A standardized, community-informed Capability Maturity Model to measure, report on, and plan for internal Red Team maturity
Want to hear a short talk about this from BSides LV?
Let's Talk Some
This model mostly applies to internal Red Teams. Consultancies will have some different considerations that aren't addressed here, or things they don't need to worry about that are found in the model.
This model presumes you have a Red Team that is staffed with operators, meaning more than simply a general Offensive Security program or a manager who coordinates 3rd-party assessments.
Except for subjects where lower levels are negative elements (e.g., "The Red Team is not..."), you cannot skip levels without meeting the prior level. This may mean your team is doing Level 5 things, but if it doesn't qualify for Level 4 it cannot claim credit for Level 5 yet.
Unlike other CMMs, some elements in this CMM follow a sliding scale of maturity rather than an additive scale, meaning the higher level replaces the lower level's behaviors rather than adding additional capability on top of the prior level.
Level 1 - Occasional, Not Consistent, Not Planned, Disorganized, One-Size-Fits-All, Basic Technical Capability, No OPSEC Considerations
Level 2 - Intuitive, Not Documented, Occurs Only When Necessary, Inconsistent Manual Processes, Somewhat Effective Capability, Limited OPSEC Considerations