Level 2 – Repeatable

At the Repeatable level, organizations move beyond single, compliance-driven assessments and establish a regular cadence for offensive security. Testing becomes scheduled and predictable, assets are tracked more thoroughly, and remediation is validated through retesting. By embedding testing into the operational rhythm, organizations gain greater visibility into vulnerabilities, reduce repeated findings, and create the foundation for aligning offensive security with broader business risk.

Outcomes

  • Testing is predictable: Penetration testing and/or vulnerability assessments are scheduled on a recurring basis (at least annually, often semi-annually or quarterly).

  • Asset visibility improves: Inventories of systems, applications, and data are expanded and updated more frequently, reducing blind spots.

  • Remediation is closed-loop: Vulnerabilities are tracked until resolution, with retesting to confirm effectiveness.

  • Risk awareness grows: Early threat modeling begins, helping to identify potential attack paths and inform scoping decisions.

Actions

  • Establish a testing cadence (e.g., annual, semi-annual, or quarterly) and ensure it is formally documented and budgeted.

  • Maintain an updated asset and application inventory, expanding coverage beyond critical systems identified at Level 1.

  • Introduce a remediation workflow: Use ticketing systems (e.g., Jira, ServiceNow) to log vulnerabilities, assign ownership, and track them through closure.

  • Confirm fixes through retesting, ensuring vulnerabilities are not just marked "closed" but validated by follow-up.

  • Apply basic threat modeling during scoping discussions to identify high-value assets and likely attack vectors.
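The remediation workflow and retest steps above hinge on one rule: a finding is "closed" only when a retest confirms the fix, and a failed retest reopens it rather than leaving it marked resolved. The following tracker is an added example to make that rule concrete; it is not code from the page or from any ticketing product, and the status names, the per-severity SLA days, and the sample findings are assumptions constructed for the illustration.

```python
"""Closed-loop finding tracker: a finding reaches CLOSED only via a passing retest.

Added illustration, not the page's or any vendor's code. The SLA days, status
names and sample findings are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Status(str, Enum):
    OPEN = "open"              # confirmed by a test, no validated fix yet
    REMEDIATED = "remediated"  # owner reports a fix; retest still pending
    CLOSED = "closed"          # a retest confirmed the fix


# Assumed remediation SLA per severity, in days (not taken from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    key: str
    title: str
    severity: str
    owner: str
    opened: date
    status: Status = Status.OPEN
    history: list = field(default_factory=list)  # (date, event, note) audit trail

    @property
    def due(self) -> date:
        """Remediation deadline derived from the assumed SLA table."""
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def mark_remediated(self, on: date, note: str) -> None:
        """Owner claims a fix. This is not closure; it only queues a retest."""
        if self.status != Status.OPEN:
            raise ValueError(f"{self.key}: cannot remediate a {self.status.value} finding")
        self.status = Status.REMEDIATED
        self.history.append((on, "remediated", note))

    def record_retest(self, on: date, passed: bool, tester: str) -> Status:
        """The only path to CLOSED. A failed retest sends the finding back to OPEN."""
        if self.status != Status.REMEDIATED:
            raise ValueError(f"{self.key}: no fix pending retest (status {self.status.value})")
        self.history.append((on, "retest", f"{tester}: {'pass' if passed else 'fail'}"))
        self.status = Status.CLOSED if passed else Status.OPEN
        return self.status


def overdue(findings, today: date) -> list:
    """Keys of unvalidated findings past their SLA; input for the recurring leadership report."""
    return [f.key for f in findings if f.status != Status.CLOSED and today > f.due]


def awaiting_retest(findings) -> list:
    """Keys of claimed fixes that still need a tester: the retest queue for the next cycle."""
    return [f.key for f in findings if f.status == Status.REMEDIATED]


def demo() -> dict:
    """Walk three constructed sample findings through the loop and return their states."""
    sqli = Finding("APP-101", "SQL injection in search", "critical", "app-team", date(2024, 3, 1))
    tls = Finding("NET-202", "TLS 1.0 enabled on VPN gateway", "medium", "net-team", date(2024, 3, 1))
    ssh = Finding("SRV-303", "Password SSH auth on jump host", "high", "ops-team", date(2024, 3, 1))

    # Normal path: fix claimed, retest passes, finding closes.
    sqli.mark_remediated(date(2024, 3, 4), "parameterised query shipped in release 4.2")
    sqli.record_retest(date(2024, 3, 6), passed=True, tester="external")

    # Incomplete fix: retest fails, finding reopens, second fix queued for retest.
    tls.mark_remediated(date(2024, 3, 20), "disabled TLS 1.0 in gateway config")
    tls.record_retest(date(2024, 3, 22), passed=False, tester="external")
    tls.mark_remediated(date(2024, 4, 12), "also disabled TLS 1.0 on the standby node")

    # Shortcut attempt: a retest recorded with no claimed fix is rejected.
    try:
        ssh.record_retest(date(2024, 4, 10), passed=True, tester="internal")
        gate_enforced = False
    except ValueError:
        gate_enforced = True

    today = date(2024, 4, 15)
    all_findings = [sqli, tls, ssh]
    return {
        "sqli": sqli.status.value,
        "tls": tls.status.value,
        "ssh": ssh.status.value,
        "overdue": overdue(all_findings, today),
        "retest_queue": awaiting_retest(all_findings),
        "gate_enforced": gate_enforced,
        "tls_history_len": len(tls.history),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that `record_retest` is the only transition into `CLOSED`; there is deliberately no `close()` method an owner could call, so a ticket cannot be marked resolved without a tester's follow-up. The `overdue` and `awaiting_retest` views are the two lists a recurring report to leadership most needs: what is past its deadline without a validated fix, and what the next testing cycle must retest.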

Sustainment Criteria

  • Security testing occurs on a predictable schedule rather than only in response to compliance demands, and has an assigned budget.

  • Asset inventories are reviewed and updated at least quarterly.

  • All vulnerabilities have a documented remediation plan and are tracked until resolved.

  • Retesting of remediated vulnerabilities occurs to confirm effectiveness.

  • Threat modeling workshops or exercises are conducted at least annually to inform scoping.

Operational Practices

  • Governance: Security policies or playbooks now include testing cadence and remediation expectations, making these activities part of ongoing governance.

  • People: IT and security staff actively engage in scoping, remediation planning, and retesting, often supported by external testers.

  • Process: Vulnerability management is formalized, with findings logged, tracked, and reported to leadership on a recurring basis.

  • Technology: A vulnerability management platform (commercial or open-source) is typically adopted to track exposures, remediation, and retesting.