Zero Trust Maturity Calculator

Turn assessments into measurable zero trust progress today. Compare domains, visualize gaps, and plan investments. Build defensible maturity evidence with repeatable, consistent scoring reports.

Assessment inputs

Use 0–5 scoring per control, adjust weights, and submit.

Organization

Assessor

Assessment date

Target score (0–100)

Evidence quality (1–5)

Notes (optional)

Domain weights (0–40)

Identity & Access

Higher weight increases impact on overall score.

Device Security

Higher weight increases impact on overall score.

Network & Segmentation

Higher weight increases impact on overall score.

Applications & Workloads

Higher weight increases impact on overall score.

Data Protection

Higher weight increases impact on overall score.

Visibility & Analytics

Higher weight increases impact on overall score.

Governance & Automation

Higher weight increases impact on overall score.

Control scoring (0–5, or N/A)

Suggested interpretation: 0 not started, 1 ad hoc, 2 repeatable, 3 defined, 4 managed, 5 optimized.

Identity & Access

Answer all that apply. Mark N/A if out of scope.

Strong MFA for users, admins, and remote access

Privileged access management and just-in-time elevation

Conditional access using risk, device, and location signals

Joiner/mover/leaver automation and access reviews

Device Security

Answer all that apply. Mark N/A if out of scope.

Accurate inventory, ownership, and device posture checks

MDM/EDR coverage with policy enforcement and isolation

Patch SLAs, secure configuration baselines, and hardening

Disk encryption, secure boot, and credential protection

Network & Segmentation

Answer all that apply. Mark N/A if out of scope.

Micro-segmentation and least-privilege network paths

Modern access (ZTNA/SASE) replacing broad VPN access

DNS security, egress controls, and secure web gateways

Encryption in transit and certificate lifecycle management

Applications & Workloads

Answer all that apply. Mark N/A if out of scope.

SSO coverage and strong authentication for applications

Secure SDLC, code scanning, and dependency governance

Runtime protection, secrets management, and hardening

API security, service identity, and workload attestation

Data Protection

Answer all that apply. Mark N/A if out of scope.

Data classification and tagging for critical datasets

DLP policies for endpoints, cloud, and email channels

Key management, rotation, and encryption at rest

Resilient backups, immutability, and recovery testing

Visibility & Analytics

Answer all that apply. Mark N/A if out of scope.

Centralized logging with normalized security telemetry

Detection engineering, correlation, and threat hunting

Behavior analytics and anomaly-based detections

Maturity metrics, KRIs/KPIs, and continuous reporting

Governance & Automation

Answer all that apply. Mark N/A if out of scope.

Policies, standards, and exceptions with ownership

Risk-based prioritization and architecture reviews

Automation (SOAR) for common response workflows

Third-party access controls and supplier assurance

New assessment

Example data table

Use this sample to understand how weights and scores translate into maturity percentages.

Domain	Weight	Avg control score (0–5)	Domain percent
Identity & Access	20	3.5	70%
Device Security	15	3.0	60%
Network & Segmentation	15	2.5	50%
Data Protection	20	4.0	80%
Visibility & Analytics	10	2.0	40%

The overall score is the weighted average of domain percentages. Increasing a domain weight raises its influence on the final maturity score.

Formula used

1) Domain average score

domain_avg = (sum of answered control scores) / (number of answered controls)

2) Domain percent

domain_percent = (domain_avg / 5) × 100

3) Overall maturity (weighted)

overall = (Σ(domain_percent × domain_weight)) / (Σ(domain_weight))

N/A controls are excluded from the domain average. Evidence quality applies a confidence factor to show a conservative, adjusted score.

How to use this calculator

Enter organization, assessor, and an assessment date.
Set a target score that matches your roadmap horizon.
Adjust domain weights to reflect business risk and scope.
Score each control from 0 to 5, or mark N/A.
Submit to view maturity, priorities, and recommendations.
Use the export buttons to share results with stakeholders.

What the overall score represents

The overall maturity percent is a weighted view across domains. Each domain percent is computed from control scores between 0 and 5, then blended using your weights. If Identity is 70 percent and Data is 80 percent at equal weights, they influence the result equally over time. N A controls are excluded from averages to preserve scope.

Interpreting domain percent values

Domain percent converts an average control score into a simple scale. A domain average of 2 point 5 equals 50 percent, 3 point 0 equals 60 percent, and 4 point 0 equals 80 percent. Moving a domain from 2 to 3 adds 20 points and clarifies progress for stakeholders.

Using weights to reflect business risk

Weights let you model what good looks like for your environment. If account takeover is the main risk, increase Identity and Devices. If ransomware recovery is the concern, increase Data Protection and Visibility. A starting set is 20, 15, 15, 15, 20, 10, and 5, then adjust by 2 to 5 points. Higher weights should map to crown jewel systems.

Reading the priority index for planning

Priority is the gap to your target multiplied by the domain weight. This favors domains that are important and behind. If Network is 50 percent with weight 15 and your target is 80 percent, the gap is 30 and the priority index is 450. Governance at 40 percent and weight 5 yields priority 200. Use priorities to sequence work and justify funding.

Evidence quality and confidence adjusted scoring

Evidence quality reduces over scoring when proof is weak. The calculator applies a multiplier from about 0 point 76 at low evidence to 1 point 00 at high evidence. If your overall score is 68 percent with evidence level 3, an approximate 0 point 88 factor yields about 60 percent adjusted. Improve evidence with configs, tests, and detection metrics.

Roadmap cadence and measurement targets

Reassess quarterly and keep scope consistent so trend lines stay reliable. Set a near term target, for example 75 to 85 percent, tied to initiatives like MFA rollout, segmentation, or DLP tuning. Export CSV for tracking, and export PDF for leadership and audits. Store exports to compare quarter over quarter movement.

FAQs

How do I choose domain weights?

Start with the defaults, then shift weight toward domains tied to your highest impact risks and crown jewel systems. Keep the total weight consistent, and document why each adjustment was made.

What happens when I mark a control as N/A?

N/A removes that control from the domain average, so out of scope items do not lower your percent. Use N/A sparingly and record the scope decision in notes.

How often should we run the assessment?

Quarterly works well for most programs. Run it after major control changes too, such as MFA rollout, segmentation projects, or new logging pipelines, so score movement reflects real outcomes.

Can this calculator support multiple teams or business units?

Yes. Run separate assessments per team or unit, using the same weights and scope rules. Export CSV files and trend results side by side to highlight where investment or standards are needed.

Why include evidence quality at all?

Scores without evidence can be optimistic. Evidence quality applies a conservative adjustment that rewards tested and documented controls. It helps align security reporting with audit expectations and reduces surprises during reviews.

What are quick wins that usually raise scores?

Improve identity controls first: phishing resistant MFA, stronger admin governance, and conditional access. Next, raise visibility with centralized logs and tuned detections. Finally, harden endpoints and backups to reduce ransomware impact.

Related Calculators

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.