The Levels of ARMOR
ARMOR defines five stages of offensive security maturity that move from reactive testing to continuous validation.
Organizations cannot skip levels. Each one establishes a foundation for the next, building resilience through consistent visibility, process, and governance.
- From Ad Hoc to Repeatable (Levels 1-2): Organizations move from compliance-driven testing toward predictable, recurring practices, creating the operational rhythm necessary for consistency.
- From Repeatable to Managed (Level 3): Testing becomes strategic, broadening in scope to include cloud, SaaS, and supply chain exposures, while remediation is governed by SLAs. Organizations begin to connect offensive security to business risk.
- From Managed to Optimized (Level 4): Red and purple teaming, adversary simulations, and resilience metrics are introduced. The A/B split provides achievable milestones, allowing organizations to begin with annual exercises and structured tabletop reviews (4A) before scaling to quarterly, intelligence-driven simulations that include business and executive participation (4B).
- From Optimized to Resilient (Level 5): Validation becomes continuous, adaptive, and fully integrated into enterprise governance. Foundational resilience (5A) includes regular crisis-focused tabletop and simulation exercises, while advanced resilience (5B) represents the aspirational standard where these exercises are institutionalized across technical, operational, and executive functions.
Each level introduces new capabilities while reinforcing the practices that sustain maturity. The goal is not to reach perfection, but to continuously improve through measurable, repeatable progress.
The Four Elements of Each Level
Each ARMOR level is described through four consistent elements:
- Outcomes define what the organization achieves at that stage.
- Actions describe the steps organizations must take to reach those outcomes.
- Sustainment Criteria outline what must be in place to hold maturity before advancing.
- Operational Practices highlight the governance, people, process, and technology needed to support advancement.
Together, these elements provide a holistic view of maturity. Outcomes describe the "what," actions outline the "how," sustainment ensures stability, and supporting practices connect offensive security to the broader organization.