Exposure management is the answer to: “Am I working on the right things?”

In this Help Net Security interview, Dan DeCloss, Founder and CTO at PlexTrac, discusses the role of exposure management in cybersecurity and how it helps organizations gain visibility into their attack surface to improve risk assessment and prioritization. He also explains how PlexTrac’s platform streamlines the reporting process and enables teams to collaborate more effectively to speed up remediation.

DeCloss looks forward to widespread adoption of Continuous Threat Exposure Management, believing it will help close the gap on unidentified vulnerabilities through continuous, contextual, and risk-informed security programs.

First and foremost, can you tell us a little bit about yourself and why you founded PlexTrac? What problems were you trying to solve?

I’ve spent the last couple of decades in cybersecurity, and I’ve had the opportunity to witness, and be part of, the industry’s evolution. I started out in vulnerability management and security program development at a time when most of the work was manual. There weren’t many venture-backed solutions in the space yet, so we were building and figuring things out on our own.

As I grew in the field, I found my niche in penetration testing and security assessments. I’ve always believed in being proactive rather than reactive. I’m a strong proponent of incident response, but it’s equally important to identify and remediate risks before they’re exploited. Penetration testing gives organizations that proactive edge, showing the real, exploitable risks and providing the insight to focus efforts where it matters most. But for pentesters, there’s a major pain point: reporting.

Writing pentest reports was, and still can be, painful and time-consuming. My peers and I were spending countless hours formatting documents, inserting screenshots, and ensuring everything looked right, only to deliver a bulky report that more times than not got shelved. Twelve months later, we’d come back and essentially write the same report again. That cycle didn’t help anyone. Valuable insights got lost, and meaningful collaboration was almost non-existent.

That’s the problem I set out to solve when I founded PlexTrac.

I wanted to build a platform that not only streamlined the reporting process, but also enabled collaboration between offensive and defensive teams—so issues could be understood, reproduced, and fixed faster. At its core, PlexTrac helps bridge the gap between finding vulnerabilities and fixing them.

Since then, our vision has expanded. While we remain the industry leader in penetration test reporting, we also help teams proactively manage exposure risk with PlexTrac for Continuous Threat Exposure Management (CTEM). The goal is to help teams automate workflows, prioritize remediation based on business context, and answer the questions, “Am I working on the right things?” and “Are we getting better over time?”

We help organizations aggregate and normalize data from pentests, scanners, code reviews, and assessments, then apply business-specific risk scoring and automation to accelerate remediation. With PlexTrac, teams reduce manual effort, track coverage, and deliver results faster and more efficiently than ever before.

Today, we’re pushing that vision even further with AI. From automated report writing to intelligent workflow suggestions and coverage analysis, we’re building the future of exposure management.

You mentioned that part of your goal with PlexTrac is to help organizations answer the questions: “Am I working on the right things?” Why do you think so many teams struggle to answer this question?

In talking with CISOs, I’ve found that many struggle to see their full attack surface due to data silos. In fact, according to a recent Ivanti report, 55% of IT professionals say their organizations’ security and IT data are siloed, hindering threat detection and response.

Companies desperately need to look at the full picture of their risk exposure before investing resources into fixes. That’s where exposure management comes into play. Exposure management is a proactive cybersecurity method that focuses on finding, assessing, and mitigating potential security risks across an organization’s full attack surface. This includes all access points and attack vectors.

By leveraging an exposure management platform—like PlexTrac—you can see all of your findings in one place so that you can properly assess, prioritize, and devise a go-forward mitigation plan. In fact, a recent Gartner Peer Survey found that 60% of organizations are actively pursuing or considering a Continuous Threat Exposure Management (CTEM) program.

What’s the biggest mistake you see organizations make when it comes to prioritizing findings?

I’m going to give it to you straight. If your pentesters are relying solely on the Common Vulnerability Scoring System (CVSS) for remediation recommendations, that’s not enough. CVSS is used to rank CVEs on severity. The scale, which goes from 0-10, determines if a vulnerability’s severity—if exploited—is low, medium, high, or critical. It does not account for your unique business priorities. For example, a risk labeled “medium” by CVSS might actually be critical for an organization.

Context-based risk scoring is arguably the most effective way to prioritize vulnerabilities. Context-based scoring is a calculated risk score based on the corporate risk equation that your organization sets. It enables you to determine how much weight to give various factors like asset criticality, finding severity, tags, and active exploits, among others. It goes beyond the industry-standard Common Vulnerability Scoring System (CVSS), considering the unique needs of the given organization.

And of course, going back to the previous question on “Am I working on the right things?” You should have a central repository for all your findings prior to scoring them. I can’t tell you how many times I’ve seen organizations prioritizing and fixing findings in silos. This could easily result in resources spending time on less critical fixes which leaves you susceptible to a breach for longer than necessary.
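As an added illustration (not PlexTrac's scoring model or code), the following Python sketch shows what a context-based risk equation of the kind described above can look like: it starts from the CVSS base score and applies organization-defined weights for asset criticality, tags and active exploitation, so a CVSS "medium" on a crown-jewel, internet-facing asset can outrank a CVSS "high" on a low-value host. All weights, bands and sample findings are constructed for this example.

```python
from dataclasses import dataclass, field

# Illustrative weights an organization might set in its own risk equation
# (constructed for this example; every organization defines its own).
ASSET_CRITICALITY = {"low": 0.6, "medium": 0.8, "high": 1.0, "crown-jewel": 1.3}
TAG_MULTIPLIERS = {"internet-facing": 1.25, "pci": 1.15, "test-only": 0.7}
ACTIVE_EXPLOIT_MULTIPLIER = 1.4


def cvss_band(score: float) -> str:
    """Map a 0-10 score to the qualitative CVSS v3 severity bands."""
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass
class Finding:
    title: str
    cvss: float                 # vendor/scanner base score, 0-10
    asset_criticality: str      # key into ASSET_CRITICALITY
    tags: list = field(default_factory=list)
    active_exploit: bool = False


def contextual_score(f: Finding) -> float:
    """CVSS base score re-weighted by business context, capped at 10."""
    score = f.cvss * ASSET_CRITICALITY[f.asset_criticality]
    for tag in f.tags:
        score *= TAG_MULTIPLIERS.get(tag, 1.0)   # unknown tags are neutral
    if f.active_exploit:
        score *= ACTIVE_EXPLOIT_MULTIPLIER
    return round(min(score, 10.0), 1)


def prioritize(findings: list) -> list:
    """Order findings by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample findings: same CVSS, very different business impact.
SAMPLE_FINDINGS = [
    Finding("SQLi in customer portal", 5.5, "crown-jewel", ["internet-facing"], True),
    Finding("SQLi in QA mock service", 5.5, "low", ["test-only"]),
    Finding("Outdated library on intranet wiki", 8.1, "medium"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{contextual_score(f):>4}  {cvss_band(contextual_score(f)):<8} "
              f"(CVSS {f.cvss} {cvss_band(f.cvss)})  {f.title}")
```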

How can a shift to Continuous Threat Exposure Management help organizations gain real-time visibility into their attack surface?

We like to call PlexTrac the “data control center” because it’s a one-stop shop for all of your scanner data. Regardless of whether you’re using PlexTrac or another CTEM-optimized platform, when all data is in one location, you can see—and begin to understand—your full attack surface.

CTEM-optimized platforms enable you to follow the trail of data in real time. If a finding is assessed and scored as critical, it moves to a developer to be fixed. With tools like PlexTrac that integrate with developers’ existing ticketing systems (Jira and ServiceNow), you can use webhooks to auto-push tickets to the developers as “high” or “critical” findings emerge. You can also auto-trigger retesting workflows post-fix.

As a CISO, real-time visibility into every finding is invaluable. It gives the ability to measure the current state of your attack surface and answer one of the questions I set out to solve with PlexTrac, “Are we getting better over time?”

Not only is it invaluable for CISOs, but it’s also invaluable for the team members finding and fixing vulnerabilities. As a former pentester, I can remember how mundane the work can feel if you’re not seeing the fruits of your labor. When you’re able to see that your findings are being fixed and making a difference, it’s a truly rewarding experience.

I’m truly looking forward to the day that the majority of organizations adopt and mature their CTEM programs. As CTEM becomes more widely adopted, I believe that we will become closer to lessening the gap of unidentified vulnerabilities by making security programs continuous, contextual, and risk-informed.
