Offensive security has a strategic home. A documented strategy connects testing to how the organization understands and manages its own risk, through whatever practices currently exist. The model does not require a specific risk framework or GRC infrastructure. It requires that the connection between offensive security outcomes and risk decision-making is documented, intentional, and evidenced. An executive sponsor is formally engaged. Remediation is SLA-governed.
Outcomes
- A documented strategy exists, reviewed annually, explicitly connecting testing to the organization's risk understanding
- An executive sponsor is formally engaged and accountable, not merely listed as a stakeholder
- Remediation SLAs are defined by severity tier with a formal escalation process for breaches
- Offensive security findings demonstrably inform existing risk management practices and decision-making
- Offensive security requirements are formally embedded in change management and project approval workflows
Actions
1. Develop a written offensive security strategy reflecting the organization's actual risk management practices
2. Identify and engage an executive sponsor with genuine accountability, able to articulate priorities and influence resource allocation
3. Define remediation SLAs by severity tier and establish a formal escalation process
4. Document how offensive security findings reach risk decision-makers and with what expected response
5. Formalize security testing requirements in change management and project approval processes
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- A documented and approved offensive security strategy is current and reviewed annually
- An executive sponsor is engaged on a defined cadence and can articulate program priorities
- Remediation SLAs are consistently applied with a documented escalation process and breach visibility
- Documented evidence exists that findings inform existing risk management practices and decision-making
- Security testing requirements are embedded in change management workflows with evidence of application
Practitioner note
G3 explicitly does not require a formal risk register, a mature GRC program, or a dedicated risk function. It requires that the connection between offensive security and risk decision-making is documented and intentional. The most common G3 failure is nominal executive sponsorship: a name attached to the program with no meaningful accountability behind it.
Moving to G4
Establish a defined reporting cadence to leadership independent of exercise schedules, expand tabletops beyond technical teams, define business unit accountability between cycles, and formally integrate offensive security into governance and risk reporting structures.
Corresponding Technical Practice level
T3 Measured
Organizations often develop these axes at different rates. Compare your position on both.