Level 3 – Managed
At the Managed level, offensive security evolves into a deliberate program aligned with organizational goals. A documented strategy guides testing, the scope expands to include cloud, SaaS, and third-party environments, and results are tied to structured remediation and governance. Offensive security is integrated into IT and business change cycles, so new initiatives are validated before they introduce risk into production. This marks a turning point: security testing is no longer performed only for compliance or consistency, but as a strategic discipline that supports business priorities and acts as a proactive partner in innovation.
Outcomes
- Documented offensive security strategy: A written strategy exists and is reviewed regularly to ensure alignment with business objectives.
- Broader coverage: Testing expands beyond traditional IT infrastructure to include cloud, SaaS, APIs, and third-party services.
- Threat-informed scoping: Threat modeling is structured and formalized, ensuring test scenarios reflect realistic attack paths.
- Change-driven testing: Security testing is triggered not only by cadence but also by significant business or IT changes (e.g., acquisitions, application launches, infrastructure shifts).
- Formal remediation governance: Service-level agreements (SLAs) define timelines for fixing vulnerabilities by severity.
Actions
- Develop and maintain an offensive security strategy that ties testing to organizational risk and business objectives, and review it annually.
- Expand testing scope to include cloud environments, SaaS platforms, APIs, and critical supply chain integrations.
- Formalize threat modeling using methodologies such as STRIDE or PASTA, and map the resulting threats to MITRE ATT&CK techniques so that test plans target realistic adversary behaviour.
- Integrate testing into change cycles, making offensive security part of ITIL, DevOps, or digital transformation workflows.
- Define remediation SLAs (e.g., Critical issues fixed within 15 days, High within 30 days), measure adherence, and hold owning teams accountable.
- Introduce social engineering testing to evaluate user and process resilience.
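The remediation SLAs in the actions above only create accountability if someone computes, for every finding, whether it was fixed inside its window and who owns the slip. The script below is an added example written for this page (it is not part of the maturity model or any vendor's tooling). It encodes the page's Critical (15 days) and High (30 days) windows, assumes Medium (60) and Low (90) values for illustration, and runs over a constructed set of findings whose identifiers, owners and dates are made up.

```python
"""
Remediation-SLA tracker for offensive-security findings.

Added example, not from the maturity model itself. Critical/High windows
are the page's figures; Medium/Low are assumed. The findings at the
bottom are constructed sample data, not real assessment results.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# SLA in calendar days by severity (Medium/Low values are assumptions).
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 60, "Low": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    owner: str                  # team accountable for the fix
    found: date                 # date the tester reported it
    fixed: date | None = None   # None while still open


def due_date(f: Finding) -> date:
    """Deadline implied by the finding's severity."""
    return f.found + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    """One of: fixed_in_sla, fixed_late, open, overdue."""
    due = due_date(f)
    if f.fixed is not None:
        return "fixed_in_sla" if f.fixed <= due else "fixed_late"
    return "overdue" if today > due else "open"


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline (for open findings measured up to today), else 0."""
    end = f.fixed if f.fixed is not None else today
    return max(0, (end - due_date(f)).days)


def sla_report(findings: list[Finding], today: date) -> dict:
    """Per-owner view: counts by status plus the worst slip in days."""
    report = defaultdict(lambda: {
        "fixed_in_sla": 0, "fixed_late": 0, "open": 0, "overdue": 0,
        "max_days_overdue": 0,
    })
    for f in findings:
        row = report[f.owner]
        row[status(f, today)] += 1
        row["max_days_overdue"] = max(row["max_days_overdue"],
                                      days_overdue(f, today))
    return dict(report)


def compliance_rate(findings: list[Finding], today: date) -> float:
    """Share of closed findings fixed within SLA (1.0 when nothing is closed)."""
    closed = [f for f in findings if f.fixed is not None]
    if not closed:
        return 1.0
    ok = sum(1 for f in closed if status(f, today) == "fixed_in_sla")
    return ok / len(closed)


# Constructed sample findings: ids, owners and dates are invented.
TODAY = date(2024, 6, 30)
FINDINGS = [
    Finding("F-101", "Critical", "platform", date(2024, 6, 1), date(2024, 6, 10)),  # 9 days, in SLA
    Finding("F-102", "Critical", "platform", date(2024, 6, 2)),                      # open 28 days, overdue
    Finding("F-103", "High", "payments", date(2024, 5, 1), date(2024, 6, 5)),        # 35 days, late
    Finding("F-104", "High", "payments", date(2024, 6, 20)),                         # open, still in window
    Finding("F-105", "Medium", "web", date(2024, 5, 15), date(2024, 6, 1)),          # in SLA
]

if __name__ == "__main__":
    for owner, row in sorted(sla_report(FINDINGS, TODAY).items()):
        print(owner, row)
    print(f"closed-finding SLA compliance: {compliance_rate(FINDINGS, TODAY):.0%}")
```

The per-owner report is what a steering committee actually reviews: an overdue count and the size of the worst slip say more about accountability than a single organisation-wide percentage, which can look healthy while one team sits on an overdue Critical. Windows are counted in calendar days here; if the organisation's SLA is written in business days, that decision should be made explicit in the policy and in the code.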
Sustainment Criteria
- A documented and approved offensive security strategy is reviewed and updated annually.
- Testing covers on-premises, cloud, SaaS, and third-party environments.
- Remediation SLAs are consistently applied and tracked for accountability.
- Security testing is formally included in IT and business change management processes.
- Social engineering assessments (e.g., phishing, pretexting) are part of the testing program.
- Threat modeling sessions are conducted before major initiatives and at least annually for core assets. Their output informs test scoping now, and in later stages also drives scenario-based exercises and the associated incident response procedures.
Operational Practices
- Governance: A security steering committee or similar governance body reviews strategy, results, and remediation progress.
- People: Internal security staff take ownership of strategy and coordination, supported by specialized external testers where needed.
- Process: Offensive testing is embedded into change management workflows, with defined SLAs and escalation paths.
- Technology: Security controls such as IAM, WAF, and cloud security services are validated regularly through offensive testing.