ARMOR

Offensive security outcomes are woven into how the organization understands and manages risk across functions. Leadership receives offensive security metrics on a defined reporting cycle, not only after exercises. Cross-functional tabletop exercises extend beyond technical teams. The signal that an organization has reached G4 is that leadership asks questions about offensive outcomes without being prompted, and business units treat findings as operationally relevant between exercise cycles.

Outcomes

  • Offensive security outcomes are reported to executive leadership on a defined cadence, not only following exercises
  • Cross-functional tabletop exercises are conducted at least annually beyond technical teams
  • Between exercise cycles, business units demonstrate accountability for findings relevant to their functions
  • Resilience metrics are collected, trended, and included in leadership reporting
  • Exercise findings are formally tracked to detection engineering improvements and IR playbook updates

Actions

  1. Establish a defined reporting cadence to executive leadership operating independently of exercise schedules
  2. Expand tabletop exercises beyond technical teams to include business unit leadership, communications, legal, and HR
  3. Define business unit accountability for findings between exercise cycles, not only during tabletops
  4. Build formal processes connecting simulation findings to detection engineering outputs each cycle
  5. Track and report resilience metrics as trend data for leadership evaluation

Sustainment Criteria

All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.

  • Offensive security outcomes are reported to executive leadership on a defined cadence independent of exercise schedules
  • Cross-functional tabletop exercises are conducted at least annually with participants beyond technical teams
  • Evidence exists that business units demonstrate accountability for findings between exercise cycles
  • Resilience metrics are collected, trended, and executives can speak to whether they are improving
  • Each exercise cycle produces traceable detection engineering or IR playbook improvements with verified closure

Practitioner note

The distinction between G3 and G4 is integration between cycles, not just during exercises. A G4 organization has made offensive security outcomes part of how the organization operates day-to-day. Business unit accountability between tabletop cycles is the most concrete test of whether G4 integration is real or nominal.

Moving to G5

Establish board-level reporting as a standing governance function, formalize the PDCA cycle with documented evidence, design enterprise crisis simulations with executive and board participation, and build documented linkages between resilience metrics and investment decisions.

Corresponding Technical Practice level

T4 Offensive

Organizations often develop these axes at different rates. Compare your position on both.
