Security Maturity Score

5-domain maturity score (NIST CSF style).

Privacy: answers stay in your browser. We do not record your responses.

1. Do you have an inventory of devices and software?

Yes No / Not sure

Identify function — if you don't know what you have, you can't protect it.

2. Is there a documented information-security policy?

Yes No / Not sure

Identify function — the governing document.

3. Is MFA enforced on all accounts?

Yes No / Not sure

Protect function — the single highest-impact control.

4. Are all endpoints running EDR?

Yes No / Not sure

Protect function — modern equivalent of antivirus.

5. Are backups automated and tested?

Yes No / Not sure

Recover function — only real measure of resilience.

6. Is logging centralized for auth + admin actions?

Yes No / Not sure

Detect function — no logs, no detection.

7. Do you run tabletop exercises for incidents at least yearly?

Yes No / Not sure

Respond function — rehearse before the real thing.

8. Are security awareness trainings completed yearly?

Yes No / Not sure

Human layer — often the weakest.

9. Is access reviewed and offboarded within 24h of departure?

Yes No / Not sure

Protect function — dormant accounts are the top attacker pivot.

10. Are privileged accounts separated from daily use?

Yes No / Not sure

Protect function — blast radius reduction.

11. Is patch management automated for OS + core apps?

Yes No / Not sure

Protect function — 90% of exploits target known CVEs.

12. Do you have a written incident response plan?

Yes No / Not sure

Respond function — don't improvise during a breach.

Score

—

Answer the questions above to see your score.

Vendor Risk Analyzer

SOC 2 / data-handling / breach-history checklist for any vendor.

Privacy: answers stay in your browser. We do not record your responses.

1. Does the vendor have a current SOC 2 Type II report?

Yes No / Not sure

Non-negotiable for anyone handling your data.

2. Do they sign a Data Processing Agreement (DPA)?

Yes No / Not sure

GDPR/CCPA compliance relies on this.

3. Is data encrypted at rest and in transit?

Yes No / Not sure

TLS in transit + AES-256 at rest is table stakes.

4. Are breach notifications contractually required within 72 hours?

Yes No / Not sure

GDPR requirement; asks whether they will tell you fast.

5. Do they have MFA enforced on admin accounts?

Yes No / Not sure

Asks whether YOUR data sits behind their MFA.

6. Is sensitive data stored in the jurisdiction you require?

Yes No / Not sure

EU customers need EU data residency typically.

7. Are sub-processors disclosed and contractually constrained?

Yes No / Not sure

Their vendors are your vendors too.

8. Do they have cyber insurance?

Yes No / Not sure

Signals they take breach risk seriously financially.

9. Is there an incident response plan they will share?

Yes No / Not sure

Reassurance they plan for the bad days.

10. Can you export / delete your data easily?

Yes No / Not sure

Data portability = escape hatch if things go wrong.

11. Are they on any regulator blocklist or in active litigation?

Yes No / Not sure

Google them; check FTC complaints and court records.

12. Have they had a breach in the last 3 years?

Yes No / Not sure

A past breach isn't automatically disqualifying but demands extra care.

Score

—

Answer the questions above to see your score.

Credential Stuffing Risk Checker

How exposed are you to attackers reusing leaked credentials?

Privacy: answers stay in your browser. We do not record your responses.

1. Do you reuse passwords across 3+ important accounts?

Yes No / Not sure

If you reuse, one leak compromises all. Fix with a password manager.

2. Are any of your emails in a public breach (check HIBP)?

Yes No / Not sure

If yes, attackers have your credentials to try against other sites.

3. Is MFA enabled on your email, bank, and password manager?

Yes No / Not sure

MFA defeats credential stuffing — enable it everywhere.

4. Do you change leaked passwords within 48 hours of breach news?

Yes No / Not sure

Rapid rotation kills the credential-stuffing window.

5. Are your oldest account passwords 14+ characters?

Yes No / Not sure

Short old passwords are brute-forceable offline.

6. Do you have login alerts enabled (email on new device)?

Yes No / Not sure

First line of defense after a credential-stuff attempt.

7. Have you rotated passwords exposed in a breach in the last year?

Yes No / Not sure

If you saw a HIBP notification, did you act on it?

8. Do you keep track of which password was used where?

Yes No / Not sure

You cannot rotate what you cannot find.

9. Is your primary email on the free-email-provider allowlist for your bank (Gmail, Outlook)?

Yes No / Not sure

Self-hosted / obscure providers sometimes have weaker security.

10. Is your password manager's master password unique?

Yes No / Not sure

Master password reuse is the single biggest vulnerability.

Score

—

Answer the questions above to see your score.

IP Reputation Checker

Cross-reference an IP against simple reputation heuristics.