
April 4, 2025

Green is the New Red

Marina Segal

CEO, Tamnoon


Background

Our team recently released Tamnoon Reporting—a set of reporting capabilities that allows our customers to continuously visualize and measure their cloud security remediation efforts. 

This reporting system provides cloud security leaders with x-ray vision into the managed Cloud Threat Exposure Management (CTEM) process that Tamnoon drives for its customers.

This post builds on that release by exploring how Tamnoon’s experts, who either augment or act on behalf of customer cloud security teams, carry out effective CTEM programs.

We’ll explore the types of figures you can expect when combining intelligent automation with expert human guidance, creating what can only be described as the “robocop” of cloud security remediation.

Or, at least, so we’re told.

 

What is CTEM

Cloud Threat Exposure Management (CTEM) represents a shift in how organizations approach cloud security posture.

As Gartner puts it:

“The objective of CTEM is to get a consistent, actionable security posture remediation and improvement plan that business executives can understand and architecture teams can act upon.”

Gartner®, “Implement a Continuous Threat Exposure Management (CTEM) Program” (Published 21 July 2022)

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

In other words, CTEM is a framework—a way of thinking—that enables security teams to continuously identify, assess, prioritize, and remediate cloud security exposures systematically.

CTEM is a combination of multiple cloud security disciplines, but can, in essence, be broken down into four steps that together provide a comprehensive view of cloud environments:

  • Identifying cloud misconfigurations and vulnerabilities
  • Contextualizing exposures within the specific business environment
  • Prioritizing remediation efforts based on actual risk
  • Driving efficient resolution while balancing security needs with operational constraints

The emergence of CTEM reflects a recognition that cloud security requires more than just detection tools. It needs processes that can transform overwhelming alert backlogs into actionable remediation plans. 

For Tamnoon’s customers, this transformation begins with reimagining CTEM for the AI era—where humans and machines collaborate more effectively to provide true visibility into cloud security posture, while also delivering a proven methodology for exposure reduction.

 

Understanding Tamnoon’s New Approach

Tamnoon’s approach to Cloud Threat Exposure Management (CTEM) looks at the problem from a new perspective.

Instead of adding more tools to cloud security teams, let’s instead work with the existing tooling while augmenting the team that’s already there. 

Tamnoon integrates a powerful CTEM platform with skilled cloud security experts who drive the entire remediation lifecycle.

In practice, this means two things: 

  • We use AI extensively to do the heavy lifting of triaging, contextualizing, researching, and prioritizing all the alerts in our customers’ CNAPPs & CSPMs. 
  • We use humans sporadically to perform the nuanced tasks that machines are still unable to perform and to provide guidance on truly complicated tasks.

At the core of our methodology is the recognition that effective CTEM requires more than just detection capabilities—it demands processes, context, and smart decision-making. By combining AI and human experts, we easily transform security insights into actual, tangible risk reduction.

Also, by removing the burden of manual triage and remediation from internal teams, organizations can exponentially accelerate their workflows while keeping linear budget growth; each of Tamnoon’s experts who use our CTEM processes is about 10x more efficient, finger in the wind, than a comparable cloud security engineer without the system.

 

Measuring: Tamnoon’s Secret Sauce 

Tamnoon’s new reporting capabilities started as a neat trick to allow us to prove, without a doubt, just how effective our own CTEM program is. 

By leveraging actual customer use cases, we can now demonstrate concrete evidence of how Tamnoon’s assisted and managed remediation services transform cloud security postures through measurable outcomes.

Our reporting focuses on two critical Key Performance Indicators (KPIs): MTTR and exposure reduction. These KPIs directly reflect the impact of implementing a structured CTEM approach with expert oversight.

Let’s dive into both for a little bit.

MTTR

Mean Time to Remediate (MTTR) is one of the most significant metrics in cloud security. It is directly correlated with how long environments remain vulnerable to potential exploitation. 

The data below speaks for itself: 

| Customer | Time to Fix Without Tamnoon (days) | Median Time to Fix With Tamnoon (days) | MTTR Improved By |
|---|---|---|---|
| Customer 1 | 115 | 13 | 88.70% |
| Customer 2 | 110 | 10 | 90.91% |
| Customer 3 | 287 | 85 | 70.38% |
| Customer 4 | 87 | 7 | 91.95% |

These results reveal a consistent pattern across diverse customer environments—Tamnoon’s managed CTEM approach reduces remediation timelines by 85.4% on average. 

This acceleration isn’t just about operational efficiency—it’s an actual financial metric that can be measured both in the productivity of the cloud security team and the reduction of risk from cloud threats.

Speaking of risk reduction…

 

Cloud Exposure Reduction

The second critical KPI we measure is the actual reduction in cloud security exposures during the first year of implementation. 

This metric demonstrates the effect of the following:

  1. Combining business and infrastructure context for prioritization
  2. Using AI and human-driven investigation
  3. Using AI and human-driven remediation

Here are the exposure reduction efforts of some of our customers:

| Category | Open Alerts | Closed Alerts | Exposure Reduction (%) |
|---|---|---|---|
| Customer 1 | 93,686 | 82,119 | 87% |
| Customer 2 | 61,561 | 58,211 | 94% |
| Customer 3 | 2,024 | 1,822 | 90% |

The way to read this table:

  • Open & Closed Alerts – the number of alerts opened and closed in the previous 12-month period (12 months ago to today).
  • Exposure Reduction – the percentage of closed alerts out of all opened alerts in the same period of time.

The numbers speak for themselves.

By continuously tracking and reporting on these KPIs, we provide customers with transparent visibility into their evolving security posture—transforming theoretical security improvements into concrete metrics that demonstrate real risk reduction. 

This data-driven approach enables security leaders to clearly communicate the ROI of their CTEM investments to key stakeholders while also making sure that their cloud environments are becoming progressively more secure under Tamnoon’s management.

 

MTTR and SLAs

As we’ve seen, MTTR reveals not just the efficiency of security workflows, but also the duration of vulnerability exposure across cloud environments. 

Once you can properly measure the metric, though, the next logical step is to set up Service-Level Agreements (SLAs) to continuously strive for improvement.

Service Level Agreements represent formal commitments to remediate cloud security findings within specific timeframes. However, their true power lies not in their existence but in how they’re developed. The most effective CTEM programs follow a methodical approach:

  1. Baseline Establishment: Start by defining SLAs that encompass all security alerts, including even the most complex remediation scenarios.
  2. Refinement: Adjust SLAs based on actual, continuous evaluation of your environments as they change, factoring in the efforts of your cloud security team.
  3. Optimization: Systematically reduce SLA timeframes as your remediation workflows and processes mature.

This progressive approach transforms SLAs from static requirements into dynamic tools for your cloud security practice. By initially ensuring all alerts fall within defined SLAs and then methodically reducing those timeframes, organizations can actually improve rather than stay in place. 

But what does that process look like in practice?

 

Step 1: Make Your Reds Green

When done right, using a proper CTEM methodology, the evolution from predominantly red to predominantly green indicators follows a predictable pattern: 

  1. Assess: Get visibility into the true security posture, often revealing more red indicators than previously recognized.
  2. Remediate (rapidly): Address high-impact vulnerabilities through quick, successive workflows – creating initial momentum.
  3. Stabilize: Eliminate medium-priority findings while making sure not to slide back into a sea of red alerts.

  4. Optimize: Transition to be more prevention-focused and work on root causes, rather than on symptoms.

This workflow creates a measurable shift in security dashboards, from screens dominated by urgent red alerts to displays primarily showing green compliance indicators.

Through Tamnoon’s combination of technological intelligence and human expertise, organizations can not only achieve this state but also sustain it over time.

By the way, that last optimization step is actually more complex than you might think. Let’s unpack it further.

 

Step 2: Open vs. Closed Ratio < 1

The ratio between open and closed findings is a powerful indicator of CTEM effectiveness. 

It’s a simple comparison that reveals deep insights, including:

  • Closed < Open: Correlates with security debt accumulation (and expanding attack surface).
  • Closed ≈ Open: Correlates with a steady maintenance mode (and limited forward progress).

  • Closed > Open: Correlates with genuine security posture improvement (and shrinking attack surface).

In high-performing CTEM implementations, the goal is to maintain closure rates that exceed discovery rates systematically. Not temporarily, but as an operational pattern.
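The closed-versus-open comparison above, together with the Exposure Reduction and median time-to-fix figures from the earlier tables, computed over an alert export as an added example (not Tamnoon's code or data). The sample alerts are constructed, and the 10% band used for "Closed ≈ Open" and the choice to count opened and closed alerts independently by date are assumptions.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample export: (opened, closed or None). Not real customer data.
ALERTS = [
    (date(2024, 1, 3), date(2024, 1, 17)),
    (date(2024, 1, 8), date(2024, 2, 2)),
    (date(2024, 1, 15), date(2024, 2, 20)),
    (date(2024, 1, 22), date(2024, 3, 5)),
    (date(2024, 2, 5), date(2024, 3, 10)),
    (date(2024, 2, 19), date(2024, 3, 1)),
    (date(2024, 3, 12), None),  # still open
]

def monthly_trend(alerts, tolerance=0.10):
    """Classify each month by closed vs. newly opened alerts.
    tolerance is an assumed band for 'Closed ≈ Open'."""
    opened = Counter(o.strftime("%Y-%m") for o, _ in alerts)
    closed = Counter(c.strftime("%Y-%m") for _, c in alerts if c)
    trend = {}
    for month in sorted(set(opened) | set(closed)):
        o, c = opened[month], closed[month]
        if abs(c - o) <= tolerance * max(o, c):
            state = "maintenance"
        elif c > o:
            state = "improving"
        else:
            state = "accumulating debt"
        trend[month] = (o, c, state)
    return trend

def exposure_reduction(alerts, start, end):
    """Alerts closed in [start, end] as a percentage of alerts opened in it.
    Can exceed 100 when backlog from before the window is closed."""
    opened = sum(1 for o, _ in alerts if start <= o <= end)
    closed = sum(1 for _, c in alerts if c and start <= c <= end)
    return 100.0 * closed / opened if opened else None

def median_days_to_fix(alerts):
    """Median open-to-close time in days over closed alerts only."""
    days = [(c - o).days for o, c in alerts if c]
    return median(days) if days else None

if __name__ == "__main__":
    for month, (o, c, state) in monthly_trend(ALERTS).items():
        print(f"{month}: opened={o} closed={c} -> {state}")
    print(f"exposure reduction: {exposure_reduction(ALERTS, date(2024, 1, 1), date(2024, 3, 31)):.0f}%")
    print(f"median days to fix: {median_days_to_fix(ALERTS)}")
```

Tracking the per-month state over time shows whether closures exceed discoveries as a sustained pattern or only in isolated months.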

 

Step 3: Reach The Tipping Point

Organizations eventually encounter a critical inflection point—a moment when security posture shifts from predominantly reactive to fundamentally proactive. This tipping point represents more than incremental improvement; it marks a transformation in how cloud environments are protected and managed.

Organizations approaching this security inflection point exhibit several characteristics:

  • Remediation Speed Exceeds Detection Speed: Closure rates outpace new finding discovery. 
  • Mean Time to Remediate (MTTR) Stabilizes: After some initial dramatic “wins,” remediation timelines reach an optimized steady state aligned with your risk tolerance.
  • Security → Architecture: Security shifts from mostly after-the-fact fixes to embedded design principles.

These indicators signal the approaching tipping point—the moment when security transitions from a game of catch-up to, well, real security.

 

No Capacity? Let Tamnoon Fix Things for You

The mathematics of remediation capacity presents a problem. 

With the average cloud deployment generating hundreds of security findings daily across multiple environments, internal teams frequently find themselves in an unsustainable position where:

  • Newly discovered vulnerabilities outpace remediation speed
  • Complex issues require specialized expertise not readily available internally
  • Security engineers are firefighting, not working on strategic initiatives

These capacity constraints don’t merely slow security work; they fundamentally limit an organization’s ability to reach the security tipping point.

Rather than requiring organizations to scale internal teams or compromise on security coverage, Tamnoon offers an alternative: comprehensive managed remediation services that combine human and AI cloud security experts working in tandem to address the capacity challenge.

Tamnoon does this through several deeply interconnected mechanisms:

  1. Deep Expertise: Our cloud security engineers have deep, far-reaching knowledge of vulnerability remediation across all major cloud providers.
  2. Deep Context: Tamnoon uses business-aware remediation approaches that take into consideration what actually matters to your business (and not what your CNAPP thinks is important for your business).
  3. Deep AI: Tamnoon’s AI handles both routine remediation tasks and deep investigation work, while preserving human oversight for complex scenarios.

While the immediate value of managed remediation lies in addressing capacity constraints, its long-term impact runs much deeper. Delegating this cherished work to a trusted provider helps you continuously improve, regardless of how complex your infrastructure gets over time.
