Red Team Maturity Model Primer
A short introduction to the Red Team Maturity Model released to the community
Dec 31, 2022
Preamble
As I sought to build a Red Team at a prior company, I realized we needed a way to plot our path. But, almost as importantly, we also needed a way to communicate our goals and progress with leadership to build continued support and trust. That led to the creation of the Red Team Maturity Model, found here or on my GitHub, to fill a gap in resources in this area.
The CMM website has a much longer release blog covering how the model was made and some of the additional reasons; I recommend reading that or the implementation notes if you’d like to know more. You can also check out a presentation at BSides Las Vegas if you prefer more of a discussion.
For this venue, I’ll stick with a few high points and future plans.
The Background (in brief)
I first discovered an existing model created by a few Red Teamers at various consultancies and companies. This was a great starting point, but as we sought to implement it on the team, it became apparent it wasn’t quite what was needed. One of the main goals of that model was simplicity, and they captured that well. The difficulty came into play when trying to plot maturity waypoints across complex topics, and in the communication of those results to leadership.
In that model, level three was the highest level. For all other standard maturity models in various fields, it’s a five-point scale. That led to a communication mismatch with our leadership, who saw three as virtually expected in some core areas despite being the maximum on that model.
The subjects also did not align across all of the levels, so something that appeared in level one might not appear again, or not again until level three. Typically, these models account for each subject at all five levels of maturity, folding in documentation, metrics, and feedback loops as you reach the upper echelons of maturity in a given area.
In summary, that led to the creation of a standard-format model that would allow full tracking across subjects and an easily communicated status and roadmap to leaders.
The Future
The model wasn’t created in a vacuum, and there were several teams involved in the editing process. I really want this to be an enduring community resource that evolves as the field does. That doesn’t mean it will see quarterly or even yearly updates - part of the purpose is long-term planning, and you can’t do that on shifting sands - but it will continue to see refinement in language and content.
I’ve already identified a few areas that could use a little tweaking, particularly in how the Red Team relates to other teams. That will be a small update after some time passes to continue to collect data.
I also plan to put together a team to write an addendum for consultancies along with (possibly) instructions on how a company can or should evaluate a third-party red team. As things currently stand, the model applies best to internal teams.
TL;DR
Red Teams generate data. To generate data the Red Team needs to get gud. To get gud, the team needs a roadmap. And when they’re gud, they communicate well with leaders. The Red Team Maturity Model helps teams do exactly that.