This is a draft "security hardness scale", designed to roughly quantify the level of effort required for a penetration test, since simply measuring "how many vulns did you find" is a terrible measure of success: a hardened target that yields one finding after a week of work is not a worse result than a soft target that yields twenty in an afternoon.

The scale is similar to the Mohs hardness scale in that it is an ordinal scale, not an absolute one. That is, the "gap" between 3 and 4 does not have to be the same "difficulty increase" as the gap between 5 and 6. It is simply a way of saying that one pentest was "harder" than another, in lieu of being able to measure "hardness" in any truly quantitative way. One consequence of being ordinal is that levels should be compared and ranked, not averaged or summed across engagements.
Level | How vulns are found | Type of vuln(s) required to reach exploitation | Level of effort
---|---|---|---
1 | trivial poking (e.g. entering `;` in a text box causes an error) | single known vuln | minutes
2 | automated scanners / exploit frameworks (e.g. Metasploit) find and exploit the vuln | single known vuln | minutes
3 | automated scanners give hints; the real vuln requires custom work | single known vuln | hours
4 | automated scanners give hints; the real vuln requires custom work | single known vuln | days
5 | automated scanners give hints; the real vuln requires custom work | single known vuln | hours
6 | automated scanners give hints; the real vuln requires custom work | single known vuln | days
7 | no help from automated scanners; custom work required | single known vuln | hours
8 | no help from automated scanners; custom work required | single known vuln | days
9 | no help from automated scanners; custom work required | chained vulns | days+
10 | novel engineering required | novel chain, or a 0-day | days+
11 | novel engineering required | multiple novel 0-days | days+