Adversarial Testing Lead

Job Family: JF-RISKOPS — Risk Operations Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: Adversarial Testing Lead (CERG-GOV-OM-001 §6.1)

1. Role Summary

The Adversarial Testing Lead operates the Adversarial Validation Procedure. They own the penetration testing, red team, and purple team programs. They think like an adversary to find the paths that scanners miss, then translate those findings into actionable remediation that Engineering and IT teams can act on.

2. NICE Workforce Framework Mapping

NICE Work Role Definition: See JF-002 for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

3. Job Family & Level Placement

4. Key Responsibilities

4.1 Core Responsibilities (All Grades)

• Plan, execute, and report on internal penetration tests across IT, cloud, and OT environments - Design and execute red team exercises: objective-based adversary simulation testing detection and response capabilities - Run purple team exercises: collaborative testing with the Detection Engineer to validate and improve detection coverage - Document findings with clear attack paths, evidence, severity ratings, and actionable remediation guidance - Track finding remediation and verify closure through retesting - Maintain the offensive security tooling and lab environment - Coordinate external penetration testing and red team engagements when external providers are used - Contribute threat-emulation scenarios to detection engineering - Provide adversary-perspective input to threat modeling and architecture review

4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in JA-001 §7 (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in CERG-GOV-JA-001 §4-5. Behavioral anchors at each grade are in CMP-001.

5. Required Knowledge, Skills, and Abilities (KSAs)

5.1 Domain Expertise

• Deep expertise in offensive security: network penetration testing, web application testing, cloud security testing, and social engineering - Red team operations: C2 frameworks (Cobalt Strike, Mythic, Sliver), evasion techniques, operational security - Active Directory attack paths and modern Windows enterprise attack techniques - Cloud penetration testing across AWS, Azure, and/or GCP - OT/ICS security testing awareness (if the organization has OT) - Strong written communication: penetration test reports are read by engineers, executives, and possibly regulators - Relevant certifications: OSCP, OSCE, GPEN, GXPN, CREST, or equivalent

5.2 Technical Skills

Technical skills for this role are documented in the original JD-001 content extracted into this file (see §5.1 Domain Expertise). Additional technical skill definitions aligned to NICE Skill Statements are maintained in JF-002.

5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in OM-001 §6 (Canonical Role Roster) and RAC-001 §7 (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [PD-WRL-007 — Adversarial Testing Lead primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

Full TKS Reference: The complete TKS statement set for the primary NICE Work Role (PR-VAM-001 → PD-WRL-007) is in the NICE Framework Components v2.2.0 dataset (download). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

7. Typical Qualifications

7.1 Education

• 5-12+ years in cybersecurity, with 3+ years in offensive security - Bachelor’s degree or equivalent experience - One or more advanced offensive security certifications required

7.2 Certifications

Certifications for this role are defined in TRN-001 §3 (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

7.3 Experience

Typical experience ranges by grade are defined in JA-001 §4-5. See §7.1 (Education) above for education requirements.

8. Key Performance Indicators (KPIs)

KPIs for this role are defined in MTR-001 (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in PERF-001. Each role’s evaluation criteria are embedded in the per-role JD document structure defined by JF-001.

9. Competency Expectations by Grade

Competency expectations for this role follow the Risk pillar behavioral anchors from CERG-GOV-CMP-001. Each cell describes observable behavior demonstrating the competency at that grade. Anchors are cumulative: an L3 expectation includes the L1 and L2 anchors.

Full Reference: See CERG-GOV-CMP-001 for the complete competency model, including the Management Track addendum (§7) and guidance on using the model for hiring, development, and promotion (§8).

10. Success Profile

An Adversarial Testing Lead is successful when the organization understands its real-world security posture through validated attack simulation. Key indicators: every test has a clear scope, approved rules of engagement, and a structured findings report; findings are reproducible and include validated exploitation paths; remediation verification testing confirms fixes are effective; the test calendar covers all in-scope systems on a risk-prioritized schedule. The lead ensures that testing is a learning tool for the defense team, not a gotcha exercise.

11. Career Path

11.1 Within-Family Progression

Within JF-RISKOPS, this lead role can progress on either a management path or a senior SME path depending on organizational scale. In larger teams, progression usually runs through M1 Manager to M3 Principal Manager as the role gains team leadership, KPI ownership, budget input, and cross-functional delivery scope. In smaller teams, the same title may operate as an S3-S4 expert lead, with progression shown through authoritative risk analysis, procedure ownership, measurable exposure reduction, and influence on CISO-level risk decisions. See JF-001 §9.2 and JA-001 §7.3.

11.2 Cross-Family Movement

Cross-family movement options are defined in the Family-to-Family Career Lattice (JF-001 §4). The Left-Right Knowledge Model (FRM-001 §9.2) and cross-training expectations (OM-001 §10.4) operationalize cross-family career movement.

11.3 Management Track Option

At L3+ (SME track), a Management track option may be available per CERG-GOV-JA-001 §8.1 (SME to Management Transition). Readiness indicators include: consistently sought out for guidance by junior team members, leading cross-functional initiatives without formal authority, and communicating clearly with non-technical stakeholders. The transition is a track change, not a grade promotion — an S3 Advisor moving to M1 Manager carries their technical credibility into the management role. Management competencies are defined in CERG-GOV-CMP-001 §7. See CERG-GOV-JA-001 §5 for Management grade definitions (M1-M4) and §9 (Span of Control and Team Design) for when to create a management role.

12. Related CERG Documents

13. Document Control

Revision History

Review Triggers

• Change to this role’s definition in CERG-GOV-OM-001 §6.1
• Change to this role’s NICE Work Role mapping in JF-002
• Change to this role’s grade range in CERG-GOV-JA-001 §7
• Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

Related Documents

Source: roles/jf-riskops/CERG-GOV-JD-RISKOPS-002_Adversarial_Testing_Lead.md · Download .md · View on GitHub