4.2 AppSec ADR maturity model
| Stage | Activities | Configurations | Evidence / How to prove it |
|---|---|---|---|
| Level 1 | ADR deployed on Tier 0 (critical) applications | Agent installed, Monitor mode active | ADR console shows Tier 0 apps with active agents |
| Level 1 | Application metadata is complete (owner, tier, environment) | Metadata fields populated per 3.2 | ADR console export showing populated fields |
| Level 1 | Naming conventions aligned with SOC | Application names match CMDB / SOC convention | Cross-reference check with SOC (3.2 #1) |
| Level 1 | Vulnerability findings are triaged and ticketed | Integration with ticketing system (Jira, etc.) | Ticket backlog shows ADR-sourced findings |
| Level 2 | ADR deployed on Tier 0 and Tier 1 applications | Expanded agent deployment | ADR console shows Tier 0 + Tier 1 coverage |
| Level 2 | Block Mode enabled for high-confidence rules on Tier 0 apps | Policy configured per 3.5 rollout approach | ADR policy export showing Block rules per app |
| Level 2 | False positive rate is tracked and managed | Exception rules documented with rationale | FP rate metric; exception log with dates and reasons |
| Level 2 | Regular (monthly) review of alert quality with SOC | Scheduled recurring meeting | Meeting notes/action items from the last 3 reviews |
| Level 2 | Actively exploited vulnerabilities are reprioritized above backlog items | Process to escalate exploited vulnerabilities | Ticket priority changed based on ADR exploit data |
| Level 3 | ADR deployed across all application tiers | Full portfolio coverage | ADR console: coverage report vs. application inventory |
| Level 3 | Block Mode enabled broadly with low false-positive rate | Block policies validated across tiers | Block Mode coverage %; FP rate below the defined threshold |
| Level 3 | Mean Time to Remediate (MTTR) for ADR-discovered vulnerabilities is tracked and improving | Metric calculation per 4.3 | Trend report showing MTTR over time |
| Level 3 | AppSec provides proactive guidance to Engineering based on ADR attack trends | Structured report or briefing | Evidence of trend-based guidance shared with Engineering |
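The coverage, Block Mode and false-positive evidence in the table can be checked mechanically against an application inventory. The script below is an added example, not part of the source document or any ADR vendor's tooling; the export row shape, the inventory dictionary and the FP threshold are assumptions, and the data is constructed.

```python
# Added example: score ADR console export data against the coverage-related
# criteria of the maturity model. Rows that need human evidence (metadata
# completeness, SOC reviews, trend briefings) are deliberately left out.
from dataclasses import dataclass


@dataclass
class AppRecord:
    """One row of an ADR console export (assumed shape, not a vendor format)."""
    name: str
    tier: int            # 0 = critical, 1, 2 ...
    agent_active: bool
    block_mode: bool     # at least one high-confidence rule in Block Mode


# Constructed sample data; a real run would load a console export and a CMDB dump.
INVENTORY = {"payments-api": 0, "auth-svc": 0, "orders-web": 1, "reports": 2}
CONSOLE = [
    AppRecord("payments-api", 0, True, True),
    AppRecord("auth-svc", 0, True, True),
    AppRecord("orders-web", 1, True, False),
]


def coverage(inventory, console, tiers, attr="agent_active"):
    """Fraction of inventory apps in `tiers` whose console row has `attr` set."""
    wanted = [n for n, t in inventory.items() if t in tiers]
    if not wanted:
        return 1.0
    covered = {r.name for r in console if getattr(r, attr)}
    return sum(1 for n in wanted if n in covered) / len(wanted)


def fp_rate(alerts_total, alerts_false_positive):
    return alerts_false_positive / alerts_total if alerts_total else 0.0


def maturity_level(inventory, console, fp, fp_threshold=0.10):
    """Highest level whose coverage/Block Mode/FP criteria are fully met."""
    level = 0
    if coverage(inventory, console, {0}) == 1.0:
        level = 1                       # Tier 0 agents active (Level 1)
    if level == 1 and coverage(inventory, console, {0, 1}) == 1.0 \
            and coverage(inventory, console, {0}, "block_mode") == 1.0:
        level = 2                       # Tier 0+1 coverage, Tier 0 blocking
    if level == 2 and coverage(inventory, console, set(inventory.values())) == 1.0 \
            and fp <= fp_threshold:
        level = 3                       # full portfolio, FP under threshold
    return level
```

In the sample data the Tier 2 app `reports` has no agent, so the portfolio is held at Level 2 even though the FP rate would pass the Level 3 threshold.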