| Domain | Practice | Example Score | Illustrative Observation |
|---|---|---|---|
| Governance | Strategy and Metrics | 2.50 | Metrics exist for coverage, MTTR, and review gates; board narrative could be tighter. |
| Governance | Compliance and Policy | 2.30 | Policies are defined and periodically reviewed; evidence automation is partial. |
| Governance | Training | 2.00 | Champions network exists but role-based depth varies by org. |
| Intelligence | Attack Models | 2.10 | Threat models exist for crown jewels; adversary simulation is selective. |
| Intelligence | Security Features & Design | 2.20 | Reusable authn/authz and logging patterns exist, but crypto guidance needs consolidation. |
| Intelligence | Standards and Requirements | 2.40 | Standards are well documented; enforcement is stronger in modern platforms than legacy. |
| SSDL Touchpoints | Architecture Analysis | 2.00 | Architecture review is effective when triggered, but not all changes are routed through it. |
| SSDL Touchpoints | Code Review | 2.50 | Strong review practice with scoped security heuristics and diff-based triage. |
| SSDL Touchpoints | Security Testing | 2.30 | Tooling is good; manual abuse-case testing is still capacity constrained. |
| Deployment | Penetration Testing | 1.90 | Targeted testing exists for major launches; cadence is below ambition. |
| Deployment | Software Environment | 2.40 | Cloud guardrails and runner controls are solid; ephemeral environments need more coverage. |
| Deployment | Configuration Management & Vulnerability Management | 2.20 | Inventory and SLA tracking are in place; exception debt remains visible. |