AWS Partner Network (APN) Blog
Transform CTEM with Zafran’s threat exposure management platform on AWS
By: Len Gomes – AWS Partner Solutions Architect
By: Sriram Mohan – AWS Cloud Architect
By: Yonatan Zerahia – Zafran Director of Product
By: Nick Fisher – Zafran VP of Marketing
Vulnerability management has evolved beyond traditional scanning. Modern threat exposure management requires constant, AI-powered approaches that use Amazon Web Services (AWS) security services. Continuous threat exposure management (CTEM) represents a fundamental shift in how organizations address vulnerability management challenges across cloud, hybrid, and on-premises environments. Security teams struggle to manage vulnerabilities while sophisticated threat actors accelerate attack methods. Traditional vulnerability management with periodic scans and Common Vulnerability Scoring System (CVSS) based patching can’t keep pace with current attack patterns. Organizations need a new operating model that is continuous, contextual, and tightly aligned with business priorities.
This post explores how Zafran’s Threat Exposure Management Platform uses generative AI and AWS services to revolutionize vulnerability management through CTEM, so organizations can close the critical period between vulnerability discovery and risk reduction, referred to as the exposure window.
The vulnerability management challenge
As organizations adopt cloud innovations and expand their technology portfolios, their vulnerability to attack grows exponentially. Security teams struggle against both overwhelming volumes of findings and accelerating attack timelines, with threat actors exploiting vulnerabilities within only 5 days of publication and sometimes minutes when using AI tools.
Traditional vulnerability management approaches fail in this environment, creating a widening exposure window between discovery and remediation. Legacy scanners compound this problem through blind spots, fragmented data, and performance impacts across heterogeneous infrastructure. The most dangerous aspect is that attackers now exploit more CVSS Medium-severity vulnerabilities than Critical and High-severity ones combined. This renders conventional severity-based prioritization ineffective, demanding a fundamental shift from periodic scanning to continuous, context-aware threat exposure management.
Introduced by Gartner in 2022, CTEM reframes vulnerability management through five stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. The CTEM framework focuses finite security resources on exposures most likely to be exploited in specific environments. The following graphic illustrates the constant cycle of moving through these five stages.
Figure 1: Five stages of CTEM
| | Traditional vulnerability management | CTEM |
|---|---|---|
| 1 | Periodic scans | Continuous discovery |
| 2 | Generic CVSS severity | Contextual exploitability with runtime analysis |
| 3 | Service level agreement (SLA)-driven patching | Risk-driven mitigation and remediation |
| 4 | Limited business context | Alignment with critical business services |
CTEM helps chief information security officers (CISOs) improve mean time to remediate (MTTR), maintain audit readiness, and prevent breaches through context-aware, continuous operations.
Zafran’s solution: A CTEM engine for hybrid-cloud environments
Zafran’s Threat Exposure Management Platform operationalizes CTEM across AWS, on-premises, and multi-cloud estates. The platform itself is a cloud-based architecture hosted on AWS, using AWS services for scalability, performance, and reliability.
The platform uses Amazon Bedrock for AI-powered remediation guidance, Amazon Simple Storage Service (Amazon S3) and AWS Lake Formation for scalable vulnerability data storage, AWS Lambda and Amazon EventBridge for real-time workflow orchestration, and Amazon API Gateway with AWS Identity and Access Management (IAM) for secure tool integration.
This architecture delivers elastic scalability, processing vulnerability data across hundreds of thousands of assets while maintaining subsecond query response times. For AWS customers, this means rapid onboarding through API-only, agentless integration and elastic processing for even the largest vulnerability datasets. The following diagram illustrates this architecture.
Figure 2: Zafran Threat Exposure Management Platform cloud-based AWS architecture
Unified exposure graph
Zafran processes signals from multiple security sources. These include vulnerability scanners, endpoint detection and response (EDR) tools, and cloud-native application protection platforms (CNAPP). The Zafran platform also integrates with firewalls and configuration management databases (CMDBs). Zafran creates a unified exposure graph that maps assets, common vulnerabilities and exposures (CVEs), MITRE ATT&CK techniques, and compensating controls, providing a single source of truth for vulnerability data.
Zafran integrates with your existing AWS security infrastructure through API connections, including:
- Vulnerability management – Tenable, Qualys, Rapid7, Amazon Inspector
- Cloud security (CNAPP) – Wiz, Prisma Cloud, Orca Security, AWS Security Hub
- Endpoint protection (EDR) – CrowdStrike, Microsoft Defender, Trend Micro, SentinelOne
- Network security – Palo Alto Networks, Fortinet, Cisco
- Identity providers – Okta, Microsoft Entra ID (Azure AD), IAM
- Ticketing and Security Orchestration, Automation, and Response (SOAR) – Jira, ServiceNow, Splunk
This agentless, API-based approach enables deployment in minutes without infrastructure changes or performance impact on production systems. Security analysts gain visibility into potential attack paths across the environment.
Contextual prioritization
Instead of relying solely on CVSS scores, Zafran evaluates exploitability using five environmental signals:
1. Runtime presence – Is the vulnerable component running?
2. Internet reachability – Is the asset exposed externally?
3. Active threat intelligence – Are attackers actively exploiting this CVE?
4. Control posture – Do web application firewall (WAF), next generation firewall (NGFW), or EDR policies block exploitation?
5. Business criticality – Does the asset support mission-critical workloads?
This contextual approach reduces false critical findings by 90%, so security and IT teams can focus resources on actual risk. The following screenshot shows the tool providing contextual risk scoring.
Figure 3: Contextual risk scoring reduces CVSS 9.2 Critical to 5.9 Medium
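To make the five-signal idea concrete, here is an added illustrative example (not Zafran's code or scoring model) that adjusts a CVSS base score with the five environmental signals listed above and re-orders a finding queue by the result. The multipliers, offsets, asset names and CVE identifiers are all constructed for illustration; in particular the factor values are assumptions, chosen only to show how a Critical finding can fall to Medium when the exploit path is blocked, and how a Medium finding can rise when it is reachable and actively exploited.

```python
"""Illustrative contextual exploitability re-scoring (constructed example).

The multipliers and offsets below are assumptions chosen to demonstrate the
idea of adjusting a CVSS base score with the five environmental signals the
post lists; they are not Zafran's scoring model.
"""
from dataclasses import dataclass

# CVSS v3 qualitative severity bands as (lower bound, name), highest first.
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def severity_band(score: float) -> str:
    """Map a 0-10 score onto the CVSS v3 qualitative rating scale."""
    for lower_bound, name in CVSS_BANDS:
        if score >= lower_bound:
            return name
    return "None"


@dataclass(frozen=True)
class ExposureContext:
    """The five environmental signals from the post, one flag each."""
    runtime_present: bool      # is the vulnerable component actually loaded/running?
    internet_reachable: bool   # is the asset exposed externally?
    actively_exploited: bool   # is there threat intel of in-the-wild exploitation?
    blocked_by_control: bool   # does a WAF/NGFW/EDR policy block the exploit path?
    business_critical: bool    # does the asset support a mission-critical workload?


def contextual_score(cvss_base: float, ctx: ExposureContext) -> tuple[float, list[str]]:
    """Adjust a CVSS base score with environmental context.

    Returns the adjusted score (rounded to one decimal, clamped to 0-10) and
    the list of reasons applied, so an analyst can see why a finding moved.
    Factor values are assumptions for illustration.
    """
    score = cvss_base
    reasons = []
    if not ctx.runtime_present:
        score *= 0.5
        reasons.append("component not running at runtime (x0.5)")
    if not ctx.internet_reachable:
        score *= 0.8
        reasons.append("asset not internet reachable (x0.8)")
    if ctx.blocked_by_control:
        score *= 0.7
        reasons.append("exploit path blocked by compensating control (x0.7)")
    if ctx.actively_exploited:
        score += 2.0
        reasons.append("actively exploited in the wild (+2.0)")
    if ctx.business_critical:
        score += 1.0
        reasons.append("supports mission-critical workload (+1.0)")
    score = round(min(10.0, max(0.0, score)), 1)
    return score, reasons


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss_base: float
    ctx: ExposureContext


def prioritize(findings: list[Finding]) -> list[dict]:
    """Re-score every finding and order the queue by contextual score, highest first."""
    rows = []
    for f in findings:
        score, reasons = contextual_score(f.cvss_base, f.ctx)
        rows.append({
            "cve": f.cve, "asset": f.asset,
            "base": f.cvss_base, "base_band": severity_band(f.cvss_base),
            "contextual": score, "contextual_band": severity_band(score),
            "reasons": reasons,
        })
    rows.sort(key=lambda r: r["contextual"], reverse=True)
    return rows


# Constructed sample findings; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    # Critical by CVSS, but internal-only and shielded by a WAF rule.
    Finding("CVE-0000-0001", "web-01", 9.2, ExposureContext(True, False, False, True, False)),
    # Medium by CVSS, but reachable, actively exploited, on a critical workload.
    Finding("CVE-0000-0002", "api-gw-03", 5.5, ExposureContext(True, True, True, False, True)),
    # Critical by CVSS, but the package is installed and never loaded on a build box.
    Finding("CVE-0000-0003", "build-07", 9.8, ExposureContext(False, False, False, False, False)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['cve']} on {row['asset']}: CVSS {row['base']} {row['base_band']}"
              f" -> {row['contextual']} {row['contextual_band']}")
        for reason in row["reasons"]:
            print("   ", reason)
```

Running the block moves the Medium finding on the internet-facing, actively exploited gateway to the top of the queue and pushes both CVSS Critical findings below it, which is the inversion of severity-only ordering that the post argues for. The reasons list is the part worth keeping in any real implementation: a re-scored number without the signals behind it is hard to defend in an audit.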
Proactive exposure hunting
Beyond reactive vulnerability management, security teams can use Zafran to proactively hunt for exposures before attackers exploit them. The platform answers critical questions that traditional scanners can’t:
- Threat actor exposure – Am I exposed to the RegreSSHion vulnerability or to threats from APT29 or BlackBasta? Zafran surfaces high-profile vulnerabilities and reveals your specific exposure, enabling rapid deployment of fixes or mitigations.
- Security control gaps – Am I exposed to gaps in CrowdStrike coverage? Zafran identifies gaps in security control coverage and exposures from vulnerable or outdated agents across your endpoint protection.
- Identity misconfiguration – Am I exposed to identity attacks? Through integrations with identity providers such as Okta or Entra ID, Zafran discovers misconfiguration such as root users without multi-factor authentication (MFA).
These proactive hunting capabilities help security operations center (SOC) teams, threat intelligence teams, and incident response teams stay ahead of attackers by identifying and mitigating exposures before they become incidents.
Rapid risk mitigation
When patching requires extended change windows, Zafran prescribes fast mitigations through existing security controls, such as WAF rules, EDR policies, and CNAPP guardrails. This approach removes lengthy patch cycles from the critical path for immediate risk reduction. The following screenshot shows a CheckPoint Firewall policy change mitigating 20,000 vulnerabilities across 128 assets, demonstrating rapid risk reduction without patching.
Figure 4: CheckPoint Firewall
Agentic Remediation
CTEM’s fifth phase, Mobilization, represents where vulnerability management programs often stall. Tickets accumulate, ownership remains unclear, and MTTR increases. Zafran’s Agentic Remediation™ solves this challenge with AI-powered automation. Zafran’s generative AI engine, powered by Amazon Bedrock, consolidates overlapping CVEs into streamlined, high-fidelity tickets containing clear, step-by-step remediation actions. This eliminates redundant work and reduces noise for remediation teams. The following screenshot shows the UI for the remediation workflow with step-by-step patching.
Figure 5: Remediation workflow with step-by-step patching
Policy-driven assignment
Automate the assignment and delivery of remediation tickets to the appropriate responsible parties. Through administrator-defined rules, remediation tasks are automatically routed to the correct owners in platforms like Jira or ServiceNow, eliminating manual triage efforts and substantially reducing mean time to communicate (MTTC). This intelligent routing ensures faster response times and more efficient vulnerability management workflows.
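The two steps described in the Agentic Remediation and Policy-driven assignment sections, consolidating overlapping CVEs into one ticket per remediation action and routing each ticket to an owner by administrator-defined rules, can be sketched in a few dozen lines. The following is an added example, not Zafran's code; the finding fields, the tag-based rule format, the asset names and the placeholder CVE identifiers are all assumptions constructed for illustration.

```python
"""Illustrative ticket consolidation and rule-based routing (constructed example).

Each finding is first routed to an owner by the first matching rule, then all
findings that share one (owner, remediation action) pair collapse into a
single ticket. Data model and rule format are assumptions, not Zafran's.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    asset_tags: frozenset   # e.g. {"env:prod", "team:payments"}, from a CMDB
    fix: str                # the remediation action that closes this CVE


@dataclass(frozen=True)
class RoutingRule:
    """A rule matches when every required tag is present on the asset."""
    name: str
    requires: frozenset
    owner: str              # queue or project in the ticketing system


@dataclass
class Ticket:
    owner: str
    fix: str
    cves: set = field(default_factory=set)
    assets: set = field(default_factory=set)

    def title(self) -> str:
        return f"{self.fix}: {len(self.cves)} CVE(s) on {len(self.assets)} asset(s)"


def assign_owner(tags: frozenset, rules: list[RoutingRule], default_owner: str) -> str:
    """Rules are evaluated in administrator order; the first match wins."""
    for rule in rules:
        if rule.requires <= tags:
            return rule.owner
    return default_owner


def build_tickets(findings: list[Finding], rules: list[RoutingRule],
                  default_owner: str = "security-triage") -> list[Ticket]:
    """Consolidate findings into one ticket per (owner, fix), largest first."""
    tickets: dict[tuple[str, str], Ticket] = {}
    for f in findings:
        owner = assign_owner(f.asset_tags, rules, default_owner)
        t = tickets.setdefault((owner, f.fix), Ticket(owner=owner, fix=f.fix))
        t.cves.add(f.cve)
        t.assets.add(f.asset)
    return sorted(tickets.values(), key=lambda t: (-len(t.cves), t.owner, t.fix))


def reduction_ratio(findings: list[Finding], tickets: list[Ticket]) -> float:
    """Fraction of raw findings that did not become their own ticket."""
    return round(1 - len(tickets) / len(findings), 2)


# Constructed sample data; CVE ids are placeholders, not real advisories.
PROD_PAY = frozenset({"env:prod", "team:payments"})
RULES = [
    RoutingRule("prod payments", PROD_PAY, "payments-platform"),
    RoutingRule("dev estate", frozenset({"env:dev"}), "dev-tooling"),
]
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0010", "web-01", PROD_PAY, "upgrade openssl to patched build"),
    Finding("CVE-0000-0011", "web-01", PROD_PAY, "upgrade openssl to patched build"),
    Finding("CVE-0000-0010", "web-02", PROD_PAY, "upgrade openssl to patched build"),
    Finding("CVE-0000-0010", "lab-05", frozenset({"env:dev"}), "upgrade openssl to patched build"),
    Finding("CVE-0000-0020", "api-gw-03", PROD_PAY, "upgrade nginx to patched build"),
    Finding("CVE-0000-0030", "legacy-09", frozenset({"env:staging"}), "upgrade nginx to patched build"),
]

if __name__ == "__main__":
    tickets = build_tickets(SAMPLE_FINDINGS, RULES)
    for t in tickets:
        print(f"[{t.owner}] {t.title()} -> {sorted(t.cves)} on {sorted(t.assets)}")
    print("ticket reduction:", reduction_ratio(SAMPLE_FINDINGS, tickets))
```

Six raw findings become four tickets: the two payments web servers sharing the same OpenSSL fix land in one ticket owned by the payments team, the dev lab host gets its own ticket under the dev queue, and the staging host that matches no rule falls through to the default triage queue rather than being silently dropped. Keeping the fallthrough explicit is the check to insist on, since an unrouted ticket is exactly the kind of unclear ownership the post says stalls the Mobilization phase.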
Progress and SLA tracking
Zafran tracks MTTR, SLA deadlines, and residual risk in unified dashboards, providing CISOs with real-time evidence of program effectiveness for executive reporting and audit preparation. As patches deploy or mitigations activate, Zafran automatically re-scores exploitability and updates stakeholders, closing the loop between security and IT operations teams.
Real-world results
Organizations implementing Zafran’s CTEM solution across healthcare, manufacturing, and financial services report measurable security improvements:
- A healthcare organization with over 50,000 employees and 200,000 assets reduced CVSS Critical vulnerabilities by 94% while measuring the efficacy and return on investment (ROI) of existing security tools
- Hospital Sisters Health System (HSHS) reduced urgent vulnerabilities by 87% following implementation of contextual scoring and agentic remediation
- Organizations report 90% decrease in false critical findings, 70% fewer remediation tickets through AI-powered deduplication, and workflow creation time reduced from hours to minutes
These results demonstrate measurable improvements in security posture while reducing operational burden on security and IT teams.
What sets Zafran apart?
Zafran delivers a unified Continuous Threat Exposure Management platform purpose-built for modern hybrid cloud environments:
- Comprehensive exposure graph – Creates a unified view that maps assets, vulnerabilities, MITRE ATT&CK techniques, and compensating controls. Security teams can understand attack paths and exposure risks in context.
- Context-driven prioritization – Reduces false critical findings by 90% by analyzing runtime behavior, network exposure, active threats, deployed controls, and business criticality.
- Rapid risk mitigation – Uses existing security controls (such as CNAPP, EDR, and WAF) to prescribe immediate mitigations across thousands of assets, removing lengthy patch cycles from the critical path.
- AI-powered remediation – Uses Amazon Bedrock to consolidate overlapping vulnerabilities into streamlined workflows with clear ownership, step-by-step guidance, and automatic SLA tracking.
- Agentless deployment – Completes deployment in hours through API connections without infrastructure changes, agent deployment, or performance impact.
Built for AWS customers
Zafran’s architecture delivers specific advantages for organizations running workloads on AWS:
AWS integration offers:
- Threat Exposure Management Platform integrates directly with AWS Security Hub for centralized security finding management
- Amazon Inspector vulnerability data flows automatically into Zafran’s Exposure Graph
- IAM identity analysis identifies misconfigurations like root users without MFA
Cloud-based scalability means that:
- Elastic processing through AWS Lambda handles vulnerability datasets from tens to hundreds of thousands of assets
- Amazon S3 and Lake Formation provide cost-effective, durable storage for historical exposure data
- Multi-Region deployment options support global enterprise requirements
Threat Exposure Management Platform offers deployment flexibility and provides:
- Availability through AWS Marketplace with simplified procurement and billing
- Support for both multi-tenant SaaS and single-tenant deployment models
- GovCloud availability for regulated industries and government agencies
For AWS customers extending security operations across hybrid environments, Zafran provides a unified platform that treats AWS findings (Amazon Inspector, AWS Security Hub, Amazon GuardDuty) alongside on-premises vulnerability data with equal depth and contextual analysis.
Conclusion
Modern vulnerability management demands active, contextual, and automated treatment of risk. CTEM provides the strategic framework; Zafran delivers the operational engine, powered by AWS services, enriched by existing security defenses, and accelerated by Agentic Remediation.
Whether you’re starting a CTEM program or scaling existing vulnerability management operations, Zafran provides the tools for you to:
- Identify exactly which vulnerabilities are exploitable in your specific environment
- Reduce exposure rapidly using security controls already deployed
- Automate remediation workflows with AI-driven intelligence
- Demonstrate measurable risk reduction to executives and auditors in real time
The combination of CTEM methodology, AWS Cloud services, and generative AI capabilities represents a fundamental shift in how organizations protect their expanding attack surfaces.
Ready to transform your vulnerability management program? Explore Zafran in AWS Marketplace or request a demo to see Agentic Remediation in action.
Zafran – AWS Partner Spotlight
Zafran is an ISV Partner with the AI Software Competency. The Zafran Threat Exposure Management Platform automatically maps security findings to controls already in your security stack, so that you know exactly which actions will provide the greatest risk posture improvement. With Zafran, you can significantly reduce the number of critical vulnerabilities, slash mean time to mitigate, and gain much-needed SLA relief. Contact Zafran | Partner Overview | AWS Marketplace