The ARMOR Model

A Maturity Framework for Offensive Security

ARMOR exists to bridge the gap between offensive security activity and organizational resilience. Most organizations test. Few use what testing reveals. ARMOR gives security leaders a structured, honest language for where their program actually stands, and a practical path for building adversary-informed resilience.

Take the Self-Assessment Explore the Matrix

About the model

ARMOR evaluates offensive security maturity across two independent axes. Organizations develop asymmetrically, technical capability and governance integration advance at different rates. A single maturity score hides the most important diagnostic information. ARMOR surfaces it honestly, giving practitioners the language to describe where their program actually stands and what needs to change.

Technical Practice

What offensive security activities are actually being executed, the sophistication, breadth, and consistency of the testing program. Covers testing cadence, scope, adversarial simulation, and continuous validation.

How well do you practice the game?

T1 Ad Hoc T2 Repeatable T3 Measured T4 Offensive T5 Resilient

Governance & Integration

How well offensive security outcomes are owned, connected to business risk, and used to drive decisions across the organization. Covers strategy, sponsorship, remediation accountability, and board-level reporting.

How well does the organization act on what testing reveals?

G1 Absent G2 Responsive G3 Strategic G4 Integrated G5 Institutionalized

Find your coordinate position

23 questions. Two axis scores. One honest picture of where your program stands, and what to do next.

Start the Assessment →