SOC Maturity Benchmarking Platform

Know exactly where
your SOC stands.

Replace spreadsheets and expensive consultants with a continuous, data-driven SOC maturity platform. Benchmark against real peers. Track improvement over time.

392 assessment questions
15 capability domains
4 industry frameworks
NIST CSF 2.0
ISO 27001:2022
MITRE ATT&CK v14
SOC-CMM 2024
Financial Services
Healthcare
Government
Retail
The Platform

Everything your SOC
team needs.

Assessment Engine

10 capability domains.
119 scored questions.

Part A covers every dimension of SOC maturity, from strategy and governance through detection engineering, incident response, threat intelligence and continuous improvement. Each question is scored 0 to 5 and carries an importance weight, so a weak answer on a critical control costs more than the same answer on a minor one.

Illustrative domain scores: Strategy 3.8 · Detection 2.9 · Response 4.1
Benchmarking

See how you compare.

Anonymised peer benchmarking across sectors. Know your percentile — not just your score.

Illustrative benchmark: Your SOC 2.8 · Sector avg 3.2 · Top quartile 4.2 · Finance avg 3.5
Confidence Scoring

Trust your score.

Confidence bands tell you how reliable the result is before you present it to the board.

Illustrative confidence score: 0.87 (High). Weighting: Completion 40% · Evidence 40% · Assessor 20%
SOC-CMM 2024 Advanced

Part B: operational depth.

Beyond capability scoring, the platform includes the full SOC-CMM 2024 Advanced question bank — 273 Yes/No questions across 5 operational domains with importance weighting. The most comprehensive SOC assessment available, delivered as a SaaS workflow instead of a spreadsheet.

Business (44 questions)
People (58 questions)
Process (38 questions)
Technology (32 questions)
Services (101 questions)
Access Control

8 roles.
Right data, right people.

Every role sees exactly what they need — and nothing more.

Platform Admin
Org Admin
Assessor
Executive
Stakeholder
Architecture

Built for multi-tenant SaaS from day one.

Tenant isolation is enforced on every database query, not only in the UI. Run it self-hosted on your own infrastructure or as managed cloud. Open-source components throughout, so there is no vendor lock-in. Keycloak SSO using the OAuth2 authorization code flow with PKCE, role-based access control and MFA. Prometheus, Grafana and Loki observability built in.

Next.js 14 · .NET 8 API · PostgreSQL 16 · Keycloak 24 · Docker · Grafana
Maturity Model

Five levels.
One number you can act on.

Domain scores aggregate from weighted question responses. The overall SOC score is the mean of the domain scores weighted by each domain's confidence score, so a domain answered thinly or without evidence counts for less.

0-1 Initial: No formal capability. Reactive, individual-dependent. No documentation.
1-2 Developing: Capability being built. Partially implemented. Inconsistently applied.
2-3 Defined: Formal documented capability. Consistently applied. Reviewed periodically.
3-4 Managed: Measured and managed. Metrics tracked. Continuously improving over time.
4-5 Optimised: Continuously improved. Industry-leading. Proactive and predictive posture.
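The scoring pipeline that the Assessment Engine, Confidence Scoring and Maturity Model sections describe, as an added worked example in Python (not the platform's own .NET code). It assumes: a domain score is the weight-normalised mean of the answered questions; confidence is 0.4 × completion + 0.4 × evidence + 0.2 × an assessor factor supplied as a 0 to 1 value per domain; confidence bands of High at 0.8 and above and Medium at 0.5 and above (the page shows 0.87 as High but gives no thresholds); and maturity bands that include their lower bound, so 3.0 is Managed and exactly 5.0 is Optimised. The sample answers and the assessor factors are constructed.

```python
# Added example: a minimal implementation of the scoring pipeline described on
# this page (weighted 0-5 question scores -> domain score -> confidence score
# -> confidence-weighted overall mean -> maturity level). It is not the
# platform's own code. Assumptions are marked as such in the comments.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Answer:
    domain: str
    score: Optional[int]    # 0-5, or None while the question is unanswered
    weight: float           # importance weight (assumed positive)
    has_evidence: bool      # URL or upload attached to the answer


@dataclass(frozen=True)
class DomainResult:
    domain: str
    score: float
    confidence: float
    confidence_band: str
    level: str


# Five maturity levels from the page; assumption: lower bound inclusive,
# upper bound exclusive, so 3.0 is Managed and exactly 5.0 is Optimised.
BANDS = [(0, 1, "Initial"), (1, 2, "Developing"), (2, 3, "Defined"),
         (3, 4, "Managed"), (4, 5, "Optimised")]


def maturity_level(score: float) -> str:
    if not 0 <= score <= 5:
        raise ValueError(f"score out of range: {score}")
    for low, high, name in BANDS:
        if low <= score < high:
            return name
    return "Optimised"  # score == 5.0


def confidence_band(confidence: float) -> str:
    # Assumption: the page shows 0.87 as "High" but gives no thresholds.
    if confidence >= 0.8:
        return "High"
    if confidence >= 0.5:
        return "Medium"
    return "Low"


def score_domain(domain: str, answers: list[Answer], assessor_factor: float) -> DomainResult:
    """Weight-normalised mean of answered questions plus a confidence score.

    assessor_factor is an assumed 0-1 input for the 20% "Assessor" component
    (for instance 1.0 for an independent assessor, 0.5 for a self-assessment).
    """
    mine = [a for a in answers if a.domain == domain]
    if not mine:
        raise ValueError(f"no questions for domain {domain!r}")
    if any(a.weight <= 0 for a in mine) or not 0 <= assessor_factor <= 1:
        raise ValueError("weights must be positive and assessor_factor in [0, 1]")
    answered = [a for a in mine if a.score is not None]
    if any(not 0 <= a.score <= 5 for a in answered):
        raise ValueError("question scores must be 0-5")

    total_weight = sum(a.weight for a in answered)
    score = sum(a.score * a.weight for a in answered) / total_weight if total_weight else 0.0

    completion = len(answered) / len(mine)                                              # 40%
    evidence = sum(a.has_evidence for a in answered) / len(answered) if answered else 0.0  # 40%
    confidence = 0.4 * completion + 0.4 * evidence + 0.2 * assessor_factor              # 20%
    return DomainResult(domain, score, confidence, confidence_band(confidence), maturity_level(score))


def overall_score(results: list[DomainResult]) -> float:
    """Confidence-weighted mean of domain scores: a low-confidence domain pulls less."""
    total_confidence = sum(r.confidence for r in results)
    if total_confidence == 0:
        raise ValueError("no domain has any confidence")
    return sum(r.score * r.confidence for r in results) / total_confidence


# Constructed sample input (two domains, a few questions each).
SAMPLE_ANSWERS = [
    Answer("Strategy", 5, 2.0, True),
    Answer("Strategy", 3, 1.0, True),
    Answer("Strategy", 4, 1.0, False),
    Answer("Strategy", None, 1.0, False),    # unanswered: lowers completion
    Answer("Detection", 2, 1.0, True),
    Answer("Detection", 3, 1.0, True),
    Answer("Detection", 2, 2.0, True),
    Answer("Detection", 1, 1.0, True),
]
ASSESSOR_FACTOR = {"Strategy": 1.0, "Detection": 0.5}   # assumed per-domain inputs


def score_assessment(answers=SAMPLE_ANSWERS, assessor=ASSESSOR_FACTOR):
    results = [score_domain(d, answers, f) for d, f in assessor.items()]
    overall = overall_score(results)
    return results, overall, maturity_level(overall)


if __name__ == "__main__":
    results, overall, level = score_assessment()
    for r in results:
        print(f"{r.domain:<10} {r.score:.2f} {r.level:<11} confidence {r.confidence:.2f} ({r.confidence_band})")
    print(f"overall    {overall:.2f} {level}")
```

Note what the sample shows: Strategy scores 4.25 but with one unanswered question and one answer without evidence its confidence is only 0.77, so it drags the overall score less than the fully evidenced Detection domain at 2.0. The overall lands at 3.035, Managed. Before presenting a number to the board, it is the confidence column, not the score, that tells you whether it will survive questioning.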
Access Control

The right view
for every person.

Eight roles across two groups — internal platform team and customer organisation users. Every role scoped precisely.

Platform Admin
Internal · No tenant scope
Provisions customer organisations, manages users, views cross-tenant audit logs and error queues.
  • Create & suspend organisations
  • Provision org admin accounts
  • View all audit logs
  • Reset scoring jobs
Org Admin
External · Org scoped
Full control within their organisation — team, billing, assessments, results.
  • Manage team members & roles
  • Create & submit assessments
  • Manage billing & subscription
  • View all org results
Assessor
External · SOC Analyst
Completes assessment questions, attaches evidence, submits for scoring.
  • Complete Part A & Part B questions
  • Attach evidence (URL / upload)
  • Submit assessments
  • View completed results
Executive
External · CISO / CEO / Director
Board-ready view — aggregate scores, trends, benchmarks, improvement roadmap. No individual question detail.
  • Domain-level scores only
  • Trend & benchmark comparison
  • Executive PDF report
  • Scheduled report emails
Framework Coverage

One assessment.
Four frameworks covered.

Every question maps to one or more industry framework controls simultaneously — eliminating duplicate compliance work.

NIST CSF 2.0
NIST Cybersecurity Framework
Govern, Identify, Protect, Detect, Respond, Recover — all six functions scored against subcategory outcomes from your assessment responses.
D01 and D03 fully mapped
ISO 27001:2022
Information Security Management
Annex A control mapping from A.5 organisational policies through A.8 technological controls. Audit-ready evidence collected at question level.
93 controls mapped
MITRE ATT&CK v14
Adversarial Tactics, Techniques & Common Knowledge
Detection coverage mapped to specific techniques and tactics. Visualise your detection gaps as an ATT&CK heatmap per assessment.
Technique-level coverage
SOC-CMM 2024
SOC Capability Maturity Model — Advanced Edition
Full integration of the open-source SOC-CMM 2024 Advanced question bank — the industry standard operational assessment, delivered as Part B of the platform.
273 questions, 27 sub-sections
Technical Architecture

Modern stack.
Zero lock-in.

Container-based, open-source throughout. Deploy on any Linux server or your own cloud. Every component replaceable.

Nginx Reverse Proxy
TLS termination · Rate limiting · Auth proxy
Next.js 14 Frontend
React · TypeScript · Tailwind CSS · shadcn/ui
.NET 8 API
ASP.NET Core · Entity Framework · Serilog
PostgreSQL 16 + PgBouncer
Connection pooling · Row-level tenant isolation
Prometheus · Grafana · Loki
Metrics · Dashboards · Log aggregation
Keycloak Identity
OAuth2 PKCE, RBAC with 8 roles, MFA, protocol mappers for tenant claims.
Tenant Isolation
Every database query is filtered by tenant_id, and API middleware enforces the tenant scope at every endpoint.
Redis Cache
Session management, feature flag caching, scoring job queuing.
Full Audit Trail
Every action logged with user, timestamp, IP and correlation ID. GDPR-ready.
Stripe Billing
Starter, Professional, Enterprise and Consultant plans. Webhook-driven subscription lifecycle.
Self-Hostable
One docker compose up brings up the whole stack. A full deployment runbook and an idempotent Keycloak setup script are included.
Security & Privacy

Secure by design.
Private by default.

Built for organisations that handle sensitive security posture data. Privacy and security aren't features — they're the foundation.

Benchmark Privacy
Seven privacy rules govern the benchmark pool, including: a cohort is only reported when it contains at least 10 organisations; pool scores are never stored alongside organisation identity; participation is opt-in, so nothing is contributed until an org admin consents; withdrawal stops all future contribution.
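The four benchmark privacy rules listed above and the percentile benchmarking from the Benchmarking card, as an added worked example in Python (not the platform's own code). It assumes a minimum cohort of 10, that percentile rank counts the peers scoring strictly below you, that "top quartile" is the inclusive 75th percentile of the cohort, and that a period label such as "2026Q1" scopes a cohort in time. Organisation ids, sectors and scores are constructed.

```python
# Added example: the benchmark privacy rules quoted above, implemented as a small
# in-memory pool. Not the platform's own code. Assumptions: MIN_COHORT = 10,
# percentile rank counts peers scoring strictly below you, "top quartile" is the
# inclusive 75th percentile of the cohort, and a period label such as "2026Q1"
# scopes a cohort in time.
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, quantiles
from typing import Optional

MIN_COHORT = 10   # page rule: minimum 10 organisations per cohort


@dataclass(frozen=True)
class PoolEntry:
    sector: str
    period: str
    score: float
    # Deliberately no org_id field: identity is never stored next to a score.


@dataclass
class BenchmarkPool:
    consent: dict = field(default_factory=dict)        # org_id -> currently opted in?
    consent_log: list = field(default_factory=list)    # (org_id, opted_in, actor): audit trail
    entries: list = field(default_factory=list)        # PoolEntry only, anonymous

    def set_consent(self, org_id: str, opted_in: bool, actor: str) -> None:
        """Every participation change is logged, as the GDPR card requires."""
        self.consent[org_id] = opted_in
        self.consent_log.append((org_id, opted_in, actor))

    def contribute(self, org_id: str, sector: str, period: str, score: float) -> bool:
        """Opt-in: an organisation with no consent record contributes nothing."""
        if not self.consent.get(org_id, False):
            return False
        self.entries.append(PoolEntry(sector, period, score))
        return True

    def benchmark(self, sector: str, period: str, my_score: float) -> Optional[dict]:
        """Return sector statistics, or None when the cohort is too small to publish."""
        cohort = sorted(e.score for e in self.entries
                        if e.sector == sector and e.period == period)
        if len(cohort) < MIN_COHORT:
            return None   # suppressed: with few peers a single score could be re-identified
        below = sum(1 for s in cohort if s < my_score)
        return {
            "cohort_size": len(cohort),
            "sector_avg": mean(cohort),
            "top_quartile": quantiles(cohort, n=4, method="inclusive")[2],
            "percentile": 100.0 * below / len(cohort),
        }


def demo() -> dict:
    """Constructed scenario: 12 financial-services orgs, 4 healthcare orgs,
    one org that never opted in and one that withdraws after contributing."""
    pool = BenchmarkPool()
    finance = [2.1, 2.4, 2.6, 2.8, 3.0, 3.1, 3.3, 3.5, 3.6, 3.9, 4.2, 4.5]
    for i, score in enumerate(finance):
        org = f"fin-{i:02d}"
        pool.set_consent(org, True, actor=f"orgadmin@{org}")
        pool.contribute(org, "Financial Services", "2026Q1", score)
    for i, score in enumerate([2.9, 3.3, 3.0, 3.7]):
        org = f"hc-{i:02d}"
        pool.set_consent(org, True, actor=f"orgadmin@{org}")
        pool.contribute(org, "Healthcare", "2026Q1", score)

    refused = pool.contribute("fin-99", "Financial Services", "2026Q1", 4.9)  # never opted in
    pool.set_consent("fin-00", False, actor="orgadmin@fin-00")                  # withdraws
    after_withdrawal = pool.contribute("fin-00", "Financial Services", "2026Q2", 2.5)

    return {
        "finance": pool.benchmark("Financial Services", "2026Q1", my_score=3.4),
        "healthcare": pool.benchmark("Healthcare", "2026Q1", my_score=3.4),  # 4 < 10 -> None
        "refused": refused,
        "after_withdrawal": after_withdrawal,
        "entries": len(pool.entries),            # fin-00's earlier entry stays: it carries no identity
        "consent_changes": len(pool.consent_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two consequences of the rules are visible in the sample. The healthcare cohort of four returns nothing at all rather than a wide-error average, because publishing statistics over a handful of peers lets one of them infer another's score. And because a pool entry has no organisation id, withdrawal can only stop future contribution; what is already in the pool is unattributable and stays, which is exactly what "withdrawal removes future contribution" means.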
Tenant Isolation
Every API request is verified by tenant middleware. External users cannot reach another organisation's data: the tenant scope is enforced at the database query level, not just in the UI.
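The tenant scoping described in this card and in the Technical Architecture section (tenant claim from Keycloak, middleware check at every endpoint, tenant_id on every query) together with the Executive role's aggregate-only view, as an added example in plain Python rather than the platform's own .NET middleware. It assumes a Keycloak protocol mapper that emits a "tenant_id" claim, realm roles named platform_admin, org_admin, assessor and executive, that the claims dict has already been signature-verified against the realm's JWKS, and an in-memory list standing in for the PostgreSQL table. Tenants, assessments and tokens are constructed.

```python
# Added example: tenant scoping as the page describes it, written as plain
# Python rather than the platform's .NET middleware. Not the platform's own
# code. Assumptions: a Keycloak protocol mapper emits a "tenant_id" claim,
# realm roles are named platform_admin / org_admin / assessor / executive,
# the claims dict has already been signature-verified against the realm's
# JWKS, and an in-memory list stands in for the PostgreSQL table.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


class TenantScopeError(PermissionError):
    """A request tried to reach outside the caller's tenant."""


@dataclass(frozen=True)
class Principal:
    sub: str
    roles: frozenset
    tenant_id: Optional[str]    # None only for internal platform staff


DETAIL_ROLES = frozenset({"platform_admin", "org_admin", "assessor"})


def principal_from_claims(claims: dict) -> Principal:
    """Build the caller identity from (already verified) token claims."""
    roles = frozenset(claims.get("realm_access", {}).get("roles", ()))
    if "platform_admin" in roles:
        return Principal(claims["sub"], roles, None)
    tenant = claims.get("tenant_id")
    if not tenant:
        # External user without a tenant claim: fail closed rather than serve everything.
        raise TenantScopeError(f"{claims['sub']}: no tenant_id claim")
    return Principal(claims["sub"], roles, tenant)


def resolve_tenant(principal: Principal, org_in_path: str) -> str:
    """Middleware step: the org id in the URL is never the source of truth."""
    if principal.tenant_id is None:
        return org_in_path              # platform admin may act cross-tenant (audited elsewhere)
    if org_in_path != principal.tenant_id:
        raise TenantScopeError(f"{principal.sub} in {principal.tenant_id} requested {org_in_path}")
    return principal.tenant_id


class AssessmentRepository:
    """Every read takes tenant_id; there is no unscoped lookup to forget to filter."""

    def __init__(self, rows: list[dict]) -> None:
        self._rows = list(rows)

    def get(self, tenant_id: str, assessment_id: str) -> Optional[dict]:
        for row in self._rows:
            if row["tenant_id"] == tenant_id and row["id"] == assessment_id:
                return row
        return None     # wrong tenant and non-existent look identical to the caller


def view_for(principal: Principal, row: dict) -> dict:
    """Executives (and any other non-detail role) get domain aggregates only."""
    if principal.roles & DETAIL_ROLES:
        return row
    return {"id": row["id"], "domain_scores": row["domain_scores"]}


def get_assessment(claims: dict, org_in_path: str, assessment_id: str,
                   repo: AssessmentRepository) -> Optional[dict]:
    principal = principal_from_claims(claims)
    tenant = resolve_tenant(principal, org_in_path)
    row = repo.get(tenant, assessment_id)
    return None if row is None else view_for(principal, row)


def attempt(claims: dict, org_in_path: str, assessment_id: str,
            repo: AssessmentRepository) -> str:
    """Outcome label: 'ok', 'not_found' or 'blocked' (scope violation)."""
    try:
        row = get_assessment(claims, org_in_path, assessment_id, repo)
    except TenantScopeError:
        return "blocked"
    return "ok" if row is not None else "not_found"


# Constructed sample data: two tenants, one assessment each.
ROWS = [
    {"tenant_id": "acme", "id": "a-1",
     "domain_scores": {"Strategy": 3.8, "Detection": 2.9},
     "questions": [{"id": "A.01", "score": 4, "evidence": "https://wiki.acme.example/ir-runbook"}]},
    {"tenant_id": "globex", "id": "g-1",
     "domain_scores": {"Strategy": 4.1, "Detection": 3.5},
     "questions": [{"id": "A.01", "score": 5, "evidence": "https://wiki.globex.example/soc-charter"}]},
]


def token(sub: str, roles: list, tenant: Optional[str] = None) -> dict:
    """Claims in the shape Keycloak emits (realm roles under realm_access)."""
    claims = {"sub": sub, "realm_access": {"roles": list(roles)}}
    if tenant:
        claims["tenant_id"] = tenant
    return claims


if __name__ == "__main__":
    repo = AssessmentRepository(ROWS)
    print(get_assessment(token("alice", ["assessor"], "acme"), "acme", "a-1", repo))
    print(get_assessment(token("bob", ["executive"], "acme"), "acme", "a-1", repo))
    print(attempt(token("alice", ["assessor"], "acme"), "globex", "g-1", repo))
```

The two checks a tester would probe are both present: swapping the organisation id in the path is rejected before any query runs, and swapping only the assessment id returns the same "not found" as a missing record, so an attacker in one tenant cannot enumerate which ids exist in another. The repository has no method that reads without a tenant_id, which is the property "enforced at the query level, not just the UI" actually requires.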
GDPR Compliance
Consent audit log on every benchmark participation change. Right to withdraw. GDPR erasure flow for platform admins. Data export on request. Configurable retention policies.
Role Separation
Individual question scores are hidden from the Executive role by design; executives see aggregate domain scores only. Evidence attachments are not visible to board-level viewers.
Full Audit Trail
Every login, assessment change, role assignment and admin action is logged with timestamp, user identity, IP and correlation ID. Immutable audit log in PostgreSQL.
Open Source Stack
Every component is open source — Keycloak, PostgreSQL, Redis, Nginx, Prometheus, Grafana, Loki. Full source code. No black boxes. Deploy on infrastructure you control.
Delivery Roadmap

From MVP to continuous
automated monitoring.

Three phases. Each one delivers standalone value while building towards automated, continuous SOC maturity measurement.

Phase 1: Foundation (MVP, now, in progress)
  • Multi-tenant SaaS platform
  • Part A + Part B assessment engine
  • 0-5 maturity scoring + confidence bands
  • 8-role RBAC with Keycloak SSO
  • Platform admin & customer portals
  • Benchmarking engine with privacy rules
  • PDF report generation
  • Stripe subscription billing
Phase 2: Intelligence (next, Q3 2026)
  • ATT&CK coverage heatmaps
  • Executive PDF report format
  • Trend analysis across assessments
  • SMTP notifications & scheduled reports
  • Evidence document upload
  • Gap analysis with recommended actions
  • Improvement roadmap generator
  • SAML / enterprise SSO integration
Phase 3: Continuous (planned, Q1 2027)
  • SIEM integrations (Splunk, Sentinel, QRadar)
  • Automated detection rule analysis
  • Continuous maturity monitoring
  • Threat-informed defence scoring
  • Open API for partner integrations
  • Mobile companion app
  • AI-assisted gap recommendations
  • White-label consultant edition

Start your SOC
maturity assessment.

No spreadsheets. No consultants. Just clear, actionable data about where your SOC stands — and where it needs to go.