Checklist · Free
Score your security posture across identity, network, application, data, and observability. 25 checks across 5 categories with weighted scoring, posture-tier classification, and the top 3 priorities to invest in first.
Posture across 5 categories
Identity
- SSO via OIDC / SAML on every internal and customer-facing app
- MFA enforced on every workforce account (hardware-key option for privileged)
- Just-in-time elevated access via change ticket (no long-standing admin)
- Quarterly access reviews documented and acted on
- Off-boarding under 4 hours for revoked accounts

Network
- Private VPCs / VNETs with explicit egress allow-lists per workload
- WAF with managed rule sets in front of customer-facing surfaces
- DDoS mitigation at the cloud edge (AWS Shield, Cloudflare, equivalent)
- Service-to-service mTLS where data sensitivity warrants it
- Bastion-free engineering (SSM Session Manager or IAM-authenticated tunnels)

AppSec
- SAST / SCA / DAST integrated as deployment gates in CI
- Dependency vulnerability scanning with auto-remediation PRs
- Threat modeling on every new service touching customer data
- Code review required, with explicit security review for sensitive paths
- Annual third-party penetration testing with documented remediation

Data
- Encryption at rest with customer-managed keys for PHI / PCI / regulated data
- TLS 1.2+ on all transport with HSTS preload on customer-facing surfaces
- Backup encryption + integrity verification + restoration drills
- Data classification policy enforced at the storage layer where possible
- Documented data retention schedule per data class

Observability
- Centralized log aggregation with explicit retention per regulatory frame
- 24×7 alert routing with documented on-call rotation
- Documented incident response plan rehearsed at least annually
- Customer-notification SLA defined per severity tier
- Post-incident review process within 2 weeks of any P0 / P1 incident
How it works
We don’t gate the tool behind a form. Take the assessment; share your email at the end if you want a written report.
Five checks each across identity, network, application security, data, and observability. Each check has three states: Yes (full), Partial (in flight), No (gap). Honest assessment beats optimistic — the report only helps if it reflects where you actually are.
The overall score is weighted across categories (identity and AppSec carry slightly higher weight given their typical leverage). Tier classification: Mature (85+), Established (65–84), Foundational (40–64), Gap-rich (<40).
The top 3 categories where investment will reduce the most risk are surfaced from the lowest-scoring categories. Each priority comes with a concrete recommendation grounded in what we'd do in a real posture engagement.
The checklist is a self-assessment. A real posture review pairs the checklist with technical validation against your actual environment — IAM hygiene, network segmentation, AppSec tooling, data flows, observability coverage. Bring the output to a 30-minute review.
Common questions
Identity and application security carry slightly higher weight (1.2x) given the typical leverage — identity gaps make every other control worse, and AppSec gaps account for the bulk of breaches. Data carries 1.1x weight given audit visibility. Network and observability are weighted at 1.0x. The weights aren't dramatic; we want the score to reflect the holistic posture.
The checklist covers the foundational controls every framework requires. Regulated frames add specific control sets on top — HIPAA's risk analysis and BAA chain, PCI-DSS's segmentation and tokenization, SOC 2's continuous monitoring. We can map this checklist's output to your specific framework in a real engagement; the output here is the starting point.
Most enterprise security postures are partial — controls in flight, on some workloads, with some exceptions. We partial-credit so the score reflects reality rather than penalizing organizations actively making progress. A tier-3 organization with 70% partial credit is in better shape than an organization with 35% full credit and 0% partial.
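The scoring scheme described above (three states per check, five checks per category, category weights of 1.2x / 1.1x / 1.0x, the four tier cut-offs, and the lowest-scoring categories surfaced as priorities) is small enough to implement end to end. The block below is an added example written for this page, not the tool's own code: the weights, tier thresholds and check counts come from the page, while the partial-credit fraction (0.5), the weighted-mean aggregation, the tie-break on priorities and the sample answers are assumptions made here so the example can run offline.

```python
from enum import Enum


class State(Enum):
    """The three answer states the checklist allows."""
    YES = 1.0       # full credit
    PARTIAL = 0.5   # assumption: the page does not state the partial fraction
    NO = 0.0        # gap


# Category weights as stated on the page.
CATEGORY_WEIGHTS = {
    "Identity": 1.2,
    "Network": 1.0,
    "AppSec": 1.2,
    "Data": 1.1,
    "Observability": 1.0,
}

CHECKS_PER_CATEGORY = 5

# Tier floors from the page, highest first.
TIERS = [(85, "Mature"), (65, "Established"), (40, "Foundational"), (0, "Gap-rich")]


def category_score(states):
    """Percentage of available credit earned in one category."""
    if len(states) != CHECKS_PER_CATEGORY:
        raise ValueError(f"expected {CHECKS_PER_CATEGORY} checks, got {len(states)}")
    return 100.0 * sum(s.value for s in states) / CHECKS_PER_CATEGORY


def overall_score(category_scores):
    """Weighted mean of category scores (assumption: the page says 'weighted
    across categories' but not the exact aggregation)."""
    total_weight = sum(CATEGORY_WEIGHTS.values())
    weighted = sum(CATEGORY_WEIGHTS[c] * category_scores[c] for c in CATEGORY_WEIGHTS)
    return weighted / total_weight


def tier(score):
    """Map a 0-100 score onto the page's four posture tiers."""
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "Gap-rich"


def top_priorities(category_scores, n=3):
    """Lowest-scoring categories first. Tie-break on higher weight (assumption),
    so an equally weak identity or AppSec gap outranks a network one."""
    ranked = sorted(category_scores.items(),
                    key=lambda kv: (kv[1], -CATEGORY_WEIGHTS[kv[0]]))
    return [name for name, _ in ranked[:n]]


def assess(answers):
    """answers: {category: [State, ...]} with five entries per category."""
    missing = set(CATEGORY_WEIGHTS) - set(answers)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    scores = {c: category_score(answers[c]) for c in CATEGORY_WEIGHTS}
    overall = overall_score(scores)
    return {
        "category_scores": scores,
        "overall": overall,
        "tier": tier(overall),
        "priorities": top_priorities(scores),
    }


# Constructed sample answers for a hypothetical organization (not real data).
Y, P, N = State.YES, State.PARTIAL, State.NO
SAMPLE_ANSWERS = {
    "Identity":      [Y, Y, P, N, P],
    "Network":       [Y, Y, Y, P, Y],
    "AppSec":        [P, N, N, Y, Y],
    "Data":          [Y, Y, P, P, N],
    "Observability": [Y, Y, N, N, P],
}

if __name__ == "__main__":
    result = assess(SAMPLE_ANSWERS)
    for cat, score in result["category_scores"].items():
        print(f"{cat:14s} {score:5.1f}%")
    print(f"overall {result['overall']:.1f}% -> {result['tier']}")
    print("invest first in:", ", ".join(result["priorities"]))
```

With the sample answers the two 1.2x categories pull the overall score below the plain average of the five categories, which is the intended effect of the weighting: a weak identity or AppSec plane costs more than an equally weak network plane.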
They map to the planes of defense most security incidents traverse: identity (initial access), network (lateral movement), application (privilege escalation and data access), data (exfiltration), observability (detection and response). A gap in any plane creates a kill chain; the score reflects the weakest plane more than the strongest.
SOC 2 audits the implementation and operation of controls against specific Trust Services Criteria, with auditor evidence and a published opinion. This checklist is a self-assessment of posture across the same control surface. Most clients use this as the starting point for SOC 2 readiness; CITADEL takes it from there with the full evidence pipeline.
Posture audit (4–6 weeks): the checklist plus technical validation, gap remediation roadmap, and SOC 2 / ISO / HIPAA mapping. AppSec / SecOps program build (6–12 months): SAST / SCA / DAST in CI, threat modeling cadence, IR plan, continuous monitoring. Managed Services for ongoing security operations: $25K–$100K monthly retainer. Brackets published honestly.
Talk to us
Bring your scored report to a 30-minute call. Senior engineer plus department lead. No discovery gauntlet, no junior reps.