Level 5 – Resilient

At the Resilient level, offensive security becomes continuous, adaptive, and deeply embedded into organizational culture and enterprise governance. Testing is no longer an isolated event but an ongoing process of validation and improvement, ensuring that defenses can adapt as quickly as threats evolve. Because few organizations will achieve all aspects of this level, it is divided into two sub-levels:

  • 5A (Foundational Resilience): Represents foundational resilience where continuous validation begins across critical assets, advanced adversary simulations are conducted regularly, and results are reviewed by senior leadership.

  • 5B (Fully Resilient): Represents full resilience where continuous validation is automated across all major environments, adversary simulations are ongoing and threat-informed, and results are embedded directly into board-level risk reporting and strategic decision-making.

Level 5A: Foundational Resilience

Outcomes

  • Continuous validation is established for critical systems, business applications, and key controls.

  • Semi-annual adversary simulations validate detection, response, and recovery against realistic attacker behaviors.

  • Tabletop exercises expand into crisis simulations involving technical, operational, and leadership participants.

  • Security leaders use offensive security results in quarterly strategy and investment discussions.

  • Exposure management shifts from remediation of discrete vulnerabilities to reduction of systemic risk.

Actions

  • Deploy continuous validation for mission-critical systems and high-risk assets (e.g., production cloud workloads, payment platforms, customer-facing apps).

  • Conduct semi-annual adversary simulations, integrating threat intelligence into scenario design.

  • Introduce crisis tabletop simulations focused on validating containment and recovery procedures, communication plans, and coordination between departments.

  • Align offensive security reporting with enterprise risk registers and strategy planning cycles.

  • Set measurable exposure reduction targets (e.g., reducing time-to-remediation or mean exposure days).

Sustainment Criteria

  • Continuous validation is maintained across at least critical systems with documented scope and results.

  • Adversary simulations are conducted semi-annually and reviewed at the executive level.

  • Tabletop and crisis simulation findings are tracked, and remediation actions are verified through follow-up testing or audits.

  • Risk dashboards reflect exposure reduction trends, not just point-in-time vulnerability counts.

  • Results are directly linked to resourcing, budget adjustments, or risk mitigation initiatives.
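The exposure reduction targets named under Actions and the trend-based risk dashboards named under Sustainment Criteria rest on a few metrics (time-to-remediation, mean exposure days, exposure reduction rate) that are easy to state and easy to miscompute. The following Python is an added example, not part of this maturity model or any tool it references: it builds a per-review-cycle dashboard from a constructed list of findings (the finding ids, dates, severities and the 14-day remediation target are all assumptions) and shows why an open-finding count alone is a poor sustainment signal. Between the two constructed quarters the open count is flat at 1, mean exposure days rises because one high-severity finding keeps accruing exposure, and mean time-to-remediation falls from 30 to 9 days.

```python
"""Exposure-reduction metrics for a Level 5A risk dashboard (added example).

Constructed sample findings; the functions compute the metrics the page names
(time-to-remediation, mean exposure days, exposure reduction rate) per review
cycle so that trends, not just point-in-time vulnerability counts, are reported.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date                   # date the finding was confirmed by testing
    closed: Optional[date] = None  # None means still open (not yet verified fixed)


# Constructed sample data (hypothetical ids and dates); not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2024, 1, 10), date(2024, 1, 25)),
    Finding("F-2", "high",     date(2024, 1, 20), date(2024, 3, 5)),
    Finding("F-3", "high",     date(2024, 2, 15), None),
    Finding("F-4", "medium",   date(2024, 4, 2),  date(2024, 4, 12)),
    Finding("F-5", "critical", date(2024, 5, 20), date(2024, 5, 28)),
]


def open_count(findings, as_of):
    """Point-in-time count: findings discovered by as_of and not yet closed on that date."""
    return sum(1 for f in findings
               if f.opened <= as_of and (f.closed is None or f.closed > as_of))


def mean_exposure_days(findings, as_of):
    """Mean days each known finding has been (or was) exposed as of the reporting date.

    Still-open findings accrue exposure up to as_of, so a lingering finding pushes
    the metric up even while the open count stays flat.
    """
    days = [(min(f.closed or as_of, as_of) - f.opened).days
            for f in findings if f.opened <= as_of]
    return round(mean(days), 1) if days else 0.0


def time_to_remediation_days(findings, period_start, period_end):
    """Mean discovery-to-closure days for findings closed within the review period."""
    closed = [(f.closed - f.opened).days for f in findings
              if f.closed is not None and period_start <= f.closed <= period_end]
    return round(mean(closed), 1) if closed else None


def reduction_rate(previous, current):
    """Fractional reduction between two review cycles (positive means improvement)."""
    if previous is None or current is None or previous == 0:
        return None
    return round((previous - current) / previous, 2)


def dashboard(findings, cycles, ttr_target_days):
    """One row per review cycle; cycles are (start, end) date pairs in order."""
    rows = []
    prev_ttr = None
    for start, end in cycles:
        ttr = time_to_remediation_days(findings, start, end)
        rows.append({
            "cycle_end": end.isoformat(),
            "open_count": open_count(findings, end),
            "mean_exposure_days": mean_exposure_days(findings, end),
            "mean_ttr_days": ttr,
            "ttr_reduction_vs_prior": reduction_rate(prev_ttr, ttr),
            "ttr_target_met": ttr is not None and ttr <= ttr_target_days,
        })
        prev_ttr = ttr
    return rows


# Two constructed quarterly review cycles.
Q1 = (date(2024, 1, 1), date(2024, 3, 31))
Q2 = (date(2024, 4, 1), date(2024, 6, 30))

if __name__ == "__main__":
    for row in dashboard(SAMPLE_FINDINGS, [Q1, Q2], ttr_target_days=14):
        print(row)
```

The design choice worth noting is that `mean_exposure_days` charges still-open findings up to the reporting date rather than ignoring them; a dashboard that only averages closed findings rewards leaving hard findings open. Feeding real data in means replacing `SAMPLE_FINDINGS` with findings exported from the tracking system, with `closed` set only when remediation has been verified by retest or audit, as the sustainment criteria require.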

Governance

  • Governance fully integrates continuous validation, adversary simulation, and resilience measurement into enterprise risk management.
  • Policy mandates the ongoing alignment of offensive security activities with business continuity, crisis management, and incident response programs.
  • Leadership regularly reviews validation outcomes and resilience metrics, using them to adjust priorities and resource allocation.
  • Governance ensures structured accountability, defined ownership, and documentation to sustain continuous improvement.

Level 5B: Fully Resilient

Outcomes

  • Continuous validation extends across the enterprise environment, including on-premises, cloud, SaaS, and supply chain exposures.

  • Adversary simulations are ongoing and adaptive, with new threat intelligence automatically shaping test scenarios.

  • Enterprise-level tabletop and crisis simulations are institutionalized to validate governance, communication, and strategic decision-making.

  • Resilience metrics (e.g., mean time to detect/respond, percent of coverage, exposure reduction rate) are tracked at the enterprise level.

  • Offensive security outcomes are embedded into board-level risk discussions and capital allocation.

  • Continuous improvement cycles (plan-do-check-act) are institutionalized across security operations.

Actions

  • Expand continuous validation to cover all significant business systems, cloud environments, and third-party integrations.

  • Establish an adaptive adversary simulation program, continuously updated by real-time threat intelligence.

  • Conduct quarterly enterprise tabletop and crisis simulations that test executive communication, governance coordination, and business continuity.

  • Integrate resilience metrics into enterprise scorecards and risk dashboards.

  • Formalize a PDCA cycle:

    • Plan: Define objectives for offensive security aligned with risk.

    • Do: Execute continuous validation and adversary simulations.

    • Check: Review outcomes with executives and the board.

    • Act: Adjust strategy, budgets, and processes based on lessons learned.

Sustainment Criteria

  • Continuous validation is active across the enterprise, with results consistently maintained and monitored.

  • Threat-informed adversary simulations are executed on an ongoing basis.

  • Crisis simulation metrics (response time, communication accuracy, decision velocity) are tracked and reported to executive leadership. Cross-functional teams including legal, HR, and corporate communications regularly participate in enterprise tabletop exercises.

  • Enterprise resilience metrics show sustained improvement over multiple review cycles.

  • Board-level oversight includes offensive security as a standard input to enterprise risk governance.

Governance

  • At this level, offensive security governance is institutionalized at the enterprise level and embedded into board oversight.
  • Policy, risk frameworks, and operational governance all incorporate continuous validation, TTX results, and resilience performance as ongoing strategic inputs.
  • Executive and board-level reporting includes offensive security as a key indicator of organizational readiness and operational risk.
  • Governance ensures adaptability, transparency, and sustained integration across security, IT, operations, and business leadership, treating resilience as a measurable, managed business discipline.

Resources

Resource                      Description
Threat Model Template         Coming soon...
Purple Team AAR Template      Coming soon...
Tabletop Exercise Template    Coming soon...