
Security Assessment Matrix

Score your platform against ten weighted security controls and identify the highest-impact gaps to remediate.

90-100: Strong Security Posture
75-89: Adequate, with known gaps
50-74: Significant vulnerabilities present
0-49: Critical risk

Security Assessment, in Brief

A security assessment matrix evaluates how well a platform addresses the key controls that reduce breach risk, limit blast radius, and meet compliance obligations. It covers identity, data protection, application security, threat detection, and governance.

Score each control from 0 to 5. Higher weights represent controls with the greatest impact on overall security posture.

Why this matters

Security gaps compound. A weak identity layer combined with flat network access and no SIEM creates the conditions for a full breach.

Low scores in high-weight controls (IAM, encryption) signal the highest remediation priority.

This matrix helps teams communicate risk and prioritise security investments before incidents occur.

Security Assessment Matrix

Score each control from 0 to 5. A control's weighted score is its score out of 5 multiplied by the control's weight, so a control weighted 15% contributes at most 15 points; the ten weights sum to 100%, giving an overall score out of 100. Weighted scores update instantly.

Identity & Access Management

Are MFA, RBAC, and least-privilege enforced for all human and service identities? Are access reviews conducted regularly?

Weight: 15% (weighted score 0 to 15)

Network Segmentation & Zero Trust

Are network boundaries enforced with a Zero Trust model? Is lateral movement blocked between segments without explicit policy?

Weight: 10% (weighted score 0 to 10)

Data Encryption & Classification

Is data classified by sensitivity and encrypted at rest and in transit? Are encryption keys managed separately from data?

Weight: 15% (weighted score 0 to 15)

Secrets & Credentials Management

Are secrets stored in a dedicated vault with dynamic issuance and automatic rotation? Are static credentials eliminated?

Weight: 10% (weighted score 0 to 10)

Application Security Testing

Are SAST, DAST, and dependency scanning integrated into the CI/CD pipeline? Are findings tracked and resolved within SLAs?

Weight: 10% (weighted score 0 to 10)

Vulnerability & Patch Management

Is there a process to track CVEs, prioritise critical patches, and measure mean-time-to-remediate across all components?

Weight: 10% (weighted score 0 to 10)

Threat Detection & SIEM

Are logs centralised and correlated in a SIEM? Do detection rules cover key attack techniques and generate actionable alerts?

Weight: 10% (weighted score 0 to 10)

Incident Response & Recovery

Is there a tested incident response plan with defined roles, communication channels, and documented recovery runbooks?

Weight: 10% (weighted score 0 to 10)

Compliance & Security Governance

Are security policies documented, reviewed annually, and mapped to applicable regulatory requirements (e.g. SOC 2, ISO 27001)?

Weight: 5% (weighted score 0 to 5)

Supply Chain & Dependency Security

Are third-party libraries scanned for known vulnerabilities? Are SBOMs generated and vendor security practices reviewed?

Weight: 5% (weighted score 0 to 5)
0 = Not addressed. 3 = Partially implemented. 5 = Fully implemented and verified.
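The scoring behind the matrix, as an added example rather than the page's own calculator: it takes the ten controls and weights listed above, computes each weighted score as the 0-5 score divided by 5 and multiplied by the weight (inferred from the "weighted score 0 to 15" ceilings), sums them into a total out of 100, maps the total to the four posture bands, and ranks controls by the weight they fail to earn, which is the "low score in a high-weight control" remediation priority the page describes. The sample scores are constructed for illustration and are not from the page.

```python
"""Weighted scoring for the ten-control security assessment matrix (added example)."""

# Controls and weights as listed in the matrix; the weights sum to 100.
CONTROLS = {
    "Identity & Access Management": 15,
    "Network Segmentation & Zero Trust": 10,
    "Data Encryption & Classification": 15,
    "Secrets & Credentials Management": 10,
    "Application Security Testing": 10,
    "Vulnerability & Patch Management": 10,
    "Threat Detection & SIEM": 10,
    "Incident Response & Recovery": 10,
    "Compliance & Security Governance": 5,
    "Supply Chain & Dependency Security": 5,
}

MAX_SCORE = 5  # 0 = not addressed, 3 = partial, 5 = fully implemented and verified

# Posture bands from the page, checked from the top down.
BANDS = [
    (90, "Strong Security Posture"),
    (75, "Adequate, with known gaps"),
    (50, "Significant vulnerabilities present"),
    (0, "Critical risk"),
]

# Constructed sample: weak identity, flat network, no SIEM (the page's breach scenario).
SAMPLE_SCORES = {
    "Identity & Access Management": 2,
    "Network Segmentation & Zero Trust": 1,
    "Data Encryption & Classification": 4,
    "Secrets & Credentials Management": 3,
    "Application Security Testing": 4,
    "Vulnerability & Patch Management": 3,
    "Threat Detection & SIEM": 0,
    "Incident Response & Recovery": 3,
    "Compliance & Security Governance": 5,
    "Supply Chain & Dependency Security": 2,
}


def weighted_score(score, weight):
    """Weighted points for one control: (score / 5) * weight, e.g. 2/5 of 15 = 6."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score must be between 0 and {MAX_SCORE}, got {score}")
    # Multiply before dividing so integer scores give exact results.
    return score * weight / MAX_SCORE


def _validate(scores):
    """Every control must be scored exactly once; unknown names are rejected."""
    if set(scores) != set(CONTROLS):
        missing = set(CONTROLS) - set(scores)
        unknown = set(scores) - set(CONTROLS)
        raise ValueError(f"missing controls: {sorted(missing)}, unknown: {sorted(unknown)}")


def assess(scores):
    """Overall score out of 100: sum of the ten weighted scores, rounded to one decimal."""
    _validate(scores)
    total = sum(weighted_score(scores[name], w) for name, w in CONTROLS.items())
    return round(total, 1)


def posture(total):
    """Map an overall score to its posture band."""
    for floor, label in BANDS:
        if total >= floor:
            return label
    raise ValueError(f"score out of range: {total}")


def remediation_gaps(scores, top=3):
    """Controls ranked by unearned weight (weight minus weighted score), highest first.

    A score of 2 on a 15%-weight control leaves 9 points on the table and outranks
    a score of 2 on a 5%-weight control, which leaves only 3.
    """
    _validate(scores)
    gaps = [(name, w - weighted_score(scores[name], w)) for name, w in CONTROLS.items()]
    gaps.sort(key=lambda item: item[1], reverse=True)
    return [name for name, gap in gaps[:top] if gap > 0]


if __name__ == "__main__":
    total = assess(SAMPLE_SCORES)
    print(f"Overall: {total} / 100 -> {posture(total)}")
    for name in remediation_gaps(SAMPLE_SCORES):
        print(f"  remediate: {name}")
```

With the constructed sample the total comes to 53.0, which lands in "Significant vulnerabilities present", and the top three gaps are SIEM, IAM and network segmentation in that order: a 0 on a 10%-weight control and a 2 on a 15%-weight control both outrank a 4 on encryption, so the ranking follows unearned weight rather than raw score.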