
Understanding Your Security Maturity Score: From Ad-Hoc to Optimized

Your machine scores 72/100 on a security audit. Is that good? What does it mean across different security domains? Here's how WinSentinel's CMMI-inspired maturity assessment turns raw findings into actionable intelligence — and why a letter grade matters more than a number.

Security scores are everywhere. Compliance dashboards show percentages. Vulnerability scanners count CVEs. But a number without context is useless. Telling a sysadmin "your score is 72" doesn't help them understand where they're weak, why they're weak, or what to do next.

WinSentinel's maturity assessment takes a different approach. Instead of a single number, it evaluates your security posture across seven distinct domains using a CMMI-inspired 5-level maturity scale. Each domain gets its own level, strengths, gaps, and targeted recommendations. The result: a security assessment that actually tells you something useful.

The Seven Security Domains

Every finding from a WinSentinel audit maps to one of seven security domains: Identity & Access, Network Security, Endpoint Protection, Data Protection, Patch & Config Management, System Hardening, and Resilience & Recovery. This isn't arbitrary grouping. Each domain represents a distinct area of security responsibility with its own controls, risks, and remediation paths.

The domain model matters because security weaknesses cluster. An organization with poor Identity & Access controls almost always has credential sprawl, stale admin accounts, and exposed remote access — fixing one finding without addressing the domain-level gap just plays whack-a-mole.

The Five Maturity Levels

Each domain is assessed on a 1–5 scale inspired by the Capability Maturity Model Integration (CMMI): Level 1 (Initial), Level 2 (Repeatable), Level 3 (Defined), Level 4 (Managed), and Level 5 (Optimizing). This isn't about counting findings. It's about understanding how mature your security controls are in each area.

How Scoring Works Under the Hood

The maturity score isn't arbitrary. Every finding from every audit module contributes to its domain's score using a weighted system:

# Scoring weights per finding:
# Pass    = +3 points  (control is properly configured)
# Info    = +1 point   (informational, no action needed)
# Warning =  0 points  (needs attention)
# Critical = -1 point  (urgent — actively weakens posture)

# Domain percentage = (actual score / max possible) × 100
# Max possible = total findings × 3

# Example: 4 findings in Network Security
#   Firewall enabled (Pass)      → +3
#   DNS over HTTPS (Pass)        → +3
#   SMBv1 still active (Warning) →  0
#   Open RDP port (Critical)     → -1
#   Score: 5 / 12 = 41.7% → Level 2 (Repeatable)

The negative weight for critical findings is intentional. A critical finding doesn't just add zero: relative to a passing check it costs four points, the three it could have earned plus the one it subtracts. Ten passing checks alone score 30/30; add one gaping hole and the domain drops to 29/33, or 87.9%, so the hole registers in the percentage instead of being averaged away. One critical vulnerability can undo multiple good configurations.

Scores are always clamped to zero minimum — you can't go negative. But a domain flooded with critical findings will hit zero fast, clearly signaling that the entire domain needs attention, not just individual fixes.
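The scoring described above, as an added Python example that is not WinSentinel's code: it applies the stated weights and the zero clamp to the Network Security example, to ten passing checks plus one critical, and to a constructed domain flooded with criticals. The post does not publish the percentage-to-level cut-offs, so the floors in `LEVEL_FLOORS` are an assumption chosen to agree with every level/percentage pairing the post shows; WinSentinel's real cut-offs may differ.

```python
"""Weighted domain score from individual findings.

Added example, not WinSentinel's code. Weights and the zero clamp are the ones
stated in the post; the percentage-to-level cut-offs are an assumption.
"""
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    PASS = "Pass"
    INFO = "Info"
    WARNING = "Warning"
    CRITICAL = "Critical"


# Weights from the post. Relative to a Pass, a Critical costs four points:
# the three it could have earned plus the one it subtracts.
WEIGHTS = {Severity.PASS: 3, Severity.INFO: 1, Severity.WARNING: 0, Severity.CRITICAL: -1}
MAX_PER_FINDING = 3

# ASSUMPTION: the post does not publish the percentage-to-level cut-offs. These
# floors agree with every pairing it does show (25.0 -> 1, 41.7 -> 2, 61.5 and
# 66.7 -> 3, 78.9 and 82.3 -> 4, 95.0 -> 5) but may differ from WinSentinel's.
LEVEL_FLOORS = [(90.0, 5), (70.0, 4), (50.0, 3), (30.0, 2), (0.0, 1)]
LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimizing"}


@dataclass(frozen=True)
class Finding:
    title: str
    severity: Severity


def domain_score(findings):
    """Return (raw, clamped, max_possible). Raw may be negative; clamped is floored at 0."""
    raw = sum(WEIGHTS[f.severity] for f in findings)
    return raw, max(raw, 0), len(findings) * MAX_PER_FINDING


def domain_percentage(findings):
    """Clamped score as a percentage of the maximum, rounded to one decimal.
    An empty domain has no evidence either way and is reported as 0.0."""
    _, clamped, max_possible = domain_score(findings)
    return round(100.0 * clamped / max_possible, 1) if max_possible else 0.0


def maturity_level(pct):
    """Map a percentage to a 1-5 level using the assumed floors above."""
    for floor, level in LEVEL_FLOORS:
        if pct >= floor:
            return level
    return 1


def summarize(findings):
    """Everything the report line needs for one domain."""
    raw, clamped, max_possible = domain_score(findings)
    pct = domain_percentage(findings)
    level = maturity_level(pct)
    return {"raw": raw, "score": clamped, "max": max_possible, "pct": pct,
            "level": level, "name": LEVEL_NAMES[level]}


# Constructed sample 1: the Network Security example from the post.
NETWORK = [
    Finding("Firewall enabled", Severity.PASS),
    Finding("DNS over HTTPS", Severity.PASS),
    Finding("SMBv1 still active", Severity.WARNING),
    Finding("Open RDP port", Severity.CRITICAL),
]

# Constructed sample 2: ten passing checks and one critical hole.
TEN_PASS_ONE_CRITICAL = [Finding(f"Control {i}", Severity.PASS) for i in range(10)] + [
    Finding("Critical misconfiguration", Severity.CRITICAL)
]

# Constructed sample 3: a domain flooded with criticals. The raw sum goes
# negative (-5 + 3 = -2) and is clamped to 0, so the domain reads as Level 1.
FLOODED = [Finding(f"Check {i}", Severity.CRITICAL) for i in range(5)] + [
    Finding("Only pass", Severity.PASS)
]

if __name__ == "__main__":
    samples = (("Network Security", NETWORK),
               ("10 pass + 1 critical", TEN_PASS_ONE_CRITICAL),
               ("Flooded", FLOODED))
    for label, fs in samples:
        s = summarize(fs)
        print(f"{label}: raw {s['raw']}, score {s['score']}/{s['max']} = "
              f"{s['pct']}% -> Level {s['level']} ({s['name']})")
```

The Network Security sample reproduces the post's 5/12 = 41.7% → Level 2. The flooded sample is the case the clamp exists for: without it the domain would report a negative percentage, with it the domain bottoms out at zero and reads as Initial.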

From Scores to Grades: The Overall Assessment

Your overall security grade (A through F) isn't the average of your domain percentages. It's the average of your domain maturity levels, rounded to the nearest level, and the letter is read off that rounded level:

# Run a maturity assessment:
winsentinel --audit --maturity

# Output:
# ┌─────────────────────────────┬───────┬─────────┬──────────────┐
# │ Domain                      │ Level │ Score   │ Grade        │
# ├─────────────────────────────┼───────┼─────────┼──────────────┤
# │ Identity & Access           │   4   │  82.3%  │ Managed      │
# │ Network Security            │   3   │  61.5%  │ Defined      │
# │ Endpoint Protection         │   5   │  95.0%  │ Optimizing   │
# │ Data Protection             │   4   │  78.9%  │ Managed      │
# │ Patch & Config Management   │   2   │  41.7%  │ Repeatable   │
# │ System Hardening            │   3   │  66.7%  │ Defined      │
# │ Resilience & Recovery       │   1   │  25.0%  │ Initial      │
# └─────────────────────────────┴───────┴─────────┴──────────────┘
# Overall: Level 3.1 (Defined) — Grade C
# Top priorities:
#   1. Improve Resilience & Recovery (Level 1 – Initial)
#   2. Improve Patch & Config Management (Level 2 – Repeatable)

The grade mapping is straightforward: Optimizing = A, Managed = B, Defined = C, Repeatable = D, Initial = F. No curve, no fudging. If your average domain level is Defined, you get a C — meaning there's real room to improve.

Strengths, Gaps, and Targeted Recommendations

The maturity assessment doesn't just score you. It tells you exactly what's working and what isn't. For each domain, you get a list of strengths, a list of gaps, and targeted recommendations for closing them.

The recommendations are not generic. Each domain has its own improvement path based on its current maturity level. You won't see "enable BitLocker" as a recommendation for your Network Security domain — that advice appears in Data Protection, where it belongs.

Top Priorities: Where to Focus First

With seven domains to improve, where do you start? The assessment generates a prioritized list of your weakest domains — up to three top priorities, ordered from worst to best:

# Top priorities (from the assessment above):
# 1. Improve Resilience & Recovery (currently Level 1 – Initial)
#    → Configure automated backups and secure event log retention
# 2. Improve Patch & Config Management (currently Level 2 – Repeatable)
#    → Enable automatic updates and remove unauthorized software
#
# Only domains at Level 2 (Repeatable) or below appear in priorities.
# If all domains are Level 3+, the priorities list is empty — you're
# in good shape. Focus on maintaining and monitoring.
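Rolling per-domain levels up to an overall grade and a priority list, as an added Python example (not WinSentinel's code) covering both the grade section above and the priority rules in this section. The domain levels are the ones shown in the report table; the half-up rounding and the alphabetical tie-break among equal levels are assumptions, since the post only says "nearest level" and "worst to best".

```python
"""Overall grade and top priorities from per-domain maturity levels.

Added example, not WinSentinel's code. Input levels are the ones shown in the
post's report table; rounding mode and tie-break order are assumptions.
"""
import math

LEVEL_NAMES = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimizing"}
GRADES = {5: "A", 4: "B", 3: "C", 2: "D", 1: "F"}  # mapping stated in the post
PRIORITY_CEILING = 2   # only Repeatable or below is listed as a priority
MAX_PRIORITIES = 3     # the post says "up to three"

# Constructed input: the per-domain levels from the report table in the post.
REPORT_LEVELS = {
    "Identity & Access": 4,
    "Network Security": 3,
    "Endpoint Protection": 5,
    "Data Protection": 4,
    "Patch & Config Management": 2,
    "System Hardening": 3,
    "Resilience & Recovery": 1,
}


def overall_level(levels):
    """Mean of the domain levels and that mean rounded to the nearest whole level.

    ASSUMPTION: ties (x.5) round up; the post only says 'rounded to the nearest
    level'. math.floor(mean + 0.5) avoids Python's banker's rounding in round().
    """
    if not levels:
        raise ValueError("no domains assessed")
    mean = sum(levels.values()) / len(levels)
    rounded = int(math.floor(mean + 0.5))
    return mean, max(1, min(5, rounded))


def overall_grade(levels):
    """Mean level (one decimal), rounded level, its name and the letter grade."""
    mean, rounded = overall_level(levels)
    return {"mean": round(mean, 1), "level": rounded,
            "name": LEVEL_NAMES[rounded], "grade": GRADES[rounded]}


def top_priorities(levels):
    """Domains at PRIORITY_CEILING or below, worst first, at most MAX_PRIORITIES.

    ASSUMPTION: equal levels are ordered by domain name for a stable listing.
    """
    weak = [(d, lvl) for d, lvl in levels.items() if lvl <= PRIORITY_CEILING]
    weak.sort(key=lambda item: (item[1], item[0]))
    return weak[:MAX_PRIORITIES]


def report(levels):
    """Render the summary lines in the shape of the post's CLI output."""
    g = overall_grade(levels)
    lines = [f"Overall: Level {g['mean']} ({g['name']}) - Grade {g['grade']}"]
    prios = top_priorities(levels)
    if prios:
        lines.append("Top priorities:")
        for n, (domain, level) in enumerate(prios, 1):
            lines.append(f"  {n}. Improve {domain} (Level {level} - {LEVEL_NAMES[level]})")
    else:
        lines.append("Top priorities: none (all domains at Level 3 or above)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(REPORT_LEVELS)))
    # Constructed: every domain already Defined or better -> empty priority list.
    print("\n".join(report({d: max(lvl, 3) for d, lvl in REPORT_LEVELS.items()})))
```

With the table's levels the mean is 22/7 = 3.1, which rounds to Level 3 (Defined) and Grade C, and only the two domains at Level 2 or below make the list. Note that a mean of 3.5 rounds up to Level 4 under this rule, so a fleet that is half Defined and half Managed reads as a B.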

This is the "what to do Monday morning" list. Don't try to improve everything at once. Focus on moving your worst domain up one level at a time. Going from Level 1 to Level 2 in Resilience & Recovery is more impactful than going from Level 4 to Level 5 in Endpoint Protection.

Tracking Maturity Over Time

A single maturity assessment is a snapshot. The real value comes from tracking your maturity levels over weeks and months. WinSentinel stores every scan result locally, so you can watch your trajectory:

# Score history and trend:
winsentinel --score --trend

# Are you improving? Regressing? Flat-lining?
# The maturity model makes progress measurable:
#   Week 1: Overall Level 2.3 (Grade D)
#   Week 4: Overall Level 3.1 (Grade C)
#   Week 8: Overall Level 3.4 (Grade C, close to B)
#   Week 12: Overall Level 4.0 (Grade B)
#
# You went from Repeatable (D) to Managed (B) in 3 months.
# That's a story you can tell your CISO.

The maturity model gives you a language for security improvement that executives understand. "We moved from Level 2 to Level 4 in Identity & Access" is clearer than "we reduced critical findings by 73%." Both are true — the maturity framing communicates capability, not just bug counts.

What Good Maturity Looks Like

For most organizations, the realistic target is Level 4 (Managed) across all domains — Grade B. Here's what that looks like in practice:

Level 5 (Optimizing) is the aspirational target for security-sensitive environments — healthcare, finance, government. It requires near-zero warnings, proactive hardening ahead of new threat intelligence, and continuous automated verification of every control.

Getting Started

Run your first maturity assessment in 30 seconds:

# Install WinSentinel:
dotnet tool install --global WinSentinel.Cli

# Run a full audit with maturity assessment:
winsentinel --audit --maturity

# Your grade, domain scores, strengths, gaps, and
# prioritized recommendations — all in one report.

No cloud account needed. No agent to deploy. Everything runs locally using real Windows APIs. Your security data never leaves your machine.

For organizations managing multiple machines, WinSentinel Pro aggregates maturity assessments across your entire fleet — giving you a single dashboard view of which domains need the most attention across which machines.

Install WinSentinel and find out what grade your machine gets.