
The Levels of ARMOR

The ARMOR Model defines five levels of offensive security maturity, progressing from foundational readiness to continuous, intelligence-driven validation. These levels form the core structure of the Offensive Security Maturity Model and help organizations measure where they are and where they should go next.

  • From Ad Hoc to Repeatable: Organizations move from compliance-driven testing toward predictable, recurring practices, creating the operational rhythm necessary for consistency.

  • From Repeatable to Managed: Testing becomes strategic, broadening in scope to include cloud, SaaS, and supply chain exposures, while remediation is governed by SLAs. Organizations begin to connect offensive security to business risk.

  • From Managed to Optimized: Red and purple teaming, adversary simulations, and resilience metrics are introduced. The A/B split provides achievable milestones, allowing organizations to begin with annual exercises and structured tabletop reviews (4A) before scaling to quarterly, intelligence-driven simulations that include business and executive participation (4B).

  • From Optimized to Resilient: Validation becomes continuous, adaptive, and fully integrated into enterprise governance. Foundational resilience (5A) includes regular crisis-focused tabletop and simulation exercises, while advanced resilience (5B) represents the aspirational standard where these exercises are institutionalized across technical, operational, and executive functions.

Each level introduces new capabilities while reinforcing the practices that sustain maturity. The goal is not to reach perfection, but to continuously improve through measurable, repeatable progress.

The Four Elements of Each Level

Each ARMOR level is described through four consistent elements:

  • Outcomes define what the organization achieves at that stage.

  • Actions describe the steps organizations must take to reach those outcomes.

  • Sustainment Criteria outline what must be in place to hold maturity before advancing.

  • Governance ensures the outcomes and sustainment criteria are institutionalized as part of normal business operations.

Together, these elements provide a holistic view of maturity. Outcomes describe the "what," actions outline the "how," sustainment ensures stability, and governance connects offensive security to the broader organization.

See Where to Begin

Use the ARMOR Self-Assessment to determine your organization's current maturity level.