we have a very special guest, our very own VP of Product at SafeBreach, Koby Bar.

Koby Bar (00:52): Thanks, Tova. Great to be on the show. It’s an exciting time at SafeBreach. We’ve been watching industry events closely, and it’s clear that the detect and patch model is shifting and breaking away. It doesn’t work anymore. Teams don’t need more data. They need a pilot. They need someone to guide them through the process. That’s exactly what we’re intending to do here.

Tova Dvorin (01:13): That’s right, Koby. That leads us to some big news. We are officially launching SafeBreach Helm, the AI validation layer for CTEM. It’s your co-pilot. SafeBreach Helm is also the bedrock of our new solution, CTEM by SafeBreach. Adrian, as the offensive guy, what was your first thought when Koby showed you the blueprint for this?

Adrian Culley (01:32): You always say the nicest things about me, Tova. Honestly, relieved. SafeBreach Helm is a large language model (LLM) driven engine that finally connects the dots between the five pillars of CTEM. It’s the brain that sits on top of our adversarial exposure validation, or AEV, engine.

Koby Bar (01:53): Exactly, Adrian. I couldn’t have said it better. Some people say it’s just a chatbot wrapper — we’re not asking an LLM how to do scoping. We actually have a specialized AI designed to navigate the complexity of the exposure lifecycle.

Tova Dvorin (02:11): Let’s go into some more detail, and let’s do this by looking at it at a high level through the CTEM pillars. Now, there are five pillars of CTEM — for those of you who aren’t familiar, we’ll go through them a little bit slowly so we can get the full picture. So the first pillar is scoping. Koby, from a product perspective, why is scoping so hard for our customers?

Koby Bar (02:30): Because the attack surface is infinite, right? It’s changing all the time, it’s evolving. The attack surface is something that is dynamic, not static, and that’s something that needs to resonate with everyone who is intending to protect an organization. We’re talking about dynamic, proactive security — not something static — and that’s really important to mention. But also, resources are finite. At the end of the day, most CISOs don’t know exactly what their top business-critical digital pathways are. If you don’t know what you’re protecting, you’re just guarding the wind. That’s exactly the point. Scoping is all about knowing what the critical assets are, who owns different assets within the organization, and really understanding what threats are relevant for your organization.

Adrian Culley (03:18): Exactly, Koby. If you don’t have visibility — if you don’t know what’s there — how are you going to begin to protect it? And from the offensive side, if I see a company guarding everything equally, I know exactly where to strike. They’re spread too thin.

Koby Bar (03:32): That’s where SafeBreach Helm comes in for scoping. It ingests your unique business context and knows how to translate that into a scope you can actually run in your environment.

Tova Dvorin (03:47): Absolutely. So what you’re saying is that instead of a manual workshop that’s obsolete in 20 minutes, SafeBreach Helm creates that dynamic scope for you in minutes — and keeps it aligned with the business as it evolves.

Koby Bar (04:03): Exactly. It keeps the scope aligned with the business as it evolves. That’s the critical point. It ensures that the rest of the CTEM cycle stays focused on what matters.

Tova Dvorin (04:13): Okay. And after scoping, we have the second pillar, which is discovery — refining things a little bit further. Adrian, you often say that vulnerability management is only half the story.

Adrian Culley (04:24): That’s right. Our research indicates that nearly 40% of actionable exposures aren’t CVEs at all. They’re toxic combinations — an overprivileged identity paired with a misconfigured cloud bucket and a forgotten VPN entry point.

Tova Dvorin (04:42): And we have a name for our next cocktail — toxic combination on five. Koby, how does SafeBreach Helm handle that kind of complexity during the discovery process?

Koby Bar (04:51): The point is that traditional scanners are siloed — they don’t talk to each other, and that’s a big gap we’re intending to solve. They see a medium vulnerability and move on. But SafeBreach Helm’s LLM architecture allows it to perform cross-domain analysis — to really read the configuration of your environment and, at the end of the day, find the hidden exposures: the shadow IDs, orphaned accounts, for example, that create a bridge for attackers. You’re not just finding holes — you’re finding the connective tissue of an attack. It’s not just knowing there’s a vulnerable asset in your environment, but understanding the context of that asset. That’s pretty much what discovery means in the context of Helm.

Tova Dvorin (05:38): Interesting. And listeners, if you go to the SafeBreach website, you’ll actually be able to see what that looks like in practice — you can see it on a map. It’s very informative and it’s exactly what you need. Now, once you have all of that information in front of you, it’s just a lot of data. It’s important data, but it’s a lot of data. So the biggest pain point here is the next pillar, which is prioritization. We’re all tired of your top 10 list that contains 5,000 items — like a product marketer’s to-do list. So what do we do about that?

Adrian Culley (06:06): Yeah, the prioritization paradox. Not everything that counts can be counted. Not everything that can be counted counts. And if everything is a priority, nothing is a priority. Many tools just look at the CVSS score, but context is key. A CVSS 9.8 on an isolated, air-gapped machine is less dangerous than a CVSS 6.0 on a public-facing web server. Context, context, context.

Koby Bar (06:39): Absolutely. This is where SafeBreach Helm changes the game. It applies adversarial logic to the prioritization phase. Just like a real attacker, it would identify an air-gapped asset and recognize that’s not where they want to start. So it takes the mountain of data from discovery and asks: is this actually exploitable in this specific environment? That’s how we go after prioritization in context.

Tova Dvorin (07:12): And how exactly does it do that? Take us a little bit under the hood.

Koby Bar (07:21): It uses an LLM to process real-time threat intelligence and maps it against your internal security controls. It identifies the choke points. SafeBreach Helm tells the user: you have 10,000 bugs, but only 12 are validated paths to your crown jewels. It turns a mountain of noise into a specific, focused set of priorities. And it’s not just fed from threat intelligence — it pulls from ASM, EASM, vulnerability management, and any other scanners you have in your environment.

Tova Dvorin (07:58): Right. And it’s important to note that this is customized to your specific environment and input. It’s not a general scan of those different feeds — it’s telling you what your specific attack paths are that you need to prioritize right now. And that’s super critical. But that takes us to the next pillar, which is validation. That’s the SafeBreach DNA, the SafeBreach specialty. Adrian, this is where you and SafeBreach Helm have already started working together. Tell us about some of those pilot projects.

Adrian Culley (08:27): We get to the eye of the storm here — what actually matters. This is the AEV phase: adversarial exposure validation. Validation is proof of concept — and I want to differentiate that from proof of concept. We don’t just guess if a control works; we test it, we validate it. But the challenge has always been knowing which tests to run out of the thousands of simulations we have in our playbook.

Koby Bar (09:03): I want to add to that. On its own, the SafeBreach Exposure Validation Platform delivers very powerful validation capabilities. It’s been leveraged by some of the largest organizations in the world, and this is essentially our bread and butter — we know how to do validation really well. SafeBreach Helm builds on that foundation by incorporating additional context from scoping, integration, and exposure hub tools, and then translating it into actionable inputs for the platform using natural language. The statement I want to make here is: there is no CTEM without validation. That’s something that should resonate with everyone listening today. Validation is where we bring our tremendous value, and it’s how we close the loop on the CTEM cycle.

Adrian Culley (09:58): It’s truly powerful, Koby. It moves us from theoretical risk to proven risk. If SafeBreach Helm runs a simulation and the attack is blocked, the priority of that exposure drops. If the attack succeeds, it moves to the top of the list. That’s the ultimate filter for a busy security team.

Tova Dvorin (10:20): Right. And at the end of all of those steps — we always want to see security tools actually work, which is why validation is becoming the bedrock that all of CTEM rests on, whether you’re using CTEM terminology or not. If your security stack isn’t working for you, then what’s the point? But ultimately, we want to get to a place where you actually mitigate — and that’s what we call the fifth pillar of CTEM, which is mobilization. That’s where the rubber meets the road. It’s where you get things fixed. Koby, why is this still a point of friction even after all the work we’ve done beforehand?

Koby Bar (10:49): That’s a great question. In one word: communication. Think about the different owners within a large organization — different assets, different security controls. With mobilization, the idea is to drive those changes with the relevant team. Research shows that remediation often stalls because IT doesn’t understand the why or the how: why do I need to fix this, and how do I do it? That’s a big gap. There’s a lot of disconnection between the tools and actually getting issues resolved.

Tova Dvorin (11:26): Makes sense. SafeBreach Helm, because it connects everything together, fixes that translation gap and the fragmentation — so you have everything in a single pane of glass.

Koby Bar (11:34): Exactly. Two things to mention: SafeBreach Helm builds on our existing AI remediation capabilities. We also leverage an LLM specifically to understand what needs to be done when a simulation is not being blocked or prevented by a security control. Combined with our ability to drive workflow changes — integration with Jira, with ServiceNow — we can make sure the IT person who owns a specific security control knows exactly what they need to do and how to remediate. That’s a very powerful tool to close the loop on the CTEM cycle.

Adrian Culley (12:16): It provides the adversarial evidence. When IT asks, ‘Why do I need to do this now?’ SafeBreach Helm provides the validated simulation result. It shows them the movie of the attack it just blocked or allowed. That level of clarity mobilizes teams faster than any PDF report ever could.

Tova Dvorin (12:38): All in all, it sounds like SafeBreach Helm is the missing piece of the CTEM puzzle. It puts everything together in a way that’s clear and easy to understand, and — most importantly — it takes the ‘continuous’ part of CTEM seriously, making it easier than ever to operationalize. But before we move on, I’m going to throw you two a curveball. We’ve been talking a lot about CTEM — it’s the buzzword today, especially for large enterprises. But what would you say are the advantages of Helm for someone who isn’t looking at things through a CTEM lens yet?

Adrian Culley (13:25): What CTEM provides is a framework to crystallize activity that you may already be doing parts of, but with gaps. It’s not the only way to look at things — but just like the old joke: the great thing about standards is there are so many to choose from. CTEM is a framework that gives us a consistent way — a philosophy, a strategy — of approaching this challenge in cybersecurity.

Koby Bar (14:04): Yeah, I think at the end of the day, with proactive security, you can decide how much to implement. Helm itself really provides the framework to implement CTEM, but every organization will adjust and adopt it differently based on their specific needs and requirements.

Tova Dvorin (14:23): And you’d say that’s the ultimate goal of SafeBreach Helm?

Koby Bar (14:27): Exactly. Think about SafeBreach Helm as a starting point. It helps you day to day with validation, mobilization, those aspects. But where we’re going very soon into 2026 is to really orchestrate this entire process we’ve described on this call.

Adrian Culley (14:48): As an offensive engineer, I can tell you that the days of hiding in the noise are coming to an end. SafeBreach Helm sees the big picture way too clearly.

Koby Bar (14:53): Finally — and well overdue.

Tova Dvorin (15:02): Koby and Adrian, thank you so much for being here on this episode of the Cyber Resilience Brief. To our listeners: if you’re ready to take the wheel of your exposure lifecycle and do the driving, it’s time to look at CTEM by SafeBreach, time to look at SafeBreach Helm. Go to the website — you’ll hear it at the outro of the show. Take a look. It’s pretty cool.

Koby Bar (15:19): Thank you, Tova. Thank you for having me today. Thank you, Adrian.

Adrian Culley (15:23): Catch you on the next breach, Tova and Koby.

Tova Dvorin (15:25): Always a pleasure. And until next time, listeners — stay safe. Stay safe with SafeBreach.
In This Episode
CTEM gives security teams a framework. SafeBreach Helm helps them actually execute it.
In our latest Cyber Resilience Brief episode, Tova Dvorin, Adrian Culley, and Koby Bar break down why most organizations are still stuck in the vulnerability hamster wheel — and how SafeBreach Helm changes that.
From smarter scoping and discovery to proven prioritization, real-world validation, and faster remediation, SafeBreach Helm helps teams turn CTEM into a continuous, closed-loop program.
Because security teams don’t need more dashboards. They need a way to move from noise to action.