├── Example_Implementations ├── Example_1.xlsx ├── Example_2.xlsx └── README.md ├── LICENSE.txt ├── README.md ├── RedTeam_CMM_V1.csv └── RedTeam_CMM_V1.xlsx /Example_Implementations/Example_1.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BCHarrell/redteamcmm/5b4987639af6273841651dfefd88555aa1e92bb3/Example_Implementations/Example_1.xlsx -------------------------------------------------------------------------------- /Example_Implementations/Example_2.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BCHarrell/redteamcmm/5b4987639af6273841651dfefd88555aa1e92bb3/Example_Implementations/Example_2.xlsx -------------------------------------------------------------------------------- /Example_Implementations/README.md: -------------------------------------------------------------------------------- 1 | # Implementation Examples 2 | These files are **optional** but include variations on the CMM spreadsheet submitted by users. 3 | 4 | Some examples also include provided implementation guidance on the [main website](https://www.redteammaturity.com/implement). 5 | 6 | --- 7 | 8 | # Inventory 9 | 10 | ### Example 1 11 | **Credit:** Brent Harrell 12 | **Implementation guidance on website?** [Yes](https://www.redteammaturity.com/implement#example1) 13 | **Description**: 14 | A workbook with multiple sheets and conditional formatting. Provides category and overall maturity scores based on the most common score from individual scoring. Useful for collaborative discussion to combine individual scores. 15 | 16 | ### Example 2 17 | **Credit:** Jorge Orchilles 18 | **Implementation guidance on website?** No (not yet) 19 | **Description**: 20 | A small revision to the main CMM spreadsheet to include scoring (category and overall) and a notes column. -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Creative Commons Attribution-NonCommercial 4.0 International Public License 2 | 3 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 4 | 5 | Section 1 – Definitions. 6 | 7 | Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 8 | Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 9 | Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 10 | Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 11 | Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 12 | Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 13 | Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 14 | Licensor means the individual(s) or entity(ies) granting rights under this Public License. 15 | NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange. 16 | Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 17 | Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 18 | You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. 19 | 20 | Section 2 – Scope. 21 | 22 | License grant. 23 | Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 24 | reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and 25 | produce, reproduce, and Share Adapted Material for NonCommercial purposes only. 26 | Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 27 | Term. The term of this Public License is specified in Section 6(a). 28 | Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 29 | Downstream recipients. 30 | Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 31 | No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 32 | No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 33 | 34 | Other rights. 35 | Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 36 | Patent and trademark rights are not licensed under this Public License. 37 | To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes. 38 | 39 | Section 3 – License Conditions. 40 | 41 | Your exercise of the Licensed Rights is expressly made subject to the following conditions. 42 | 43 | Attribution. 44 | 45 | If You Share the Licensed Material (including in modified form), You must: 46 | retain the following if it is supplied by the Licensor with the Licensed Material: 47 | identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); 48 | a copyright notice; 49 | a notice that refers to this Public License; 50 | a notice that refers to the disclaimer of warranties; 51 | a URI or hyperlink to the Licensed Material to the extent reasonably practicable; 52 | indicate if You modified the Licensed Material and retain an indication of any previous modifications; and 53 | indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. 54 | You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 55 | If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 56 | If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License. 57 | 58 | Section 4 – Sui Generis Database Rights. 59 | 60 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: 61 | 62 | for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only; 63 | if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and 64 | You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 65 | 66 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. 67 | 68 | Section 5 – Disclaimer of Warranties and Limitation of Liability. 69 | 70 | Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. 71 | To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. 72 | 73 | The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. 74 | 75 | Section 6 – Term and Termination. 76 | 77 | This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. 78 | 79 | Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: 80 | automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 81 | upon express reinstatement by the Licensor. 82 | For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. 83 | For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. 84 | Sections 1, 5, 6, 7, and 8 survive termination of this Public License. 85 | 86 | Section 7 – Other Terms and Conditions. 87 | 88 | The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. 89 | Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. 90 | 91 | Section 8 – Interpretation. 92 | 93 | For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. 94 | To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. 95 | No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. 96 | Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. 97 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Red Team Capability Maturity Model 2 | 3 | This GitHub is primarily for managing community input and also provides the CMM in two file formats - Excel, if you trust me and want some formatting already done for you; and CSV, if you want to do some formatting yourself and think I'm sketchy. For the full model in your browser and other supporting information, see [the project website](https://www.redteammaturity.com). 4 | 5 | Inside the Example_Implementations folder are variations on the base spreadsheet submitted by the community. See the README for an inventory of examples, credits, and a brief synopsis of each. Some of these examples are also further detailed on the [main site](https://www.redteammaturity.com/implement) 6 | 7 | # Here to Contribute? 8 | 9 | Thanks for participating! Please submit a feature request with your suggested changes after reading the guidance below. 10 | 11 | 1. Read through the level descriptors included with the CMM and align your modifications to those descriptors. If you think a descriptor is missing but is needed to address your change, you can suggest that, too! Just make sure you provide descriptors at all five levels. 12 | 13 | 2. Think broadly. I'm sure we all have unique cases that are missing from this model, but we want to ensure people from various organizations at various levels of maturity can still leverage the model. 14 | 15 | 3. Include rationale for the change. Changes without rationale won't receive much attention, we want to know why you believe this helps improve the model for everyone. 16 | 17 | # License 18 | This material is licensed under the Creative Commons Attribution-NonCommercial 4.0 International license. So feel free to copy and modify with attribution, but no selling this. -------------------------------------------------------------------------------- /RedTeam_CMM_V1.csv: -------------------------------------------------------------------------------- 1 | Category,Subject,Level 1 (Initial),Level 2 (Repeatable),Level 3 (Defined),Level 4 (Managed / Capable),Level 5 (Optimized), 2 | Processes,,,,,,, 3 | ,Continuous Improvement,The Red Team operates as individuals and might take notes to facilitate improvement,The Red Team is goal driven and reflects on their progress by holding retrospectives only after major operations; the Red Team has a general understanding of team gaps and informal plans to address them ,The Red Team holds regular retrospectives on an identified cadence which are inclusive of activities beyond operations; the Red Team has a defined roadmap to address improvement and operational targets,"Metrics are in place to track improvement and progress toward roadmap objectives; improvement items are sometimes achieved, and work items are created based on findings and objectives",The Red Team regularly discusses opportunities and uniformly decides to stay the course or pivot; retrospectives consistently deliver process/operational improvements; the Red Team roadmap is considered during organizational planning, 4 | ,Knowledgebase,The Red Team holds working sessions to share knowledge as needs arise,The Red Team has temporary or unorganized notes in various locations or mediums,"The Red Team has a common, secured knowledgebase that is irregularly updated","The Red Team has a common, secured knowledge base that has undergone review and addresses most frequent needs","The Red Team has a common, secured knowledge base that undergoes regular review for utility and is routinely updated as part of any actions the Red Team takes", 5 | ,Work Management,The Red Team operates on different objectives at will,The Red Team understands operational and improvement objectives but there is no mechanism for accountability and tracking if it is not done in the near term,The Red Team has a roadmap of current and future work in a distributed tool; leadership is responsible for accountability,The Red Team manages work with a platform specifically designed for work management; the team has understood measures for work items; and the Red Team is accountable within itself on achieving objectives without leadership oversight,Red Team members have a strong understanding of other activity occurring within the Red Team to lend support or surge in key areas; the work management platform is successfully utilized to allow self-direction from a commonly understood backlog, 6 | ,Operational Planning and Selection,Operation objectives are selected by individual interest or urgent need; planning may not include input from the whole team; operations are planned within a few weeks of commencement,"Operations target major services, infrastructure, or offerings of the organization",Operations leverage Cyber Threat Intelligence to derive objectives and are planned out at least one quarter; the Red Team has a defined intake process for suggestions and operational needs,"Operations draw from Cyber Threat Intelligence, responders, hunters, and engineering/architecture teams' concerns; operations are planned for 2+ quarters","Operations are based on objective criteria that consider business needs, threat intelligence, criticality, and/or other organizationally defined measures; unscheduled operations can be added ad hoc to address urgent issues without impacting other deliverables", 7 | ,Operational Approvals,"Red Team operations are approved only by the first-line Red Team leader without executive leadership knowledge; OR higher level leadership (VP, CISO, etc. - organization dependent) is involved in approval for most Red Team operational aspects","Operations are socialized with the leadership directly above the Red Team; OR Red Team approvals require individual, executive approval for operations","The Red Team can conduct some operations, like Purple Teams, with standing executive leadership approval",Red Team approvals are limited to the minimum number of parties required for coverage,"The Red Team has standard rules of engagement that are fully understood by executive leadership and legal, enabling continuous operations without individual approval requirements", 8 | ,Operational Documentation,The Red Team has a rough set of personal notes related to operational activities,"The only detailed logs for documentation are from automated tools, like automated logging from a C2 platform",Red Team actions are documented/logged in detail manually or with exports from tools,Red Team actions are documented/logged in a central location with some automation,Red Team actions are documented/logged in a central location and automated reporting of IOCs and behavior is available, 9 | ,Operation Reporting,The Red Team does not share operation details beyond the responsible risk owner; findings are possibly informally shared with defensive teams,The Red Team distributes findings to a static list of identified individuals,The Red Team has a reporting structure that includes a core list of stakeholders in a known template; products are semi-formal and not internally reviewed,The Red Team identifies additional stakeholders based on operational parameters; products are reviewed for quality,The Red Team has a regular reporting schedule for core and ad hoc stakeholders, 10 | ,Configuration Management,"The Red Team uses an inconsistent location for source code, infrastructure configurations, documentation, or tools","The Red Team leverages a shared location, without version control, to house source code, infrastructure configurations, documentation, or tools","The Red Team uses an industry-standard code repository for source code, infrastructure configuration files, and these items are versioned","The Red Team uses merge and pull requests, or similar, prior to changing known-good versions",The Red Team leverages automated CI/CD actions to expedite delivery and maintain quality of products, 11 | ,Resource Management,"Resources like licenses, accounts, or domains are only tracked upon reminder of expiration or renewal needs; ownership is dispersed across multiple people",One person tracks resources; knowledge not available to the entire Red Team,"Resources are centrally tracked, understood, and reviewed as needed by the Red Team; Red Team account passwords are secured",Recurring expenses or other resources are reviewed quarterly for need or expiration,Tracking methods provide alerts or other easily identifiable information to indicate actions needed in the next thirty days, 12 | Technology,,,,,,, 13 | ,Tooling,The Red Team primarily uses off the shelf tooling and/or basic custom scripts; not all operational needs are met by tooling,"The Red Team has modified, or can modify, tooling; C2 frameworks are current and capable of meeting operational needs",The Red Team's tools accomplish primary operational use cases,Custom or other tools accomplish the majority of operational needs; tools support automation or scaled execution of routine tasks,Custom or other tools accomplish all operational requirements and the Red Team uses a custom C2 framework when operationally relevant, 14 | ,Infrastructure,"The Red Team uses on-network, corporate workstations to conduct operations; infrastructure does not account for OPSEC","The Red Team uses a single set of externally accessed, static infrastructure for operations; infrastructure is manually set up per operation with inconsistent configuration; infrastructure accounts for minimal OPSEC considerations",The Red Team's infrastructure deployment is well documented to expedite manual configuration; infrastructure configuration accounts for best practice OPSEC concerns,The Red Team leverages automated deployments for infrastructure; Red Team infrastructure security is self-assessed,"The Red Team's infrastructure is easily customized; infrastructure configuration accounts for advanced OPSEC concerns and undergoes a third-party assessment (another team, whether internal or external to the organization); the Red Team uses operational variety in C2 channels", 15 | ,Test Environment,"The Red Team uses disparate configurations in a test environment, such as different VM configurations or dates for AV signatures","The Red Team has a consistent, but minimally customized, test environment","The Red Team's test environment is representative of the target organization's endpoint security tools (e.g. EDR, Domain Policies)","The Red Team's test environment matches the target organization's larger security stack, like configurations or other services, and deployment is automated if managed within the team",The organization maintains a separate test environment for collaborative operations that can be reconfigured to test different elements of the technology stack without affecting production, 16 | People,,,,,,, 17 | ,"Relationships with Responders (SOC, IR, Physical etc.)","Inconsistent and occasional interaction without identified points of contact, such as after operation activity is detected","Unscheduled interactions but with identified points of contact; subsets of the teams converse and share knowledge (e.g., manager to manager or individual contributor to individual contributor)); there's a general understanding of deconfliction processes","Responders identified and leveraged as stakeholders for the Red Team, and the Red Team has a documented deconfliction process; response teams and Red Team meet on a recurring, scheduled basis to discuss operational needs or other relevant topics, like metrics or collaborative goals ","The teams have scheduled interactions to share knowledge and build camaraderie; deconfliction efforts are well managed with regard to points of contact, communication mediums, and roles and responsibilities",Red Team understands and leverages response teams' concerns when planning operations; strong individual relationships facilitate frequent and unscheduled knowledge sharing and improvement, 18 | ,"Relationships with Engineering Teams (Enterprise/endpoint/server architecture and engineering, detection engineering, etc.)","Inconsistent and occasional interaction without identified points of contact, such as intermittent SME-based questions","Unscheduled interactions but with identified points of contact; subsets of the teams converse and share knowledge (e.g., manager to manager or individual contributor to individual contributor)",SMEs identified on most relevant engineering teams to aid in operations; engineering teams receive appropriate Red Team reporting for their respective areas,"Engineering teams and Red Team meet on a recurring, scheduled basis to discuss pending changes to the environment; the teams have scheduled interactions to share knowledge and build camaraderie",Red Team operations impact engineering and architecture decisions during planning or before implementation is complete; strong individual relationships facilitate frequent and unscheduled knowledge sharing and improvement, 19 | ,Relationship with Cyber Threat Intelligence,"Inconsistent and occasional interaction without identified points of contact, such as recent news articles related to breaches at other organizations","Unscheduled interactions but with identified points of contact; subsets of the teams converse and share knowledge (e.g., manager to manager or individual contributor to individual contributor)",The Red Team receives timely reporting from Cyber Threat Intelligence related to current threats to the organization or industry,"Red Team and Cyber Threat Intelligence share information on a recurring, scheduled basis, such as assorted TTPs currently observed in the wild, and this information informs Red Team operations, techniques, or procedures; the teams have scheduled interactions to share knowledge and build camaraderie",The teams collaboratively create adversary emulation operation plans and objectives to accurately emulate selected threat actors; strong individual relationships facilitate frequent and unscheduled knowledge sharing and improvement, 20 | ,Relationship with Legal,"Inconsistent and occasional interaction, such as asking targeted questions about a particular situation","Legal is advised, and provides counsel, on operational rules of engagements during planning",Red Team seeks recurring training from Legal on privilege or other legal matters related to Red Team operations,The Red Team proactively incorporates prior Legal counsel or input into its rules of engagement or future operational practices,The Legal team is considered a strong partner for operations and can be sought to provide ad hoc legal advice during ongoing operations, 21 | ,"Relationship with Governance, Risk, and Compliance (GRC)",Red Team findings are communicated to risk owners but don't align to organizational definitions,Red Team findings are tracked by remediation teams but only informally communicated with the risk management team,Red Team and GRC meet on a recurring basis to align definitions on impact and risk ratings,Red Team is a stakeholder in crafting the organization's risk definitions,GRC and Red Team routinely discuss organizational risks and use these discussions to drive operations, 22 | ,Relationship with Human Resources (HR),The Red Team doesn't consistently engage HR on matters the team believes may have HR implications,"HR partners are advised, and provides counsel, on operational rules of engagements during planning",Operational situations that have HR implications requiring consultation are clearly identified and documented,HR is included in operational after-action reports and treated as an operational stakeholder if consulted during operations,Identified points of contact on the HR team are considered strong partners for operations and can be sought to provide ad hoc advice during ongoing operations, 23 | ,"Relationships with Leadership (Security, IT, Engineering, Corporate)","Inconsistent and occasional interaction, such as leadership not attending readouts consistently",Segment and security leadership receive operational readouts scheduled by the Red Team; Red Team mission not fully understood,"Segment and security leadership receive operational readouts, scheduled in advance; Red Team mission understood; leadership reactively engages the Red Team for support based on existing interactions","The Red Team has recurring, scheduled time with security and organizational leadership for topics outside of operation findings; leadership supports organization-wide efforts to enhance the value of testing; the Red Team seeks out and understands leadership's concerns to formulate operations",The Red Team has consistently demonstrated value and impact resulting in leadership at segment or security levels actively engaging Red Team to influence organization decisions, 24 | ,Knowledge of Business and Technical Environment,The Red Team knows which defensive tools are in place,"The Red Team has tribal knowledge gained over time of defensive tools, software, services, and business processes","The Red Team has documented registers of software, services, and key personnel in the organization",SMEs from other teams validate a register of software and services in the environment,"The Red Team is included in meetings discussing major technology changes that affect the organization's security posture, such as changing EDR vendors or acquiring subsidiaries whose networks will be merged", 25 | ,Operational Capability,Operations are a mix of third party and internal efforts due to operational knowledge deficiencies,Red Team tactics applied without prioritization of Red Team OPSEC; internal capabilities limited to common TTPs,"The Red Team modifies common TTPs to address operation needs; the Red Team collectively has deep knowledge of common software / services / technologies, such as Active Directory or a CSP in use; the Red Team has identified specializations aligned to operation phases or needs",Red Team operations often result in noteworthy findings based on operation objectives; the Red Team is well versed / highly skilled in defense evasion tactics; Red Team has expertise in less common technologies present in the environment; Red Team specialists are considered SMEs in their operational focuses,"The Red Team has resiliency to achieve operational goals despite setbacks; the Red Team can vary tradecraft and technology to match operational or Cyber Threat Intelligence requirements; the Red Team has the staffing, support, and resources necessary to continuously respond to offensive testing needs", 26 | ,Development Capability,The Red Team employs basic scripting knowledge,"The Red Team creates some custom solutions beyond basic scripts with no formal development processes, such as source control or code style guides","The Red Team develops new implementations of common TTPs to avoid signature detection; code adheres to basic tenets of development, source is controlled","The Red Team creates custom solutions to address operation needs, such as stage 0s or implants; source code undergoes some automated checks for style or errors; code undergoes unit and functional testing","The Red Team develops advanced tooling, including custom C2 frameworks, to address operational needs; the team has an automated CI (and CD, if needed) pipeline; the team has dedicated developers", 27 | ,Training + Skill Development,Training or development opportunities are infrequently sought on a team or individual level; time for training or development is not consistently available,Time is provided to fill immediate knowledge gaps or maintain existing certifications; the team has de facto team roles; seniority levels are generally understood,General Red Team needs are identified at most semi-annually; funding and time set aside for selected courses or research opportunities; team roles and seniority levels are well defined,Training and development plans are based on individual needs drawn from skills assessments (individual or team); team knowledge gaps addressed periodically,Team members are encouraged and supported in identifying individual research opportunities to improve themselves and the team; internal Red Team training available for new or junior Red Team members, 28 | Program,,,,,,, 29 | ,Red Team Product Lines,The Red Team is not fully distinguished from other offensive testing,The Red Team conducts a consistent mix of overt and covert operations to address different needs,"In addition to operations, the Red Team provides predictive (adversarial) analysis to architecture reviews, table top exercises, or other defensive needs",Prior Red Team operations or TTPs can be run on-demand by defensive teams,The Red Team is responsive to business needs in developing unique and/or advanced service offerings, 30 | ,Strategy,The Red Team understands immediate needs but not enough to drive long term planning; operational planning is done within the current month; key relationships not understood,"The Red Team has an established vision, mission, and/or charter and has taken steps to identify needs for the next operation in advance; the Red Team has points of contact for key stakeholders","The Red Team has a documented roadmap extending at least two quarters that identifies, and plans to address, deficiencies related to technology, people, or processes; this roadmap is well understood by stakeholders and is aligned to business objectives",The Red Team has short and long term objectives and tracks progress via identified and socialized metrics,Red Team strategy influences greater organization decisions and objectives and overall security posture, 31 | ,Metrics,"The Red Team only anecdotally tracks basic information on operations, such as overall duration or number executed","The Red Team tracks basic facts about work items, such as number of findings from operations",The Red Team has defined KPI/KRIs that are evaluated quarterly; KPIs/KRIs are reported internally,KPIs/KRIs tracked at the organization level; Red Team metrics and objectives relate to and inform blue team metrics,Data sources tracking metrics are fed into an automated business intelligence platform, 32 | ,Knowledge Sharing,The Red Team shares operational knowledge within the Red Team and occasionally with blue team partners on high severity issues,The Red Team occasionally shares operational knowledge with the broader organization (other segments or the greater security population) on a periodic basis,The Red Team routinely shares operational knowledge at different levels of the organization; the Red Team contributes to operationally relevant open source projects,The Red Team pursues and obtains public speaking engagements; the Red Team has continuous industry engagement,The Red Team is recognized as industry contributors and features at security conferences and/or has publicly shared a tool / a TTP / knowledge that is widely adopted, 33 | ,,,,,,, 34 | -------------------------------------------------------------------------------- /RedTeam_CMM_V1.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BCHarrell/redteamcmm/5b4987639af6273841651dfefd88555aa1e92bb3/RedTeam_CMM_V1.xlsx --------------------------------------------------------------------------------