The program moves beyond finding vulnerabilities to measuring whether the organization can detect, respond to, and recover from realistic adversarial behavior. Red and purple team exercises, adversary simulations, and structured tabletop exercises are in place. Targeted social engineering tests human and process resilience. Resilience metrics are collected and used to evaluate program effectiveness. How activities are resourced (internal staff, retained partners, managed services, or automated platforms) is an organizational decision.
Outcomes
- Red and purple team exercises are conducted at least annually with defined scope and documented after-action outcomes
- Adversary simulations incorporate realistic attack paths informed by current threat intelligence
- Targeted social engineering (scenario-driven, spear-phishing style) is integrated into adversary simulation
- Structured tabletop exercises validate coordination, escalation, and communication between security, IT, and management
- Resilience metrics (MTTD, MTTR, detection coverage) are collected for critical systems and tracked over time
- Findings from exercises produce traceable improvements to detection engineering and IR playbooks within the current exercise cycle
Actions
1. Develop a red and purple team testing plan; internal staff, retained third parties, managed services, and BAS platforms all satisfy this requirement
2. Integrate current threat intelligence into adversary simulation scenario design
3. Design targeted social engineering scenarios (spear-phishing, pretexting) reflecting realistic attack paths
4. Measure and document detection and containment performance during exercises
5. Conduct after-action reviews and translate findings into detection engineering outputs within the current cycle
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- Red or purple team exercises occur at least annually with documented after-action review and tracked improvement closure
- Adversary simulations demonstrably incorporate current threat intelligence updated each cycle
- Targeted social engineering assessments are conducted at least annually as part of adversary simulation
- At least one structured tabletop exercise is completed annually with documented improvement actions
- Resilience metrics are collected for at least each critical asset class and tracked over time
- Exercise findings have produced traceable detection engineering or IR playbook improvements within the current or immediately preceding cycle
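The resilience metrics named above (MTTD, MTTR, detection coverage) are only useful for sustainment if they are computed per critical asset class and compared across exercise cycles. The following is an added example, not part of this maturity model, of how to derive those metrics from purple team exercise records and flag asset classes that regressed between cycles; the record layout, the sample data, and the choice to measure MTTR from first detection to containment are assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

@dataclass
class ExerciseEvent:
    cycle: str                  # exercise cycle identifier, e.g. "2024-H1"
    asset_class: str            # critical asset class the simulated action targeted
    action_ts: float            # minutes: when the simulated adversary action ran
    detect_ts: Optional[float]  # minutes: first defender alert/triage; None = never detected
    contain_ts: Optional[float] # minutes: containment complete; None = not contained

# Constructed sample records for two exercise cycles (hypothetical, not from the page).
EVENTS = [
    ExerciseEvent("2024-H1", "identity", 0, 45, 120),
    ExerciseEvent("2024-H1", "identity", 0, None, None),   # missed entirely
    ExerciseEvent("2024-H1", "workloads", 0, 30, 90),
    ExerciseEvent("2024-H2", "identity", 0, 20, 60),
    ExerciseEvent("2024-H2", "identity", 0, 35, 80),
    ExerciseEvent("2024-H2", "workloads", 0, 50, 200),
]

def resilience_metrics(events):
    """Return {(cycle, asset_class): {"n", "coverage", "mttd", "mttr"}}.
    coverage = share of simulated actions that produced a detection;
    mttd = action -> first detection; mttr (assumed) = detection -> containment."""
    groups = {}
    for e in events:
        groups.setdefault((e.cycle, e.asset_class), []).append(e)
    out = {}
    for key, evs in groups.items():
        detected = [e for e in evs if e.detect_ts is not None]
        contained = [e for e in detected if e.contain_ts is not None]
        out[key] = {
            "n": len(evs),
            "coverage": len(detected) / len(evs),
            "mttd": mean(e.detect_ts - e.action_ts for e in detected) if detected else None,
            "mttr": mean(e.contain_ts - e.detect_ts for e in contained) if contained else None,
        }
    return out

def regressions(metrics, prev_cycle, cur_cycle):
    """Asset classes whose coverage dropped or whose MTTD/MTTR grew since the previous cycle."""
    worse = {}
    for ac in sorted({ac for (c, ac) in metrics if c == cur_cycle}):
        p, q = metrics.get((prev_cycle, ac)), metrics[(cur_cycle, ac)]
        if p is None:
            continue  # new asset class; nothing to compare against yet
        flags = ["coverage"] if q["coverage"] < p["coverage"] else []
        flags += [m for m in ("mttd", "mttr")
                  if p[m] is not None and q[m] is not None and q[m] > p[m]]
        if flags:
            worse[ac] = flags
    return worse
```

Feeding each cycle's after-action records through `regressions` gives the sustainment reviewer a concrete list of asset classes whose detection or containment performance degraded, which is what "tracked over time" has to mean in practice.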
Practitioner note
T4 is explicitly agnostic on delivery mechanism. Targeted social engineering belongs at T4 rather than T3 because its value is realized through integration with adversary simulation scenarios: spear-phishing and pretexting exercises test process resilience and organizational response, not just click rates.
Moving to T5
Deploy continuous validation tooling, establish a threat intelligence monitoring function, define a minimum validation cadence justified by threat intelligence, and formalize a PDCA cycle connecting validation outcomes to program improvement.
Corresponding Governance & Integration level
G4 Integrated
Organizations often develop these axes at different rates. Compare your position on both.