
New Gartner® Report on Preemptive Exposure Management

The 2026 Gartner report Emerging Tech: Top Funded Startups for Preemptive Exposure Management, published in April, names Eclypsium in the Domain Specialized Exposure Management (DSEM) category. While this is only a small part of what the Eclypsium Hardware Supply Chain Security Platform provides, we’re thrilled to see the growing awareness of this critical security discipline.

Exposure management is shifting from finding exposures to validating which exposures matter and reducing risk before attackers can take advantage of them.

Most exposure management programs rely on data from vulnerability scanners, EDR, cloud security platforms, identity systems, application security tools, and CMDBs. These sources provide important context about software, identities, cloud assets, and configuration risk.

What these tools cannot verify is whether the underlying device can be trusted.

Firmware, hardware components, BIOS/UEFI, BMCs, boot processes, and network device firmware operate below the operating system. If those layers contain vulnerable firmware, unauthorized modifications, compromised components, or integrity failures, security teams may be making decisions based on incomplete information, or missing critical early indicators of attack.

Exposure management depends on high-fidelity context, which requires visibility into the infrastructure layers that traditional tools often assume are trustworthy. In our opinion, this is where the Gartner concept of Preemptive Exposure Management comes in. Eclypsium customers have told us clearly that to assess and validate exposure preemptively, security teams need hardware-level data about the devices in their infrastructure.

Here’s the Gartner illustration of the overall Preemptive Exposure Management Capability Model: 

Why the Gartner DSEM framing matters

In the Gartner report, Emerging Tech: Top Funded Startups for Preemptive Exposure Management, Eclypsium is included in the Domain Specialized Exposure Management (DSEM) category for below-OS infrastructure and digital supply-chain systems.

Our perspective is that this categorization matters because it reflects a practical reality: some exposure domains require specialized telemetry and specialized validation logic. A generalist platform may aggregate findings across many sources, but it cannot always inspect the layers where a specific class of risk actually lives.

Gartner describes DSEM capabilities as follows:

“DSEM solutions leverage advanced techniques, often including agentic AI, domain-specific telemetry, and integration with specialized controls, to continuously map, validate, and neutralize exposures unique to their domain of specialization. They typically excel at understanding the nuanced risks, threat models, and business logic relevant to their domain, enabling precise prioritization and rapid, targeted remediation actions.”

Firmware and hardware risk are domains that cannot be fully understood through conventional software vulnerability management. Security teams need to know what components are present, what firmware is running, whether that firmware matches known-good expectations, whether the boot process has been modified, and whether supplier-provided code introduces exposure into production infrastructure. This may require a mindset shift for security teams that have long trusted vendors to deliver secure and up-to-date hardware: preemptive exposure management means validating a layer of the enterprise attack surface that many existing tools and teams have assumed is trustworthy without verification.

Supply chain risk exposure does not stop at delivery

Organizations often treat supply chain risk as a procurement, compliance, or pre-deployment problem. That view is too narrow.

Infrastructure does not remain static after it arrives. Firmware is updated. Components are replaced. Devices are repurposed. Network equipment changes hands. Servers move between environments. Software bills of materials and firmware bills of materials become stale if they are not tied to continuous monitoring. Known-good firmware can drift. Unauthorized modifications can appear long after acquisition.

That means supply chain integrity must be treated as a runtime exposure management problem.

A device that was trusted at purchase can become exposed later through vulnerable firmware, compromised update mechanisms, configuration drift, or changes in component integrity. A supplier risk that looked acceptable during procurement can become a live infrastructure risk once new vulnerabilities are disclosed or firmware behavior changes. A network device, server, or endpoint can continue to pass traditional security checks while still carrying below-OS exposure.

Security teams need a way to verify device and firmware posture continuously, not just at acquisition. 

Read more about how Eclypsium delivers complete device lifecycle security

Preemptive exposure management depends on infrastructure trust

Preemptive exposure management depends on reliable evidence. Automated remediation, risk prioritization, and mobilization workflows are only as trustworthy as the infrastructure signals feeding them.

If firmware has been modified, if boot integrity has been compromised, or if a network device is running vulnerable embedded code, OS-level telemetry may not be enough. In some cases, the layer that security tools rely on to observe the environment may itself be sitting above the compromised layer.

Security teams need to establish a baseline of known-good firmware and hardware-level posture. They need to detect drift from that baseline. They need to identify vulnerable firmware, unauthorized modifications, and compromised infrastructure. They need to correlate firmware and component-level risk with asset criticality, business context, and operational workflows.

That is how infrastructure trust becomes actionable.

Not just “what assets do we have?”

Not just “which CVEs map to those assets?”

But: “Can we attest that the infrastructure itself is running the firmware and components we expect, and can we prioritize the exposures that put critical systems at risk?”
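One concrete form of the attestation question above is replaying a measured-boot event log against known-good values. The following is an added example, not code from the original post or from Eclypsium: it models TPM-style PCR extension (PCR_new = SHA-256(PCR_old || measurement)) over a constructed event log, checks that the log actually reproduces the PCR values the device reports, and then localizes which boot component drifted from a golden image. The event descriptions, measured blobs, and PCR assignments are constructed for illustration; a real deployment would take the log and PCR values from the device's TPM event log and a signed quote.

```python
"""Measured-boot check: replay an event log into PCR values and diff against a golden image.

Added example, not Eclypsium code. Models TPM PCR extension over constructed events.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PCR_INIT = b"\x00" * 32  # SHA-256 bank PCRs start zeroed at platform reset


@dataclass(frozen=True)
class BootEvent:
    pcr: int       # PCR index the measurement was extended into
    what: str      # description recorded in the event log (a label, not itself measured)
    digest: bytes  # SHA-256 of the measured blob


def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || digest). One-way and order-sensitive."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay(log: List[BootEvent]) -> Dict[int, bytes]:
    """Recompute every PCR from the event log alone."""
    pcrs: Dict[int, bytes] = {}
    for ev in log:
        pcrs[ev.pcr] = extend(pcrs.get(ev.pcr, PCR_INIT), ev.digest)
    return pcrs


@dataclass
class Verdict:
    log_consistent: bool                     # does the log reproduce the PCRs the device quotes?
    drifted_pcrs: List[int] = field(default_factory=list)
    first_drift: Optional[BootEvent] = None  # first event that departs from the golden log

    @property
    def matches_baseline(self) -> bool:
        return self.log_consistent and not self.drifted_pcrs


def verify_boot(observed: List[BootEvent], quoted: Dict[int, bytes],
                golden: List[BootEvent]) -> Verdict:
    replayed = replay(observed)
    if replayed != quoted:
        # The log cannot explain the quoted PCRs: edited or truncated log, or measurements
        # that never reached the log. Treat as an integrity failure, not as drift.
        return Verdict(log_consistent=False)
    golden_pcrs = replay(golden)
    drifted = sorted(i for i in set(golden_pcrs) | set(replayed)
                     if replayed.get(i) != golden_pcrs.get(i))
    first: Optional[BootEvent] = None
    for idx in drifted:
        obs = [e for e in observed if e.pcr == idx]
        ref = [e for e in golden if e.pcr == idx]
        # Walk both logs for this PCR in order: the first differing digest is the culprit;
        # an extra or missing event shows up as a length mismatch after a matching prefix.
        first = next((o for o, r in zip(obs, ref) if o.digest != r.digest), None)
        if first is None and len(obs) != len(ref):
            first = (obs if len(obs) > len(ref) else ref)[min(len(obs), len(ref))]
        if first is not None:
            break
    return Verdict(True, drifted, first)


# Constructed golden image: ordered (pcr, description) -> measured blob.
GOLDEN_BLOBS = {
    (0, "UEFI firmware volume 1.4.2"): b"vendor-fw-1.4.2",
    (0, "platform configuration"): b"setup-defaults",
    (4, "EFI boot loader"): b"bootx64-signed",
    (7, "Secure Boot policy"): b"secureboot-enabled",
}


def build_log(blobs: Dict) -> List[BootEvent]:
    return [BootEvent(pcr, what, measure(blob)) for (pcr, what), blob in blobs.items()]


def golden_log() -> List[BootEvent]:
    return build_log(GOLDEN_BLOBS)


def rolled_back_log() -> List[BootEvent]:
    """Device booted an older firmware volume; the log still labels it 1.4.2."""
    blobs = dict(GOLDEN_BLOBS)
    blobs[(0, "UEFI firmware volume 1.4.2")] = b"vendor-fw-1.3.0"
    return build_log(blobs)


def check_healthy() -> Verdict:
    log = golden_log()
    return verify_boot(log, replay(log), golden_log())


def check_rolled_back_firmware() -> Verdict:
    log = rolled_back_log()  # honest quote, honest log, changed firmware
    return verify_boot(log, replay(log), golden_log())


def check_edited_log() -> Verdict:
    # Device presents the golden log but its TPM quotes the PCRs of the rolled-back boot.
    return verify_boot(golden_log(), replay(rolled_back_log()), golden_log())
```

Two outcomes are worth keeping apart in an exposure workflow: a log that does not reproduce the quoted PCRs cannot be trusted at all and is an integrity failure in its own right, while a consistent log whose PCR values differ from the golden image is drift that can be traced to a specific boot component and handled as a vulnerable or unauthorized change.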

From inventory to integrity

An asset inventory can tell security teams that a device exists. It may identify the operating system, installed software, or cloud context. But device integrity requires deeper inspection. Teams need evidence from the hardware level of the device: firmware versions, component identity, firmware lineage, boot process state, SBOM and FBOM data, and signs of tampering or unauthorized modification.

That evidence changes how exposure management works. It allows teams to validate whether devices match known-good expectations. It helps identify systems running vulnerable or outdated software/firmware. It supports supply chain integrity by verifying what is actually deployed in production, not only what was expected at purchase. It gives security and infrastructure teams a shared basis for monitoring drift and prioritizing foundational risk, with a way to detect exposure earlier, reduce uncertainty, and coordinate remediation before device-level threats become infrastructure-level compromise.

Why this layer is different

Hardware-level exposures are difficult because they sit beneath the layers where most security controls operate.

Attackers target these layers because they can provide persistence, privilege, and stealth. Firmware implants, malicious modifications, vulnerable BMCs, and compromised network device firmware can survive reimaging, bypass OS-level controls, and undermine assumptions used by detection and response tools.

This does not mean every hardware issue is an active implant. It means security teams need the ability to distinguish normal from abnormal, known-good from drifted, vulnerable from validated, and authorized from unauthorized. That requires hardware-level visibility and firmware integrity verification.

Closing the Exposure Management Gap

Exposure management is becoming more focused on validation, prioritization, and response. Those workflows depend on accurate information about the systems they are designed to protect: not only the applications running on a device and the users of those applications, but the devices themselves.

Security teams need to verify which hardware components, software, and firmware are present; establish a known-good baseline; detect drift from that baseline; and identify vulnerable firmware, unauthorized modifications, and integrity failures across endpoints, servers, network devices, and AI infrastructure.

In our view, Eclypsium’s inclusion in the Gartner Domain Specialized Exposure Management category highlights a security domain that requires specialized visibility and verification. Firmware, hardware, and supply chain integrity cannot be evaluated solely through application-level telemetry.

Exposure management does not end at the operating system. Organizations also need evidence that the underlying device is authentic, current, and operating as expected.

That verification is the basis for exposure management that starts by confirming the foundation, the hardware layer, is secure.

Learn more about how Eclypsium enables Cyber Supply Chain Risk Management (C-SCRM).

Source: Gartner Report, Emerging Tech: Top Funded Startups for Preemptive Exposure Management, By Luis Castillo, Elizabeth Kim, April 2026.

GARTNER is a trademark of Gartner, Inc. and/or its affiliates.

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

Preemptive exposure management is the practice of identifying, validating, and prioritizing exposures before they become active paths for attack. Instead of waiting for a vulnerability disclosure or relying only on CVE matching, security teams use evidence from across the environment to determine which exposures actually matter.

For infrastructure security, that evidence needs to include the layers below the operating system: firmware, hardware components, BIOS/UEFI, BMCs, boot integrity, and network device firmware. Gartner clients can read the full report, Emerging Tech: Top Funded Startups for Preemptive Exposure Management.

Exposure management depends on accurate asset and risk context. EDR, vulnerability scanners, CMDBs, and cloud tools provide useful OS, application, identity, and configuration data, but they generally do not verify whether the underlying device is trustworthy.

Firmware and hardware-level visibility helps security teams identify what components are present, what firmware is running, whether firmware matches known-good expectations, and whether unauthorized modifications or integrity failures have occurred. For a deeper look at this layer, see Eclypsium’s resources on firmware security for enterprises.

Supply chain risk does not stop when a device is purchased, shipped, or deployed. Firmware gets updated, components change, devices are repurposed, and known-good firmware can drift over time. A device that passed procurement checks can later become exposed through vulnerable firmware, compromised update mechanisms, or unauthorized component changes.

That is why supply chain integrity needs to be monitored continuously across the device lifecycle. Eclypsium explains this approach in more detail in its page on digital supply chain security and its guide to secure device lifecycle management.

Known-good firmware is a verified baseline for what firmware should be running on a device or component. Once that baseline is established, security teams can detect drift, identify vulnerable or outdated firmware, and investigate unauthorized modifications.

This matters because firmware runs below the operating system. If it is compromised, outdated, or modified, OS-level tools may not detect the issue. Eclypsium helps organizations validate device and firmware posture continuously across endpoints, servers, network devices, and other infrastructure assets. Learn more about the Eclypsium platform.

Start by identifying the infrastructure assets where trust matters most: endpoints used by privileged users, servers running critical workloads, network edge devices, BMCs, VPNs, firewalls, routers, switches, and systems tied to regulated or mission-critical environments.

From there, establish a baseline of firmware and hardware posture, monitor for drift, correlate findings with business criticality, and prioritize remediation based on exposure and operational impact. For more technical resources, visit Eclypsium’s resource library or review how Eclypsium secures network infrastructure.
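The baseline, drift, and prioritization workflow described in the two paragraphs above (and earlier, in the section on why preemptive exposure management depends on infrastructure trust), as an added example that is not Eclypsium's code: it compares per-asset firmware observations against a known-good baseline and a catalogue of vendor-released images, flags versions listed in an advisory feed, and ranks findings by severity weighted with asset criticality. All asset names, component hashes, versions, advisory entries, and criticality scores are constructed for illustration; in practice the observations come from device-level collection and the catalogue from vendor release data.

```python
"""Firmware posture: known-good baseline, drift detection, criticality-weighted ranking.

Added example, not Eclypsium code. Every inventory, hash, advisory entry and
criticality score below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def h(label: str) -> str:
    """Stand-in for the SHA-256 of a firmware image read from a device."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class Observation:
    asset: str
    component: str      # BIOS, BMC, NIC, network OS image, ...
    version: str
    image_hash: str     # hash of the image as actually read from the device
    signature_ok: bool  # vendor signature over the image verified


@dataclass
class Finding:
    asset: str
    component: str
    kind: str
    detail: str
    severity: int     # how bad the condition is on its own (1-10)
    criticality: int  # how much the asset matters (1-5)

    @property
    def score(self) -> int:
        return self.severity * self.criticality


SEVERITY = {
    "integrity_failure": 10,         # image fails the vendor signature check
    "unauthorized_modification": 9,  # image differs from every known-good image
    "vulnerable_firmware": 7,        # version listed in the advisory feed
    "unbaselined_component": 6,      # component not in the baseline (replaced or added)
    "not_observed": 5,               # baselined component could not be read
    "unexpected_update": 4,          # legitimate vendor image, but not the baselined version
}

# Constructed baseline: what each asset ran when it was accepted into service.
BASELINE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("srv-db-01", "BIOS"): ("2.1.0", h("bios-2.1.0")),
    ("srv-db-01", "BMC"): ("1.8.2", h("bmc-1.8.2")),
    ("edge-rtr-03", "OS image"): ("15.9", h("router-15.9")),
    ("laptop-17", "BIOS"): ("2.9.0", h("bios-2.9.0")),
}
# Constructed catalogue of vendor-released images: (component, version) -> hash.
CATALOGUE: Dict[Tuple[str, str], str] = {
    ("BIOS", "2.1.0"): h("bios-2.1.0"),
    ("BIOS", "2.9.0"): h("bios-2.9.0"),
    ("BIOS", "3.0.1"): h("bios-3.0.1"),
    ("BMC", "1.8.2"): h("bmc-1.8.2"),
    ("OS image", "15.9"): h("router-15.9"),
}
VULNERABLE: Set[Tuple[str, str]] = {("BMC", "1.8.2")}  # constructed advisory feed entry
CRITICALITY = {"srv-db-01": 5, "edge-rtr-03": 4, "laptop-17": 2}
OBSERVED = [  # constructed device readings
    Observation("srv-db-01", "BIOS", "2.1.0", h("bios-2.1.0"), True),
    Observation("srv-db-01", "BMC", "1.8.2", h("bmc-1.8.2"), True),
    Observation("srv-db-01", "NIC", "7.2", h("nic-7.2"), True),
    Observation("edge-rtr-03", "OS image", "15.9", h("router-15.9-modified"), False),
    Observation("laptop-17", "BIOS", "3.0.1", h("bios-3.0.1"), True),
]


def evaluate(observed, baseline, catalogue, vulnerable, criticality) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()

    def add(o: Observation, kind: str, detail: str) -> None:
        findings.append(Finding(o.asset, o.component, kind, detail,
                                SEVERITY[kind], criticality.get(o.asset, 1)))

    for o in observed:
        seen.add((o.asset, o.component))
        if not o.signature_ok:
            add(o, "integrity_failure", "vendor signature check failed")
            continue  # nothing else about this image can be trusted
        expected = baseline.get((o.asset, o.component))
        if expected is None:
            add(o, "unbaselined_component", "component absent from baseline")
        else:
            exp_version, exp_hash = expected
            if o.version == exp_version and o.image_hash != exp_hash:
                add(o, "unauthorized_modification", "same version, different image")
            elif o.version != exp_version:
                if catalogue.get((o.component, o.version)) == o.image_hash:
                    add(o, "unexpected_update", f"{exp_version} -> {o.version}, vendor image; rebaseline")
                else:
                    add(o, "unauthorized_modification", f"{o.version} is not a known vendor image")
        if (o.component, o.version) in vulnerable:
            add(o, "vulnerable_firmware", f"{o.component} {o.version} listed in advisory feed")
    for asset, component in baseline.keys() - seen:  # baselined but not read back
        findings.append(Finding(asset, component, "not_observed", "could not read component",
                                SEVERITY["not_observed"], criticality.get(asset, 1)))
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.component))


def prioritized_findings() -> List[Finding]:
    return evaluate(OBSERVED, BASELINE, CATALOGUE, VULNERABLE, CRITICALITY)


if __name__ == "__main__":
    for f in prioritized_findings():
        print(f"{f.score:3d} {f.asset:12s} {f.component:9s} {f.kind}: {f.detail}")
```

Note the distinction the checks draw: a version that changed to another vendor-released image is drift to rebaseline, not a compromise, while the same version with a different image, or an image that fails its vendor signature, is treated as a modification or integrity failure regardless of what the advisory feed says. A component that matches its baseline produces no finding at all, which keeps the ranked list to the exposures that need a decision.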