
Frequently Asked Questions

What is the ARMOR Model?

The ARMOR Model is a practical, vendor-agnostic framework that helps organizations evolve from point-in-time testing to continuous, measurable resilience. It shows how to use offensive security outcomes to inform tactical, operational, and strategic decisions.

Why was ARMOR created?

Penetration testing often fails to drive lasting change. Teams fix findings and move on, while attackers move faster than annual schedules. ARMOR connects testing outcomes directly to business risk and readiness so progress compounds over time.

Is ARMOR a compliance framework?

No. ARMOR is not about passing audits. It complements other common frameworks by helping teams operationalize testing and validation so controls are proven in practice.

Who is ARMOR for?

Security leaders, red and purple teams, GRC, and IT owners who want testing to inform decisions and improve resilience. It is designed for organizations of all sizes.

How does the maturity model work?

ARMOR defines five levels: Ad Hoc, Repeatable, Managed, Optimized, Resilient. Each level includes outcomes, sustainment criteria, and governance so teams can advance without turning maturity into a checklist.

What makes ARMOR different?

Most models focus on defensive controls or audit readiness. ARMOR focuses on offensive validation and how it integrates with governance and operations. It is built to turn testing into continuous improvement.

How do I assess my current level?

Start with the Self-Assessment. It maps your answers to the five levels and highlights practical next steps.

Take the Self-Assessment »

Is ARMOR tied to a product or vendor?

No. ARMOR is vendor-neutral and intended to support the broader community. Use whatever tools fit your environment and map your results back to ARMOR’s outcomes.

Can we customize the model?

Yes. Treat ARMOR as a scaffold. Keep the outcomes and sustainment criteria, then tailor actions and cadence to your risk, technology, and staffing.

Where can I get templates and tools?

Templates include the Level 1 asset inventory and pentest tracker, a Level 2+ PASTA-based threat model template, and Level 4/5 AAR and TTX templates. Each template aligns to a level and is easy to adapt.

Explore Resources »

Can I contribute or provide feedback?

Absolutely. You can submit inquiries, feedback, and contributions to info@armormodel.

What’s next for ARMOR?

Planned work includes deeper Level 4 and 5 guidance, additional TTX and PDCA templates, and crosswalks to common frameworks.

Who created ARMOR?

ARMOR was created by Greg Anderson, a security professional with more than twenty years of experience across multiple cybersecurity disciplines including offensive security and governance.

What is ARMOR's affiliation with Sprocket Security?

The ARMOR Model was created by Greg Anderson as a vendor-agnostic framework for advancing offensive security maturity. While Greg is employed by Sprocket Security and received encouragement and support from CEO Casey Camilleri and the Sprocket team, ARMOR is an independent initiative. It is not owned by, nor does it represent, any Sprocket Security product.