Testing is no longer reactive. The organization has established a rhythm: assessments happen on a schedule, findings are tracked to closure, and someone owns the process. Coverage is expanding beyond compliance-defined boundaries. The program is predictable and is beginning to build institutional knowledge through trend data.
Outcomes
- Testing occurs on a documented, predictable schedule independent of compliance deadlines
- Asset inventory demonstrably expands beyond compliance-scoped systems, reducing visibility blind spots
- Vulnerabilities are tracked from identification through validated closure, not self-attested
- Basic threat modeling begins to inform scope and scenario selection
- Year-over-year trend data is available to demonstrate program improvement or identify regression
Actions
1. Establish and document a testing cadence, annual at minimum, semi-annual or quarterly preferred, with budget formally assigned
2. Expand the asset inventory beyond compliance-scoped systems to include broader business applications and infrastructure
3. Document inventory expansion at each review cycle so growth in coverage is visible and traceable
4. Implement a remediation workflow using ticketing or project management tooling with ownership and target closure dates
5. Validate remediation through retesting rather than self-attestation
6. Conduct at least one threat modeling session annually to inform scope decisions
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- Testing occurs on its documented schedule, not triggered by external demands
- Asset inventory demonstrably covers systems beyond compliance-defined scope, with expansion documented at each quarterly review
- All findings have an assigned owner, a priority, and a documented path to closure
- Retesting of remediated findings occurs before closure is recorded
- At least one threat modeling session is conducted annually to inform scope decisions
Practitioner note
The most common failure at T2 is tracking without closing. Organizations build remediation workflows and populate them, then watch the backlog grow. The second most common failure is sustaining T1-level inventory scope while claiming T2; coverage expansion must be demonstrable, not just intended.
Moving to T3
Develop a documented offensive security strategy, formally expand testing scope to cloud and third-party environments, define remediation SLAs, and embed security testing into change management workflows.
Corresponding Governance & Integration level
G2 Responsive
Organizations often develop these axes at different rates. Compare your position on both.