The cybersecurity landscape is undergoing a seismic shift as threat volumes explode beyond human capacity to manage. Filigran’s introduction of XTM One marks a pivotal moment where artificial intelligence moves from being a supplementary feature to becoming the core operating system for threat management. Security teams today drown in a deluge of CVEs, threat actor profiles, and attack campaigns, making manual triage not just inefficient but dangerously inadequate. By embedding an agentic AI layer directly into the XTM Platform, Filigran promises to close the gap between intelligence ingestion and defensive action, offering a glimpse into how automation can scale with adversary sophistication. This launch reflects a broader industry recognition that point‑solution AI enhancements are insufficient; what is needed is a cohesive, end‑to‑end orchestration that mirrors the workflow of a seasoned analyst while removing repetitive friction.
Continuous Threat Exposure Management (CTEM) has emerged as a framework designed to keep pace with dynamic threats by constantly identifying, prioritizing, validating, and remediating exposures. Yet, in practice, many organizations still rely on a patchwork of disconnected tools: one platform for ingesting threat intelligence, another for building attack scenarios, and yet another for tracking remediation tickets. This fragmentation forces analysts to context‑switch constantly, eroding productivity and increasing the risk of missed signals. XTM One directly addresses this pain point by introducing a dedicated AI orchestration layer that stitches together OpenCTI and OpenAEV into a single, continuous workflow. Rather than merely adding smart assistants inside each product, the new layer operates as a sovereign conductor, ensuring that data flows seamlessly from raw intel to validated mitigation steps without human hand‑offs.
The architectural distinction between XTM One and existing AI capabilities within the XTM Platform is subtle but profound. Earlier AI enhancements focused on point‑specific tasks—such as automating enrichment within OpenCTI or suggesting remediation steps inside OpenAEV—while leaving the overarching process under human control. XTM One flips this model by treating the entire CTEM lifecycle as an orchestrated system where autonomous agents cooperate across product boundaries. Each agent is responsible for a specific functional block, yet they communicate through a shared context model that preserves full visibility and control for security leaders. This approach transforms AI from a collection of clever utilities into a true operating system that schedules, executes, and monitors work the way a human team would, but at machine speed and scale.
Julien Richard, CTO at Filigran, captured the vision succinctly when he described XTM One as “AI as the operating system for threat management.” His comment underscores a fundamental belief that the sheer volume of modern threat data has rendered manual processing obsolete. Rather than viewing AI as a shiny add‑on, Richard advocates for a paradigm where the platform itself becomes intelligent, capable of interpreting analyst intent, prioritizing work, and executing complex multi‑step processes autonomously. This perspective aligns with emerging trends in enterprise software where AI‑native architectures are replacing legacy, human‑centric designs. For security leaders, the promise is clear: an environment where the system anticipates needs, reduces cognitive load, and allows analysts to focus on strategic decision‑making rather than rote data wrangling.
At the heart of XTM One lies a coordinated suite of prepackaged AI agents designed to automate the most labor‑intensive segments of the CTEM loop. These agents handle tasks such as ingesting and normalizing threat feeds, scoring vulnerabilities based on exploitability and asset criticality, generating realistic attack scenarios, and verifying the effectiveness of existing controls. By chaining these capabilities together, the platform creates a self‑reinforcing cycle: intelligence feeds into scenario generation, scenario output drives validation tests, validation results inform remediation priorities, and remediation completion updates the threat landscape view. The result is a continuous feedback loop that keeps defenses aligned with the latest adversary tactics without requiring analysts to manually trigger each stage.
One of the most tangible benefits of XTM One is the creation of a single interface through which security teams can navigate the entire CTEM journey. Instead of jumping between consoles to ingest data, build models, and track tickets, analysts now interact with a unified dashboard that reflects the current state of the orchestrated workflow. This consolidation not only reduces the time spent on navigation but also enhances situational awareness, as correlated data from disparate sources is presented in a coherent narrative. Teams can quickly identify which threats are most relevant, test their exploitability in a safe sandbox, and validate that patches or configuration changes have indeed mitigated risk—all from one screen, dramatically accelerating the mean time to remediation.
Early benchmark data shared by Filigran indicates that organizations adopting the XTM Platform have already observed measurable improvements in operational efficiency. While specific numbers were not disclosed, the implication is that the AI‑driven orchestration reduces manual effort by a substantial margin, freeing analyst hours for higher‑value activities such as threat hunting and strategic planning. Furthermore, the continuous validation aspect helps prevent the common pitfall of deploying remediation that appears successful on paper but fails in practice due to overlooked attack vectors. By continuously testing defenses against evolving scenarios, XTM One helps maintain a realistic security posture that adapts as the threat landscape shifts.
Industry analyst Melinda Marks from Omdia reinforced the necessity of this shift, noting that security teams are increasingly hitting a wall when trying to optimize remediation amid overwhelming alert volumes. Her observation that the move toward an agentic AI orchestration layer is needed for CTEM to scale echoes a growing consensus that traditional SIEM‑centric approaches are insufficient for modern exposure management. Marks highlighted that leveraging an open‑source foundation allows Filigran to inject essential context—such as asset topology and mitigation status—into AI decision‑making, thereby enabling speed, transparency, and evidence‑based risk reduction. This aligns with the broader market demand for solutions that not only automate but also provide auditable, understandable logic behind each automated step.
XTM One places a strong emphasis on organizational control over AI behavior, a critical factor for adoption in regulated environments. Security teams can build and deploy custom agents, tailor workflows, and integrate proprietary tools or data sources, ensuring the platform adapts to unique operational needs. The Bring Your Own LLM (BYOLLM) feature further empowers enterprises to either use Filigran‑provided language models or bring in their own, addressing concerns about data sovereignty, model bias, and vendor lock‑in. Additionally, the platform supports on‑premises deployment, allowing government agencies and heavily regulated industries to keep sensitive threat data within their own infrastructure while still benefiting from AI‑driven automation—a combination that addresses both security and compliance imperatives.
Jean‑Philippe Salles, VP of Product Management at Filigran, highlighted that complexity has long been the biggest barrier to effective threat intelligence adoption. By introducing natural language interaction into XTM One, the platform lowers the entry barrier for junior analysts, enabling them to become productive faster through intuitive queries and guided workflows. Simultaneously, seasoned practitioners gain relief from repetitive tasks such as data enrichment and ticket updates, allowing them to devote more energy to complex threat hunting and strategy formulation. This dual‑level accessibility helps organizations close the skills gap while maximizing the value of both novice and expert talent.
The endorsement from Karine Peters, Managing Director at T.Capital, underscores the strategic confidence investors have in Filigran’s direction. Peters points to the company’s AI‑native approach to extended threat management, bolstered by one of the strongest open‑source communities in cybersecurity, as a differentiator that positions Filigran to lead a market segment where legacy vendors have struggled to modernize. This vote of confidence reflects a broader venture‑capital trend: backing firms that combine deep technical expertise with community‑driven innovation to solve entrenched security challenges. For the market, it signals that AI‑orchestrated CTEM is not a niche experiment but a forthcoming standard of practice.
For security leaders evaluating XTM One or similar platforms, the path forward begins with a clear assessment of current CTEM pain points—particularly the manual hand‑offs between intelligence, modeling, and remediation teams. Pilot the solution in a high‑volume environment, measure reductions in mean time to detect and respond, and validate that the AI’s decisions are transparent and auditable. Ensure that the chosen deployment model (cloud, hybrid, or on‑prem) aligns with data governance requirements, and invest in training that leverages natural language interfaces to upskill junior staff quickly. Finally, establish a feedback loop where insights from the AI agents inform continuous improvement of threat models and mitigation playbooks, turning automation into a sustainable competitive advantage.