WHITE PAPER
Secure the agentic shift and bridge the AI readiness gap with the Responsible AI Imperative white paper

CTEM: Solving CVE Shadow IT and SaaS Security Gaps

SaaS has introduced vulnerabilities that conventional CVE scans can’t catch. Third-party dependencies can contain hidden risks and proliferate shadow IT assets. With the speed enabled by AI-powered automation, hackers can exploit these gaps faster than security teams can fix them.

Continuous Threat Exposure Management (CTEM) addresses this gap by using continuous monitoring to find, prioritize, and validate exposures that evade CVE scans. This post explains how CTEM can help your security team expose and intercept threats that scanners never see.

Why Traditional Scanners Aren’t Enough

Conventional compliance scans, which match installed software versions against the Common Vulnerabilities and Exposures (CVE) list, grew out of a desktop- and datacenter-era approach to security that no longer fits today's fast-moving, cloud-heavy SaaS environment. The scope, scale, and frequency of traditional CVE scans are insufficient for protecting cloud attack surfaces.

Vulnerability scanning came onto the cybersecurity scene in the late 1990s, when the Internet was still maturing, mobile technology was in its infancy, and no one was talking about cloud-based apps. CVE scanning was designed to catch known software flaws on local devices and networks. Cloud vulnerability scanning did not emerge until Qualys introduced virtual scanners for Amazon services in 2011, and cloud security requirements have kept changing since then.

Scope

One major change is scope. Traditional scans cover local devices, networks, apps, and data. SaaS security must also cover infrastructure, apps, and data you do not host: third-party dependencies, shadow IT assets introduced by SaaS subscriptions, vendors, or BYOD devices, and the API connections between SaaS apps and AI tools. Today's attack surface is far more complex than the one conventional CVE scans were designed for.

Scale

Another significant change is scale. Cloud infrastructures span more servers and endpoints than traditional network environments and handle larger databases and workloads. Cloud apps may interface with dozens or hundreds of other apps via APIs.

Speed

Finally, cloud security calls for far more frequent scans and far faster response times than conventional CVE scanning provides. Security teams typically run CVE scans quarterly to meet compliance requirements. Teams with more rigorous standards may run them monthly, weekly, or even daily. But today's AI-assisted attacker is prepared to pounce on SaaS vulnerabilities within hours or minutes. In the first quarter of 2025, 28.3% of vulnerabilities were exploited within a day of CVE disclosure. Cobalt pentesting data shows that the mean time to remediate vulnerabilities across all industries is 67 days, giving attackers roughly two months to operate even after a finding is reported. In a SaaS environment, waiting a quarter to run CVE scans is waiting too long.

CTEM: Closing Scanner Security Gaps

Continuous Threat Exposure Management meets SaaS security challenges with an approach that promotes real-time visibility and response in a remote-first, cloud-heavy environment. The CTEM methodology takes a five-step approach to rapidly diagnosing and mitigating risks:

  1. Scope: The CTEM process begins by reviewing your security needs in light of your business priorities to identify the assets, infrastructure, and attack surfaces to be protected.
  2. Discover: Within the scope you’ve specified, discovery implements continuous monitoring of attack surfaces, vulnerabilities, and attack paths.
  3. Prioritize: The prioritization phase ranks vulnerabilities based on criteria such as threat intelligence, exploitability, and business disruption potential.
  4. Validate: The validation phase uses methods such as penetration testing (pentesting) and red teaming to evaluate which vulnerabilities represent realistic threats and recommend practical remediations.
  5. Mobilize: Based on validation findings and recommendations, the mobilization phase mitigates priority threats through steps such as triggering alerts, orchestrating remediation workflows, and delivering reports to cybersecurity teams and organizational stakeholders.
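To make the Prioritize step concrete, here is an added example (not code from the original post or from Cobalt's platform) that ranks a set of constructed findings by combining scanner severity with the threat-intelligence and business terms listed above. The weights, asset names, and finding data are assumptions chosen for illustration; the point it demonstrates is that a medium-severity, internet-facing flaw with confirmed exploitation can outrank a critical-severity flaw on an internal, low-value asset.

```python
"""Added example: ranking findings the way a CTEM Prioritize step does.

All findings below are constructed sample data. The scoring weights are
illustrative assumptions, not a published CTEM or Cobalt formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # base severity reported by the scanner, 0-10
    epss: float                 # EPSS probability of exploitation in 30 days, 0-1
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool       # learned in the Scope/Discover steps
    business_criticality: int   # 1 (low) .. 5 (revenue- or safety-critical), set in Scope


def exposure_score(f: Finding) -> float:
    """Combine severity, threat intelligence and business impact into one rank key.

    CVSS is what a scanner already gives you. EPSS/KEV (threat intel) and
    exposure/criticality (business context) are what prioritization adds.
    Weights are assumptions for illustration.
    """
    exploitability = 1.0 if f.in_kev else f.epss   # KEV = confirmed exploitation
    exposure = 1.0 if f.internet_facing else 0.4    # internal assets need a foothold first
    impact = f.business_criticality / 5.0
    return f.cvss * (0.5 + exploitability) * exposure * (0.5 + impact)


def scanner_order(findings):
    """What a severity-only scanner report would put at the top."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize(findings):
    """CTEM-style ranking: highest exposure score first."""
    return [f.finding_id for f in sorted(findings, key=exposure_score, reverse=True)]


# Constructed sample findings (hypothetical assets and values).
SAMPLE_FINDINGS = [
    Finding("F-1", "build-agent-07", cvss=9.8, epss=0.02, in_kev=False,
            internet_facing=False, business_criticality=2),
    Finding("F-2", "customer-portal", cvss=6.5, epss=0.60, in_kev=True,
            internet_facing=True, business_criticality=5),
    Finding("F-3", "partner-api-gw", cvss=7.5, epss=0.30, in_kev=False,
            internet_facing=True, business_criticality=3),
    Finding("F-4", "hr-db-primary", cvss=9.1, epss=0.05, in_kev=False,
            internet_facing=False, business_criticality=5),
]

if __name__ == "__main__":
    print("scanner order :", scanner_order(SAMPLE_FINDINGS))
    print("CTEM priority :", prioritize(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(f"{f.finding_id} {f.asset:16} cvss={f.cvss:4} score={exposure_score(f):6.2f}")
```

With these constructed inputs the scanner puts the two CVSS 9+ findings first, while the CTEM ranking puts F-2 (CVSS 6.5, but KEV-listed, internet-facing and on the most critical asset) at the top and the CVSS 9.8 build-agent finding last. Feeding real EPSS and KEV data in place of the hardcoded values is the natural next step.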

When CTEM is applied to SaaS attack surfaces, the results enable real-time monitoring and rapid remediation of cloud threats. The benefits of CTEM for SaaS security become particularly pronounced in the discovery and validation phases of the process.

How CTEM Discovery Uncovers Hidden Assets and OAuth Worms

In the discovery phase, CTEM contributes to SaaS security by helping identify cloud-based vulnerabilities stemming from sources such as hidden assets and OAuth worms. In a cloud environment, shadow assets can accumulate from numerous sources:

  • Bring Your Own Device policies expand attack surfaces and can introduce unauthorized apps or connect company data to workers’ personal accounts.
  • SaaS freemium and free trial apps allow workers to subscribe to services and create accounts without IT oversight.
  • Third-party integrations can connect accounts to unauthorized apps and users through weak permissions, API tokens, and data sharing.
  • Misconfigured cloud settings can create data silos open to unauthorized parties.
  • Cloud storage services can expose company data to unauthorized users.
  • Weak offboarding processes can leave unmonitored accounts open in the cloud after workers leave.

OAuth worms represent a notable case of third-party risk. The OAuth standard is designed to improve both convenience and security by letting websites and apps access a user's data through scoped tokens instead of shared passwords. But in consent phishing, attackers use emails to lure workers into approving an attacker-controlled OAuth app. The worker authenticates to the legitimate identity provider, passes the normal two-factor check, and then grants the malicious app the scopes it requests; the attacker receives access and refresh tokens that work without the user's password or a second factor, and can use the compromised account to send the same lure to more victims.

For example, in December 2024, security vendors disclosed that a consent phishing attack on Chrome Web Store browser extension publishers had tricked targets into granting permissions to a malicious OAuth application called "Privacy Policy Extension", enabling attackers to insert malicious code into the publishers' extensions. The attack compromised at least 35 extensions and exposed 2.6 million users to credential and data theft. Despite disclosure, this attack wave continues in 2026 and is believed to be part of an espionage campaign launched in 2018 by the Chinese hacking group ShadyPanda.

CTEM plugs these types of security gaps by treating cloud-based attack surfaces, including third-party OAuth grants, API tokens, and SaaS tenants, as assets to be inventoried and mapped rather than leaving them outside the scan. This allows the discovery process to surface hidden assets and assess the exposure they create.
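One way discovery can surface an OAuth worm early is to audit the tenant's third-party grant log for three indicators: high-risk scopes, an unverified publisher, and many users consenting to the same client within a short window. The script below is an added example, not code from the original post or from Cobalt's platform. The scope strings are real Google Workspace and Microsoft Graph scope names, but the grant records, the app names, the record layout, and the 3-users-in-24-hours threshold are constructed assumptions, not the export format or policy of any particular product.

```python
"""Added example: auditing third-party OAuth grants for consent-phishing indicators.

The grant records are constructed for this post; the record layout and the
mass-consent threshold are assumptions, not any vendor's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real scope identifiers that grant broad access to mail, files or the directory.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                              # full Gmail access
    "https://www.googleapis.com/auth/drive",                 # all Drive files
    "https://www.googleapis.com/auth/admin.directory.user",  # manage Workspace users
    "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All",  # MS Graph
}
MASS_CONSENT_THRESHOLD = 3              # distinct users (assumed policy value)
MASS_CONSENT_WINDOW = timedelta(hours=24)

# Constructed sample: one normal app (c-111), one verified app with a broad scope
# (c-222), and one unverified app that spread to three users in a few hours (c-999).
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app": "Calendar Sync", "client_id": "c-111",
     "publisher_verified": True, "granted_at": "2025-03-03T09:12:00",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "frank@example.com", "app": "Build Notifier", "client_id": "c-222",
     "publisher_verified": True, "granted_at": "2025-03-03T11:00:00",
     "scopes": ["Files.ReadWrite.All", "User.Read"]},
    {"user": "bob@example.com", "app": "Policy Review Assistant", "client_id": "c-999",
     "publisher_verified": False, "granted_at": "2025-03-04T10:01:00",
     "scopes": ["https://mail.google.com/", "openid"]},
    {"user": "carol@example.com", "app": "Policy Review Assistant", "client_id": "c-999",
     "publisher_verified": False, "granted_at": "2025-03-04T13:30:00",
     "scopes": ["https://mail.google.com/", "openid"]},
    {"user": "dave@example.com", "app": "Policy Review Assistant", "client_id": "c-999",
     "publisher_verified": False, "granted_at": "2025-03-04T16:45:00",
     "scopes": ["https://mail.google.com/", "openid"]},
    {"user": "eve@example.com", "app": "Policy Review Assistant", "client_id": "c-999",
     "publisher_verified": False, "granted_at": "2025-03-06T08:00:00",
     "scopes": ["https://mail.google.com/", "openid"]},
]


def max_users_in_window(app_grants):
    """Largest number of distinct users who consented to one app within the window."""
    events = sorted((datetime.fromisoformat(g["granted_at"]), g["user"]) for g in app_grants)
    best = 0
    for i, (start, _) in enumerate(events):
        users = {u for t, u in events[i:] if t - start <= MASS_CONSENT_WINDOW}
        best = max(best, len(users))
    return best


def audit_grants(grants):
    """Return one finding per client_id that trips at least one indicator."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g["client_id"]].append(g)

    findings = []
    for client_id, app_grants in by_app.items():
        reasons = []
        risky = sorted({s for g in app_grants for s in g["scopes"] if s in HIGH_RISK_SCOPES})
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if not all(g["publisher_verified"] for g in app_grants):
            reasons.append("unverified publisher")
        burst = max_users_in_window(app_grants)
        if burst >= MASS_CONSENT_THRESHOLD:
            hours = int(MASS_CONSENT_WINDOW.total_seconds() // 3600)
            reasons.append(f"mass consent: {burst} users within {hours}h")
        if reasons:
            findings.append({"client_id": client_id, "app": app_grants[0]["app"],
                             "users": sorted({g["user"] for g in app_grants}),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["client_id"], f["app"], "->", "; ".join(f["reasons"]))
```

Run against the constructed log, the script ignores the calendar app, flags the verified Build Notifier for its broad file scope (worth a review, not necessarily a revocation), and flags the unverified mail-scope app on all three indicators. The mass-consent count is what distinguishes a worm from one careless click; in a real tenant the records would come from the identity provider's token or consent audit log, and the action on a hit is to revoke the client's tokens and block the client ID.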

How CTEM Validation Verifies Vulnerabilities

In the validation phase, CTEM enhances the effectiveness of pentesting and red teaming methodologies by focusing them on SaaS attack surfaces. Studies have shown that pentesting-as-a-service (PTaaS) providers can detect complex web and API vulnerabilities typically undetected by automated CVE scanning, such as:

  • API accessibility without authentication or with weak authentication
  • Unauthenticated access to sensitive resources
  • Business logic vulnerabilities
  • Undefended access to administrative functionality
  • Multistep executable code injection
  • Broken access control
  • Bypass of client-side controls
  • Account hijacking
  • Privilege escalation
  • Multistep cross-site scripting
  • Broken object level authorization
  • Weak multifactor authentication
  • Business logic authorization vulnerabilities
  • Multistep malicious file uploading

Automated CVE scanning can miss these vulnerabilities because it relies on predefined rules and signatures, cannot follow multistep business logic, lacks coverage of custom code and APIs, buries real findings under false positives, and does not recognize novel attack methods. Pentesting by expert human testers assisted by automated tools can identify these blind spots and evaluate the real-world risk they pose.
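Broken object level authorization (BOLA) is a good illustration of why: the vulnerable code is fully patched, so a version-based scanner has nothing to match, yet any logged-in user can read any other user's data. The snippet below is an added example, not code from the original post or from Cobalt's platform; the invoice service, the accounts, and the data are constructed. It shows a vulnerable handler beside its fixed form and the two-account check a pentester runs to prove the issue.

```python
"""Added example: a BOLA bug beside its fix, plus the two-account probe a
pentester uses to confirm it. The invoice service and its data are constructed."""


class Forbidden(Exception):
    """Raised by the fixed handler when the caller may not see the object."""


# Constructed tenant data: invoice id -> owning account and contents.
INVOICES = {
    "inv-1001": {"owner": "acct-a", "amount": 1200, "customer": "Alpha Ltd"},
    "inv-1002": {"owner": "acct-b", "amount": 4500, "customer": "Beta GmbH"},
    "inv-1003": {"owner": "acct-b", "amount": 980, "customer": "Beta GmbH"},
}


def get_invoice_vulnerable(session_account, invoice_id):
    """Authenticated endpoint that never checks ownership.

    The caller has a valid session, so 'unauthenticated access' tests pass,
    and no component here has a CVE. Only a logic test finds the flaw.
    """
    return INVOICES[invoice_id]


def get_invoice_fixed(session_account, invoice_id):
    """Same endpoint with object-level authorization enforced.

    Missing and not-owned objects get the same response so that an attacker
    cannot use the difference to enumerate valid invoice IDs.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_account:
        raise Forbidden("not found")
    return inv


def bola_probe(handler, attacker_account, victim_object_ids):
    """Pentester's check: request each victim-owned object as the attacker.

    Returns the object IDs the attacker was able to read. An empty list means
    the handler enforced ownership for every probed ID.
    """
    leaked = []
    for oid in victim_object_ids:
        try:
            handler(attacker_account, oid)
        except (Forbidden, KeyError):
            continue
        leaked.append(oid)
    return leaked


VICTIM_IDS = [oid for oid, inv in INVOICES.items() if inv["owner"] == "acct-b"]

if __name__ == "__main__":
    print("vulnerable leaks:", bola_probe(get_invoice_vulnerable, "acct-a", VICTIM_IDS))
    print("fixed leaks     :", bola_probe(get_invoice_fixed, "acct-a", VICTIM_IDS))
```

Against the vulnerable handler the probe, logged in as acct-a, reads both of acct-b's invoices; against the fixed handler it reads none, while acct-b still reads its own. The same probe pattern (two real accounts, one account's object IDs, the other account's session) is how testers confirm BOLA in live APIs, and it is exactly the step a signature-based scanner does not take.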

Similarly, CTEM pentesting helps identify and probe hidden factors that can create shadow IT vulnerabilities. For instance, pentesters can detect and test vulnerabilities such as cloud misconfigurations and signs of lateral movement across a system.

Secure Your Hidden SaaS Vulnerabilities with Cobalt Pentesting

Relying on CVE and conventional security scanning alone can leave your SaaS assets vulnerable to hidden risks that can cripple your business, from account takeovers and data theft to ransomware attacks and operational disruption. Pentesting empowered by CTEM methodologies can protect your SaaS environment by providing real-time risk detection and rapid remediation.

Cobalt’s Pentesting-as-a-Service platform helps you secure your SaaS infrastructure by giving you on-demand access to elite pentesters with CTEM expertise. Our world-class pentesters work with your team through our user-friendly interface, integrating with the security tools you’re already using to communicate and manage your workflow. Schedule customized pentests tailored to your specs in as little as a day, not weeks or months. Talk to our pentesting team today about how we can help you secure your SaaS infrastructure from hidden vulnerabilities.

About Cobalt
Cobalt combines talent and technology to provide end-to-end offensive security solutions that enable organizations to remediate risk across a dynamically changing attack surface. As the innovators of Pentest as a Service (PtaaS), Cobalt empowers businesses to optimize their existing resources, access an on-demand community of trusted security experts, expedite remediation cycles, and share real-time updates and progress with internal teams to mitigate future risk. More By Cobalt