DEFENSE READINESS INDEX

Measure your team's ability to defend

Built to connect Live-Fire Exercise outcomes to business-relevant readiness, the Defense Readiness Index (DRI) shows how well your team performs against real attackers, not how much training they completed.

Deloitte
Highmark Health
Lazada
Maire Tecnimont
NEIT
Miami-Dade County
CDWG
THE GAP

The problem no one had solved

Most organizations can report on training activity. Very few can prove defensive readiness against real attacks. That leaves persistent gaps.

Activity is easy to measure

Hours, course completions, and certifications are visible, but they do not show whether a team is prepared for an actual incident.

Readiness is hard to prove

Without realistic team exercises tied to real threats, capability remains assumed rather than demonstrated.

Executives and cyber teams speak differently

Practitioners talk in TTPs and threat actors. Leaders talk in risk, exposure, and investment.

What is the Defense Readiness Index?

During an incident, the question is whether people, process, and technology work together under pressure, not how much training your team completed.

DEFINITION

The Defense Readiness Index measures the capability of a cybersecurity team to detect, disrupt, and defend against threat actors that pose the greatest risk to their organization.

It is a 1–5 scale anchored in the real threat landscape defined internally by the adversary groups and attack playbooks that actually exist.

How we calculate DRI

Each DRI level maps to a distinct class of adversary, defined by the sophistication of their tools, the resources they invest per target, and what kind of defense is required to stop them. The measuring stick is outside the organization.

A team’s DRI level is determined by what they can defend against in Live-Fire Exercises, not by how much they trained, or what internal scores they achieved.

1. Run a Live-Fire Exercise
   Simulate a realistic attack based on a known adversary playbook.

2. Observe team performance
   Evaluate how the entire team detects, communicates, investigates, and responds under pressure.

3. Map the outcome to adversary level
   Determine which class of attacker the team can successfully defend against.

4. Track measurable progress
   A higher DRI reflects demonstrated ability against a more sophisticated threat.

THE FIVE LEVELS

The DRI scale

| DRI | Adversary class | Typical attacks | Attacker effort | What defence requires |
| --- | --- | --- | --- | --- |
| DRI 1 | Script kiddie / Opportunistic | Publicly available malware, credentials, and TTPs requiring low skill | < 1 hour per target | Automated machine detection: Signature-based via endpoint or network |
| DRI 2 | Low-level e-crime | Paid or publicly available malware and TTPs requiring medium skill (e.g. exploit kits) | ~1 hour per target | Mostly automated detection: Requires complete configuration and log aggregation |
| DRI 3 | Organized crime / Hacktivists | Altered public tools and paid tools, may use interactive capabilities (e.g. Cobalt Strike) | ~10 hours per target | Threat intelligence becomes a requirement: Behavioral signatures needed for full coverage |
| DRI 4 | Nation-state / High-level e-crime | Mainly internally developed tools and capabilities, attackers limit number of targets | ~100 hours per target | Behavioral and advanced threat detection capabilities |
| DRI 5 | Strategic nation-state | Tools chosen for best operational security, very limited use of existing tools | > 1,000 hours per target | Behavioral detection coupled with deep manual analysis of the environment |

TRANSLATION LAYER

DRI gives cyber teams and executives a shared language

| DRI | Cyber team language | Executive language |
| --- | --- | --- |
| DRI 1 | Automated scans, exploit kits | Script kiddies targeting anyone unpatched |
| DRI 2 | Phishing, credential theft | Opportunistic attacks targeting SMBs, weak controls |
| DRI 3 | Custom malware, C2, lateral movement | Organized crime targeting mid-market, finance |
| DRI 4 | ATT&CK playbooks, living-off-the-land | Advanced threat targeting critical infrastructure |
| DRI 5 | APTs, zero-days, supply chain | Nation-state targeting governments, utilities |

TRANSLATION LAYER

DRI as a strategic planning tool

Once you can measure defensive capability against a consistent external scale, you unlock the ability to set strategic goals.

Current DRI - A measured outcome

What adversary class can our team successfully defend against today?

This comes from Live-Fire Exercise results.

The Gap

The investment case, in language executives already understand.

Required DRI - A business decision

What adversary class targets organizations like ours?

This is the threat-informed capability target.

| Organization type | Likely threat profile | Required DRI | What the gap means |
| --- | --- | --- | --- |
| Central bank / utility | Nation-state (DRI 5) | DRI 5 | Existential: Must invest to close gap |
| Large enterprise | Advanced persistent threat (DRI 4) | DRI 4 | Significant: Board-level investment case |
| Mid-market company | Organized crime (DRI 3) | DRI 3 | Manageable: Structured program |
| Small business | Opportunistic (DRI 2) | DRI 2 | Baseline: Good hygiene is sufficient |

CLARITY

What DRI is, and what it isn't.

The Defense Readiness Index is not a training metric. Training is preparation. DRI measures performance. A team that trained 1,000 hours but never successfully completed a DRI 3 exercise is still a DRI 2 team.

What DRI is

Outcome measures from Live-Fire Exercises against real adversary playbooks

  • Team successfully defended against a DRI 2 exercise
  • Team completed a DRI 3 exercise (first time, measurable progress)
  • Team attempted DRI 4, partially succeeded (gap identified)

What DRI is NOT

Internal activity metrics: Invisible to the real threat landscape

  • Training hours logged
  • Course completion rate
  • Self-assessed maturity score
  • Number of certifications held

DRI answers one question

Can our team defend against the adversaries that are actually targeting organisations like ours?

Everything else — the scale, the exercises, the measurement — exists to answer that question clearly.

Discover the Cyberbit Readiness platform
