How the Zero Trust Maturity Evaluator Works
A structured, self-guided assessment aligned with NIST SP 800-207 and the CISA Zero Trust Maturity Model v2.0. Complete all 8 pillars in about 10 minutes and walk away with a clear picture of your current posture and what to prioritize next.
How the Assessment Works
Answer 25 targeted questions
Work through 8 pillars at your own pace. Each question has 3 options mapped to maturity levels 1, 2, and 3. You can go back and change answers at any time.
Get your maturity scores
Each pillar is scored as the average of its questions, then mapped to a maturity level. Your overall score is the average across all pillars with at least one answer.
Review prioritized recommendations
For every pillar below Level 3, you receive specific, actionable guidance. Recommendations are written at the CISO level — strategic enough for board reporting, specific enough for implementation.
Export, print, and track progress
Download a CSV of all pillar scores and recommendations. Print a formatted report. Save the assessment with a name and date, then re-run quarterly to track improvement over time.
How Scoring Works
Each answer maps to a numeric value of 1, 2, or 3, matching the maturity level of the option chosen. A pillar score is the average of the values of that pillar's answered questions. The overall score is the average of the pillar scores for every pillar with at least one answer, so a pillar you skip entirely does not drag the overall score down. Scores are then mapped to a maturity level:
Level 1: Primarily perimeter-based security with limited Zero Trust controls. Significant exposure to lateral movement, identity-based attacks, and supply chain risk. Most organizations start here.
Level 2: Partial Zero Trust implementation with enhanced context-aware access controls. Most critical systems are protected, but gaps remain in automation, governance, and supply chain visibility.
Level 3: Comprehensive Zero Trust with continuous verification, least-privilege enforcement, dynamic policy, AI-driven threat detection, and formal governance across all 8 pillars.
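The scoring and export steps described above, worked through in code. This is an added illustration, not the evaluator's own implementation. The pillar names and question counts come from this page; the sample answers are constructed, and the cut-offs used to turn a fractional score into a level (nearest level, so 1.5 rounds up to Level 2 and 2.5 to Level 3) are an assumption, since the page states only that scores map to Level 1, 2, or 3.

```python
"""Worked example of the maturity scoring model: per-pillar average,
overall average over answered pillars, level mapping, recommendation
flagging, and CSV export.  Added illustration, not the tool's own code."""
import csv
import io
from statistics import mean

# The eight pillars named on the page, in display order.
PILLARS = [
    "Identity", "Devices", "Network", "Applications & Workloads", "Data",
    "Automation & Orchestration", "Visibility & Analytics", "Governance",
]

# Constructed sample answers: each list holds the level (1-3) chosen for each
# of the pillar's questions; an empty list means the pillar was skipped.
SAMPLE_ANSWERS = {
    "Identity": [3, 2, 3, 2],
    "Devices": [1, 2, 1],
    "Network": [2, 2, 3, 1],
    "Applications & Workloads": [3, 3, 3, 3],
    "Data": [1, 2],
    "Automation & Orchestration": [],
    "Visibility & Analytics": [2, 3, 2],
    "Governance": [1, 1],
}


def pillar_score(levels):
    """Average of the answered questions' values, or None if none answered."""
    return mean(levels) if levels else None


def to_level(score):
    """Map a numeric score to a maturity level.
    ASSUMPTION: nearest-level rounding (score < 1.5 -> 1, < 2.5 -> 2, else 3);
    the page does not publish its cut-offs."""
    if score < 1.5:
        return 1
    if score < 2.5:
        return 2
    return 3


def assess(answers):
    """Score every pillar, compute the overall score over answered pillars
    only, and list the pillars below Level 3 that need recommendations."""
    scores = {p: pillar_score(answers.get(p, [])) for p in PILLARS}
    answered = [s for s in scores.values() if s is not None]
    overall = mean(answered) if answered else None
    return {
        "pillars": {p: (s, None if s is None else to_level(s))
                    for p, s in scores.items()},
        "overall": overall,
        "overall_level": None if overall is None else to_level(overall),
        "needs_recommendation": [p for p, s in scores.items()
                                 if s is not None and to_level(s) < 3],
    }


def to_csv(result):
    """Render the assessment as CSV text (pillar, score, level, flag)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["pillar", "score", "level", "recommendation"])
    for p, (s, lvl) in result["pillars"].items():
        if s is None:
            w.writerow([p, "", "", "not assessed"])
        else:
            w.writerow([p, f"{s:.2f}", lvl, "yes" if lvl < 3 else "none"])
    overall = result["overall"]
    if overall is not None:
        w.writerow(["Overall", f"{overall:.2f}", result["overall_level"], ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(assess(SAMPLE_ANSWERS)))
```

With the constructed answers, Identity averages exactly 2.5 and lands on Level 3 under the assumed rounding, while the skipped Automation & Orchestration pillar is left out of the overall average entirely; changing the cut-offs in `to_level` is the only edit needed if the real tool uses different boundaries.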
The 8 Zero Trust Pillars
The assessment covers all five core pillars from the CISA Zero Trust Maturity Model v2.0 plus three cross-cutting capabilities (Automation & Orchestration, Visibility & Analytics, and Governance), giving you a complete picture of your Zero Trust program.
Identity
4 questions: MFA, phishing-resistant auth (FIDO2/passkeys), privileged access management (PAM/JIT), non-human identity, and identity lifecycle governance (IGA/JML).
Devices
3 questions: Endpoint posture and EDR, BYOD and unmanaged device controls, hardware trust (TPM/Secure Boot), and OT/IoT device security.
Network
4 questions: Micro-segmentation, ZTNA, mTLS east-west encryption, SASE, dynamic least-privilege access, and email/collaboration security (DMARC, BEC).
Applications & Workloads
4 questions: DevSecOps and CI/CD security (SAST/DAST/RASP), API security, software supply chain (SBOM/SCA), and cloud and container security (CSPM, K8s, IaC).
Data
2 questions: Data discovery and classification, DLP, encryption at rest and in transit, attribute-based access control (ABAC), and data lineage tracking.
Automation & Orchestration
3 questions: SOAR, policy-as-code, AI-assisted incident response, and resilience and recovery (immutable backups, purple team validation).
Visibility & Analytics
3 questions: XDR/SIEM/UEBA, unified telemetry, AI/ML risk scoring, threat intelligence, and AI/LLM security controls.
Governance
2 questions: Zero Trust program ownership, executive sponsorship, board-level risk reporting, compliance-as-code, and continuous third-party audit validation.
Your Privacy
Framework Alignment
NIST SP 800-207
Primary framework. Defines Zero Trust Architecture principles, logical components, and deployment models.
CISA ZTMM v2.0
Five core pillars plus Visibility, Automation, and Governance capabilities with four maturity stages.
DoD ZTA v2.0
Seven-pillar model with Governance overlay, emphasizing hardware trust, OT/IoT, and supply chain.
Ready to evaluate your Zero Trust posture?
Takes about 10 minutes. No account required. Results stay on your device.
Start the Assessment