This is a draft "security hardness scale", desgigned to somewhat roughly quantify the level of effort of a penetration test -- since simply measuing "how many vulns did you find" is a terrible measurement of success
The scale is similar to the Mohs Hardness Scale in that it's simply an ordinal scale, not an absolute one. That is, the "gap" between 3 and 4 doesn't have to be the same "difficulty increase" as the gap between 5 and 6. It's simply a way of rating that one pentest was "harder" than another. (This is in lieu of being able measuing "hardness" in any truely quantitative way).
| Level | How vulns are found | type of vulns req'd to lead to exploit | level of effort |
|---|---|---|---|
| 1 | trivial poking (e.g. enter ; in a text box causes an error) |
single knowned vuln | minutes |
| 2 | automated scanners (metasploit) find vulns | single knowned vuln | minutes |
| 3 | automated scanners give hints, real vuln requires custom work | single knowned vuln | hours |
| 4 | automated scanners give hints, real vuln requires custom work | single knowned vuln | days |
| 5 | automated scanners give hints, real vuln requires custom work | single knowned vuln | hours |
| 6 | automated scanners give hints, real vuln requires custom work | single knowned vuln | days |
| 7 | no help from automated scanners; custom work required | single knowned vuln | hours |
| 8 | no help from automated scanners; custom work required | single knowned vuln | days |
| 9 | no help from automated scanners; custom work required | chained | days+ |
| 10 | novel engineering required | novel chain, or 0-day | days+ |
| 11 | novel engineering required | multiple novel 0-days | days+ |