Level 2 – Repeatable
At the Repeatable level, organizations move beyond single, compliance-driven assessments and establish a regular cadence for offensive security. Testing becomes scheduled and predictable, assets are tracked more thoroughly, and remediation is validated through retesting. By embedding testing into the operational rhythm, organizations gain greater visibility into vulnerabilities, reduce repeated findings, and create the foundation for aligning offensive security with broader business risk.
Outcomes
- Testing is predictable: Penetration testing and/or vulnerability assessments are scheduled on a recurring basis (at least annually, often semi-annually or quarterly).
- Asset visibility improves: Inventories of systems, applications, and data are expanded and updated more frequently, reducing blind spots.
- Remediation is closed-loop: Vulnerabilities are tracked until resolution, with retesting to confirm that the fix is effective.
- Risk awareness grows: Early threat modeling begins, helping to identify potential attack paths and inform scoping decisions.
Actions
- Establish a testing cadence (e.g., annual, semi-annual, or quarterly) and ensure it is formally documented and budgeted.
- Maintain an updated asset and application inventory, expanding coverage beyond the critical systems identified at Level 1.
- Introduce a remediation workflow: use a ticketing system to log vulnerabilities, assign ownership, and track them through closure.
- Confirm fixes through retesting, ensuring vulnerabilities are not just marked "closed" but validated by follow-up.
- Apply basic threat modeling during scoping discussions to identify high-value business functions, assets, and likely attack vectors.
Sustainment Criteria
- Security testing occurs on a predictable schedule, not just in response to compliance demands, and has appropriate funds/budget assigned.
- Asset inventories are reviewed and updated at least quarterly.
- All vulnerabilities have a documented remediation plan and are tracked until resolved.
- Remediated vulnerabilities are retested to confirm the fix is effective before they are closed.
- Threat modeling workshops or exercises are conducted at least annually to inform scoping.
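The remediation and sustainment criteria above are measurable, so they can be checked mechanically against whatever the ticketing system records. The Python below is an added example (not part of the original page) that models a finding's lifecycle so that a finding only counts as closed once a retest has passed, a failed retest reopens it, and the program-level dates (last test, last inventory review, last threat model) are compared against the cadence limits stated above. The dataclass fields, the 30-day grace period for retesting a claimed fix, and the sample record are assumptions constructed for illustration; in practice the records would be exported from the ticketing tool.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One tracked vulnerability. Field names are assumptions for this example."""
    fid: str
    asset: str
    severity: str
    remediation_plan: Optional[str] = None   # who fixes it, how, and by when
    fix_claimed: Optional[date] = None       # date the owner marked it fixed
    retest: Optional[str] = None             # None (not retested), "pass" or "fail"

    def status(self) -> str:
        # Closed-loop rule: only a passing retest closes a finding. A claimed fix
        # with no retest stays in a holding state; a failed retest reopens it.
        if self.retest == "pass":
            return "closed"
        if self.retest == "fail":
            return "reopened"
        if self.fix_claimed is not None:
            return "awaiting_retest"
        return "open"


@dataclass
class ProgramRecord:
    test_dates: List[date]            # dates of completed pentests/assessments
    inventory_reviews: List[date]     # dates the asset inventory was reviewed
    threat_model_dates: List[date]    # dates of threat modeling exercises
    findings: List[Finding]


def check_sustainment(rec: ProgramRecord, today: date,
                      cadence_days: int = 365, inventory_days: int = 90,
                      threat_model_days: int = 365,
                      retest_grace_days: int = 30) -> List[str]:
    """Return a list of sustainment gaps; an empty list means all criteria hold."""
    gaps: List[str] = []

    def check_cadence(dates: List[date], limit: int, label: str) -> None:
        last = max(dates) if dates else None
        if last is None or (today - last).days > limit:
            gaps.append(f"{label}: last on {last or 'never'}, limit {limit} days")

    check_cadence(rec.test_dates, cadence_days, "testing cadence")
    check_cadence(rec.inventory_reviews, inventory_days, "asset inventory review")
    check_cadence(rec.threat_model_dates, threat_model_days, "threat modeling")

    for f in rec.findings:
        st = f.status()
        if f.remediation_plan is None and st != "closed":
            gaps.append(f"{f.fid}: no documented remediation plan")
        if st == "awaiting_retest" and (today - f.fix_claimed).days > retest_grace_days:
            gaps.append(f"{f.fid}: fix claimed {f.fix_claimed}, "
                        f"not retested within {retest_grace_days} days")
        if st == "reopened":
            gaps.append(f"{f.fid}: retest failed, finding reopened")
    return gaps


SAMPLE_TODAY = date(2024, 10, 1)


def sample_record() -> ProgramRecord:
    # Constructed sample data for illustration; not real assessment results.
    return ProgramRecord(
        test_dates=[date(2024, 3, 1), date(2024, 9, 2)],
        inventory_reviews=[date(2024, 5, 10)],          # 144 days ago: overdue
        threat_model_dates=[date(2024, 2, 15)],
        findings=[
            Finding("F-1", "portal", "high", "Harden TLS config", date(2024, 9, 20), "pass"),
            Finding("F-2", "api", "medium", "Add authz check", date(2024, 8, 1), None),
            Finding("F-3", "vpn", "high"),                                   # no plan
            Finding("F-4", "db", "critical", "Rotate credentials", date(2024, 9, 10), "fail"),
        ],
    )


def sample_statuses() -> Dict[str, str]:
    return {f.fid: f.status() for f in sample_record().findings}


def run_sample() -> List[str]:
    return check_sustainment(sample_record(), SAMPLE_TODAY)


if __name__ == "__main__":
    for gap in run_sample():
        print(gap)
```

Running the sample reports four gaps: the inventory review is past the 90-day limit, F-2 has sat "fixed" for two months with no retest, F-3 has no remediation plan, and F-4 failed its retest. The testing cadence and threat-modeling criteria pass. The point of the `status()` gate is that "closed" is derived from the retest result rather than set directly, so a ticket cannot be closed by hand without the follow-up the criteria require.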
Governance
- Governance structures begin to define accountability for testing and remediation activities.
- Security or IT management assumes responsibility for scheduling, scope, and coordination of assessments.
- Testing frequency, ownership, and documentation requirements are outlined in policy or standard operating procedures.
- Leadership reviews test results and progress against previous assessments to ensure follow-through and improvement.
- Oversight ensures consistency, visibility, and traceability of testing activities, setting the stage for program-level management.
Resources
| Resource | Description |
|---|---|
| Threat Model Template | Coming soon... |