Offensive security has no organizational home. Testing occurs because something external required it and the results are filed without meaningful follow-through. There is no defined owner, no leadership visibility, and no connection between what testing reveals and how the organization makes decisions.
Outcomes
- A named individual or function is identified as responsible for coordinating offensive security activities
- Test results are documented and retained
- Leadership is informed when assessments are completed
- Critical findings are communicated to relevant operational stakeholders beyond the security team
Actions
- 01 Assign a named owner responsible for coordinating testing, tracking findings, and communicating results
- 02 Establish a basic process for retaining assessment documentation
- 03 Brief IT and business leadership following each assessment
- 04 Connect critical findings to operational priorities so remediation is understood as a business issue
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- A named owner for offensive security coordination exists and is known within the organization
- Assessment documentation is retained and accessible to relevant staff
- Leadership receives a summary of findings after each major assessment
- Critical findings are communicated beyond the security team to relevant operational stakeholders
Practitioner note
G1 is not a stable operating position; it is a starting point. Organizations that remain at G1 while advancing technically are building capability that cannot be leveraged. Test results that reach no one, inform no decisions, and drive no accountability do not improve resilience, regardless of their technical quality.
Moving to G2
Formally document roles and responsibilities, implement a remediation tracking process, establish a defined leadership review cadence, and capture testing ownership in policy or SOPs.
Corresponding Technical Practice level
T1 Ad Hoc
Organizations often develop these axes at different rates. Compare your position on both.