Capability Posture
Capability Posture gives you a KSI-aligned view of how well your organisation has implemented security across 11 pre-defined capability themes. Where the Dashboard shows aggregate compliance metrics, Capability Posture breaks implementation down by strategic security domain — so you can identify exactly which areas need attention and how they relate to one another.
Every theme is scored on four independent axes — Implementation Coverage, Maturity, Evidence Coverage, and Evidence Quality — plus an optional composite KSI Posture Score (KPS). Each axis is meaningful on its own, defensible to an auditor, and reported alongside a Strong / Moderate / Developing band so executives can read the status at a glance.
Accessing Capability Posture
Navigate to Analytics in the sidebar (under the Overview section). The feature is available to all users with access to your organisation.
The theme grid
The main view presents all 11 capability themes as a grid of cards. Each card gives you an at-a-glance summary for that theme.
Card anatomy
Each theme card surfaces:
| Element | Description |
|---|---|
| Theme icon + name | Identifies the capability theme |
| KSI badge | Tags the card with its Key Security Indicator alignment |
| Four axis bands | Strong / Moderate / Developing indicators for IC, M, EC and EQ |
| KPS band | The composite headline band for the theme |
| Maturity badge | Aggregate maturity from L0 to L5 across implemented controls |
| Status bar | Visual distribution of the 8 implementation statuses |
| Control count | “X of Y controls” — scoped vs. total in the theme |
| At Risk badge | Appears when one or more controls have an At Risk status |
Click any card to open the detail view for that theme.
How posture is scored
The scoring model at a glance
The scope gate
Only controls that are explicitly in scope contribute to any axis. A control enters scope when its selected flag is true during scoping (Gap Analysis or import). Anything else — never-scoped controls, or controls marked out-of-scope — is ignored entirely: it does not sit in the numerator or the denominator.
Inside scope, Not Applicable controls are excluded from the denominator of IC and EC. This matters: marking a control N/A is not the same as leaving it unimplemented. N/A says the control is genuinely irrelevant to your environment, so removing it from the denominator prevents a standing bias where unreachable work drags your score down forever.
| Status | In IC / EC denominator? | In IC numerator (partial credit)? |
|---|---|---|
| Out of scope | No | No |
| Monitored | Yes | 1.0 |
| Implemented | Yes | 1.0 |
| Ready for Review | Yes | 0.5 |
| In Progress | Yes | 0.25 |
| Not Started | Yes | 0.0 |
| At Risk | Yes | 0.0 |
| Deferred | Yes | 0.0 |
| Not Applicable | No — excluded from denominator | N/A |
① Implementation Coverage (IC)
Implementation Coverage answers: of the controls we said we would implement, how many have we actually implemented?
IC = (Monitored + Implemented + 0.5·Ready-for-Review + 0.25·In-Progress) ÷ (Scoped − Not Applicable)
The formula awards partial credit so progress is visible before every control reaches “Implemented”:
- Monitored and Implemented controls count in full (weight 1.0).
- Ready for Review counts at half weight (0.5) — the work is done and awaiting sign-off, but it is not yet certified.
- In Progress counts at quarter weight (0.25) — meaningful effort has started, but the control is not close to operational.
- Not Started, At Risk and Deferred contribute zero to the numerator. They still sit in the denominator (unless also marked N/A).
IC is reported on a scale of 0.0 to 1.0 (0% to 100%).
② Maturity (M)
Maturity answers: of the controls we have implemented, how mature are the underlying processes?
M = average(maturity_level) over in-scope controls where status is Implemented or Monitored and maturity is set
Maturity is scored on the CMMI-style ladder the platform uses across the product:
| Level | Label | Description |
|---|---|---|
| L0 | Not Assessed | No maturity assessment performed |
| L1 | Initial | Ad-hoc processes with no formal procedures |
| L2 | Developing | Basic procedures exist but are inconsistently applied |
| L3 | Defined | Processes are documented and standardised |
| L4 | Managed | Processes are measured, monitored and managed |
| L5 | Optimised | Continuous improvement is embedded; metrics drive decisions |
Two rules protect this axis from misleading values:
- Restricted to implemented or monitored controls. A control that is Not Started has no observable maturity — including it would be guesswork. Only Implemented and Monitored controls contribute to the average.
- Small-sample guard — n < 3 returns null. If a theme has fewer than three controls eligible for maturity averaging, the axis reports null (shown as “Developing / insufficient data”). This prevents an honest L4 score on a single control from looking like theme-wide excellence.
③ Evidence Coverage (EC)
Evidence Coverage answers: of the controls in scope, how many have any evidence at all attached?
EC = distinct in-scope controls with ≥ 1 evidence file ÷ (Scoped − Not Applicable)
EC is deliberately a breadth metric, not a quality metric. A single evidence file of any type satisfies the numerator: the question is coverage, not depth. Depth lives on the EQ axis.
EC uses the same denominator as IC (in-scope minus N/A), so the two are directly comparable. A common and healthy pattern is IC > EC: controls have been marked implemented but the associated artefacts have not been uploaded yet. Seeing the gap is exactly why the axis is reported separately.
④ Evidence Quality (EQ)
Evidence Quality answers: of the evidence files we have, how strong are they?
EQ = ((1.0·sufficient + 0.5·partial + 0.0·insufficient) ÷ total_assessed) × (average_relevance ÷ 100)
This is the AI-assessed quality signal. Each uploaded evidence file is reviewed by the assessment pipeline and assigned:
- Sufficient (weight 1.0) — the file fully evidences the control.
- Partial (weight 0.5) — the file partially evidences the control, typically missing a dimension (time range, scope, or artefact type).
- Insufficient (weight 0.0) — the file does not meaningfully evidence the control.
Files that are still Pending or Unassessed are excluded from the denominator — they are unknowns, not failures. The relevance_score (0–100) from the same assessment scales the quality fraction so a high-quality but weakly relevant file does not masquerade as strong coverage. A null relevance_score is treated as a neutral 0.5 (50%) rather than zero, so the absence of a relevance signal never zeroes out an otherwise strong EQ.
Unassessed coverage warning. If more than 30% of a theme’s evidence files are still pending or unassessed, the EQ axis is flagged with a low_ai_coverage warning in the UI. The axis still reports a value (from the assessed subset), but you are told the denominator is narrow. This matters for audit defence: an EQ of 0.82 means something different when it is over 5 files out of 50 versus 50 files out of 50.
Band thresholds
Each axis is categorised into three plain-English bands. Bands are the only thing shown on public surfaces (see Trust Portal projection below) and are used in most dashboard summaries.
| Axis | Strong | Moderate | Developing |
|---|---|---|---|
| Implementation Coverage (IC) | ≥ 0.75 | 0.40 – 0.74 | < 0.40 |
| Maturity (M) | ≥ 3.0 (L3+) | 2.0 – 2.9 | < 2.0 or null |
| Evidence Coverage (EC) | ≥ 0.70 | 0.35 – 0.69 | < 0.35 |
| Evidence Quality (EQ) | ≥ 0.70 | 0.40 – 0.69 | < 0.40 or null |
| KSI Posture Score (KPS) | ≥ 0.70 | 0.40 – 0.69 | < 0.40 |
Null axes fall into Developing by convention — an axis that cannot be calculated is treated the same as a weak one, because a missing number should not look like a strong one.
The composite KPS
The KSI Posture Score (KPS) is a single-number roll-up of the four axes. Use it when you need one headline number for an executive slide; fall back on the axes whenever someone asks why.
KPS = 0.35·IC + 0.20·(M ÷ 5) + 0.20·EC + 0.25·EQ
The default weights emphasise Implementation Coverage (35%), followed by Evidence Quality (25%), Evidence Coverage (20%) and Maturity (20%). Maturity is normalised from its 0–5 scale to 0–1 by dividing by 5 before weighting. Weights are organisation-tunable — a regulated customer might raise EQ to reflect the primacy of documentary evidence; a start-up might raise IC during early rollouts.
Null-axis redistribution. If one or more axes are null (for example, no evidence yet → EQ is null), the composite still computes: the weights of populated axes are scaled up proportionally so the weight base always sums to 1.0. A KPS based on three axes with the remaining weight redistributed is legitimately comparable to a KPS based on four — it just tells you one of the inputs was unobservable.
Defensibility — show the numbers
The most useful audit pattern is the “formula with numbers plugged in” tooltip. Hover over any axis score in the UI and you will see the exact calculation — no opaque aggregations. This is the pattern to practise in every audit conversation: when asked how did you get 0.69?, reproduce the formula with your inputs and read the answer off.
Worked example — “Identity & Access” theme
Assume the theme has:
- 20 scoped controls (selected = true)
- 2 marked Not Applicable
- Of the remaining 18: 6 Monitored, 4 Implemented, 4 Ready for Review, 2 In Progress, 2 Not Started
- 10 of those 18 controls have an Implemented or Monitored status and a maturity level set; their maturity values are 3, 4, 3, 2, 3, 4, 3, 3, 2, 3
- 12 of the 18 controls have at least one evidence file attached
- The evidence pipeline has assessed 14 files with outcomes: 8 sufficient, 4 partial, 2 insufficient, average relevance score of 80
Implementation Coverage
IC = (6 + 4 + 0.5·4 + 0.25·2) ÷ (20 − 2)
IC = (6 + 4 + 2 + 0.5) ÷ 18
IC = 12.5 ÷ 18
IC = 0.69 → Moderate
Maturity
n = 10 (≥ 3 ✓, sample-size guard passes)
Σ(maturity) = 3+4+3+2+3+4+3+3+2+3 = 30
M = 30 ÷ 10
M = 3.0 → Strong
Evidence Coverage
EC = 12 ÷ (20 − 2)
EC = 0.67 → Moderate
Evidence Quality
total_assessed = 8 + 4 + 2 = 14
quality_fraction = (1.0·8 + 0.5·4 + 0.0·2) ÷ 14 = 10 ÷ 14 = 0.714
relevance_factor = 80 ÷ 100 = 0.80
EQ = 0.714 × 0.80
EQ = 0.57 → Moderate
KPS (all four axes populated)
KPS = 0.35·0.69 + 0.20·(3.0 ÷ 5) + 0.20·0.67 + 0.25·0.57
KPS = 0.242 + 0.120 + 0.134 + 0.143
KPS = 0.64 → Moderate
KPS (one axis null — EQ missing)
Suppose there are no assessed evidence files yet, so EQ is null.
Populated weights: IC 0.35, M 0.20, EC 0.20 — sum 0.75
Scaled: 0.35 ÷ 0.75 = 0.467, 0.20 ÷ 0.75 = 0.267, 0.20 ÷ 0.75 = 0.267
KPS = 0.467·0.69 + 0.267·0.60 + 0.267·0.67
KPS = 0.66 → Moderate
Write this pattern into any audit narrative you produce. The defensibility of these numbers is not that they are opaque — it is that they are reproducible.
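The scoring rules above (scope gate, the four axes, band thresholds, and KPS with null-axis redistribution) are small enough to reproduce end to end, which is the cheapest way to check a tooltip figure before an audit conversation. The following is an added example written for this page, not the platform's own code: it implements the formulas as stated and replays the “Identity & Access” worked example, including the EQ-null variant and the small-sample guard. The control and evidence records are constructed here, and their field names (status, selected, maturity, evidence, outcome, relevance) are assumptions rather than the platform's schema.

```python
"""Capability Posture scoring model, reconstructed from the formulas on this page.
Added example, not the platform's own code. Control/evidence records are constructed
and their field names are assumptions, not the platform's schema."""
from dataclasses import dataclass, field
from typing import Optional

# Partial-credit weights for the IC numerator (scope-gate table).
IC_WEIGHTS = {"Monitored": 1.0, "Implemented": 1.0, "Ready for Review": 0.5,
              "In Progress": 0.25, "Not Started": 0.0, "At Risk": 0.0, "Deferred": 0.0}
EQ_WEIGHTS = {"sufficient": 1.0, "partial": 0.5, "insufficient": 0.0}
DEFAULT_KPS_WEIGHTS = {"IC": 0.35, "M": 0.20, "EC": 0.20, "EQ": 0.25}
# axis -> (Strong at or above, Moderate at or above); below that, or null, is Developing
BAND_THRESHOLDS = {"IC": (0.75, 0.40), "M": (3.0, 2.0), "EC": (0.70, 0.35),
                   "EQ": (0.70, 0.40), "KPS": (0.70, 0.40)}
MATURITY_MIN_SAMPLE = 3       # small-sample guard: n < 3 returns null
UNASSESSED_WARN_RATIO = 0.30  # more than 30% pending/unassessed -> low_ai_coverage

@dataclass
class Evidence:
    outcome: Optional[str]           # "sufficient" | "partial" | "insufficient" | None (pending/unassessed)
    relevance: Optional[int] = None  # 0-100 from the assessment; None is treated as neutral 50

@dataclass
class Control:
    status: str
    selected: bool = True            # the scope gate: only selected controls count at all
    maturity: Optional[int] = None   # L0..L5, None when no level is set
    evidence: list = field(default_factory=list)

def band(axis: str, value: Optional[float]) -> str:
    """Map an axis value to Strong / Moderate / Developing; null falls into Developing."""
    strong, moderate = BAND_THRESHOLDS[axis]
    if value is None or value < moderate:
        return "Developing"
    return "Strong" if value >= strong else "Moderate"

def score_theme(controls, kps_weights=DEFAULT_KPS_WEIGHTS):
    """Score one theme. Axis values are None when null; KPS redistributes missing weight."""
    scoped = [c for c in controls if c.selected]
    denom = [c for c in scoped if c.status != "Not Applicable"]  # N/A leaves the IC/EC denominator
    ic = sum(IC_WEIGHTS[c.status] for c in denom) / len(denom) if denom else None
    # Maturity: only Implemented/Monitored controls with a level set, and at least 3 of them.
    levels = [c.maturity for c in scoped
              if c.status in ("Implemented", "Monitored") and c.maturity is not None]
    m = sum(levels) / len(levels) if len(levels) >= MATURITY_MIN_SAMPLE else None
    # Evidence Coverage is breadth only: any single file satisfies the numerator.
    ec = sum(1 for c in denom if c.evidence) / len(denom) if denom else None
    # Evidence Quality: pending/unassessed files are unknowns, excluded from the denominator.
    files = [e for c in scoped for e in c.evidence]
    assessed = [e for e in files if e.outcome is not None]
    warnings = []
    if files and (len(files) - len(assessed)) / len(files) > UNASSESSED_WARN_RATIO:
        warnings.append("low_ai_coverage")
    if assessed:
        quality = sum(EQ_WEIGHTS[e.outcome] for e in assessed) / len(assessed)
        relevance = sum(0.5 if e.relevance is None else e.relevance / 100
                        for e in assessed) / len(assessed)
        eq = quality * relevance
    else:
        eq = None
    axes = {"IC": ic, "M": m, "EC": ec, "EQ": eq}
    # KPS: normalise M to 0-1, drop null axes, rescale the remaining weights to sum to 1.0.
    normalised = {"IC": ic, "M": None if m is None else m / 5, "EC": ec, "EQ": eq}
    populated = {k: v for k, v in normalised.items() if v is not None}
    weight_base = sum(kps_weights[k] for k in populated)
    kps = (sum(kps_weights[k] * v for k, v in populated.items()) / weight_base
           if populated else None)
    return {"axes": axes, "bands": {k: band(k, v) for k, v in axes.items()},
            "kps": kps, "kps_band": band("KPS", kps), "warnings": warnings}

def identity_access_theme(assessed: bool = True):
    """Constructed data matching the worked example; assessed=False models the EQ-null case."""
    statuses = (["Monitored"] * 6 + ["Implemented"] * 4 + ["Ready for Review"] * 4
                + ["In Progress"] * 2 + ["Not Started"] * 2 + ["Not Applicable"] * 2)
    controls = [Control(status=s) for s in statuses]
    for c, level in zip(controls[:10], [3, 4, 3, 2, 3, 4, 3, 3, 2, 3]):
        c.maturity = level                      # the 10 Implemented/Monitored controls
    outcomes = ["sufficient"] * 8 + ["partial"] * 4 + ["insufficient"] * 2
    files = [Evidence(o if assessed else None, relevance=80) for o in outcomes]
    for c, f in zip(controls[:12], files):      # 12 of the 18 denominator controls hold evidence
        c.evidence.append(f)
    controls[0].evidence.append(files[12])      # two controls carry a second file (14 files total)
    controls[1].evidence.append(files[13])
    return controls

if __name__ == "__main__":
    for label, data in (("all axes", identity_access_theme()),
                        ("EQ null", identity_access_theme(assessed=False))):
        r = score_theme(data)
        print(label, {k: None if v is None else round(v, 2) for k, v in r["axes"].items()},
              "KPS", round(r["kps"], 2), r["kps_band"], r["warnings"])
```

Running it prints IC 0.69, M 3.0, EC 0.67, EQ 0.57 and KPS 0.64 for the full case, and KPS 0.66 with a low_ai_coverage warning when every file is still unassessed. The design choice worth noting is that every axis is allowed to be null and the band function turns null into Developing, so an uncomputable axis can never read as a strong one; the KPS then rescales only the populated weights rather than silently treating the missing axis as zero.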
Implementation statuses — reference
Every scoped control within a theme carries one of eight implementation statuses:
| Status | Meaning |
|---|---|
| Monitored | Control is implemented and actively monitored for compliance |
| Implemented | Control is fully implemented and operational |
| Ready for Review | Implementation is complete and awaiting formal review |
| In Progress | Implementation is actively underway |
| Not Started | Control has been scoped but no implementation work has begun |
| At Risk | Implementation is behind schedule or has identified issues |
| Not Applicable | Control does not apply to your organisation’s environment |
| Deferred | Implementation has been intentionally postponed |
Only Monitored and Implemented contribute in full to Implementation Coverage; Ready for Review and In Progress contribute partial credit. The other statuses do not contribute.
Exploring a capability theme
Click any theme card to open the detail view for that theme.
Key stats panel
The top of the detail view displays a summary panel:
| Stat | Description |
|---|---|
| Scoped | Total controls scoped to this theme |
| Total | All controls available in this theme (scoped and out-of-scope) |
| IC / M / EC / EQ | The four posture axes for this theme, with band and numeric value |
| KPS | The composite headline score |
Status distribution
Below the stats panel, a breakdown shows how your controls are distributed across the 8 implementation statuses. This helps you understand the composition of your current posture — for example, whether a Moderate IC is driven by many “In Progress” controls (nearing completion) or many “Not Started” controls (work yet to begin).
Controls table
The detail view includes a paginated table of every scoped control in the theme:
| Column | Description |
|---|---|
| Name | Full control name |
| Domain | The control domain it belongs to |
| Status | Current implementation status |
| Maturity | Current maturity level |
| Relevance | How central this control is to the capability theme |
| Evidence | Count of evidence files attached |
Pagination: The table defaults to 50 controls per page. You can increase this to a maximum of 200 controls per page using the page-size selector.
Trust Portal projection
Public-facing surfaces — the Trust Portal, shared PDF exports, and any anonymous viewer link — expose bands only. They do not show raw numeric scores, and they do not expose control-level identifiers or framework internals.
| On the platform (authenticated users) | On the Trust Portal (public) |
|---|---|
| IC = 0.69 (Moderate) | Implementation Coverage: Moderate |
| M = 3.0 (Strong) | Maturity: Strong |
| EC = 0.67 (Moderate) | Evidence Coverage: Moderate |
| EQ = 0.57 (Moderate) | Evidence Quality: Moderate |
| KPS = 0.64 (Moderate) | Overall posture: Moderate |
| Control identifiers, per-control status, maturity per control, evidence filenames | None of these are exposed |
This projection is intentional: it communicates trustworthy status to a buyer or auditor without turning public pages into a map for attackers or a competitor intelligence feed.
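The safest way to build a projection like this is as an allow-list: construct the public document from scratch with only the theme name and one band string per axis, and never copy fields out of the internal view. The following added example (not the platform's code) does that and adds a release check that fails if any raw score, control identifier or evidence filename appears in the public output. The internal view is constructed here from the worked example's numbers; the control ids and filenames in it are made up for the example, and all field names are assumptions.

```python
"""Trust Portal projection: bands only, no raw scores, no control-level identifiers.
Added example, not the platform's own code. The internal view below is constructed
(worked-example scores plus made-up control records); field names are assumptions."""
import json

BAND_THRESHOLDS = {"IC": (0.75, 0.40), "M": (3.0, 2.0), "EC": (0.70, 0.35),
                   "EQ": (0.70, 0.40), "KPS": (0.70, 0.40)}
PUBLIC_LABELS = {"IC": "Implementation Coverage", "M": "Maturity",
                 "EC": "Evidence Coverage", "EQ": "Evidence Quality", "KPS": "Overall posture"}

def band(axis, value):
    """Strong / Moderate / Developing per the band-threshold table; null is Developing."""
    strong, moderate = BAND_THRESHOLDS[axis]
    if value is None or value < moderate:
        return "Developing"
    return "Strong" if value >= strong else "Moderate"

def project_for_trust_portal(theme_view):
    """Allow-list projection: take the theme name and derive one band string per axis.
    Nothing else from the internal view (controls, evidence, numbers) is copied."""
    return {"theme": theme_view["theme"],
            **{PUBLIC_LABELS[axis]: band(axis, theme_view["scores"][axis])
               for axis in PUBLIC_LABELS}}

def leaks_internals(public, theme_view):
    """Release check: True if the public document carries any raw score,
    control identifier or evidence filename from the internal view."""
    blob = json.dumps(public)
    raw_scores = [f"{v:.2f}" for v in theme_view["scores"].values() if v is not None]
    control_ids = [c["id"] for c in theme_view["controls"]]
    filenames = [f for c in theme_view["controls"] for f in c["evidence"]]
    return any(s in blob for s in raw_scores + control_ids + filenames)

# Constructed authenticated view; the control ids and filenames are invented for this example.
INTERNAL_VIEW = {
    "theme": "Identity & Access",
    "scores": {"IC": 0.69, "M": 3.0, "EC": 0.67, "EQ": 0.57, "KPS": 0.64},
    "controls": [
        {"id": "IA-01", "status": "Monitored", "maturity": 3, "evidence": ["mfa-policy-export.pdf"]},
        {"id": "IA-02", "status": "In Progress", "maturity": None, "evidence": []},
    ],
}

if __name__ == "__main__":
    public = project_for_trust_portal(INTERNAL_VIEW)
    print(json.dumps(public, indent=2), "leaks:", leaks_internals(public, INTERNAL_VIEW))
```

The leak check is deliberately run against the serialised public document rather than against specific fields, so it also catches an identifier that was smuggled into a free-text field such as a theme description; it is a cheap guard to keep in the export pipeline's tests whenever the projection code changes.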
Why does my Maturity axis say “Developing” when all my controls are L3?
The small-sample guard returns null (shown as Developing) when fewer than three controls in the theme are Implemented or Monitored and have a maturity level set. Raise that count to three or more and the axis will populate. The guard prevents a single L5 control from implying theme-wide excellence.
Why does EC show higher than IC?
It usually means evidence was uploaded before the implementation status was updated — for example, the team pulled a configuration export from production (evidencing the control in practice) but never flipped the control from “In Progress” to “Implemented” in the platform. Walk the scoped controls in the theme and update statuses; IC will catch up.
Can we tune the KPS weights to suit our business?
Yes. The default weights (0.35 / 0.20 / 0.20 / 0.25) are a balanced starting point. Regulated sectors often raise EQ; product-led teams often raise IC. Any change to weights is audit-logged alongside the value it produced, so you can always justify a historical KPS against the weights that generated it.
Best practices
- Review Capability Posture weekly during active compliance programs to track momentum.
- Use the theme grid as a prioritisation tool — address themes with multiple Developing axes before themes with just one.
- Pair IC with EC — a Strong IC against a Developing EC is the single most common audit-finding risk. Upload evidence as work completes, not after.
- Cross-reference with Risk Management — high-risk items with low capability posture represent compounded exposure.
- Brief executives using the KPS headline band — fall back on the per-axis bands when someone asks why.
Related guides
- Evidence Health — Freshness of evidence files, which feeds EC and EQ
- Evidence Collection — How evidence is attached to controls
- Dashboard Overview — Aggregate posture across all themes
- Core Features — Control scoping, implementation statuses and maturity management
- Risk Management — Link capability gaps to your risk register
- AI Integration (MCP) — Query capability posture data via AI assistants