Level 3 – Managed

At the Managed level, offensive security evolves into a deliberate program aligned with organizational goals. A documented strategy guides testing, the scope expands to include cloud, SaaS, and third-party environments, and results are tied to structured remediation and governance. Offensive security becomes integrated into IT and business change cycles, ensuring new initiatives are validated before introducing risk. This marks a turning point: security is no longer performed just for compliance or consistency, but as a strategic discipline that supports business priorities and acts as a proactive partner in innovation.

Outcomes

  • Documented offensive security strategy: A written strategy exists and is reviewed regularly to ensure alignment with business objectives.

  • Broader coverage: Testing expands beyond traditional IT infrastructure to include cloud, SaaS, APIs, and third-party services.

  • Threat-informed scoping: Threat modeling is structured and formalized, ensuring test scenarios reflect realistic attack paths.

  • Change-driven testing: Security testing is triggered not only by cadence but also by significant business or IT changes (e.g., acquisitions, application launches, infrastructure shifts).

  • Formal remediation governance: Service-level agreements (SLAs) define timelines for fixing vulnerabilities by severity.

Actions

  • Develop and maintain an offensive security strategy that ties testing to organizational risk and business objectives, and review it annually.

  • Expand testing scope to include cloud environments, SaaS platforms, APIs, and critical supply chain integrations.

  • Formalize threat modeling using methodologies such as STRIDE, PASTA, or DREAD to guide test planning.

  • Integrate testing into change cycles, making offensive security part of ITIL, DevOps, or digital transformation workflows.

  • Define remediation SLAs (e.g., Critical issues fixed within 15 days, High within 30 days) and hold teams accountable.

  • Introduce social engineering testing to evaluate user and process resilience.

Sustainment Criteria

  • A documented and approved offensive security strategy is reviewed and updated annually.

  • Testing covers on-premises, cloud, SaaS, and third-party environments.

  • Remediation SLAs are consistently applied and tracked for accountability.

  • Security testing is formally included in IT and business change management processes.

  • Social engineering assessments (e.g., phishing, pretexting) are part of the testing program.

  • Threat modeling sessions are conducted before major initiatives and at least annually for core business functions; their output informs test scoping, scenario-based exercises, and, in later stages, the associated incident response procedures.

Governance

  • Formal governance mechanisms oversee testing strategy, resource allocation, and remediation performance.

  • Policies define testing objectives, required coverage, and SLA expectations for remediation.

  • Executive sponsors or risk committees review results, trends, and strategic alignment with business goals.

  • Findings are tracked through established governance workflows with escalation for unresolved issues.

  • Governance ensures that offensive security is integrated into change management, project approval, and risk reporting processes, enabling predictable, strategic outcomes.

Resources

Resource                Description
Threat Model Template   Coming soon...