What this tier actually looks like.
The pattern from inside a Repeatable-tier org: some pipelines have SCA, others don’t. Some services emit SBOMs, others ship without. One team enforces signed images at deploy; another doesn’t know what signing is. Audit conversations end with “we have a vault” — and the auditor doesn’t ask whether the credentials in the vault are static or short-lived.
You probably have:
- A vault (HashiCorp / cloud-native) holding secrets, but applications still pull static long-lived credentials from it.
- A SAST tool with thousands of unread findings.
- SBOMs occasionally generated, but no owner-alert path when a CVE lands.
- Policy “documented” in a PDF; not encoded as OPA / Kyverno / Conftest.
- One paved CI pipeline that two squads use and four squads route around.
- Annual pen-tests as your primary external assurance signal.
You probably don’t have:
- Workload identity (OIDC, SPIFFE) as default for new services.
- Signed provenance attached to artefacts (SLSA L2+).
- An SLO for time-to-patch on KEV-listed CVEs.
- A clear feedback path from SBOM → graph → service owner alert.
Why most teams get stuck here.
The reason organisations stall in Repeatable for years rather than crossing into Defined isn’t budget. It isn’t skill. It’s that the incremental moves that look obvious are the wrong ones.
The wrong moves orgs typically make from here:
- SAST consolidation. Merging three SAST tools into one feels like progress, but it doesn’t move you up a tier.
- Security awareness training. Compliance-mandated; near-zero impact on your maturity score.
- Yet another “security champions” programme. If you’ve tried it twice and it’s decayed both times, the third attempt won’t fix the underlying ownership problem.
- Buying a fancier SBOM tool. Without the alert-to-owner loop, the SBOM is still shelfware.
The right moves all involve changing the substrate, not adding instrumentation on top of it.
The three substrate moves to the next tier.
The three moves that reliably get a Repeatable-tier org to Defined within two quarters:
1. Workload identity on one critical pipeline. Then propagate.
Pick the highest-impact pipeline (usually a customer-facing, regulated workload). Migrate it from static credentials held in the vault to OIDC-based workload identity: the CI job presents its short-lived OIDC token and exchanges it for cloud credentials (GitHub Actions federated into AWS IAM roles, GCP Workload Identity Federation, or Azure federated identity credentials). The check that matters: the trust relationship must constrain the token’s subject to the specific repository and branch or environment, not just its audience. A trust policy that checks only the audience can be assumed by any repository on the same provider. Document the pattern as a paved-path template. Three months later, every new service inherits it.
Closes the Vault Theatre gap.
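The audience-only pitfall above, as an added example that is not code from this page: a small checker that reads an AWS IAM role trust policy for the GitHub Actions OIDC provider and reports whether the `aud` claim is pinned to STS and whether the `sub` claim pins a single repository. The account ID, role name and repository name are constructed placeholders, and the two policies are constructed to show the loose and the hardened shape side by side.

```python
"""Check an AWS IAM role trust policy for GitHub Actions OIDC federation.

Added example, not code from the page. The account ID, repository name and
the two policies below are constructed placeholders.
"""
from typing import Any

GITHUB_ISSUER = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"

MISSING_AUD = "aud condition missing or not pinned to " + STS_AUDIENCE
MISSING_SUB = "no sub condition: any repository on github.com can assume this role"
LOOSE_SUB = "sub does not pin a single repository: "


def _as_list(value: Any) -> list:
    """IAM policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict) -> list[str]:
    """Return findings for every Allow statement that federates the GitHub OIDC provider.

    An empty list means each such statement pins both the audience and the
    repository. Statements for other principals are ignored.
    """
    findings: list[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(GITHUB_ISSUER in arn for arn in federated):
            continue

        # Flatten {"StringEquals": {key: v}, "StringLike": {key: v}} into key -> values.
        conditions: dict = {}
        for operator_block in stmt.get("Condition", {}).values():
            for key, value in operator_block.items():
                conditions.setdefault(key, []).extend(_as_list(value))

        if STS_AUDIENCE not in conditions.get(f"{GITHUB_ISSUER}:aud", []):
            findings.append(MISSING_AUD)

        sub_values = conditions.get(f"{GITHUB_ISSUER}:sub")
        if not sub_values:
            findings.append(MISSING_SUB)
        else:
            for sub in sub_values:
                # Expected shape: repo:ORG/REPO:ref:refs/heads/main (or repo:ORG/REPO:environment:prod).
                # An org-wide wildcard (repo:ORG/*) is flagged too: the move is one pipeline, one role.
                parts = sub.split(":")
                repo = parts[1] if len(parts) > 1 else ""
                if parts[0] != "repo" or not repo or "*" in repo:
                    findings.append(LOOSE_SUB + sub)
    return findings


_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER  # constructed

# Constructed: pins only the audience. Any GitHub repository whose job requests a
# token with aud=sts.amazonaws.com satisfies this statement.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_ISSUER}:aud": STS_AUDIENCE}},
    }],
}

# Constructed: also pins the subject to one repository and one branch.
STRICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": _PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_ISSUER}:aud": STS_AUDIENCE},
            "StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/payments-api:ref:refs/heads/main"},
        },
    }],
}

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(name, check_trust_policy(policy) or "ok")
```

Run it against the trust policies of every role your pipelines assume; the loose shape passes an audit that asks only "is there an OIDC trust policy?", which is exactly the question the page says auditors stop at.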
2. SBOM → graph → owner. Close the loop, not the input.
The SBOMs you’re already emitting need an output side. Ingest them into a store that matches components against vulnerability data (GUAC, OWASP Dependency-Track). When a component’s CVE appears in the CISA KEV catalogue, alert the service owner recorded for that SBOM directly, not a central security inbox. An SBOM with no recorded owner is itself a finding: it has nowhere to route.
Closes the SBOM Shelfware gap.
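The loop described above, as an added example that is not code from this page and not GUAC or Dependency-Track code: read the components of a CycloneDX SBOM, join them against a vulnerability feed, keep only the CVEs present in a KEV catalogue snapshot, and group the resulting alerts by the owner recorded in the SBOM. The SBOM, the feed and the KEV snapshot are constructed inline; the CVE identifiers (CVE-2099-*) are deliberately fictitious, and recording the owner as a metadata property named `owner` is an assumed convention.

```python
"""Close the SBOM loop: components -> known vulnerabilities -> KEV filter -> owner alert.

Added example; not the page's code and not GUAC or Dependency-Track code. The
SBOM, the vulnerability feed and the KEV snapshot are constructed placeholders,
and the CVE identifiers (CVE-2099-*) are deliberately fictitious.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed CycloneDX 1.5-style SBOM for one service. Recording the owner as a
# metadata property named "owner" is an assumption about the pipeline's convention.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "name": "payments-api",
            "properties": [{"name": "owner", "value": "payments-team@example.com"}],
        }
    },
    "components": [
        {"type": "library", "purl": "pkg:maven/org.example/libfoo@1.2.3"},
        {"type": "library", "purl": "pkg:npm/example-widget@4.0.0"},
        {"type": "library", "purl": "pkg:pypi/exampleutil@0.9.0"},
    ],
}

# Constructed stand-in for the graph store's purl -> CVE matching.
VULN_FEED = {
    "pkg:maven/org.example/libfoo@1.2.3": ["CVE-2099-00001"],
    "pkg:npm/example-widget@4.0.0": ["CVE-2099-00002"],
}

# Constructed snapshot in the shape of the CISA KEV JSON feed (only the fields used here).
KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-00001", "dueDate": "2099-01-21",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Routing bucket that should stay empty; anything landing here is the ownership gap.
UNOWNED = "UNOWNED"


@dataclass(frozen=True)
class Alert:
    service: str
    owner: str
    purl: str
    cve: str
    due_date: str


def owner_of(sbom: dict) -> str:
    """Read the owner from the SBOM's top-level component properties, or UNOWNED."""
    props = sbom.get("metadata", {}).get("component", {}).get("properties", [])
    for prop in props:
        if prop.get("name") == "owner" and prop.get("value"):
            return prop["value"]
    return UNOWNED


def kev_alerts(sbom: dict, vuln_feed: dict, kev: dict) -> list:
    """Intersect the SBOM's vulnerable components with the KEV catalogue."""
    kev_by_id = {v["cveID"]: v for v in kev.get("vulnerabilities", [])}
    service = sbom["metadata"]["component"]["name"]
    owner = owner_of(sbom)
    alerts = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        for cve in vuln_feed.get(purl, []):
            entry = kev_by_id.get(cve)
            if entry is None:
                continue  # known vulnerability, but not known-exploited: not this alert path
            alerts.append(Alert(service, owner, purl, cve, entry.get("dueDate", "")))
    return alerts


def route(alerts: list) -> dict:
    """Group alert text by owner so each owner gets a direct message, not a central inbox."""
    by_owner = defaultdict(list)
    for a in alerts:
        by_owner[a.owner].append(
            f"[{a.service}] {a.cve} in {a.purl} is on CISA KEV (due {a.due_date})")
    return dict(by_owner)


if __name__ == "__main__":
    for owner, lines in route(kev_alerts(SBOM, VULN_FEED, KEV)).items():
        print(owner, *lines, sep="\n  ")
```

The KEV filter is the priority path, not the only one: CVE-2099-00002 is still a known vulnerability and belongs in the ordinary backlog. The `UNOWNED` bucket is what turns missing ownership from a silent drop into something you can count.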
3. One policy-as-code rule, enforced at deploy.
Pick one architecture principle that’s already in your PDF (most common picks: “no public S3 buckets,” “production images must be signed,” “no workloads without owner annotation”). Encode it as OPA / Kyverno / Conftest. Wire it into admission control, run it in audit or warn mode for a sprint to see what would have been blocked, then switch to enforce. From then on, deploys that violate the rule fail before a human is involved.
Closes the PDF Principles gap.
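The “no workloads without owner annotation” rule above, as an added example that is not code from this page and not OPA, Kyverno or Conftest code: the same decision expressed as the logic of a Kubernetes validating admission webhook, which receives an AdmissionReview and must answer with the request’s uid, an allowed flag and a reason. The annotation key, the enforced namespaces and the AdmissionReview fixtures are assumptions constructed for the example.

```python
"""Enforce one rule at admission: no workload without an owner annotation.

Added example, not the page's code and not OPA, Kyverno or Conftest code. The
annotation key and enforced namespaces are assumptions; the AdmissionReview
objects built by make_review() are constructed fixtures.
"""
from typing import Optional

OWNER_ANNOTATION = "example.com/owner"          # assumed key
ENFORCED_NAMESPACES = {"prod", "payments-prod"}  # assumed scope
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob", "Pod"}


def violations(kind: str, namespace: str, obj: dict) -> list:
    """Return the reasons the object violates the rule; an empty list means compliant."""
    if kind not in WORKLOAD_KINDS or namespace not in ENFORCED_NAMESPACES:
        return []
    metadata = obj.get("metadata", {})
    annotations = metadata.get("annotations") or {}
    owner = (annotations.get(OWNER_ANNOTATION) or "").strip()
    if not owner:
        name = metadata.get("name", "?")
        return [f"{kind} {namespace}/{name} has no {OWNER_ANNOTATION} annotation"]
    return []


def validate(review: dict) -> dict:
    """Build the AdmissionReview response the API server expects from a validating webhook."""
    req = review["request"]
    reasons = violations(req["kind"]["kind"], req.get("namespace", ""), req["object"])
    response = {"uid": req["uid"], "allowed": not reasons}  # uid must be echoed back
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(name: str, namespace: str, annotations: Optional[dict]) -> dict:
    """Construct an AdmissionReview for a Deployment CREATE (fixture, not a captured request)."""
    metadata = {"name": name, "namespace": namespace}
    if annotations is not None:
        metadata["annotations"] = annotations
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": f"uid-{name}",
            "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
            "namespace": namespace,
            "operation": "CREATE",
            "object": {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": metadata},
        },
    }


if __name__ == "__main__":
    for review in (
        make_review("checkout", "prod", None),
        make_review("checkout", "prod", {OWNER_ANNOTATION: "payments-team@example.com"}),
    ):
        print(validate(review)["response"])
```

The owner check is the cheapest of the three picks because it needs no external data. The “production images must be signed” rule needs the signing tooling in the admission path (cosign-backed verification in Kyverno or the Sigstore policy controller), which is why it is not shown here; the response contract is the same.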
What changes when you cross.
When you complete the three moves, the operational pattern changes:
- Time-to-patch for critical CVEs drops from weeks to days, because the owner-alert loop replaces central triage.
- Audit conversations get easier. You can demonstrate the policy is enforced, not documented.
- New services inherit the substrate. The three paved-path patterns mean adoption stops being a per-team negotiation.
- SAST findings stop being the centre of gravity. They become hygiene; supply-chain and identity become the headline.
And critically: you cross the threshold where regulators take you seriously. APRA CPS 234, EU DORA and CISA’s Secure Software Development Attestation all become checkable rather than aspirational.
Run the diagnostic.
To find out whether your team scores at this tier or another, run DevSecOps Maturity. It takes 2–4 minutes and surfaces both your overall tier and the capability breakdown that shows you where the move starts.
For the bigger picture: the compound diagnostic takes results from all six diagnostics and shows you the substrate gap that bounds your overall delivery, not the per-discipline symptom.