Turn policy, context, and behavior signals into a single confidence number. Compare scenarios, tune weights, and document decisions. Download reports, share results, and prioritize hardening work.
Rate each factor from 0 to 5. Optionally enable custom weights. Missing critical controls and risk signals reduce the final score.
Sample ratings and weights for a mid-maturity environment. Use it to sanity-check your own inputs before exporting results.
| Factor | Example rating (0–5) | Example weight | Example note |
|---|---|---|---|
| Identity assurance | 3 | 12 | SSO with solid recovery, some stale identities. |
| MFA strength | 4 | 14 | Strong MFA widely deployed; admin exceptions remain. |
| Device posture | 3 | 12 | Managed endpoints; patch SLAs vary by team. |
| Network context | 3 | 8 | Geo controls present; segmentation improving. |
| Conditional access | 3 | 10 | Baseline policies; limited risk-based step-up. |
| Least privilege | 2 | 8 | Overbroad roles; JIT elevation not consistent. |
| Session controls | 3 | 10 | Token lifetimes tuned; re-auth triggers partial. |
| Behavior analytics | 2 | 10 | Limited baselining; alerts need tuning. |
| Logging & monitoring | 3 | 8 | Central logs; gaps for SaaS integrations. |
| Response readiness | 3 | 8 | Playbooks exist; containment drills quarterly. |
This calculator builds a weighted base score, then subtracts penalties. Penalties come from missing critical controls and from risk signals (high-risk sign-in alerts, failed login rate, and stale account exposure).
In a zero trust program, access is granted when identity, device, and context meet a defined assurance bar. A single score (0–100) helps teams compare sessions, trend posture, and explain decisions to auditors. It supports continuous evaluation, so a user may be challenged again after context shifts. In this calculator, 85+ indicates Strong posture, 70–84 is Good, 50–69 is Moderate, and below 50 is Critical, prompting immediate hardening and tighter conditional access.
Collect measurable signals rather than opinions: MFA coverage, device compliance, user behavior baselines, privileged access controls, identity governance, and log coverage. Rate each factor from 0 to 5 using artifacts such as policy exports, IdP reports, EDR dashboards, and access review results. A “3” should represent a documented standard, not a best-case assumption. Include network zone, geolocation drift, and session age to reduce confidence in static controls.
Each factor has a weight that reflects business risk and blast radius. Ratings are normalized as rating/5, multiplied by their weights, and the weighted sum is divided by the total weight and scaled to 0–100 to produce the base score. When the weights sum to 100, as in the sample table, the weighted sum is the base score directly. For example, a factor weighted 12 with a rating of 4 contributes 12×(4/5)=9.6 points toward the weighted sum. Keeping weights stable makes month-to-month comparisons meaningful, while custom weights let you align with regulated systems or high-value apps.
Base posture can be strong, yet still risky when active threats or control gaps appear. Each missing critical control applies a fixed deduction, and dynamic risk signals apply bounded penalties. This model subtracts up to 10 points for each of: high‑risk sign-in alerts (0.25 per alert, with the alert count capped at 40), failed login rate (0.10 per percentage point), and stale account exposure (0.10 per percentage point).
Use score bands to automate responses: allow, require step‑up verification, restrict to managed devices, or block. When the score drops, inspect the breakdown to target the lowest normalized factors and the largest penalties first. Track improvements weekly for engineering teams and monthly for governance committees. Export CSV or PDF to document control changes, exceptions, and residual risk decisions for stakeholders.
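The scoring described above, worked through in code on the sample table: this is an added example, not the calculator's own implementation. It uses the page's normalization (rating/5, weighted, divided by total weight), the page's penalty rates and caps, and the page's score bands; the 5-point deduction per missing critical control, the band-to-action mapping, and the sample risk signals (8 alerts, 12% failed logins, 15% stale accounts, one missing control) are assumptions chosen for illustration.

```python
# Sample ratings and weights copied from the page's example table.
SAMPLE_FACTORS = {
    "Identity assurance": (3, 12),
    "MFA strength": (4, 14),
    "Device posture": (3, 12),
    "Network context": (3, 8),
    "Conditional access": (3, 10),
    "Least privilege": (2, 8),
    "Session controls": (3, 10),
    "Behavior analytics": (2, 10),
    "Logging & monitoring": (3, 8),
    "Response readiness": (3, 8),
}

# Penalty constants as stated on the page: 0.25 per high-risk sign-in alert
# (alert count capped at 40), 0.10 per percentage point of failed logins and
# of stale accounts; each signal is capped at 10 points.
ALERT_POINTS, ALERT_CAP = 0.25, 40
RATE_POINTS, SIGNAL_MAX = 0.10, 10.0
# The page says missing critical controls carry a fixed deduction but does
# not give the amount; 5 points per missing control is an assumption here.
CRITICAL_CONTROL_DEDUCTION = 5.0

# Assumed mapping from score band to automated response.
ACTIONS = {
    "Strong": "allow",
    "Good": "require step-up verification",
    "Moderate": "restrict to managed devices",
    "Critical": "block",
}


def base_score(factors):
    """Weighted average of rating/5, scaled to 0-100.

    Dividing by the total weight keeps the result on 0-100 even when custom
    weights do not sum to 100, so scores stay comparable across profiles.
    """
    for name, (rating, weight) in factors.items():
        if not 0 <= rating <= 5:
            raise ValueError(f"{name}: rating must be between 0 and 5")
        if weight < 0:
            raise ValueError(f"{name}: weight must be non-negative")
    total_weight = sum(w for _, w in factors.values())
    if total_weight == 0:
        raise ValueError("total weight must be positive")
    weighted_sum = sum(r * w for r, w in factors.values())
    return 100 * weighted_sum / (5 * total_weight)


def penalties(high_risk_alerts, failed_login_pct, stale_account_pct,
              missing_critical_controls):
    """Bounded deductions for live risk signals plus fixed control gaps."""
    return {
        "high-risk sign-in alerts": ALERT_POINTS * min(max(high_risk_alerts, 0), ALERT_CAP),
        "failed login rate": min(RATE_POINTS * max(failed_login_pct, 0), SIGNAL_MAX),
        "stale account exposure": min(RATE_POINTS * max(stale_account_pct, 0), SIGNAL_MAX),
        "missing critical controls": CRITICAL_CONTROL_DEDUCTION * len(missing_critical_controls),
    }


def band(score):
    """Score bands from the page: 85+ Strong, 70-84 Good, 50-69 Moderate, else Critical."""
    if score >= 85:
        return "Strong"
    if score >= 70:
        return "Good"
    if score >= 50:
        return "Moderate"
    return "Critical"


def evaluate(factors, high_risk_alerts=0, failed_login_pct=0.0,
             stale_account_pct=0.0, missing_critical_controls=()):
    """Return base and final scores plus the breakdown used to target fixes."""
    base = base_score(factors)
    pen = penalties(high_risk_alerts, failed_login_pct, stale_account_pct,
                    missing_critical_controls)
    final = max(0.0, min(100.0, base - sum(pen.values())))
    # Lowest normalized factors first: these are the controls to improve.
    weakest = sorted(((name, r / 5) for name, (r, _) in factors.items()),
                     key=lambda item: item[1])
    # Largest penalties first: these are the signals dragging the final score.
    largest = sorted(pen.items(), key=lambda item: item[1], reverse=True)
    result_band = band(final)
    return {
        "base": round(base, 2),
        "final": round(final, 2),
        "band": result_band,
        "action": ACTIONS[result_band],
        "weakest_factors": weakest[:3],
        "largest_penalties": largest,
    }


if __name__ == "__main__":
    # Constructed risk signals for the sample environment.
    report = evaluate(SAMPLE_FACTORS, high_risk_alerts=8, failed_login_pct=12,
                      stale_account_pct=15,
                      missing_critical_controls=("phishing-resistant MFA for admins",))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample table the base score is 59.2 (Moderate), but the constructed signals and one missing control pull the final score to 49.5, which falls in the Critical band. That gap between base and final is the point of the penalty model: steady controls look acceptable while live risk says block.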
Many teams require 70+ for standard apps and 85+ for privileged or sensitive systems. Treat targets as risk-based gates, then add step-up requirements when risk signals spike, even if the base posture remains strong.
Start with default weights, then increase weights for controls that reduce blast radius, like MFA strength, device compliance, and privileged access management. Keep the total weight stable so score trends remain comparable over time.
You can score a common enterprise posture, then apply stricter thresholds for higher‑tier applications. For regulated workloads, create an app-specific profile with custom weights and critical controls that mirror your compliance requirements.
The base score reflects steady controls, while the final score also subtracts penalties for missing critical controls and live risk signals. High‑risk sign-in alerts, high failed login rates, or stale accounts can quickly reduce confidence.
Recalculate after policy changes, major incidents, or identity-system migrations. For ongoing governance, monthly scoring is common, while high-risk environments may review weekly. Export results to create an audit trail of improvements.
Third parties and vendors can be scored with the same model. Rate them on identity proofing, MFA method, device posture, and monitoring visibility. Use conditional access, shorter session lifetimes, and stricter thresholds for vendors, especially when you cannot verify device compliance.
Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.