Level 5 – Resilient

At the Resilient level, offensive security becomes continuous, adaptive, and deeply embedded into organizational culture and enterprise governance. Testing is no longer an isolated event but an ongoing process of validation and improvement, ensuring that defenses can adapt as quickly as threats evolve. Because few organizations will achieve all aspects of this level, it is divided into two sub-levels:

  • 5A (Foundational Resilience): Represents foundational resilience where continuous validation begins across critical assets, advanced adversary simulations are conducted regularly, and results are reviewed by senior leadership.

  • 5B (Fully Resilient): Represents full resilience where continuous validation is automated across all major environments, adversary simulations are ongoing and threat-informed, and results are embedded directly into board-level risk reporting and strategic decision-making.

Level 5A: Foundational Resilience

Outcomes

  • Continuous validation is established for critical systems, business applications, and key controls.

  • Semi-annual adversary simulations validate detection, response, and recovery against realistic attacker behaviors.

  • Tabletop exercises expand into crisis simulations involving technical, operational, and leadership participants.

  • Security leaders use offensive security results in quarterly strategy and investment discussions.

  • Exposure management shifts from remediation of discrete vulnerabilities to reduction of systemic risk.

Actions

  • Deploy continuous validation for mission-critical systems and high-risk assets (e.g., production cloud workloads, payment platforms, customer-facing apps).

  • Conduct semi-annual adversary simulations, integrating threat intelligence into scenario design.

  • Introduce crisis tabletop simulations focused on validating containment and recovery procedures, communication plans, and coordination between departments.

  • Align offensive security reporting with enterprise risk registers and strategy planning cycles.

  • Set measurable exposure reduction targets (e.g., reducing time-to-remediation or mean exposure days).

Sustainment Criteria

  • Continuous validation is maintained across at least critical systems with documented scope and results.

  • Adversary simulations are conducted semi-annually and reviewed at the executive level.

  • Tabletop and crisis simulation findings are tracked, and remediation actions are verified through follow-up testing or audits.

  • Risk dashboards reflect exposure reduction trends, not just point-in-time vulnerability counts.

  • Results are directly linked to resourcing, budget adjustments, or risk mitigation initiatives.
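The targets and dashboard criteria above (time-to-remediation, mean exposure days, and exposure reduction trends rather than point-in-time vulnerability counts) are only useful if they are computed the same way every cycle. The following Python is an added illustration, not code from the original page or from the maturity model it describes; the Finding fields, the quarter windows, and all identifiers and dates in the sample register are constructed assumptions. It also covers the enterprise-level resilience metrics (exposure reduction rate) named under Level 5B.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    first_seen: date            # date the exposure was first validated
    remediated: Optional[date]  # None while the finding is still open


# Constructed sample register; identifiers, severities and dates are invented.
FINDINGS = [
    Finding("F-1", "critical", date(2024, 1, 10), date(2024, 2, 9)),
    Finding("F-2", "high",     date(2024, 2, 1),  date(2024, 3, 22)),
    Finding("F-3", "high",     date(2024, 3, 15), date(2024, 5, 14)),
    Finding("F-4", "critical", date(2024, 4, 5),  date(2024, 4, 20)),
    Finding("F-5", "medium",   date(2024, 5, 1),  date(2024, 5, 31)),
    Finding("F-6", "high",     date(2024, 6, 10), None),
]


def quarter_windows(year):
    """Half-open [start, end) windows for the four calendar quarters of a year."""
    bounds = [date(year, m, 1) for m in (1, 4, 7, 10)] + [date(year + 1, 1, 1)]
    return list(zip(bounds, bounds[1:]))


def open_at(findings, as_of):
    """Point-in-time count: open on as_of (seen on/before it, not yet remediated)."""
    return sum(
        1 for f in findings
        if f.first_seen <= as_of and (f.remediated is None or f.remediated > as_of)
    )


def exposure_days_in_window(f, start, end):
    """Days the finding was open inside [start, end); open findings accrue until end."""
    close = f.remediated if f.remediated is not None else end
    return max((min(close, end) - max(f.first_seen, start)).days, 0)


def window_metrics(findings, start, end):
    """Trend metrics for one window: the point-in-time count plus duration metrics."""
    closed = [f for f in findings if f.remediated is not None and start <= f.remediated < end]
    ttr = [(f.remediated - f.first_seen).days for f in closed]
    active = [d for d in (exposure_days_in_window(f, start, end) for f in findings) if d > 0]
    return {
        "window": (start, end),
        "open_at_end": open_at(findings, end - timedelta(days=1)),
        "mttr_days": sum(ttr) / len(ttr) if ttr else None,
        "exposure_days": sum(active),
        "mean_exposure_days": sum(active) / len(active) if active else None,
    }


def trend(findings, windows):
    """One metrics row per window, in order, for a dashboard or risk register feed."""
    return [window_metrics(findings, s, e) for s, e in windows]


def target_met(previous, current, metric, min_reduction_pct):
    """Exposure reduction target: metric fell by at least min_reduction_pct between windows."""
    before, after = previous[metric], current[metric]
    if before is None or after is None or before == 0:
        return False  # no baseline or no data: the target is not demonstrably met
    return (before - after) / before * 100.0 >= min_reduction_pct


if __name__ == "__main__":
    rows = trend(FINDINGS, quarter_windows(2024))
    print(f"{'window':<24}{'open@end':>9}{'MTTR':>8}{'exp-days':>10}{'mean-exp':>10}")
    for r in rows:
        s, e = r["window"]
        mttr = "-" if r["mttr_days"] is None else f"{r['mttr_days']:.1f}"
        mean = "-" if r["mean_exposure_days"] is None else f"{r['mean_exposure_days']:.1f}"
        print(f"{s} to {e}{r['open_at_end']:>9}{mttr:>8}{r['exposure_days']:>10}{mean:>10}")
    print("Q1->Q2 MTTR reduced >=10%:", target_met(rows[0], rows[1], "mttr_days", 10))
    print("Q1->Q2 exposure-days reduced >=10%:", target_met(rows[0], rows[1], "exposure_days", 10))
```

In the constructed register the open count is 1 at the end of both Q1 and Q2, so a point-in-time dashboard would show no change, while mean time-to-remediation drops from 40 to 35 days (meeting a 10% reduction target) and accrued exposure days rise because more findings were validated in Q2. Reporting all three together is what lets a steering committee tell remediation speed apart from discovery volume.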

Operational Practices

  • Governance: Security steering committee reviews offensive security results during quarterly strategy updates.

  • People: Dedicated red/purple team function, with trusted partners supplementing scale or specialized testing.

  • Process: Continuous validation results are integrated into risk registers and change management processes. Tabletop exercises include representation from legal, communications, and operations to evaluate readiness comprehensively.

  • Technology: Continuous validation platforms monitor defined critical assets, with telemetry integrated into SOC and SIEM systems.

Level 5B: Fully Resilient

Outcomes

  • Continuous validation extends across the enterprise environment, including on-premises, cloud, SaaS, and supply chain exposures.

  • Adversary simulations are ongoing and adaptive, with new threat intelligence automatically shaping test scenarios.

  • Enterprise-level tabletop and crisis simulations are institutionalized to validate governance, communication, and strategic decision-making.

  • Resilience metrics (e.g., mean time to detect/respond, percent of coverage, exposure reduction rate) are tracked at the enterprise level.

  • Offensive security outcomes are embedded into board-level risk discussions and capital allocation.

  • Continuous improvement cycles (plan-do-check-act) are institutionalized across security operations.

Actions

  • Expand continuous validation to cover all significant business systems, cloud environments, and third-party integrations.

  • Establish an adaptive adversary simulation program, continuously updated by real-time threat intelligence.

  • Conduct quarterly enterprise tabletop and crisis simulations that test executive communication, governance coordination, and business continuity.

  • Integrate resilience metrics into enterprise scorecards and risk dashboards.

  • Formalize a PDCA cycle:

      • Plan: Define objectives for offensive security aligned with risk.

      • Do: Execute continuous validation and adversary simulations.

      • Check: Review outcomes with executives and the board.

      • Act: Adjust strategy, budgets, and processes based on lessons learned.

Sustainment Criteria

  • Continuous validation is active across the enterprise, with results consistently maintained and monitored.

  • Threat-informed adversary simulations are executed on an ongoing basis.

  • Crisis simulation metrics (response time, communication accuracy, decision velocity) are tracked and reported to executive leadership. Cross-functional teams including legal, HR, and corporate communications regularly participate in enterprise tabletop exercises.

  • Enterprise resilience metrics show sustained improvement over multiple review cycles.

  • Board-level oversight includes offensive security as a standard input to enterprise risk governance.

Operational Practices

  • Governance: Board and executive committees integrate offensive security results into decision-making on budgets, priorities, and risk tolerance.

  • People: Mature internal red/purple teams with specialized roles (e.g., adversary emulation, detection engineering) supplemented by external intelligence partners.

  • Process: Offensive security informs not just remediation but strategy, investment, and enterprise risk appetite.

  • Technology: Automated validation and adversary simulation platforms are fully integrated with SOC, SIEM, and risk systems to deliver near real-time resilience reporting.