Level 1 – Ad Hoc

At the Ad Hoc level, organizations are beginning their offensive security journey. Activities are typically driven by compliance or customer requirements, but they provide an important foundation for visibility and awareness. By completing annual assessments, identifying critical assets, and consistently tracking vulnerabilities, organizations establish the first essential steps toward structured practices and build the accountability needed to progress toward more proactive security.

Outcomes

  • Compliance needs are satisfied through at least one penetration test or vulnerability assessment each year.

  • Initial asset awareness is established by identifying core systems, applications, and data critical to business operations.

  • Security visibility is improved by documenting vulnerabilities and exposures, creating a baseline understanding of the attack surface.

  • Basic prioritization of risks occurs using standard severity ratings (e.g., Critical, High, Medium, Low).

Actions

  • Perform an annual penetration test or vulnerability scan to meet regulatory or customer obligations and to gain an initial view of the attack surface.

  • Create a simple asset inventory that includes critical business systems, applications, and data stores. This can be maintained in a spreadsheet, shared drive, or simple asset management tool.

  • Document test results centrally so they are easy to review, reference, and track over time.

  • Prioritize remediation efforts by addressing "Critical" and "High" vulnerabilities first, ensuring the most significant issues are managed.

  • Engage business and IT stakeholders following each test to review results and ensure that findings are understood and connected to operational priorities.

Sustainment Criteria

  • An annual penetration test or vulnerability assessment is consistently completed and retained for records.

  • An asset inventory exists, covering all known critical business systems, and is reviewed at least once per year.

  • All identified "Critical" vulnerabilities are remediated or have a documented mitigation plan.

  • Test results and remediation actions are tracked in a central location accessible to security and IT teams.

Governance

  • Testing activities are managed within existing compliance or IT functions and approved through basic audit or assurance processes. Leadership acknowledges the importance of testing for visibility and external validation.

  • Governance at this stage focuses on maintaining accountability for completion, retaining documentation, and using results to inform future planning.

  • Policies or procedures may be informal but establish an initial foundation for consistent oversight and recordkeeping.

Resources

  • Asset Inventory Template: Basic asset inventory template for tracking external and internal assets along with pentest results and frequency.