Checklist · Free
Score your security posture across identity, network, application, data, and observability. 25 checks across 5 categories with weighted scoring, posture-tier classification, and the top 3 priorities to invest in first.
How it works
We don’t gate the tool behind a form. Take the assessment; share your email at the end if you want a written report.
Five checks each across identity, network, application security, data, and observability. Each check has three states: Yes (full), Partial (in flight), No (gap). An honest assessment beats an optimistic one: the report only helps if it reflects where you actually are.
Overall score weighted across categories (identity and AppSec carry slightly higher weight given their typical leverage). Tier classification: Mature (85+), Established (65–84), Foundational (40–64), Gap-rich (<40).
Top 3 categories where investment will reduce the most risk, surfaced from the lowest-scoring categories. Each priority comes with a concrete recommendation grounded in what we'd do in a real posture engagement.
The checklist is a self-assessment. A real posture review pairs the checklist with technical validation against your actual environment: IAM hygiene, network segmentation, AppSec tooling, data flows, observability coverage. Bring the output to a 30-minute review.
Common questions
Identity and application security carry slightly higher weight (1.2x) given the typical leverage: identity gaps make every other control worse, and AppSec gaps account for the bulk of breaches. Data carries 1.1x weight given audit visibility. Network and observability weighted at 1.0x. The weights aren't dramatic; we want the score to reflect the holistic posture.
The checklist covers the foundational controls every framework requires. Regulated frames add specific control sets on top: HIPAA's risk analysis and BAA chain, PCI-DSS's segmentation and tokenization, SOC 2's continuous monitoring. We can map this checklist's output to your specific framework in a real engagement; the output here is the starting point.
Most enterprise security postures are partial: controls in flight, on some workloads, with some exceptions. We give partial credit so the score reflects reality rather than penalizing organizations actively making progress. A tier-3 organization with 70% partial credit is in better shape than an organization with 35% full credit and 0% partial.
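The scoring described above (three answer states, category weights of 1.2x / 1.1x / 1.0x, tier bands, and the three lowest-scoring categories as priorities) as a worked model. This is an added example, not the tool's own code; where the page is silent it assumes Partial counts as 0.5, a category score is the mean of its five checks on a 0–100 scale, and the overall score is the weight-normalised average so a perfect run lands at exactly 100.

```python
# Added worked example of the page's 25-check weighted scoring; not the tool itself.
# Assumptions (not stated on the page): Partial = 0.5 credit, category score =
# mean of its 5 checks * 100, overall = weight-normalised average of categories.

# Weights from the page: identity and AppSec 1.2x, data 1.1x, the rest 1.0x.
WEIGHTS = {"identity": 1.2, "network": 1.0, "application": 1.2,
           "data": 1.1, "observability": 1.0}
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}   # 0.5 for Partial is assumed
CHECKS_PER_CATEGORY = 5


def category_score(answers):
    """Mean credit of one category's five answers, scaled to 0-100."""
    if len(answers) != CHECKS_PER_CATEGORY:
        raise ValueError(f"expected {CHECKS_PER_CATEGORY} answers, got {len(answers)}")
    return 100.0 * sum(CREDIT[a.lower()] for a in answers) / CHECKS_PER_CATEGORY


def tier(score):
    """Tier bands from the page: Mature 85+, Established 65-84, Foundational 40-64, Gap-rich <40."""
    if score >= 85:
        return "Mature"
    if score >= 65:
        return "Established"
    if score >= 40:
        return "Foundational"
    return "Gap-rich"


def assess(posture):
    """posture: {category: [5 answer states]} -> category scores, overall, tier, top-3 priorities."""
    if set(posture) != set(WEIGHTS):
        raise ValueError("need exactly the five categories: " + ", ".join(WEIGHTS))
    per_cat = {c: category_score(a) for c, a in posture.items()}
    overall = sum(WEIGHTS[c] * s for c, s in per_cat.items()) / sum(WEIGHTS.values())
    priorities = sorted(per_cat, key=per_cat.get)[:3]   # lowest-scoring categories first
    return {"category_scores": per_cat, "overall": round(overall, 1),
            "tier": tier(overall), "priorities": priorities}


# Constructed sample posture: the "partial everywhere" picture the page describes.
SAMPLE = {
    "identity":      ["yes", "yes", "partial", "partial", "no"],
    "network":       ["yes", "partial", "partial", "no", "no"],
    "application":   ["partial", "partial", "no", "no", "no"],
    "data":          ["yes", "yes", "yes", "partial", "no"],
    "observability": ["yes", "partial", "no", "no", "no"],
}

if __name__ == "__main__":
    r = assess(SAMPLE)
    print(r["category_scores"])
    print(f"overall {r['overall']} -> {r['tier']}; invest first in {r['priorities']}")
```

Note how the weights pull the overall score toward the weak AppSec category even though data scores well, which is the "weakest plane" behaviour the page describes.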
They map to the planes of defense most security incidents traverse: identity (initial access), network (lateral movement), application (privilege escalation and data access), data (exfiltration), observability (detection and response). A gap in any plane creates a kill chain; the score reflects the weakest plane more than the strongest.
SOC 2 audits the implementation and operation of controls against specific Trust Services Criteria, with auditor evidence and a published opinion. This checklist is a self-assessment of posture across the same control surface. Most clients use this as the starting point for SOC 2 readiness; CITADEL takes it from there with the full evidence pipeline.
Posture audit (4–6 weeks): the checklist plus technical validation, gap remediation roadmap, and SOC 2 / ISO / HIPAA mapping. AppSec / SecOps program build (6–12 months): SAST / SCA / DAST in CI, threat modeling cadence, IR plan, continuous monitoring. Managed Services for ongoing security operations: $25K–$100K monthly retainer. Brackets published honestly.
Talk to us
Bring your scored report to a 30-minute call. Senior engineer plus department lead. No discovery gauntlet, no junior reps.