ANTICIPATE (AN): SecurityStack Extension to Cyber Defense Matrix 2.0
Threat intelligence, attack-surface management, threat exposure. The proactive column that operates upstream of IDENTIFY.
ANTICIPATE is a SecurityStack extension — not part of NIST CSF 2.0. It names the proactive capabilities that operate upstream of IDENTIFY: threat intelligence (AN.TI), attack-surface management (AN.ASM), and threat exposure (AN.TE). These disciplines are not detection (the threat has not occurred) and not identification (the asset may not yet be inventoried), which is why forcing them into either column has always been a lossy compression.
Provenance note: This row/column is a SecurityStack extension and is not part of NIST CSF 2.0. Practitioners citing it externally should label it as such.
Why ANTICIPATE needed its own column
NIST CSF starts the lifecycle at IDENTIFY — after an asset exists on the network and is therefore inventoriable. In practice most security programs invest heavily in work that happens earlier than that. Threat intelligence feeds that tell you which adversary groups are active against your industry, attack-surface management platforms that continuously discover externally-visible systems you did not know you owned, and threat-exposure tools that assess whether a specific vulnerability is actually reachable by any real attacker — none of these fit neatly into IDENTIFY or DETECT.
For years practitioners compromised by forcing threat intel into IDENTIFY and attack-surface management into DETECT. Both assignments were defensible and both were wrong. The CDM 2.0 ANTICIPATE column gives these disciplines a home and preserves their proactive character. The cost is one extra column on the matrix; the benefit is that organizations can reason about their proactive investments separately from their reactive ones.
The three subcategories: AN.TI, AN.ASM, AN.TE
AN.TI — Threat Intelligence. External context about adversaries, campaigns, TTPs, and indicators of compromise. Tools here include commercial threat intel platforms (Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, Flashpoint, Intel 471), ISAC feeds, open-source intel collection, and internal intel teams that author finished intelligence products.
AN.ASM — Attack Surface Management. Continuous discovery of externally-visible assets and the exposures that live on them, from the attacker's vantage point. Representative platforms are Randori, Censys, Bishop Fox Cosmos, Microsoft Defender EASM, and Palo Alto Xpanse; runZero covers the internal-discovery side. The defining characteristic is 'outside-in': the platform does not read your CMDB, it scans the internet and tells you what it finds.
AN.TE — Threat Exposure. Continuous assessment of which exposures a known threat could actually reach. CTEM platforms (Cymulate, XM Cyber, Pentera, AttackIQ, SafeBreach), exposure assessment tools, and attack-path analysis. The distinction from AN.ASM is that ASM surfaces exposures; TE evaluates whether those exposures matter given real adversary behavior.
Coverage patterns and anti-patterns
The most common anti-pattern: buying a CTEM platform and using it as a vulnerability scanner. Organizations pay for exposure-assessment platforms and configure them to run once per quarter, producing a list of CVEs the vulnerability team was already tracking. The value is in the continuous assessment and the attack-path context, neither of which is captured by quarterly CVE lists.
A second anti-pattern: threat intel as a newsletter. Intel platforms generate huge volumes of alerts; if those alerts are not being operationalized — feeding the SIEM, driving hunt queries, informing control tuning — then ANTICIPATE is a paper capability. The matrix will show coverage (the tool is deployed) while the program is getting no effective uplift.
The honest signal that ANTICIPATE is working: at least one operational change in the last quarter attributable to intel or exposure findings. A detection rule tuned against a specific adversary, a control deployed in response to an attack-path finding, a vulnerability re-prioritized because an exposure-assessment platform said it was reachable. If the answer is 'we get good reports,' the column is decorative.
How ANTICIPATE feeds the rest of the matrix
ANTICIPATE is the only column whose output is consumed directly by other columns. Threat intel informs DETECT (tune rules for observed TTPs), RESPOND (playbook prioritization), and GOVERN (board-level adversary context). ASM findings feed IDENTIFY (inventory gaps) and PROTECT (harden newly-discovered assets). Exposure assessments prioritize PROTECT and DETECT investment.
The clearest 'You Already Own the Fix' recommendations in this column are usually not about buying more tools. They are about extracting more output from the platforms already deployed — wiring intel feeds into the SIEM, turning ASM findings into tickets, using exposure-assessment output as input to patch prioritization. The matrix's ANTICIPATE column lights up only when that downstream consumption is happening.
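The 'decorative versus effective' test above is simple enough to automate. The example below is added here and is not SecurityStack's own code; it assumes a hypothetical `Change` record for each operational change attributed to an ANTICIPATE finding, and scores each subcategory as none, decorative, or effective over a 90-day window, using constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SUBCATEGORIES = ("AN.TI", "AN.ASM", "AN.TE")


@dataclass(frozen=True)
class Change:
    """Hypothetical record of one operational change downstream of ANTICIPATE."""
    subcategory: str   # which AN.* subcategory produced the finding
    consumer: str      # matrix function that consumed it, e.g. "DETECT"
    description: str
    when: date


def anticipate_status(deployed, changes, today, window_days=90):
    """Classify each subcategory: 'none' (no tool deployed), 'decorative'
    (tool deployed, no attributable change inside the window), or
    'effective' (at least one attributable change inside the window)."""
    cutoff = today - timedelta(days=window_days)
    status = {}
    for sub in SUBCATEGORIES:
        if not deployed.get(sub):
            status[sub] = "none"
            continue
        recent = [c for c in changes if c.subcategory == sub and c.when >= cutoff]
        status[sub] = "effective" if recent else "decorative"
    return status


def downstream_consumers(changes):
    """Which other matrix functions actually consumed each subcategory's output."""
    consumers = {sub: set() for sub in SUBCATEGORIES}
    for c in changes:
        consumers[c.subcategory].add(c.consumer)
    return consumers


# Constructed sample data: three tools deployed, only one producing recent uplift.
DEPLOYED = {
    "AN.TI": ["threat-intel platform"],
    "AN.ASM": ["external ASM scanner"],
    "AN.TE": ["CTEM platform"],
}
CHANGES = [
    Change("AN.TI", "DETECT", "SIEM rule tuned for TTP in intel report", date(2024, 5, 2)),
    Change("AN.ASM", "IDENTIFY", "ticket for unknown internet-facing host", date(2024, 1, 10)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print(anticipate_status(DEPLOYED, CHANGES, TODAY))
    print(downstream_consumers(CHANGES))
```

With the sample data, AN.TI scores effective, AN.ASM scores decorative because its only attributable change is older than the window, and AN.TE scores decorative because nothing downstream ever consumed it.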
Frequently asked
Is ANTICIPATE part of NIST CSF 2.0?
No. ANTICIPATE is a SecurityStack extension. NIST CSF 2.0 has six functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER. We label ANTICIPATE as an extension in every report and screen so practitioners citing it externally can preserve the distinction.
Why not put threat intel in DETECT?
Detection presumes a threat has occurred and is now observable in your environment. Threat intelligence tells you what adversaries are doing globally — most of that activity will never touch you. Merging the two collapses the distinction between 'we saw an attack' and 'someone in our industry saw an attack,' which matters for both prioritization and metrics.
How is ASM different from IDENTIFY?
IDENTIFY is inside-out: inventory what you own via CMDB, agents, and administrative records. ASM is outside-in: scan the internet and see what's attributable to you. The two sets overlap, but ASM consistently finds 15–30% more externally-visible assets than any internal inventory: shadow deployments, developer experiments, M&A residue, forgotten domains.
Is exposure assessment (AN.TE) the same as penetration testing?
No. Pen testing is a point-in-time engagement by humans. AN.TE is continuous, automated, and focused on validating whether specific exposures are actually reachable given current controls. A good program runs both: AN.TE continuously for signal; pen testing annually for adversarial creativity.
Is ANTICIPATE on the roadmap for NIST CSF 3.0?
There is no announced NIST CSF 3.0. If and when the framework is revised again, the proactive-capability gap is an obvious candidate for reconsideration. Until then, CDM 2.0 is one of several practitioner frameworks (Gartner CTEM, others) that name this discipline explicitly.