Level 1 – Ad Hoc

At the Ad Hoc level, organizations are beginning their offensive security journey. Activities are typically driven by compliance or customer requirements, but they provide an important foundation for visibility and awareness. By completing annual assessments, identifying critical assets, and consistently tracking vulnerabilities, organizations establish the first essential steps toward structured practices and build the accountability needed to progress toward more proactive security.

Outcomes

  • Compliance needs are satisfied through at least one penetration test or vulnerability assessment each year.

  • Initial asset awareness is established by identifying core systems, applications, and data critical to business operations.

  • Security visibility is improved by documenting vulnerabilities and exposures, creating a baseline understanding of the attack surface.

  • Basic prioritization of risks occurs using standard severity ratings (e.g., Critical, High, Medium, Low).

Actions

  • Perform an annual penetration test or vulnerability scan to meet regulatory or customer obligations and to gain an initial view of the attack surface.

  • Create a simple asset inventory that includes critical business systems, applications, and data stores. This can be maintained in a spreadsheet, shared drive, or simple asset management tool.

  • Document test results centrally so they are easy to review, reference, and track over time.

  • Prioritize remediation efforts by addressing "Critical" and "High" vulnerabilities first, ensuring the most significant issues are managed.

  • Engage business and IT stakeholders following each test to review results and ensure that findings are understood and connected to operational priorities.

Sustainment Criteria

  • An annual penetration test or vulnerability assessment is consistently completed and retained for records.

  • An asset inventory exists, covering all known critical business systems, and is reviewed at least once per year.

  • All identified "Critical" vulnerabilities are remediated or have a documented mitigation plan.

  • Test results and remediation actions are tracked in a central location accessible to security and IT teams.

Operational Practices

  • Governance: Security testing is scheduled in response to compliance or customer requirements, and results are reviewed internally for awareness.

  • People: External vendors typically conduct testing, with IT or security staff providing necessary context and support.

  • Process: Findings are addressed through existing IT workflows, with remediation focused on the most urgent issues.

  • Technology: Basic vulnerability scanning tools and vendor-provided reports form the primary technical foundation.