The assessment can span systems, infrastructure hardware/software, users, operators, maintainers, defenders, training and TTPs, and focuses on the capabilities to Protect, Detect, React, and Restore (PDRR). A CSA may consist of a Cooperative Vulnerability and Penetration Assessment (CVPA) and an Adversarial Assessment (AA), both performed in the operational environment.