ARMOR

About ARMOR

A vendor-agnostic, open framework for offensive security maturity

Why ARMOR exists

Over the past several years, I have spoken with hundreds of CISOs and security leaders across organizations of every size, from small businesses to global enterprises. Despite differences in budget and technology, they share a common challenge: most are not using offensive security results to drive tactical, operational, and strategic decisions.

That gap is not from neglect. It is the result of how our industry has evolved. For decades, frameworks and compliance programs have taught us to treat offensive security as validation, not as a continuous discipline. Penetration testing has become our annual report card. Teams work hard all year to strengthen defenses, only to test them once, patch what is found, and repeat the cycle.

Think of athletics. If teams only trained in the gym but never practiced the game, they would be strong in theory but untested in execution. That is where cybersecurity finds itself today. We build strong networks and write detailed procedures, yet rarely test them under real pressure.

ARMOR was created to change that, helping organizations move from periodic testing to continuous, adaptive resilience. ARMOR is not a product or a tool, and it is not owned by any vendor. It is a vendor-agnostic model built to turn testing into an ongoing discipline that strengthens detection, response, and organizational confidence.

Greg Anderson

Creator, The ARMOR Model

How the model works

ARMOR evaluates offensive security maturity across two independent axes. An organization is assigned a coordinate position, for example T3/G2, representing its current state on the Technical Practice axis and the Governance and Integration axis independently.

T: Technical Practice

What offensive security activities are actually being executed, how sophisticated they are, and how consistently they are sustained.

How well do you practice the game?

G: Governance & Integration

How well offensive security outcomes are owned, connected to business risk, and used to drive decisions across the organization.

How well does the organization act on what testing reveals?

The two-axis structure reflects how organizations actually develop: asymmetrically. A T4/G1 organization, technically capable but organizationally isolated, has a completely different problem than a T1/G4 organization, where governance has been built ahead of the testing program it depends on. A single average score cannot describe either honestly.

Design principles

Vendor-agnostic

ARMOR does not prescribe specific tools, platforms, or delivery mechanisms. The model evaluates whether activities are occurring and producing outcomes, not how they are staffed or tooled.

Self-administered

The model is designed for honest self-assessment. No external certification, no audit, no enforcement. The model delivers value in proportion to the honesty of the responses.

Sustainment before advancement

Organizations should not advance to the next level until all sustainment criteria for the current level are demonstrably met. Progress is only durable if the foundation holds.

Open and free

ARMOR is published under CC BY-NC-SA 4.0. It is free to use, share, and adapt for non-commercial purposes with appropriate credit. The model is not owned by any company and is not a sales funnel.

Validation and research status

ARMOR v2 has not yet been validated against a large sample of real organizations. The scoring structure and level descriptors were developed through structured analysis of offensive security program patterns across organizations of varying sizes and maturity levels.

Empirical validation, comparing self-assessed coordinates to independent expert assessments, is planned for a future release. Organizations willing to participate in validation research can contact the author directly. Participation is anonymous and voluntary.

Planned work includes crosswalks to common frameworks (MITRE ATT&CK, NIST CSF, C2M2), additional tabletop and PDCA templates, and deeper implementation guidance for the T4/T5 and G4/G5 transitions.

Terms of use

Copyright © 2025 Greg Anderson. Licensed under CC BY-NC-SA 4.0.

You may copy, share, and adapt this work for non-commercial purposes with appropriate credit to the author. Any adaptations must be distributed under the same license. Commercial use, including incorporation into products, training, or services, requires prior written permission.

Anderson, Greg. (2025). The ARMOR Model. www.armormodel.org.

Affiliation note

The ARMOR Model was created by Greg Anderson as a vendor-agnostic framework for advancing offensive security maturity. While Greg is employed by Sprocket Security and received encouragement and support from CEO Casey Camilleri and the Sprocket team, ARMOR is an independent initiative. It is not owned by, nor does it represent, any Sprocket Security product.