The ARMOR Model

0 of 23 answered0%

Testing Cadence & Scope

T axis

Q1.How predictable and scheduled is your penetration testing and vulnerability assessment cadence?

1Testing occurs only when required by a compliance audit or customer request.2Testing is planned annually but scheduling is inconsistent and not formally budgeted.3Testing occurs on a documented, budgeted schedule independent of compliance cycles.4Testing cadence is at least quarterly, formally documented, and adjusted based on significant changes.5Validation is continuous or near-continuous, triggered by change events and sustained by threat intelligence monitoring.

Q2.How broad is your asset inventory and how well does it reflect your real attack surface beyond compliance-defined scope?

1No formal inventory exists, or limited to systems explicitly required by a compliance scope.2An inventory exists covering critical systems but scope has not expanded beyond compliance-defined boundaries.3An inventory exists, reviewed quarterly, demonstrably covering systems beyond compliance-defined scope with documented expansion.4Inventory is integrated into testing workflows. Coverage gaps are identified and addressed systematically.5Continuous asset discovery feeds directly into test scoping, validated automatically after every material change.

Q3.To what extent do you conduct red team or purple team exercises to validate detection and response capability?

1No red or purple team exercises. Only vulnerability scanning or basic penetration tests.2A single red team engagement has occurred but it is not part of a recurring program.3Red or purple team exercises are planned annually with defined scope and objectives.4Red and purple team exercises occur at least annually using current threat intelligence with traceable after-action improvements.5Adversary simulation is ongoing and adaptive, scenario design continuously updated by current threat intelligence.

Q4.How well does your testing incorporate social engineering and human-layer attack vectors?

1No social engineering testing of any kind is conducted.2Bulk phishing simulations occur occasionally without a defined schedule or structured follow-through.3Bulk phishing simulations run on a defined schedule with tracked metrics feeding awareness training.4Targeted, scenario-driven social engineering, spear-phishing, pretexting, integrated into adversary simulation exercises.5Targeted social engineering is a standing component of the adversary simulation program, updated each cycle based on threat intelligence.

Q5.How consistently is security testing triggered by business, technology, or threat landscape changes?

1Testing is not triggered by changes. Schedule is fixed regardless of events.2Major changes occasionally prompt informal security review but not formal offensive testing.3A policy exists requiring security testing during significant IT changes, acquisitions, or application launches.4Offensive testing is formally embedded in change management and project approval workflows for all material changes.5Validation is triggered by both internal change events and active threat intelligence monitoring, with a documented stable-period cadence justified by intelligence outputs.

Current position

,/,

T1Technical →T5

Technical,

Governance,

Sections

ARMOR Self-Assessment

Testing Cadence & Scope