Posture score

/ 100 F

composite grade

First baselinetrend unlocks at next scan

No prior comparison30d window

12 critical and 70 high exposures open across this tenant.

Open findings · by severity164 total · last 30d

Critical

—

High

—

Medium

—

Low

—

§ 01·A

Priority actions

5 items · scheduling pending

P0On-Prem: Windows Firewall Disabled on One or More Profiles

5 assets

OwnerNetwork Security

ETA pending

P0Critical Security Configuration Gaps Require Action

4 assets

OwnerSecurity Operations

ETA pending

P0NSG Rules Allow All Inbound Traffic

4 assets

OwnerCloud/Network Team

ETA pending

P0External trust to legacy-supplier.example has SID filtering disabled

impact unmeasured

Ownerowner pending

ETA pending

P02 Domain Admins without MFA

impact unmeasured

Ownerowner pending

ETA pending

§ 01·B

Posture at a glance

identity · vulnerability · on-prem

Identity & accessSecure score 56%

Graph Secure Score API · as of 2026-02-08 14:00 UTC

0 admins without MFA · 9 users without MFA

Admins

100%

Admin MFA

150

Users

94%

MFA coverage

Vulnerability

Tracked vulnerabilities

Upper cap — full list in Findings detail

Critical

High

Exposed hosts

40 critical/high6.8 avg CVSSsecure score

On-premisesCollected

4 sites · 9 DCs · 2 CAs · 4 trusts

Tier-0 at risk

DCs · EOL Windows

ADCS ESC1-8

5 collectors50 linked findingsad.attack path, ad.tier 0 +4

Device posture

Intune deviceManagement

8 devices non-compliant · 72 managed

67%

Compliance

Windows

Top platform · 50 devices

48 compliant8 non-compliant16 unknownWindows 50 · macOS 12

OAuth App Permissions1 high-risk

Graph Applications API · live collection

Total apps

Admin consented

High-risk apps

Top app: DataSync Pro (Unverified) · Most granted permission: User.Read (8)

Sign-In Analysis12 risky

Graph Sign-In Logs API · live collection

120

Failed sign-ins

Risky sign-ins

138

Users affected

Top failure: Invalid password (45) · Top geography: United States (4,200) · 12 risky sign-in events flagged in the current window

§ 01·C

Trust & coverage

auditor anchor

Collection confidenceStrong

Payload coverage

100%

Permission scopes OK

100%

Endpoints succeeded

49 / 49

Last scan

Feb 8, 2026

◆ Evidence bundle present◆ Manifest only

Framework coveragePrimary · NIST CSF 2.0

★NIST CSF 2.0

50%

10 / 25 controls assessed

CIS v8 IG2

72%

33 / 43 controls assessed

SOC 2 TSC

56%

16 / 27 controls assessed

Hardening gatesNot yet run — results reappear after the first publish or next gate-suite pass for this run id.

§ 01·D

Improve report coverage

2 coverage items · action checklist

Coverage unlock checklist

2 gaps

API error - Polaris retry

Purview retention labels

Retry Purview retention labels, then handle Records Management consent if needed

This is not an Azure Reader issue. Microsoft Graph lists Purview retention labels through a delegated Records Management permission path. Polaris should retry first; if Microsoft still returns an authorization error, the customer Purview or records-management admin must approve RecordsManagement.Read.All for the delegated collection path.

OwnerPolaris first; customer Entra or Purview records-management admin if authorization is missing

Access/artifact neededMicrosoft Graph delegated RecordsManagement.Read.All for retention label reads

Customer actionIf the retry still fails with authorization, approve the delegated Records Management read path.

Polaris actionRetry the endpoint and show the exact Microsoft status code/message if it still fails.

Retry Purview collection

Microsoft lists this endpoint as delegated-only for work or school accounts. It is not fixed by Azure RBAC Reader.

Unlocks after rerunData Protection, Compliance Matrix, Technical Evidence

Evidence not provided

Network Security

Confirm whether network security is in scope

Network Security is either not in scope yet or missing the source needed to assess it. Do not read 0% coverage as a clean network result.

OwnerCustomer Azure/network admin with Polaris support

Access/artifact neededAzure RBAC Reader for cloud network inventory, or firewall/network evidence for non-Azure scope

Customer actionEither mark Network Security out of scope with a reason, or grant/provide the network evidence source.

Polaris actionIf in scope, rerun Azure Resource Graph or ingest the network evidence and link it to findings.

Resolve Network Security coverage

Out of scope is acceptable when intentional. Missing source data should be fixed or explicitly excluded.

Unlocks after rerunNetwork Security

Live Assessment Active

Executive Summary

IT Operations Assessment

IT operations assessment and security posture score review for Contoso Defense Systems. 164 findings identified across 9 risk domains, with 12 critical and 70 high-severity items defining the current action window. Evidence landed from 49/49 collection endpoints in this run.

What Matters Most

Executive Priority Queue

playlist_play

Start here before the deeper evidence and benchmark sections.

1 2 Domain Admins without MFA
2 ADCS template CorpUserSmartcard is ESC1 vulnerable
3 ADCS template certifies domain controllers without signature (ESC1)

Open

164

Secure Score

56.7%

MFA

94% / 100%

Weights live findings, evidence-backed controls, and collection coverage. It is not the same as Microsoft Secure Score.

Assessment State

At Risk

12.6% Security Posture Score (Composite Posture Score)

Evidence Confidence

Strong

100% endpoint coverage with resilience verified

Immediate Workload

Critical and high-severity items needing action in the next 30 days

Immediate Risk Snapshot

Primary Signals

The first three metrics drive urgency and workload.

emergency

Critical Risks

Immediate executive attention

warning

High Risks

Priority queue this month

task_alt

Open Findings

164

164 total findings in scope

Coverage and Guardrails

Supporting Context

These metrics explain confidence and baseline protections.

check_circle

Coverage Confidence

100%

Strong evidence coverage

shield

Secure Score Benchmark

56.7%

Supporting Microsoft benchmark, not the posture decision

security

MFA Adoption

94% / 100%

Users / admins protected

Change Tracking

Delta From Last Run

No prior run available. This run establishes the baseline for future deltas.

Baseline

New

Findings present now that were absent in the prior run.

Resolved

Findings that disappeared since the prior run.

Improved

Controls that moved into a stronger assessed state.

Worsened

Controls that moved into a weaker assessed state.

Coverage Changed

0 assessed controls vs prior run (0 → 0).

priority_high

What To Do Next

Top 5 Action Items

Priority action guidance with expected impact, dependency context, and evidence-backed closure criteria.

1

Critical On-Prem: Windows Firewall Disabled on One or More Profiles

Expected Impact: On-premises infrastructure control 'Windows Firewall Disabled on One or More Profiles' is not met. Windows Firewall disabled on 1 profile(s): Public. (Reduces operational risk and improves control assurance)

Medium (2-4 hours)

Closure Criteria: See portal verification steps
Dependency Guidance: Admin role and licensing as required
Assessability Reason: Assessed from collected tenant telemetry.
Evidence Freshness: Current assessment run
2

Critical Critical Security Configuration Gaps Require Action

Expected Impact: Critical Security Configuration Gaps Require Action is below the expected baseline. Current state is 12 against a target of 0, which weakens endpoint hardening and attacker containment. (Reduces operational risk and impr

Medium (2-4 hours)

Closure Criteria: See portal verification steps
Dependency Guidance: Admin role and licensing as required
Assessability Reason: Assessed from collected tenant telemetry.
Evidence Freshness: Current assessment run
3

Critical NSG Rules Allow All Inbound Traffic

Expected Impact: NSG Rules Allow All Inbound Traffic is below the expected baseline. Current state is 1 against a target of 0, which increases cloud exposure, resilience, and recovery risk. (Reduces operational risk and improves control

Medium (2-4 hours)

Closure Criteria: See portal verification steps
Dependency Guidance: Admin role and licensing as required
Assessability Reason: Assessed from collected tenant telemetry.
Evidence Freshness: Current assessment run
4

High Legacy Authentication Still Allowed

Expected Impact: Legacy authentication protocols (like IMAP, POP3, and SMTP) bypass modern security controls including MFA, making them a prime target for attackers. Credential stuffing and password spray attacks frequently target legacy

Medium (2-4 hours)

Closure Criteria: See portal verification steps
Dependency Guidance: Admin role and licensing as required
Assessability Reason: Assessed from collected tenant telemetry.
Evidence Freshness: Current assessment run
5

High 40 Users Not Covered by MFA Policy

Expected Impact: 40 users (26.7% of your workforce) are not targeted by any Conditional Access policy that requires MFA. These users can sign in with just a password, making them vulnerable to credential theft, phishing, and password spr

Small (1-2 hours)

Closure Criteria: See portal verification steps
Dependency Guidance: Admin role and licensing as required
Assessability Reason: Assessed from collected tenant telemetry.
Evidence Freshness: Current assessment run

Board Decision Points

Risk Acceptance and Approval Queue

Executive action required

Block legacy authentication protocols

Recommended decision: Approve cutoff after report-only pilot

Risk acceptance tradeoff: Legacy clients may fail; requires exception process

Impacted group: Users on older mail clients or scripts

Decision window: 7-21 days

auto_awesome

Executive Intelligence

Assessment Summary

Environment

Contoso Defense Systems operates a Microsoft 365 environment with 150 users and 150 managed devices across 3 verified domains.

Score Clarity

Microsoft Secure Score is 56.7%, while the broader composite posture score is 12.6%. The composite score weights live findings, evidence-backed controls, and collection coverage, so it is stricter than Secure Score alone. The gap between those measures indicates material risk remains despite partial control coverage. MFA coverage stands at 94%, with gaps remaining that expose the organization to credential-based attacks.

Immediate Attention

This assessment identified 164 findings, including 12 critical and 70 high-severity issues requiring immediate attention. The highest priority finding — "On-Prem: Windows Firewall Disabled on One or More Profiles" — should be the first item addressed.

info

Assessment Coverage: 77% of Available Data Sources

This assessment analyzed 37 of 48 available security data sources. The findings and recommendations in this report are based on the data that was successfully collected.

37 Assessed 9 Review Required

To expand coverage

9 platform access checks returned non-retryable API responses. Review the exact endpoints before classifying these as collection flakiness.

Confidence Context

Executive Confidence Context

Low

Coverage

100%

Evidence-backed section coverage.

Freshness

May 15, 2026 23:34 UTC

Latest evidence timestamp surfaced here.

Source

Snapshot-based evidence

9 unresolved collection gaps affect confidence.

Bias / Limits

9 unresolved collection gaps still limit report-wide certainty.

fact_check

Compliance Benchmarks

Framework Assessment Summary

shield

CIS Controls v8 (IG1)

73%

43 results 18 passing 25 failing

policy

NIST CSF

50%

25 results 0 passing 25 failing

verified_user

SOC 2

56%

27 results 5 passing 22 failing

Visibility Constraints

Collection Gaps

These are visibility constraints, not failing controls. They explain where the current run cannot make a stronger claim yet.

Affected Domains

Network Security

Collection gap

No live collection or usable manual artifact was available for this input.

Unlocks: the missing evidence needed to move controls out of Not Assessed.

Examples access_review_summary, terms_of_use_summary, lifecycle_summary

Threat Distribution

Findings At a Glance

164 Total Risks

Critical

High Severity

Medium / Low

Exposure Vectors

Top Risk Domains

Identity 54 Issues

Infrastructure 26 Issues

Endpoint 25 Issues

Email 18 Issues

Strategic Roadmap

90-Day Action Plan

30 Days: Foundation

radio_button_unchecked 2 Domain Admins without MFA
radio_button_unchecked ADCS template CorpUserSmartcard is ESC1 vulnerable
radio_button_unchecked ADCS template certifies domain controllers without signature (ESC1)

60 Days: Optimization

radio_button_unchecked AdminSDHolder ACL contains unexpected GenericWrite ACE for PKI vendor
radio_button_unchecked DAL-PRINT01 has unconstrained Kerberos delegation
radio_button_unchecked External trust to legacy-supplier.example has SID filtering disabled

90 Days: Maturity

radio_button_unchecked HSV-FILE02 has unconstrained Kerberos delegation
radio_button_unchecked On-Prem: Windows Firewall Disabled on One or More Profiles
radio_button_unchecked SMB server signing is not required domain-wide

thumb_up

Positive Indicators

What's Going Well

check_circle

User MFA Adoption Is Above 90%

Identity

check_circle

Administrative MFA Coverage Is Complete

Identity

check_circle

Conditional Access Enforcement Is Active

Identity

check_circle

Device Compliance Rate Is Above 80%

Endpoint

check_circle

Email Authentication Controls Are Configured

check_circle

Backup Resilience Baseline Is Healthy

Infrastructure

security

Findings

164

Security findings with remediation steps

View Findings arrow_forward

fact_check

Compliance

Framework controls passing

View Compliance arrow_forward

lab_profile

Technical Evidence

Raw Data

Collection telemetry and technical proof

View Evidence arrow_forward

help_outline

How to Use This Report

expand_more

Severity Levels & Response Targets

Critical — P0

Respond within 72 hours

Active exploitation risk or data exposure

High — P1

Respond within 7 days

Significant gap in security controls

Medium — P2

Respond within 30 days

Hardening opportunity or partial gap

Low — P3

Respond within 90 days

Best-practice improvement

Suggested Workflow

Overview

Risk snapshot and KPIs

Findings

Detailed issues with remediation

Compliance

Framework alignment matrix

Technical Evidence

Raw data and collection proof

Navigation Tips

Use the sidebar to switch between tabs
Toggle Executive / Operational / Detailed density in the top bar to control section visibility
Click any finding card header to expand remediation details
Use Ctrl+P to print — sidebar and header auto-hide

apartment

Environment Summary

Organization

Contoso Defense Systems

Tenant ID

a1b2c3d4-e5f6-7890-abcd-ef1234567890

Users

150

Managed Devices

150

Verified Domains

contoso.onmicrosoft.comcontoso.comcontoso.mail.onmicrosoft.com

download

Download Security Collector

Run the Polaris collector script against Contoso Defense Systems to gather security telemetry — identity configuration, endpoint posture, email transport rules, Conditional Access policies, and complementary compliance evidence. Results are encrypted and uploaded for analysis.

download Download Script

Quick Start

PS> .\Invoke-SecurityCollection.ps1 -OutputPath .\results

payments

Cost Optimization

When Azure FinOps telemetry is complete, this section highlights specific resources with quantified savings.

Total Licenses

185

Assigned

129

Unassigned

Est. Annual Savings

Utilization

69.7%

License SKU Breakdown

Microsoft 365 Business Premium

Assigned

120

Total

130

Utilization

92.3%

EXCHANGESTANDARD

Assigned

Total

Utilization

100.0%

POWER_BI_STANDARD

Assigned

Total

Utilization

8.0%

Microsoft_Teams_Exploratory_Dept

Assigned

Total

Utilization

0.0%

SKU	Assigned	Total	Utilization
Microsoft 365 Business Premium	120	130	92.3%
EXCHANGESTANDARD	5	5	100.0%
POWER_BI_STANDARD	4	50	8.0%
Microsoft_Teams_Exploratory_Dept	0	0	0.0%

On-Prem Active Directory Assessment

Active Directory health telemetry collected from domain: —

Health Score

Domain

—

Controls Passing

Controls Failing

§ 02 · Findings · operations console

164 open findings, prioritised by blast radius and evidence depth. Search the queue and inspect detail evidence inline.

Mean time to remediate

Awaiting baseline

vs prior 30d

Mean finding age

Awaiting baseline

across 164 tracked

Tracked

164

first baseline

Open

164

first baseline

P0 · Critical

Target 72 h

P1 · High

Target 7 d

P2 · Medium

Target 30 d

P3 · Low

Target 90 d

P4 · Note

Target —

§ 02.1

Findings queue

164 open · 12 P0 · 70 P1 · 67 P2 · 15 P3

Status appears only when a finding is not open. Severity is normalized from collected evidence; internal owners and due dates stay out of the shared report.

SevTitle · ID · blast

P0 · Critical12 items

On-Prem: Windows Firewall Disabled on One or More Profiles

OnPremInfra-ONPREM-FW-0011Infrastructure Configuration (1)

Critical Security Configuration Gaps Require Action

Device-0153Critical Configuration Gaps (12)

NSG Rules Allow All Inbound Traffic

Network-0101Network Security Groups (1)

External trust to legacy-supplier.example has SID filtering disabled

OnPrem-a838cee6bbdebeade5b6f87e45bd47bf

2 Domain Admins without MFA

OnPrem-b2f1b05d8a827a2e5c84fa24de42f482

krbtgt password age 247 days exceeds 180-day threshold

OnPrem-bed89eaf2193e46f4ff4e32592dae478

AdminSDHolder ACL contains unexpected GenericWrite ACE for PKI vendor

OnPrem-16f7917e737ec4706ddf063523c83342

DAL-PRINT01 has unconstrained Kerberos delegation

OnPrem-8ca006d6163ddcbbaba1e7966c2eadbf

HSV-FILE02 has unconstrained Kerberos delegation

OnPrem-fa9a1cc45e2cca28fe8473c0489bcad6

ADCS template certifies domain controllers without signature (ESC1)

OnPrem-4aa38d65ce3032519d1f521931c464da

ADCS template CorpUserSmartcard is ESC1 vulnerable

OnPrem-76680815350c3b60af20b49eed10bff4

SMB server signing is not required domain-wide

OnPrem-2481dae51698953372cf8077e7873270

P1 · High70 items

Legacy Authentication Still Allowed

Identity-0053Users on Legacy Protocols (3)

40 Users Not Covered by MFA Policy

Identity-0085Users Not Covered by MFA Policy (40)

2 High-Risk User Accounts Detected

Identity-0106High-Risk Users (6)

3 Active Security Alerts (2 High, 1 Medium)

Security-0013Active Security Alert Patterns (3)

Safe Links Protection Disabled

Email-0051Email Security Control (1)

Safe Attachments Protection Disabled

Email-0061Email Security Control (1)

Anti-Phishing Controls Are Not Fully Enabled

Email-0071Email Security Control (1)

Email Threat Detection/Containment Rate Is Below Target

Email-0084Email Threats (30 Days)

FIDO2 / Passkey Authentication Not Enabled

Identity-0141Authentication Methods Policy (1)

Failed and Risky Sign-In Volume Exceeds Baseline

Security-0023Active Security Alert Patterns (3)

Privileged High-Risk Administrative Operations Require Review

Governance-0023High-Risk Administrative Operation (3)

SharePoint External Sharing Is Enabled on Collaboration Sites

DataProtection-0105Sharepoint Site With External Sharing (7)

Secure Score Recommendation Backlog Is Accumulating

Governance-0035Top Improvement Actions (85 total)

Third-Party Application Consents Include Elevated-Risk Integrations

Application-0061High-Risk OAuth Apps (2)

Strong Authentication Method Adoption Is Below Target

Identity-0174User Lacking Strong Auth Methods (52)

Threat Pulse Indicates Elevated Active Alert Backlog

Security-0033Active Security Alert Patterns (3)

Network Security Groups Allow Unrestricted Inbound Access

Infrastructure-0011Network Security Groups (1)

Storage Accounts Allow Public Blob Access

Infrastructure-0021Storage Account (1)

Showing 30 of 164

P0OnPremInfra-ONPREM-FW-001

On-Prem: Windows Firewall Disabled on One or More Profiles

Open

Impact

This control gap increases security and operational risk. Resolve promptly to reduce breach likelihood, compliance exposure, and avoidable recovery cost.

Blast radius · 1 infrastructure configuration

Infrastructure Configuration (1)

Infrastructure Configuration
Windows Firewall disabled on 1 profile(s): Public

Verifyexpected post-remediation

Run verification command
Invoke-PolarisCollection -Modules All -OutputPath ./results

Rollback

Revert the configuration change in the admin portal
Verify service is restored
Document the issue for review

Closure criteriaresolution contract

ONPREM-FW-001 status: pass

Program-derived from explicit closure text or the first verification outcome.

Traceabilitypayload-backed provenance

Data Source: onprem_infra_assessment.findings[ONPREM-FW-001]

Severity Basis: Severity based on Critical impact and affected scope.

Evidence · 1full envelope in § 04

evidence

Windows Firewall disabled on 1 profile(s): Public

onprem_infra_assessment.findings[ONPREM-FW-001]

2026-05-15T23:34:51.491662+00:00

Control / Recommendation	Priority	Score Impact
Do Not Allow Users To Grant Consent To Unmanaged Applications	Critical	10.0
Ensure Sign-In Risk Policy Is Enabled	Critical	8.0
Ensure User Risk Policy Is Enabled	Critical	8.0

NSG Name	Location	Rules
nsg-edge-westus2

User	Protocol	Last Sign-in
david.mitchell@contoso.com	IMAP4	Feb 11, 2026 21:14
patricia.kowalski@contoso.com	IMAP4	Feb 12, 2026 07:14
robert.chen@contoso.com	SMTP	Feb 12, 2026 15:14

User (Reason)
david.mitchell@contoso.com (Not covered)
patricia.kowalski@contoso.com (Not covered)
robert.chen@contoso.com (Not covered)
lisa.nakamura@contoso.com (Not covered)
kevin.patel@contoso.com (Not covered)

User	Risk Level	Risk State	Last Updated
marcus.williams@contoso.com	High	At Risk	Feb 12, 2026 04:50
jennifer.park@contoso.com	High	At Risk	Feb 12, 2026 04:50
emily.rodriguez@contoso.com	Medium	At Risk	Feb 12, 2026 04:50
james.okafor@contoso.com	Medium	At Risk	Feb 12, 2026 04:50
rachel.kim@contoso.com	Medium	Remediated	Feb 12, 2026 04:50
thomas.bergstrom@contoso.com	Low	Dismissed	Feb 12, 2026 04:50

Alert Pattern	Severity	Count	Top Context	Latest Seen
Impossible travel activity	High	1	Status: New	Feb 05, 2026
Suspicious inbox forwarding rule created	High	1	Status: New	Feb 03, 2026
Email messages containing malicious URL removed after delivery	Medium	1	Status: New	Feb 06, 2026

Email Security Control
Safe Links Status

Email Security Control
Safe Attachments Status

Email Security Control
Anti-Phishing Status

Category	Count
Spam	892
Phishing	34
Malware	3
Total	929

Authentication Methods Policy
FIDO2 method configuration

Alert Pattern	Severity	Count	Top Context	Latest Seen
Impossible travel activity	High	1	Status: New	Feb 05, 2026
Suspicious inbox forwarding rule created	High	1	Status: New	Feb 03, 2026
Email messages containing malicious URL removed after delivery	Medium	1	Status: New	Feb 06, 2026

High-Risk Administrative Operation
sarah.chen@contoso.com -> Add member to role
michael.torres@contoso.com -> Disable MFA for user
sarah.chen@contoso.com -> Consent to application

Sharepoint Site With External Sharing
Human Resources
Finance and Billing
IT Operations
Training Portal
Marcus Williams

Recommendation	Priority	Score Impact
Do Not Allow Users To Grant Consent To Unmanaged Applications	Critical	9.0
Ensure Sign-In Risk Policy Is Enabled	Critical	8.5
Ensure User Risk Policy Is Enabled	Critical	8.5
Windows Print Spooler Elevation Of Privilege	High	7.8
Windows Ancillary Function Driver For Win Sock Elevation Of Privilege	High	7.8

Application	Permissions	Consent Type	Risky Perms
DataSync Pro (Unverified)	User.Read.All, Mail.ReadWrite, Files.ReadWrite.All, Directory.Read.All, Sites.FullControl.All	0 users	5

User Lacking Strong Auth Methods
david.mitchell@contoso.com
robert.johnson@contoso.com
ana.rodriguez@contoso.com
jenny.lee@contoso.com

Alert Pattern	Severity	Count	Top Context	Latest Seen
Impossible travel activity	High	1	Status: New	Feb 05, 2026
Suspicious inbox forwarding rule created	High	1	Status: New	Feb 03, 2026
Email messages containing malicious URL removed after delivery	Medium	1	Status: New	Feb 06, 2026

NSG Name	Location	Rules
nsg-edge-westus2

Storage Account
stapp01

Control / Recommendation	Priority	Score Impact
Do Not Allow Users To Grant Consent To Unmanaged Applications	Critical	10.0
Ensure Sign-In Risk Policy Is Enabled	Critical	8.0
Ensure User Risk Policy Is Enabled	Critical	8.0

Control / Recommendation	Priority	Affected Assets
Windows Print Spooler Elevation Of Privilege	High	12
Windows Ancillary Function Driver For Win Sock Elevation Of Privilege	High	8

Orphaned Cloud Resources
orphaned-managed-disk-fin01
unused-public-ip-westus2
stale-snapshot-hr-archive

Control	Current State	Evidence
Privileged Admin Footprint Controlled	3 Global Admins (target: <=4), but 1 admin without MFA	3 Global Admins found; admin3@contoso.com lacks MFA registration

Control	Current State	Evidence
LDAP Signing/Channel Binding Gap	LDAP signing not enforced on domain controllers	GPO audit shows LDAPServerIntegrity = 0 (Not Required) on DC-01, DC-02

Infrastructure Configuration
RDP is exposed to all networks — primary ransomware entry vector

Infrastructure Configuration
Open high-risk ports: 3389 (RDP (remote access exposure)), 445 (SMB (lateral movement, ransomware)), 1433 (SQL Server (d

Infrastructure Configuration
System patching is behind — 12 updates pending, last update 45 days ago

Infrastructure Configuration
Certificates expiring soon: CN=mail.contoso.local

Infrastructure Configuration
Domain password policy requires only 8 characters — below CMMC/NIST minimum of 12

Security Control
Too Many Global Administrators

Security Control
PIM Not Utilized for Privileged Roles

User	Protocol	Last Sign-in
david.mitchell@contoso.com	IMAP4	Feb 11, 2026 21:14
patricia.kowalski@contoso.com	IMAP4	Feb 12, 2026 07:14
robert.chen@contoso.com	SMTP	Feb 12, 2026 15:14

Device
DESKTOP-FIN01

Device	OS	Status	Owner
SRP-PC012	Windows	Non-compliant	marcus.williams@contoso.com
SRP-PC025	Windows	Non-compliant	james.okafor@contoso.com
SRP-PC038	Windows	Unknown	thomas.bergstrom@contoso.com
SRP-PC007	Windows	Non-compliant	james.liu@contoso.com
SRP-PC008	Windows	Unknown	robert.johnson@contoso.com
SRP-MAC007	macOS	Non-compliant	ana.rodriguez@contoso.com

Control / Recommendation	Priority	Affected Assets
Windows Print Spooler Elevation Of Privilege	High	12
Windows Ancillary Function Driver For Win Sock Elevation Of Privilege	High	8

Dlp Policy Baseline
No DLP Policies Configured

Application	Permissions	Consent Type	Risky Perms
DataSync Pro (Unverified)	User.Read.All, Mail.ReadWrite, Files.ReadWrite.All, Directory.Read.All, Sites.FullControl.All	0 users	5

Email Encryption Baseline
Sensitive Email Encryption Not Enabled

Security Control
ForwardAll

Security Control
No Outbound Spam Policy Enabled

Security Control
BypassSpam

Security Controls
Auto-Forward to External Addresses Detected

Security Control
contoso.com

Security Control
DESKTOP-FIN01

Security Control
Defender Tamper Protection Disabled

Security Control
DESKTOP-FIN01

4 frameworks NIST primary 50% scored CMMC most-incomplete (28%)

Frameworks · 4 assessed

Crosswalk: mapping enrichment pending

Framework

§ 03 · Compliance Matrixprimary frameworkManifest · May 15, 2026

Last assessed May 15, 2026Polaris automated

NIST CSF 2.0

2 controls failing · 60% not yet assessed.

Score of assessed controls

50%

10 of 25 controls scored · 15 not yet assessed

Pass2

Partial6

24%

Fail2

Not assessed15

60%

§ 03·A

Functions at a glance

status density by function

§ 03·B

Control ledger

25 controls

Control

Status

Name

Coverage

Evidence

Govern3 controls

GV.OC-01

Not assessed

Organizational mission and stakeholders are understood

0 ev

GV.RM-01

Not assessed

Risk management objectives are established and communicated

0 ev

GV.SC-01

Not assessed

Supply chain risk management program is established

0 ev

Identify5 controls

ID.AM-05

Partial

Assets are prioritized based on classification and criticality

40%

1 ev

ID.AM-01

Pass

Hardware asset inventories are maintained

60%

1 ev

ID.AM-02

Not assessed

Software asset inventories are maintained

0 ev

ID.RA-01

Not assessed

Vulnerabilities in assets are identified

0 ev

ID.RA-02

Not assessed

Threat intelligence is received from information sharing

0 ev

Protect9 controls

PR.AA-03

Fail

MFA and risk-based authentication are enforced

0 ev

PR.AA-05

Partial

Access permissions managed using least privilege

40%

1 ev

PR.DS-02

Partial

Data in transit is protected

40%

1 ev

PR.DS-10

Partial

Data classification and handling policies

40%

1 ev

PR.IR-01

Pass

Backups of data are maintained and tested

60%

1 ev

PR.AA-01

Not assessed

Identities and credentials are managed

0 ev

PR.AA-02

Not assessed

Identities are proofed and bound to credentials

0 ev

PR.DS-01

Not assessed

Data at rest is protected

0 ev

PR.PS-01

Not assessed

Configuration management practices are established

0 ev

Detect4 controls

DE.CM-01

Fail

Networks are monitored for potential adverse events

0 ev

DE.CM-03

Not assessed

Computing hardware and software are monitored

0 ev

DE.CM-06

Not assessed

External service provider activities are monitored

0 ev

DE.AE-02

Not assessed

Adverse events are analyzed

0 ev

Respond2 controls

RS.MA-01

Not assessed

Incident response plan is executed

0 ev

RS.AN-03

Not assessed

Analysis is performed to establish what has taken place

0 ev

Recover2 controls

RC.RP-01

Partial

Recovery plan is executed during or after incident

40%

1 ev

RC.RP-03

Partial

Integrity of backups and restored assets is verified

20%

1 ev

Evidence chain

sig

Manifest signed · bundle verified · 2026-05-15T23:34:52.960141+00:00

Assessment

NIST CSF 2.0 · v2.0

Polaris automated

last assessed May 15, 2026

Scope

Contoso Defense Systems

30-day scan window

run 20260515T233445Z_ad-hoc

§ 03 · Compliance MatrixManifest · May 15, 2026

Last assessed May 15, 2026Polaris automated

CIS v8 IG2

3 controls failing · 23% not yet assessed.

Score of assessed controls

72%

33 of 43 controls scored · 10 not yet assessed

Pass18

42%

Partial12

28%

Fail3

Not assessed10

23%

§ 03·A

Functions at a glance

status density by function

§ 03·B

Control ledger

43 controls

Control

Status

Name

Coverage

Evidence

Control 12 controls

1.1

Pass

Establish and Maintain Detailed Enterprise Asset Inventory

100%

1 ev

1.2

Pass

Address Unauthorized Assets

100%

1 ev

Control 23 controls

2.1

Pass

Establish and Maintain a Software Inventory

100%

1 ev

2.2

Not assessed

Ensure Authorized Software is Currently Supported

1 ev

2.3

Not assessed

Address Unauthorized Software

1 ev

Control 35 controls

3.1

Partial

Establish and Maintain a Data Management Process

65%

1 ev

3.3

Partial

Configure Data Access Control Lists

65%

1 ev

3.6

Partial

Encrypt Data on End-User Devices

65%

1 ev

3.2

Pass

Establish and Maintain a Data Inventory

100%

1 ev

3.4

Pass

Enforce Data Retention

100%

1 ev

Control 43 controls

4.7

Fail

Manage Default Accounts on Enterprise Assets and Software

25%

1 ev

4.1

Partial

Establish and Maintain a Secure Configuration Process

65%

1 ev

4.3

Pass

Configure Automatic Session Locking on Enterprise Assets

100%

1 ev

Control 54 controls

5.4

Fail

Restrict Administrator Privileges to Dedicated Administrator Accounts

25%

1 ev

5.2

Partial

Use Unique Passwords

65%

1 ev

5.1

Pass

Establish and Maintain an Inventory of Accounts

100%

1 ev

5.3

Not assessed

Disable Dormant Accounts

1 ev

Control 65 controls

6.5

Fail

Require MFA for Administrative Access

25%

1 ev

6.1

Pass

Establish an Access Granting Process

100%

1 ev

6.2

Pass

Establish an Access Revoking Process

100%

1 ev

6.3

Pass

Require MFA for Externally-Exposed Applications

100%

1 ev

6.4

Pass

Require MFA for Remote Network Access

100%

1 ev

Control 73 controls

7.1

Pass

Establish and Maintain a Vulnerability Management Process

100%

1 ev

7.2

Pass

Establish and Maintain a Remediation Process

100%

1 ev

7.3

Pass

Perform Automated Operating System Patch Management

100%

1 ev

Control 83 controls

8.2

Partial

Collect Audit Logs

65%

1 ev

8.3

Pass

Ensure Adequate Audit Log Storage

100%

1 ev

8.1

Not assessed

Establish and Maintain an Audit Log Management Process

1 ev

Control 92 controls

9.1

Partial

Ensure Use of Only Fully Supported Browsers and Email Clients

65%

1 ev

9.2

Pass

Use DNS Filtering Services

100%

1 ev

Control 103 controls

10.2

Partial

Configure Automatic Anti-Malware Signature Updates

65%

1 ev

10.3

Partial

Disable Autorun and Autoplay for Removable Media

65%

1 ev

10.1

Pass

Deploy and Maintain Anti-Malware Software

100%

1 ev

Control 114 controls

11.1

Not assessed

Establish and Maintain a Data Recovery Process

1 ev

11.2

Not assessed

Perform Automated Backups

1 ev

11.3

Not assessed

Protect Recovery Data

1 ev

11.4

Not assessed

Establish and Maintain an Isolated Instance of Recovery Data

1 ev

Control 131 control

13.1

Pass

Centralize Security Event Alerting

100%

1 ev

Control 145 controls

14.1

Partial

Establish and Maintain a Security Awareness Program

65%

1 ev

14.3

Partial

Train Workforce Members on Authentication Best Practices

65%

1 ev

14.4

Partial

Train Workforce Members on Data Handling Best Practices

65%

1 ev

14.2

Not assessed

Train Workforce Members to Recognize Social Engineering Attacks

1 ev

14.5

Not assessed

Train Workforce Members on Causes of Unintentional Data Exposure

1 ev

Evidence chain

sig

Manifest signed · bundle verified · 2026-05-15T23:34:52.960141+00:00

Assessment

CIS v8 IG2 · v8.0

Polaris automated

last assessed May 15, 2026

Scope

Contoso Defense Systems

30-day scan window

run 20260515T233445Z_ad-hoc

§ 03 · Compliance MatrixManifest · May 15, 2026

Last assessed May 15, 2026Polaris automated

SOC 2 TSC

3 controls failing · 41% not yet assessed.

Score of assessed controls

56%

16 of 27 controls scored · 11 not yet assessed

Pass5

19%

Partial8

30%

Fail3

11%

Not assessed11

41%

§ 03·A

Functions at a glance

status density by function

§ 03·B

Control ledger

27 controls

Control

Status

Name

Coverage

Evidence

CC18 controls

CC2.1

Fail

Obtains and uses relevant quality information

25%

0 ev

CC7.1

Fail

Monitors system components for anomalies

25%

0 ev

CC7.2

Fail

Detects and reports security incidents

25%

0 ev

CC5.1

Partial

Logical access security over information assets

65%

1 ev

CC5.2

Partial

Access restricted to authorized personnel

65%

1 ev

CC5.3

Partial

Security of access credentials

65%

1 ev

CC6.2

Partial

Encryption of data in transit

65%

1 ev

CC6.7

Partial

Restricts transmission and movement of data

65%

1 ev

CC6.3

Pass

Access to data is restricted and controlled

100%

1 ev

CC1.1

Not assessed

Demonstrates commitment to integrity and ethical values

1 ev

CC1.2

Not assessed

Board exercises oversight of internal controls

0 ev

CC3.1

Not assessed

Specifies objectives and identifies risks

0 ev

CC3.2

Not assessed

Identifies and assesses risks to objectives

0 ev

CC6.1

Not assessed

Encryption of data at rest

0 ev

CC6.6

Not assessed

Security measures against threats to infrastructure

0 ev

CC7.3

Not assessed

Evaluates and responds to security incidents

0 ev

CC7.4

Not assessed

Responds to identified security incidents

0 ev

CC8.1

Not assessed

Manages changes to infrastructure and software

0 ev

A3 controls

A1.2

Partial

Environmental protections and recovery mechanisms

65%

1 ev

A1.3

Partial

Tests recovery plan procedures

65%

1 ev

A1.1

Pass

Maintains availability commitments and system requirements

100%

1 ev

C2 controls

C1.1

Pass

Identifies and maintains confidential information

100%

1 ev

C1.2

Pass

Disposes of confidential information per policy

100%

1 ev

PI2 controls

PI1.1

Partial

Obtains and communicates processing integrity commitments

65%

1 ev

PI1.2

Pass

System inputs are complete, accurate, and valid

100%

1 ev

P2 controls

P1.1

Not assessed

Privacy notice provided to data subjects

0 ev

P1.2

Not assessed

Choice and consent obtained for data collection

0 ev

Evidence chain

sig

Manifest signed · bundle verified · 2026-05-15T23:34:52.960141+00:00

Assessment

SOC 2 TSC · v2017 TSC

Polaris automated

last assessed May 15, 2026

Scope

Contoso Defense Systems

30-day scan window

run 20260515T233445Z_ad-hoc

LOW COVERAGEFramework score below 30% — assessment is preliminary. Complete remaining controls before attesting.

§ 03 · Compliance MatrixManifest · May 15, 2026

Last assessed May 15, 2026Polaris automated (self-assessment posture, not C3PAO)

CMMC 2.0 Level 2

3 controls failing · 72% not yet assessed.

Score of assessed controls

25%

26 of 93 controls scored · 67 not yet assessed

Pass23

25%

Partial0

Fail3

Not assessed67

72%

§ 03·A

Functions at a glance

status density by function

§ 03·B

Control ledger

93 controls

Control

Status

Name

Coverage

Evidence

AC18 controls

AC.L2-3.1.6

Fail

Non-Privileged Account Use

25%

1 ev

AC.L2-3.1.3

Pass

Control CUI Flow

100%

1 ev

AC.L2-3.1.4

Pass

Separation of Duties

100%

1 ev

AC.L2-3.1.5

Pass

Least Privilege

100%

1 ev

AC.L2-3.1.7

Pass

Privileged Functions

100%

1 ev

AC.L2-3.1.8

Pass

Unsuccessful Logon Attempts

100%

1 ev

AC.L2-3.1.9

Not assessed

Privacy & Security Notices

1 ev

AC.L2-3.1.10

Not assessed

Session Lock

1 ev

AC.L2-3.1.11

Not assessed

Session Termination

1 ev

AC.L2-3.1.12

Not assessed

Remote Access Control

1 ev

AC.L2-3.1.13

Not assessed

Remote Access Encryption

1 ev

AC.L2-3.1.14

Not assessed

Remote Access Routing

1 ev

AC.L2-3.1.15

Not assessed

Privileged Remote Access

1 ev

AC.L2-3.1.16

Not assessed

Wireless Access Authorization

1 ev

AC.L2-3.1.17

Not assessed

Wireless Access Protection

1 ev

AC.L2-3.1.18

Not assessed

Mobile Device Connection

1 ev

AC.L2-3.1.19

Not assessed

Encrypt CUI on Mobile

1 ev

AC.L2-3.1.21

Not assessed

Portable Storage Use

1 ev

AT3 controls

AT.L2-3.2.1

Pass

Security Awareness

100%

1 ev

AT.L2-3.2.2

Not assessed

Role-Based Training

1 ev

AT.L2-3.2.3

Not assessed

Insider Threat Awareness

1 ev

AU9 controls

AU.L2-3.3.4

Fail

Audit Failure Alerting

25%

1 ev

AU.L2-3.3.1

Pass

System Auditing

100%

1 ev

AU.L2-3.3.2

Pass

User Accountability

100%

1 ev

AU.L2-3.3.8

Pass

Audit Protection

100%

1 ev

AU.L2-3.3.9

Pass

Audit Management

100%

1 ev

AU.L2-3.3.3

Not assessed

Event Review

1 ev

AU.L2-3.3.5

Not assessed

Audit Correlation

1 ev

AU.L2-3.3.6

Not assessed

Audit Reduction

1 ev

AU.L2-3.3.7

Not assessed

Authoritative Time Source

1 ev

CA4 controls

CA.L2-3.12.1

Not assessed

Security Assessments

1 ev

CA.L2-3.12.2

Not assessed

Plan of Action

1 ev

CA.L2-3.12.3

Not assessed

Security Control Monitoring

1 ev

CA.L2-3.12.4

Not assessed

System Security Plan

1 ev

CM9 controls

CM.L2-3.4.1

Pass

System Baseline Configuration

100%

1 ev

CM.L2-3.4.2

Pass

Security Configuration Enforcement

100%

1 ev

CM.L2-3.4.3

Not assessed

System Change Management

1 ev

CM.L2-3.4.4

Not assessed

Security Impact Analysis

1 ev

CM.L2-3.4.5

Not assessed

Access Restrictions for Change

1 ev

CM.L2-3.4.6

Not assessed

Least Functionality

1 ev

CM.L2-3.4.7

Not assessed

Nonessential Functionality

1 ev

CM.L2-3.4.8

Not assessed

Application Allowlisting

1 ev

CM.L2-3.4.9

Not assessed

User-Installed Software

1 ev

IA9 controls

IA.L2-3.5.3

Fail

Multifactor Authentication

25%

1 ev

IA.L2-3.5.4

Pass

Replay-Resistant Authentication

100%

1 ev

IA.L2-3.5.7

Pass

Password Complexity

100%

1 ev

IA.L2-3.5.8

Pass

Password Reuse Prohibition

100%

1 ev

IA.L2-3.5.5

Not assessed

Identifier Reuse Prevention

1 ev

IA.L2-3.5.6

Not assessed

Identifier Disabling

1 ev

IA.L2-3.5.9

Not assessed

Temporary Passwords

1 ev

IA.L2-3.5.10

Not assessed

Cryptographic Password Protection

1 ev

IA.L2-3.5.11

Not assessed

Obscure Feedback

1 ev

IR3 controls

IR.L2-3.6.1

Not assessed

Incident Handling

1 ev

IR.L2-3.6.2

Not assessed

Incident Reporting

1 ev

IR.L2-3.6.3

Not assessed

Incident Response Testing

1 ev

MA6 controls

MA.L2-3.7.1

Not assessed

System Maintenance

1 ev

MA.L2-3.7.2

Not assessed

Maintenance Controls

1 ev

MA.L2-3.7.3

Not assessed

Equipment Sanitization

1 ev

MA.L2-3.7.4

Not assessed

Media Inspection

1 ev

MA.L2-3.7.5

Not assessed

Nonlocal Maintenance

1 ev

MA.L2-3.7.6

Not assessed

Maintenance Personnel

1 ev

MP8 controls

MP.L2-3.8.1

Not assessed

Media Protection

1 ev

MP.L2-3.8.2

Not assessed

Media Access

1 ev

MP.L2-3.8.4

Not assessed

Media Markings

1 ev

MP.L2-3.8.5

Not assessed

Media Accountability

1 ev

MP.L2-3.8.6

Not assessed

Portable Storage Encryption

1 ev

MP.L2-3.8.7

Not assessed

Removable Media Control

1 ev

MP.L2-3.8.8

Not assessed

Shared Media

1 ev

MP.L2-3.8.9

Not assessed

CUI Backup Protection

1 ev

PE2 controls

PE.L2-3.10.2

Not assessed

Facility Protection

1 ev

PE.L2-3.10.6

Not assessed

Alternative Work Sites

1 ev

PS2 controls

PS.L2-3.9.1

Not assessed

Screen Individuals

1 ev

PS.L2-3.9.2

Not assessed

Personnel Actions

1 ev

RA3 controls

RA.L2-3.11.2

Pass

Vulnerability Scanning

100%

1 ev

RA.L2-3.11.1

Not assessed

Risk Assessments

1 ev

RA.L2-3.11.3

Not assessed

Vulnerability Remediation

1 ev

SC14 controls

SC.L2-3.13.6

Pass

Network Communication by Exception

100%

1 ev

SC.L2-3.13.8

Pass

Data in Transit Encryption

100%

1 ev

SC.L2-3.13.11

Pass

CUI Encryption

100%

1 ev

SC.L2-3.13.16

Pass

Data at Rest Encryption

100%

1 ev

SC.L2-3.13.2

Not assessed

Security Engineering

1 ev

SC.L2-3.13.3

Not assessed

Role Separation

1 ev

SC.L2-3.13.4

Not assessed

Shared Resource Control

1 ev

SC.L2-3.13.7

Not assessed

Split Tunneling Prevention

1 ev

SC.L2-3.13.9

Not assessed

Connection Termination

1 ev

SC.L2-3.13.10

Not assessed

Cryptographic Key Management

1 ev

SC.L2-3.13.12

Not assessed

Collaborative Device Control

1 ev

SC.L2-3.13.13

Not assessed

Mobile Code Control

1 ev

SC.L2-3.13.14

Not assessed

Voice over IP Control

1 ev

SC.L2-3.13.15

Not assessed

Communications Authenticity

1 ev

SI3 controls

SI.L2-3.14.3

Pass

Security Alerts & Advisories

100%

1 ev

SI.L2-3.14.6

Pass

Monitor Communications

100%

1 ev

SI.L2-3.14.7

Pass

Identify Unauthorized Use

100%

1 ev

Evidence chain

sig

Manifest signed · bundle verified · 2026-05-15T23:34:52.960141+00:00

Assessment

CMMC 2.0 Level 2 · v2.0 L2

Polaris automated (self-assessment posture, not C3PAO)

last assessed May 15, 2026

Scope

Contoso Defense Systems

30-day scan window

run 20260515T233445Z_ad-hoc

Compliance Posture

Posture is mixed, and lack of assessment coverage is still the main constraint.

Header metrics reflect evidence-backed CMMC control coverage. Framework rows below separate assessed posture from coverage so failing, partial, and not assessed do not collapse into one number.

Collection Gaps

1 unresolved input groups

In-Scope CMMC Controls

110

The control population used for evidence-backed CMMC coverage.

Assessed Coverage

22%

24 assessed / 110 in scope

Assessed Posture

67%

16 passing, 4 partial, 4 failing on the assessed set

Not Assessed

Coverage or manual evidence is still missing.

Assessed Posture

67%

Passing 16 • Partial 4 • Failing 4

Not Assessed

controls

Coverage or manual evidence is still missing.

PASSING

Evidence-backed.

PARTIAL

Proof gaps remain.

FAILING

Not currently met.

NOT ASSESSED

Coverage missing.

PASSING

Evidence-backed

PARTIAL

Proof gaps remain

FAILING

Not currently met

NOT ASSESSED

Coverage missing

Confidence Context

Compliance

Moderate

Coverage

100%

Freshness

May 15, 2026 23:34 UTC

Source

Snapshot-based evidence

Bias / Limits

1 unresolved input groups still drive Not Assessed controls and limit posture certainty.

Framework Workspace

Choose a framework

Stay inside the framework that matters for this audience without mixing mapped posture from unrelated standards into the first read.

Stay inside one framework at a time.

Framework View

Framework Posture Summary

Each row separates assessed posture from coverage so mapped framework summaries do not overstate certainty.

CMMC L2

24/110 assessed • 86 not assessed

16 pass

4 partial

4 fail

22% coverage

16 passing

4 partial

4 failing

86 not assessed

Coverage

22%

24/110 assessed

Pass rate 67%

Assessment Gaps

Coverage constraints that explain why some controls remain not assessed.

Collection gap

No live collection or usable manual artifact was available for this input.

Unlocks: the missing evidence needed to move controls out of Not Assessed.

Examples access_review_summary, terms_of_use_summary, lifecycle_summary

open gaps

Detail Explorer

Evidence-backed

Control Directory

Browse every in-scope control, including not-assessed rows. Open any control for exact evidence detail.

Directory

CMMC L2 110 controls

One working list for passing, partial, failing, and gap controls.

search filter_alt

Directory

CIS Controls v8 18 controls

One working list for passing, partial, failing, and gap controls.

search filter_alt

Directory

NIST CSF 23 controls

One working list for passing, partial, failing, and gap controls.

search filter_alt

Directory

SOC 2 33 controls

One working list for passing, partial, failing, and gap controls.

search filter_alt

Select Control

Control ID: —

Select a control

Click any control in the directory to review its status basis, evidence sources, limiting inputs, and remediation guidance.

rule_settings

Pick a control from the directory

The right rail opens evidence, rationale, and workflow only after a control is selected.

Secondary Support

Mapping Support

These mappings show where findings touch frameworks. They do not represent framework posture or pass rates by themselves.

Finding-to-framework mappings

Expand only when you need traceability from a finding to its mapped frameworks.

expand_more

hub Finding-to-Framework Mappings

Traceability support only. A checkmark indicates mapping coverage, not assessed posture.

Finding ID	Title	Severity	CIS	NIST	SOC2	ISO	CMMC
OnPremInfra-ONPREM-FW-001	On-Prem: Windows Firewall Disabled on One or More Profiles	Critical	—	check_circle	—	—	check_circle
Device-015	Critical Security Configuration Gaps Require Action	Critical	check_circle	check_circle	check_circle	check_circle	—
Network-010	NSG Rules Allow All Inbound Traffic	Critical	check_circle	check_circle	check_circle	check_circle	—
Identity-005	Legacy Authentication Still Allowed	High	check_circle	check_circle	check_circle	check_circle	—
Identity-008	40 Users Not Covered by MFA Policy	High	check_circle	check_circle	check_circle	check_circle	—
Identity-010	2 High-Risk User Accounts Detected	High	check_circle	check_circle	check_circle	check_circle	—
Security-001	3 Active Security Alerts (2 High, 1 Medium)	High	check_circle	check_circle	check_circle	check_circle	—
Email-005	Safe Links Protection Disabled	High	check_circle	check_circle	check_circle	check_circle	—
Email-006	Safe Attachments Protection Disabled	High	check_circle	check_circle	check_circle	check_circle	—
Email-007	Anti-Phishing Controls Are Not Fully Enabled	High	check_circle	check_circle	check_circle	check_circle	—
Email-008	Email Threat Detection/Containment Rate Is Below Target	High	check_circle	check_circle	check_circle	check_circle	—
Identity-014	FIDO2 / Passkey Authentication Not Enabled	High	check_circle	check_circle	check_circle	check_circle	—
Security-002	Failed and Risky Sign-In Volume Exceeds Baseline	High	check_circle	check_circle	check_circle	check_circle	—
Governance-002	Privileged High-Risk Administrative Operations Require Review	High	check_circle	check_circle	check_circle	check_circle	—
DataProtection-010	SharePoint External Sharing Is Enabled on Collaboration Sites	High	check_circle	check_circle	check_circle	check_circle	—
Governance-003	Secure Score Recommendation Backlog Is Accumulating	High	check_circle	check_circle	check_circle	check_circle	—
Application-006	Third-Party Application Consents Include Elevated-Risk Integrations	High	check_circle	check_circle	check_circle	check_circle	—
Identity-017	Strong Authentication Method Adoption Is Below Target	High	check_circle	check_circle	check_circle	check_circle	—
Security-003	Threat Pulse Indicates Elevated Active Alert Backlog	High	check_circle	check_circle	check_circle	check_circle	—
Infrastructure-001	Network Security Groups Allow Unrestricted Inbound Access	High	check_circle	check_circle	check_circle	check_circle	—
Infrastructure-002	Storage Accounts Allow Public Blob Access	High	check_circle	check_circle	check_circle	check_circle	—
Vulnerability-001	Security Configuration Gaps Require Remediation	High	check_circle	check_circle	check_circle	check_circle	—
Vulnerability-002	High-Severity Vulnerabilities Require Short-Term Remediation	High	check_circle	check_circle	check_circle	check_circle	—
Cost-001	Orphaned Cloud Resources Incurring Waste	High	check_circle	check_circle	check_circle	check_circle	—
ActiveDirectory-003	AD: Privileged Admin Footprint Controlled	High	check_circle	check_circle	check_circle	check_circle	—
ActiveDirectory-006	AD: LDAP Signing/Channel Binding Gap	High	check_circle	check_circle	check_circle	check_circle	—
OnPremInfra-ONPREM-FW-003	On-Prem: RDP Exposed Broadly Across Networks	High	—	check_circle	—	—	check_circle
OnPremInfra-ONPREM-NET-001	On-Prem: High-Risk Listening Ports Exposed	High	—	check_circle	—	—	check_circle
OnPremInfra-ONPREM-EP-005	On-Prem: Windows Update Not Configured or Current	High	—	check_circle	—	—	check_circle
OnPremInfra-ONPREM-CERT-001	On-Prem: Certificates Expiring Within 30 Days	High	—	check_circle	—	—	check_circle
OnPremInfra-ONPREM-AD-011	On-Prem: Password Policy Below Minimum Strength	High	—	check_circle	—	—	check_circle
Identity-025	Too Many Global Administrators	High	check_circle	check_circle	check_circle	check_circle	—
Identity-026	PIM Not Utilized for Privileged Roles	High	check_circle	check_circle	check_circle	check_circle	—
Identity-027	Legacy Authentication Sign-Ins Detected	High	check_circle	check_circle	check_circle	check_circle	—
Device-010	Managed Devices Missing Disk Encryption	High	check_circle	check_circle	check_circle	check_circle	—
Device-013	No Device Compliance Policies Defined	High	check_circle	check_circle	check_circle	check_circle	—
Device-016	High Endpoint Vulnerability Backlog	High	check_circle	check_circle	check_circle	check_circle	—
DataProtection-013	No DLP Policies Configured	High	check_circle	check_circle	check_circle	check_circle	—
DataProtection-017	Excessive Third-Party App Permissions	High	check_circle	check_circle	check_circle	check_circle	—
Network-013	Sensitive Email Encryption Not Enabled	High	check_circle	check_circle	check_circle	check_circle	—
Email-009	External Email Forwarding Rules Detected	High	check_circle	check_circle	check_circle	check_circle	—
Email-012	No Outbound Spam Policy Enabled	High	check_circle	check_circle	check_circle	check_circle	—
Email-013	Mail Flow Rules Bypass Security Filtering	High	check_circle	check_circle	check_circle	check_circle	—
Email-014	Auto-Forward to External Addresses Detected	High	check_circle	check_circle	check_circle	check_circle	—
Email-016	Multiple Domains Without DMARC	High	check_circle	check_circle	check_circle	check_circle	—
Endpoint-007	Managed Devices Missing BitLocker or Device Encryption	High	check_circle	check_circle	check_circle	check_circle	—
Endpoint-011	Defender Tamper Protection Disabled	High	check_circle	check_circle	check_circle	check_circle	—
Endpoint-013	Unsupported Operating Systems in Managed Fleet	High	check_circle	check_circle	check_circle	check_circle	—
Identity-018	Privileged Identity Management Not Protecting Admin Roles	High	check_circle	check_circle	check_circle	check_circle	—
Identity-020	Risky Sign-Ins Not Investigated	High	check_circle	check_circle	check_circle	check_circle	—

Appendix

Assessment Method and Input Coverage

Secondary reference material for assessability rules, input coverage, and existing POA&M items.

expand_more

Status Model

Implemented

Evidence supports implementation of the requirement.

In Progress

Some implementation exists, but proof or execution gaps remain.

Not Implemented

Evidence shows the requirement is not currently met.

Not Assessed

Evidence was not sufficient to determine implementation.

Assessment Gap Reasons

License gap

Required licensing or product capability was not available for collection.

Consent missing

Tenant consent or connector authorization blocked automated collection.

Collection failure

Automated collection failed or returned unusable results.

Manual review required

This requirement depends on document or interview evidence, not just telemetry.

Out of scope

The source input is not applicable to the scoped environment.

Collection gap

No live collection or usable manual artifact was available for this input.

Assessment Inputs

Dataset	State	Reason	Last Collected
access_review_summary	Gap	Collection gap	—
pim_role_settings	Assessed	Assessed	—
directory_roles	Assessed	Assessed	—
terms_of_use_summary	Gap	Collection gap	—
lifecycle_summary	Gap	Collection gap	—
sharepoint_sharing_settings	Gap	Collection gap	—
teams_policies	Assessed	Assessed	—
bitlocker_recovery_keys	Gap	Collection gap	—
records_management	Assessed	Assessed	—
retention_policies	Assessed	Assessed	—
data_governance_summary	Gap	Collection gap	—
risk_detection_summary	Gap	Collection gap	—
entra_recommendations	Gap	Collection gap	—
ca_whatif_results	Gap	Collection gap	—
arm_network_nsgs	Assessed	Assessed	—
arm_storage_accounts	Assessed	Assessed	—
arm_key_vaults	Assessed	Assessed	—
arm_sql_servers	Assessed	Assessed	—

Existing POA&M Items

ID	Weakness	Milestone
AC.L2-3.1.6	Non-Privileged Account Use	180 days
SC.L2-3.13.2	Security Engineering	180 days
AU.L2-3.3.4	Audit Failure Alerting	180 days
CM.L2-3.4.5	Access Restrictions for Change	180 days

§ 04 · Technical Evidence · Evidence Bundle

165 evidence envelopes, manifest verified · manifest-only provenance.

bundle · 20260515T233445Z_ad-hoc
run · 20260515T233445Z_ad-hoc · window — → May 15, 2026

Manifest root · SHA-256Manifest hash not embedded

SignerPolaris Platformkey not embedded

SignedManifest onlyDetached signature not embedded

Envelopes165from 5 collectors

Bundle size—deterministic

SignatureUnavailableNo embedded signature

Key fingerprint—public key

§ 04.1

Integrity

five dimensions of bundle integrity

Manifest verified

165 / 165 envelope hashes match

Collectors pinned

5 / 5 at pinned versions

Chain intact

collect → normalize → hash → bundle → sign → publish

Bundle signature

Detached signature not embedded

Collection gap

5 collectors failed output · envelopes not received

§ 04.2

Verify it yourself

The bundle is a signed, deterministic artifact. Any reviewer can reproduce the manifest root offline and compare the signature against the — printed in the masthead of every page. No Polaris backend required.

# verify-it-yourself · bundle signature + manifest integrity
polaris verify ./polaris-20260515T233445Z_ad-hoc.tar.zst \
    --pubkey polaris-signing.pub \
    --expect-sig —

# expected output
[ok]  signature        verified
[ok]  manifest_root    match
[ok]  envelopes        165 / 165 hashes match
[ok]  collectors       5 / 5 at pinned versions
[ok]  chain_of_custody collect → normalize → hash → bundle → sign → publish

Public signing key

—

Notary receipt

—

Reproducibility

deterministic manifest hashing · re-bundle of same inputs produces byte-identical output

§ 04.1b

Improve report coverage

2 coverage items · highest severity: medium

Coverage unlock ledger

2 gaps

API error - Polaris retry

Purview retention labels

What is incompleteRetention label evidence may be incomplete because the retention labels API returned an error.

Retry Purview retention labels, then handle Records Management consent if needed

OwnerPolaris first; customer Entra or Purview records-management admin if authorization is missing

Access/artifact neededMicrosoft Graph delegated RecordsManagement.Read.All for retention label reads

Customer actionIf the retry still fails with authorization, approve the delegated Records Management read path.

Polaris actionRetry the endpoint and show the exact Microsoft status code/message if it still fails.

Retry Purview collection

Rerun the Purview retention-label collector.
If the endpoint still errors, record the Microsoft status code and message in Technical Evidence.
If the error is authorization-related, request delegated RecordsManagement.Read.All approval from the customer's Purview or Entra admin.

After rerunUnlocked after rerun: retention-label evidence in Data Protection, Compliance Matrix, and Technical Evidence.

Microsoft lists this endpoint as delegated-only for work or school accounts. It is not fixed by Azure RBAC Reader.

Unlocks after rerunData Protection, Compliance Matrix, Technical Evidence

Technical source: Microsoft Graph / security labels retentionLabels

1 metric · 3 sections

Evidence not provided

Network Security

What is incompleteNetwork Security coverage is 0%. This means the report is missing evidence for that domain; it is not a clean result.

Confirm whether network security is in scope

Network Security is either not in scope yet or missing the source needed to assess it. Do not read 0% coverage as a clean network result.

OwnerCustomer Azure/network admin with Polaris support

Access/artifact neededAzure RBAC Reader for cloud network inventory, or firewall/network evidence for non-Azure scope

Customer actionEither mark Network Security out of scope with a reason, or grant/provide the network evidence source.

Polaris actionIf in scope, rerun Azure Resource Graph or ingest the network evidence and link it to findings.

Resolve Network Security coverage

Decide whether cloud and/or on-prem network security belongs in this assessment.
For Azure network evidence, assign Azure RBAC Reader to Polaris on each subscription.
For non-Azure network evidence, upload firewall, segmentation, or network-control exports.
If excluded, document the out-of-scope reason so the report does not imply a clean result.

After rerunUnlocked after rerun: NSG, public exposure, firewall, segmentation, and network-control evidence.

Out of scope is acceptable when intentional. Missing source data should be fixed or explicitly excluded.

Unlocks after rerunNetwork Security

Technical source: data_quality_by_domain

1 metric · 1 section

§ 04.3

Collection provenance

Paths, permissions, and measured source confidence

Collection provenance

These cards explain what fed the report, which permissions constrained collection, and how much of the evidence is directly observed versus inferred.

Collection sources54 collected · 0 partial

Permissions exercised2121 granted · 0 denied

Telemetry coverage77 observed · 0 inferred

Collection sources

5 paths · 4 collected · 0 partial

CISA ScubaGear CollectorNot CollectedMicrosoft 365 baseline hardening findings and federal-baseline appendix material · No Scuba baseline upload was detected in this run.

Method Upload `Invoke-ScubaGearCollector.ps1` output

Coverage Microsoft 365 baseline hardening findings and federal-baseline appendix material

Feeds Findings · Measurement Map · Federal Baseline appendix (Word)

Next action Run ScubaGear if you need Microsoft 365 baseline policy proof beyond native Graph coverage.

Azure Resource Manager (Reader RBAC)CollectedAzure infrastructure · exposure · key vault · ARM collection not enabled

Method Automatic after Azure RBAC Reader is granted on each subscription

Coverage Azure infrastructure, exposure, key vault, SQL, backup, and recovery posture

Feeds Azure Infrastructure and ARM Coverage · Coverage Unlock Matrix · Measurement Map

Next action Keep subscription Reader scope current and validate accessible subscriptions before release.

Microsoft Graph APICollectedIdentity · endpoint · collaboration · 21/21 endpoint checks returned cloud telemetry.

Method Automatic after Graph admin consent

Coverage Identity, endpoint, collaboration, security, and permission telemetry

Feeds Overview KPIs · Findings · Measurement Map · Permission Collection Status · Coverage Unlock Matrix

Next action Use as the primary cloud evidence lane for this report.

On-Prem AD CollectorCollectedTier-0 groups · LDAP signing · NTLM · 0 on-prem AD coverage items landed in the dedicated AD/Tier-0 path.

Method Upload `Invoke-ADOnPremCollector.ps1` output

Coverage Tier-0 groups, LDAP signing, NTLM, trusts, ACLs, and on-prem AD hygiene

Feeds On-Prem Active Directory Assessment · Tier-0 Privileged Groups · Coverage Unlock Matrix · Measurement Map

Next action Treat this as the authoritative lane for the dedicated on-prem AD report sections.

PowerShell Security Collection UploadCollectedAD · firewall · endpoint · 24 evidence-backed controls across 14 evidence domains.

Method Upload `Invoke-SecurityCollection.ps1` output

Coverage AD, firewall, endpoint, audit, backup, and certificate evidence for compliance scoring

Feeds CMMC Evidence Snapshot · Evidence Summary · Coverage Unlock Matrix · Measurement Map

Next action Use this lane for evidence-backed compliance coverage, not for dedicated AD narrative sections.

Permission Collection Status21 / 21 granted0 denied · 0 partial · all granted endpoints pulled

Expand to inspect the full per-endpoint grid (21 rows)

Endpoint	Permission	Domain	Status
Device Compliance	DeviceManagementManagedDevices.Read.All	Endpoint	granted_and_pulled
Risky Users	IdentityRiskyUser.Read.All	Identity	granted_and_pulled
Conditional Access	Policy.Read.All	Identity	granted_and_pulled
Backup Health	Reader (ARM)	Infrastructure	granted_and_pulled
Backup Jobs	Reader (ARM)	Infrastructure	granted_and_pulled
Backup Vaults	Reader (ARM)	Infrastructure	granted_and_pulled
Key Vaults	Reader (ARM)	Infrastructure	granted_and_pulled
Network Security Groups	Reader (ARM)	Network	granted_and_pulled
Recovery Readiness	Reader (ARM)	Infrastructure	granted_and_pulled
SQL Servers	Reader (ARM)	Infrastructure	granted_and_pulled
Storage Accounts	Reader (ARM)	Infrastructure	granted_and_pulled
MFA Coverage	Reports.Read.All	Identity	granted_and_pulled
Privileged Accounts	RoleManagement.Read.All	Identity	granted_and_pulled
Secure Score	SecurityEvents.Read.All	Security	granted_and_pulled
Secure Score Controls	SecurityEvents.Read.All	Security	granted_and_pulled
Security Alerts	SecurityEvents.Read.All	Security	granted_and_pulled
Vulnerability Assessment	SecurityEvents.Read.All	Vulnerability Management	granted_and_pulled
Defender TVM Recommendations	SecurityRecommendation.Read.All (WindowsDefenderATP)	Vulnerability Management	granted_and_pulled
Defender Software Inventory	Software.Read.All (WindowsDefenderATP)	Vulnerability Management	granted_and_pulled
User Summary	User.Read.All	Identity	granted_and_pulled
Defender TVM Vulnerabilities	Vulnerability.Read.All (WindowsDefenderATP)	Vulnerability Management	granted_and_pulled

Telemetry coverage

7 metrics · 7 observed · 0 inferred

Metric	Source	Permission	Confidence
—	Microsoft Graph Reports	Reports.Read.All	OBSERVED
—	Microsoft Graph Reports	Reports.Read.All	OBSERVED
—	Microsoft Graph Policies	Policy.Read.All	OBSERVED
—	Microsoft Graph Conditional Access	Policy.Read.All	OBSERVED
—	Identity Protection	IdentityRiskEvent.Read.All	OBSERVED
—	Microsoft Defender Secure Score	SecurityEvents.Read.All	OBSERVED
—	Microsoft Intune	DeviceManagementManagedDevices.Read.All	OBSERVED

Chain of custody

collect → normalize → hash → bundle → sign → publish

Collect

raw queries to source APIs + agents

—

collector fleet · raw payloads

Normalize

map to polaris-schema

—

envelopes produced

Hash

sha-256 per envelope · canonical JSON

—

leaf hashes → merkle root

Bundle

deterministic frame · manifest + payloads

—

manifest assembled

Sign

HMAC/ed25519 over manifest root

—·—·—

unsigned · halt

Publish

append-only object store

—

receipt recorded

§ 04.4

Collector fleet

5 modules · pinned version and runtime output shown separately

Collector	Scope	Host	Runtime	Records	Module hash	Status
network.topologyv1.0.0	on-prem	DAL-DC01.corp.contoso.local	0.0s	31	—	failed output
ad.tier_0v1.0.0	on-prem	DAL-DC01.corp.contoso.local	0.0s	6	—	failed output
ad.attack_pathv1.0.0	on-prem	DAL-DC01.corp.contoso.local	0.0s	24	—	failed output
adcs.pkiv1.0.0	on-prem	DAL-CA01.corp.contoso.local	0.0s	10	—	failed output
gpo.securityv1.0.0	on-prem	DAL-DC01.corp.contoso.local	0.0s	7	—	failed output

0 verified5 failed output78 records0.0s total runtime

§ 04.5

Envelope stream

Showing 6 of 12 · click to expand payload

Showing 6 of 12

Collection gap reflected in §04.1 integrity · affected envelopes were not received

otherartifact_manifest · collectedhash f8ad9f06ef77f8646bc9a079e6f39e9c24ed0392529ea94a3fbe78042f2d23baMay 15, 23:34▾ hide

payload · 109 bytesother

artifact: On-Prem: Windows Firewall Disabled on One or More Profiles.txt
type: collected
bytes: 0
sha256: —

Envelope hash

f8ad9f06ef77f8646bc9a079e6f39e9c24ed0392529ea94a3fbe78042f2d23ba

Source

collected

Supports findings

no findings · reference material

otherartifact_manifest · collectedhash 0e7b601962ccae8da856694f515f0b2319e5a982a1d21922df99c57fd60dbb0bMay 15, 23:34▶ show

otherartifact_manifest · collectedhash 122363e7ddb94a9c35014107c591fbfc10f7df54432ad3959a07def6be4bf7eaMay 15, 23:34▶ show

otherartifact_manifest · collectedhash 0c25378937e972a4499004deb945b9c044957bc61d418ece01410e3360781ecbMay 15, 23:34▶ show

otherartifact_manifest · collectedhash deecd0a84d2d8c1517d7ea70a348d2d77bef9434a3036a3df189e18efda37d2bMay 15, 23:34▶ show

otherartifact_manifest · collectedhash 76009adabff43655322f26ac4d9c90cdf7232e535f35800c3cf0e479121e5bbbMay 15, 23:34▶ show

§ 04.6

Artifact manifest

80 artifacts · manifest-only mode

Manifest-only bundle80 artifacts in this bundlePer-artifact hashes and byte sizes are not embedded; verify the manifest root and custody chain above.

§ 04.7

Visual evidence

Browser screenshot gallery not included in this artifact set

Browser screenshots were not packaged with this run. The report content above remains valid; this artifact set simply does not include a screenshot gallery.

Tenant Identity and Consent Completeness

Technical Evidence

Use this workspace to verify tenant identity, consent completeness, and the current telemetry baseline before digging into the detailed evidence sections below.

scheduleMay 15, 2026 23:34 UTC

Tenant Name

Contoso Defense Systems

Tenant ID

a1b2c3d4-e5f6-7890-abcd-ef1234567890

Consent Completeness

Consent completeness: Complete (11/11 report-scope permissions granted and collected).

admin_panel_settings

Coverage Unlock

Expand Assessment Coverage

Grant additional Microsoft 365 permissions to unlock more data sources and deeper analysis.

Deeper app-risk coverage

Full auth-method detail

More Exchange telemetry

Fewer evidence gaps

open_in_newRe-authorize in Azure

Tenant Baseline

Tenant Overview

This baseline should orient the rest of the evidence tab.

group

Total Users

150

admin_panel_settings

Admins

devices

Managed Devices

150

shield

Secure Score

56.7%

verified_user

MFA Coverage

94.0%

dns

Verified Domains

MFA Coverage Detail

User MFA

94.0%

Admin MFA

100.0%

Users With MFA

Users Without MFA

Collection Health

Total Endpoints

Successful

Failed

Endpoint	Status	Objects	Permission
Secure Score	Collected	—	SecurityEvents.Read.All
MFA Coverage	Collected	—	Reports.Read.All
Risky Users	Collected	—	IdentityRiskyUser.Read.All
Privileged Accounts	Collected	—	RoleManagement.Read.All
Conditional Access	Collected	—	Policy.Read.All
Device Compliance	Collected	—	DeviceManagementManagedDevices.Read.All
Security Alerts	Collected	—	SecurityEvents.Read.All
User Summary	Collected	—	User.Read.All
Secure Score Controls	Collected	—	SecurityEvents.Read.All
Network Security Groups	Collected	—	Reader (ARM)
Storage Accounts	Collected	—	Reader (ARM)
Key Vaults	Collected	—	Reader (ARM)
SQL Servers	Collected	—	Reader (ARM)
Backup Health	Collected	—	Reader (ARM)
Backup Vaults	Collected	—	Reader (ARM)
Backup Jobs	Collected	—	Reader (ARM)
Recovery Readiness	Collected	—	Reader (ARM)
Vulnerability Assessment	Collected	—	SecurityEvents.Read.All
Defender TVM Vulnerabilities	Collected	—	Vulnerability.Read.All (WindowsDefenderATP)
Defender TVM Recommendations	Collected	—	SecurityRecommendation.Read.All (WindowsDefenderATP)
Defender Software Inventory	Collected	—	Software.Read.All (WindowsDefenderATP)

Data Collection Paths and Landing Zones

Collection Paths

Collected

Partial

Not Collected

This is the direct operator answer to "where does the data go?" Each collection lane lists the report sections it feeds and the next action needed to improve coverage.

Collected

Microsoft Graph API

Automatic after Graph admin consent

What It Feeds

Identity, endpoint, collaboration, security, and permission telemetry

21/21 endpoint checks returned cloud telemetry.

Report Sections

Overview KPIs
Findings
Measurement Map
Permission Collection Status
Coverage Unlock Matrix

Next Action

Use as the primary cloud evidence lane for this report.

Collected

Azure Resource Manager (Reader RBAC)

Automatic after Azure RBAC Reader is granted on each subscription

What It Feeds

Azure infrastructure, exposure, key vault, SQL, backup, and recovery posture

ARM collection not enabled

Report Sections

Azure Infrastructure and ARM Coverage
Coverage Unlock Matrix
Measurement Map

Next Action

Keep subscription Reader scope current and validate accessible subscriptions before release.

Collected

PowerShell Security Collection Upload

Upload `Invoke-SecurityCollection.ps1` output

Modules: ActiveDirectory, NetworkFirewall, EndpointSecurity, AuditConfig, BackupStatus, CertificateStore

What It Feeds

AD, firewall, endpoint, audit, backup, and certificate evidence for compliance scoring

24 evidence-backed controls across 14 evidence domains.

Report Sections

CMMC Evidence Snapshot
Evidence Summary
Coverage Unlock Matrix
Measurement Map

Next Action

Use this lane for evidence-backed compliance coverage, not for dedicated AD narrative sections.

Collected

On-Prem AD Collector

Upload `Invoke-ADOnPremCollector.ps1` output

What It Feeds

Tier-0 groups, LDAP signing, NTLM, trusts, ACLs, and on-prem AD hygiene

0 on-prem AD coverage items landed in the dedicated AD/Tier-0 path.

Report Sections

On-Prem Active Directory Assessment
Tier-0 Privileged Groups
Coverage Unlock Matrix
Measurement Map

Next Action

Treat this as the authoritative lane for the dedicated on-prem AD report sections.

Not Collected

CISA ScubaGear Collector

Upload `Invoke-ScubaGearCollector.ps1` output

What It Feeds

Microsoft 365 baseline hardening findings and federal-baseline appendix material

No Scuba baseline upload was detected in this run.

Report Sections

Findings
Measurement Map
Federal Baseline appendix (Word)

Next Action

Run ScubaGear if you need Microsoft 365 baseline policy proof beyond native Graph coverage.

Azure Infrastructure and ARM Coverage

Subscription scope, infrastructure coverage, and recovery evidence stay separate here so Azure posture is not overstated.

ARM Access Model

Azure RBAC on each customer subscription is required before infrastructure posture can be treated as complete.

not_assessed

Required Role

Reader

Accessible Subscriptions

Collection Failures

Subscriptions

NSGs

Storage

Key Vaults

Public IPs

ARM collection not enabled

ARM Subscription Scope

Subscription	Subscription ID	State
No Azure subscriptions were enumerated in this run. Grant Reader on each target subscription before treating Azure posture as complete.

ARM Security Summary

Is LiveTrue

Statusnot_assessed

Network Security Groups

Name	Resource Group	Rules Count
nsg-edge-westus2	—	—

Key Vaults

Name	Resource Group	SKU
kv-prod	—	—

SQL Servers

Name	Resource Group	State
sql-prod	—	—

Storage Accounts

Name	Resource Group	Kind
stapp01	—	—

Public IPs

Name	IP Address	Allocation
—	52.160.14.27	—
—	20.45.71.11	—

Backup Vaults

Name	Resource Group	Type
contoso-rsv-prod-eastus	rg-backup-prod	—
contoso-rsv-dr-westus	rg-backup-dr	—

Backup Jobs

Name	Status	Start Time
—	Completed	2026-05-15T20:09:51.299207+00:00
—	Completed	2026-05-15T19:29:51.299207+00:00
—	Completed	2026-05-15T18:24:51.299207+00:00

Recovery Readiness

Is LiveTrue

Overall Statushealthy

Rto Target Hours24

Rto Actual Hours8

Rpo Target Hours4

Rpo Actual Hours1

Rto Statushealthy

Rpo Statushealthy

Device Inventory

devices

Device Compliance

150 managed devices

96.7%

Total

150

Compliant

145

Non-Compliant

Device Inventory Detail

Device	OS	Status
—	Windows	—
—	macOS	—
—	iOS	—
—	Total	—

Privileged Accounts

No data collected for Privileged Accounts.

Conditional Access Policies

Total Policies

Enforced

Report Only

Disabled

Unnamed PolicyEnforced

On-Prem Active Directory Assessment

Domain

—

AD Score

0.0

Domain Controllers

DC-01 (Windows Server 2022, current)DC-02 (Windows Server 2019, 1 update pending)

Tier 0 Groups

Domain Admins (4)Enterprise Admins (2)Schema Admins (1)Administrators (6)Account Operators (0)Backup Operators (2)Server Operators (0)

Control	Status	Severity
AD Connect Sync Healthy	Pass	High
Legacy Authentication Active	Fail	High
Privileged Admin Footprint Controlled	Partial	Medium
Brute-Force Activity Monitored	Pass	High
Risky Sign-In Pressure Controlled	Pass	Medium
LDAP Signing/Channel Binding Gap	Fail	High
NTLMv1 Disabled	Pass	Medium
Domain Controller Patch Baseline Gap	Partial	High

Forest Topology

Static map of the on-prem Active Directory forest assembled from the PowerShell collector bundles. Sites sit on the top band, domain controllers below them, certificate authorities across the bottom. Crimson halos mark nodes carrying open findings; a gold ring marks Global Catalog DCs; dashed crimson arcs flag trusts with SID filtering disabled.

View the interactive tactical map

Sites

Domain Controllers

Certificate Authorities

Trusts

Findings

SiteDomain ControllerCertificate AuthorityGlobal Catalog ringFinding haloUnsafe trust (SID filtering off)

Risky Users

Total Risky

High Risk

Medium Risk

User	Risk Level	Detail
Marcus Williams	High	—
Jennifer Park	High	—
Emily Rodriguez	Medium	—
James Okafor	Medium	—
Rachel Kim	Medium	—
Thomas Bergstrom	Low	—

Guest Users

person_add

External Guest Summary

Total Guests

Inactive Guests

Dataset Actionability Matrix

Assessed

29/41

Not Assessed

Not Consented

Dataset Key	Dataset Name	Domain	Status	Next Action
oauth_grants_summary	OAuth Permission Grants	Identity / Apps	Assessed	Review findings
oauth_risk	OAuth App Permissions	Identity / Apps	Assessed	Review findings
log_analytics_summary	Log Analytics / Sentinel	Monitoring	Assessed	Review findings
service_principal_summary	Service Principal Audit	Identity / Apps	Assessed	Review findings
sharepoint_sites	SharePoint Sites (Raw)	Collaboration / Data	Assessed	Review findings
sharepoint_summary	SharePoint Summary	Collaboration / Data	Assessed	Review findings
sharepoint_sharing_settings	SharePoint Sharing Settings	Collaboration / Data	Not Consented	Grant consent
teams_inventory_summary	Teams Inventory	Collaboration	Assessed	Review findings
teams_summary	Teams Summary	Collaboration	Assessed	Review findings
named_locations_summary	Named Locations	Identity	Assessed	Review findings
sign_in_summary	Sign-In Analysis	Identity	Assessed	Review findings
retention_policies	Retention Policies	Data Protection	Assessed	Review findings
admin_operations_summary	High-Risk Admin Operations	Monitoring	Assessed	Review findings
high_risk_operations	High-Risk Operations Timeline	Monitoring	Assessed	Review findings
arm_public_ips	ARM Public IP Inventory	Infrastructure	Assessed	Review findings
configuration_status	Assessment Configuration Health	Platform	Not Assessed	Enable collection
secure_score_recommendations	Secure Score Recommendations	Security	Assessed	Review findings
vulnerability_data	Vulnerability Evidence (Detailed)	Endpoint	Assessed	Review findings
vulnerability_summary	Vulnerability Summary	Endpoint	Assessed	Review findings
guest_users_list	Guest Users	Identity / Collaboration	Assessed	Review findings
backup_health	Backup Security Posture	Resilience	Assessed	Review findings
backup_jobs	Backup Jobs	Resilience	Assessed	Review findings
backup_vaults	Backup Vaults	Resilience	Assessed	Review findings
recovery_readiness	Recovery Readiness	Resilience	Assessed	Review findings
bitlocker_recovery_keys	BitLocker Recovery Key Coverage	Endpoint	Not Consented	Grant consent
exchange_transport_rules	Exchange Transport Rules	Email	Not Consented	Grant consent
intune_app_protection	Intune App Protection	Endpoint	Assessed	Review findings
managed_app_policies	Managed App Policies	Endpoint	Assessed	Review findings
pim_role_settings	PIM Role Settings	Identity	Assessed	Review findings
teams_policies	Teams Policies	Collaboration	Assessed	Review findings
defender_tvm_detail	Defender TVM — CVE Detail	Vulnerability	Not Assessed	Enable collection
attack_simulation_campaigns	Attack Simulation Campaigns	Awareness	Not Assessed	Enable collection
auth_methods_policy	Authentication Methods Policy	Identity	Assessed	Review findings
device_posture_rollup	Device Posture Rollup	Endpoint	Assessed	Review findings
purview_labels	Purview Sensitivity Labels	Data Protection	Not Assessed	Enable collection
purview_policies	Purview DLP Policies	Data Protection	Not Assessed	Enable collection
accesspackage_summary	Entra Access Package Summary	Identity Governance	Not Assessed	Enable collection
entitlement_reviews	Entitlement Reviews	Identity Governance	Not Assessed	Enable collection
entra_recommendations	Entra Recommendations	Identity	Not Consented	Grant consent
lifecycle_summary_deep	Entra Lifecycle Workflows — Detail	Identity Governance	Not Assessed	Enable collection
onprem_operations	On-Prem Operations (Collector Bundles)	On-Prem Infrastructure	Assessed	Review findings

Security Feature Scorecard

No data collected for Security Feature Scorecard.

Coverage Unlock Matrix

All permissions are granted. No coverage gaps detected.

Permission Collection Status

Granted

Not Granted

Endpoint	Permission	Status	Domain
Device Compliance	DeviceManagementManagedDevices.Read.All	Granted + Pulled	Endpoint
Risky Users	IdentityRiskyUser.Read.All	Granted + Pulled	Identity
Conditional Access	Policy.Read.All	Granted + Pulled	Identity
Backup Health	Reader (ARM)	Granted + Pulled	Infrastructure
Backup Jobs	Reader (ARM)	Granted + Pulled	Infrastructure
Backup Vaults	Reader (ARM)	Granted + Pulled	Infrastructure
Key Vaults	Reader (ARM)	Granted + Pulled	Infrastructure
Network Security Groups	Reader (ARM)	Granted + Pulled	Network
Recovery Readiness	Reader (ARM)	Granted + Pulled	Infrastructure
SQL Servers	Reader (ARM)	Granted + Pulled	Infrastructure
Storage Accounts	Reader (ARM)	Granted + Pulled	Infrastructure
MFA Coverage	Reports.Read.All	Granted + Pulled	Identity
Privileged Accounts	RoleManagement.Read.All	Granted + Pulled	Identity
Secure Score	SecurityEvents.Read.All	Granted + Pulled	Security
Secure Score Controls	SecurityEvents.Read.All	Granted + Pulled	Security
Security Alerts	SecurityEvents.Read.All	Granted + Pulled	Security
Vulnerability Assessment	SecurityEvents.Read.All	Granted + Pulled	Vulnerability Management
Defender TVM Recommendations	SecurityRecommendation.Read.All (WindowsDefenderATP)	Granted + Pulled	Vulnerability Management
Defender Software Inventory	Software.Read.All (WindowsDefenderATP)	Granted + Pulled	Vulnerability Management
User Summary	User.Read.All	Granted + Pulled	Identity
Defender TVM Vulnerabilities	Vulnerability.Read.All (WindowsDefenderATP)	Granted + Pulled	Vulnerability Management

Integration Status

cloudConnected

Azure Resource Manager

ARM subscription security, public IPs, and resource inventory

backupConnected

Azure Backup & DR

Backup vaults, job status, and recovery readiness

bug_reportLimited

Defender Vulnerability

Secure Score configuration recommendations; Defender TVM CVE data not collected

policyConnected

Microsoft Purview

DLP policies, retention, and compliance posture

monitorConnected

Log Analytics / Sentinel

Log ingestion, workspace health, and SIEM coverage

Environment Snapshot & License Detail

Property	Value
Tenant ID	a1b2c3d4-e5f6-7890-abcd-ef1234567890
Tenant Name	Contoso Defense Systems
Primary Domains	contoso.onmicrosoft.com, contoso.com, contoso.mail.onmicrosoft.com
Run ID	20260515T233445Z_ad-hoc
Collector Version	fffea76

SKU Name	Assigned	Total	Utilization
SPB	120	130	92.3%
EXCHANGESTANDARD	5	5	100.0%
FLOW_FREE	28	10000	0.3%
POWER_BI_STANDARD	4	50	8.0%

Measurement Map

Metric	Data Source	Permission Required	Confidence
MFA coverage %	Microsoft Graph Reports	Reports.Read.All	Observed
Admin MFA coverage %	Microsoft Graph Reports	Reports.Read.All	Observed
Legacy auth blocked	Microsoft Graph Policies	Policy.Read.All	Observed
Enabled CA policy count	Microsoft Graph Conditional Access	Policy.Read.All	Observed
Risky sign-ins (count)	Identity Protection	IdentityRiskEvent.Read.All	Observed
Secure Score %	Microsoft Defender Secure Score	SecurityEvents.Read.All	Observed
Device compliance %	Microsoft Intune	DeviceManagementManagedDevices.Read.All	Observed

Data Coverage Audit

Collected

Missing

Total Audited

Data Collected

check_circleTenant Overview

check_circleBaseline Metrics

check_circleDevice Compliance

check_circlePrivileged Accounts

check_circleCa Policy Summary

check_circleOnprem Ad Assessment

check_circleOnprem Ad Technical

check_circleSecurity Feature Scorecard

check_circlePermission Collection Status

check_circleEnvironment Snapshot

check_circleLicense Overview

check_circleLicense Utilization

check_circleMeasurement Map

check_circleIntegrations

check_circleFindings

check_circleOauth Grants Summary

check_circleLog Analytics Summary

check_circleService Principal Summary

check_circleSharepoint Sites

check_circleSharepoint Summary

check_circleTeams Inventory Summary

check_circleTeams Summary

check_circleNamed Locations Summary

check_circleRetention Policies

check_circleAdmin Operations Summary

check_circleArm Public Ips

check_circleSecure Score Recommendations

check_circleVulnerability Data

check_circleVulnerability Summary

check_circleGuest Users List

check_circleBackup Jobs

check_circleBackup Vaults

check_circleRecovery Readiness

check_circleExchange Transport Rules

check_circleIntune App Protection

check_circleManaged App Policies

check_circlePim Role Settings

check_circleTeams Policies

check_circleArm Security Summary

check_circlePurview Summary

check_circleDlp Summary

check_circlePositive Findings

check_circleThreat Pulse Summary

check_circleConditional Access

check_circleMfa Coverage

check_circleDevice Inventory

check_circleDevice Configuration Policies

check_circleSecure Score

check_circleSecure Score Controls

check_circleAd Tier0 Groups

check_circleAd Controls

check_circleAd Security Score

check_circleAd Metrics

check_circleAd Domain Controllers

check_circleGuest Summary

check_circleRisky Users Summary

check_circleOnprem Ad Environment

check_circleEvidence Controls

check_circleEvidence Poam

check_circleEvidence Sprs Score

Data Missing

cancelRisky Users

cancelGuest Users

Full Data Explorer

data_objectData manifest (225 top-level keys) — click to expand

{
  "_html_security": {"type": "dict", "size": "3 keys"}
  "_report_mode": {"type": "str", "size": "11 chars"}
  "accesspackage_summary": {"type": "dict", "size": "0 keys"}
  "action_items": {"type": "list", "size": "11 items"}
  "ad_action_plan": {"type": "list", "size": "4 items"}
  "ad_assessment_available": {"type": "bool", "size": "bool"}
  "ad_collection_status": {"type": "str", "size": "0 chars"}
  "ad_connect_health": {"type": "dict", "size": "4 keys"}
  "ad_controls": {"type": "list", "size": "8 items"}
  "ad_coverage_items": {"type": "list", "size": "0 items"}
  "ad_domain_controllers": {"type": "list", "size": "3 items"}
  "ad_findings": {"type": "list", "size": "3 items"}
  "ad_kerberos": {"type": "dict", "size": "3 keys"}
  "ad_ldap_signing": {"type": "dict", "size": "2 keys"}
  "ad_metrics": {"type": "dict", "size": "6 keys"}
  "ad_ntlm_telemetry": {"type": "dict", "size": "3 keys"}
  "ad_security_score": {"type": "dict", "size": "6 keys"}
  "ad_tier0_groups": {"type": "list", "size": "7 items"}
  "ad_trusts": {"type": "list", "size": "0 items"}
  "admin_operations_summary": {"type": "dict", "size": "5 keys"}
  "app_registrations_summary": {"type": "dict", "size": "14 keys"}
  "arm_collection_status": {"type": "SafeString", "size": "12 chars"}
  "arm_diagnostic_settings": {"type": "dict", "size": "1 keys"}
  "arm_key_vaults": {"type": "list", "size": "1 items"}
  "arm_network_nsgs": {"type": "list", "size": "1 items"}
  "arm_policy_assignments": {"type": "dict", "size": "1 keys"}
  "arm_private_endpoints": {"type": "dict", "size": "0 keys"}
  "arm_public_ips": {"type": "list", "size": "2 items"}
  "arm_public_paas_count": {"type": "int", "size": "int"}
  "arm_resource_tags": {"type": "dict", "size": "1 keys"}
  "arm_security_summary": {"type": "dict", "size": "3 keys"}
  "arm_sql_servers": {"type": "list", "size": "1 items"}
  "arm_storage_accounts": {"type": "list", "size": "1 items"}
  "artifact_contract_validation": {"type": "dict", "size": "4 keys"}
  "artifacts": {"type": "list", "size": "0 items"}
  "assessment_period": {"type": "dict", "size": "2 keys"}
  "assessment_ready": {"type": "bool", "size": "bool"}
  "assessment_ref": {"type": "SafeString", "size": "36 chars"}
  "attack_simulation_campaigns": {"type": "dict", "size": "0 keys"}
  "auth_methods_detail": {"type": "dict", "size": "4 keys"}
  "auth_methods_policy": {"type": "dict", "size": "5 keys"}
  "auth_methods_summary": {"type": "dict", "size": "4 keys"}
  "backup_dashboard": {"type": "dict", "size": "8 keys"}
  "backup_health": {"type": "dict", "size": "4 keys"}
  "backup_jobs": {"type": "list", "size": "3 items"}
  "backup_status": {"type": "dict", "size": "0 keys"}
  "backup_vaults": {"type": "list", "size": "2 items"}
  "baseline_gap_actions": {"type": "list", "size": "1 items"}
  "baseline_metrics": {"type": "dict", "size": "16 keys"}
  "bitlocker_recovery_keys": {"type": "dict", "size": "3 keys"}
  "branding": {"type": "dict", "size": "11 keys"}
  "ca_gap_analysis": {"type": "dict", "size": "5 keys"}
  "ca_mfa_coverage": {"type": "dict", "size": "8 keys"}
  "ca_policy_summary": {"type": "dict", "size": "5 keys"}
  "ca_whatif_results": {"type": "dict", "size": "5 keys"}
  "cis_v8_assessment": {"type": "dict", "size": "5 keys"}
  "collection_gaps": {"type": "dict", "size": "8 keys"}
  "collection_health_summary": {"type": "dict", "size": "12 keys"}
  "combined_posture": {"type": "dict", "size": "8 keys"}
  "compliance_context": {"type": "dict", "size": "5 keys"}
  "compliance_data_quality": {"type": "dict", "size": "5 keys"}
  "compliance_decision_queue": {"type": "list", "size": "10 items"}
  "compliance_denominators": {"type": "dict", "size": "6 keys"}
  "compliance_evidence_inventory": {"type": "list", "size": "18 items"}
  "compliance_framework_controls": {"type": "dict", "size": "4 keys"}
  "compliance_policies_summary": {"type": "dict", "size": "3 keys"}
  "compliance_probe_audit": {"type": "list", "size": "18 items"}
  "compliance_probe_audit_summary": {"type": "dict", "size": "6 keys"}
  "composite_rating": {"type": "dict", "size": "8 keys"}
  "conditional_access": {"type": "dict", "size": "6 keys"}
  "configuration_status": {"type": "dict", "size": "0 keys"}
  "consent_completeness": {"type": "dict", "size": "6 keys"}
  "consent_completeness_line": {"type": "SafeString", "size": "86 chars"}
  "contract_contradiction_dashboard": {"type": "dict", "size": "3 keys"}
  "contradiction_dashboard": {"type": "dict", "size": "3 keys"}
  "cost_summary": {"type": "dict", "size": "6 keys"}
  "current_permission_health": {"type": "dict", "size": "8 keys"}
  "data_governance_summary": {"type": "dict", "size": "8 keys"}
  "data_quality_by_domain": {"type": "list", "size": "11 items"}
  "data_quality_gate": {"type": "dict", "size": "4 keys"}
  "data_status_semantics": {"type": "dict", "size": "3 keys"}
  "decision_points": {"type": "list", "size": "1 items"}
  "defender_summary": {"type": "dict", "size": "7 keys"}
  "defender_tvm_detail": {"type": "dict", "size": "0 keys"}
  "device_compliance": {"type": "dict", "size": "14 keys"}
  "device_configuration_policies": {"type": "dict", "size": "5 keys"}
  "device_inventory": {"type": "list", "size": "4 items"}
  "device_inventory_footnote": {"type": "SafeString", "size": "34 chars"}
  "device_posture_rollup": {"type": "dict", "size": "6 keys"}
  "directory_roles": {"type": "dict", "size": "3 keys"}
  "dlp_summary": {"type": "dict", "size": "4 keys"}
  "domain_stats": {"type": "dict", "size": "11 keys"}
  "domain_validations": {"type": "dict", "size": "7 keys"}
  "email_security": {"type": "dict", "size": "27 keys"}
  "entitlement_reviews": {"type": "dict", "size": "0 keys"}
  "entra_recommendations": {"type": "dict", "size": "6 keys"}
  "environment_snapshot": {"type": "dict", "size": "10 keys"}
  "evidence_assessment_available": {"type": "bool", "size": "bool"}
  "evidence_assessment_results": {"type": "dict", "size": "6 keys"}
  "evidence_controls": {"type": "list", "size": "24 items"}
  "evidence_coverage": {"type": "dict", "size": "7 keys"}
  "evidence_domain_rollup": {"type": "dict", "size": "14 keys"}
  "evidence_findings": {"type": "list", "size": "8 items"}
  "evidence_manifest": {"type": "dict", "size": "1 keys"}
  "evidence_poam": {"type": "list", "size": "4 items"}
  "evidence_sprs_score": {"type": "dict", "size": "4 keys"}
  "exchange_transport_rules": {"type": "dict", "size": "4 keys"}
  "expanded_domain_rollup": {"type": "dict", "size": "17 keys"}
  "failed_endpoints": {"type": "list", "size": "0 items"}
  "findings": {"type": "list", "size": "164 items"}
  "findings_by_domain": {"type": "dict", "size": "11 keys"}
  "findings_generation_status": {"type": "SafeString", "size": "2 chars"}
  "generated_at": {"type": "SafeString", "size": "32 chars"}
  "guest_detail_inventory": {"type": "dict", "size": "3 keys"}
  "guest_summary": {"type": "dict", "size": "11 keys"}
  "guest_users_list": {"type": "list", "size": "5 items"}
  "high_risk_operations": {"type": "dict", "size": "5 keys"}
  "implicit_actions": {"type": "list", "size": "11 items"}
  "inferred_findings": {"type": "list", "size": "0 items"}
  "integrations": {"type": "dict", "size": "3 keys"}
  "interleaved_action_plan": {"type": "list", "size": "15 items"}
  "intune_app_protection": {"type": "dict", "size": "3 keys"}
  "legacy_auth_summary": {"type": "dict", "size": "5 keys"}
  "legacy_auth_users": {"type": "dict", "size": "6 keys"}
  "license_overview": {"type": "dict", "size": "10 keys"}
  "license_summary": {"type": "dict", "size": "6 keys"}
  "license_utilization": {"type": "dict", "size": "4 keys"}
  "lifecycle_summary": {"type": "dict", "size": "6 keys"}
  "lifecycle_summary_deep": {"type": "dict", "size": "0 keys"}
  "log_analytics_summary": {"type": "dict", "size": "13 keys"}
  "managed_app_policies": {"type": "dict", "size": "3 keys"}
  "managed_devices_summary": {"type": "dict", "size": "3 keys"}
  "mde_summary": {"type": "dict", "size": "18 keys"}
  "measurement_map": {"type": "list", "size": "7 items"}
  "mfa_coverage": {"type": "dict", "size": "12 keys"}
  "named_locations_summary": {"type": "dict", "size": "4 keys"}
  "next_7_days_actions": {"type": "list", "size": "10 items"}
  "nist_csf_assessment": {"type": "dict", "size": "6 keys"}
  "oauth_audit": {"type": "dict", "size": "1 keys"}
  "oauth_grants_summary": {"type": "dict", "size": "4 keys"}
  "oauth_risk": {"type": "dict", "size": "5 keys"}
  "oauth_risk_rollup": {"type": "dict", "size": "7 keys"}
  "observed_findings": {"type": "list", "size": "139 items"}
  "onedrive_usage": {"type": "dict", "size": "0 keys"}
  "onprem_ad_assessment": {"type": "dict", "size": "10 keys"}
  "onprem_ad_environment": {"type": "dict", "size": "17 keys"}
  "onprem_ad_technical": {"type": "dict", "size": "17 keys"}
  "onprem_collector_bundles": {"type": "list", "size": "5 items"}
  "onprem_compliance_fanout": {"type": "dict", "size": "3 keys"}
  "onprem_infra_assessment": {"type": "dict", "size": "7 keys"}
  "onprem_operations": {"type": "dict", "size": "7 keys"}
  "org_slug": {"type": "SafeString", "size": "4 chars"}
  "organization_info": {"type": "dict", "size": "8 keys"}
  "overview_drilldowns": {"type": "dict", "size": "3 keys"}
  "password_policies": {"type": "dict", "size": "3 keys"}
  "permission_collection_status": {"type": "dict", "size": "15 keys"}
  "permission_status": {"type": "dict", "size": "0 keys"}
  "pim_role_settings": {"type": "dict", "size": "3 keys"}
  "pim_summary": {"type": "dict", "size": "0 keys"}
  "positive_findings": {"type": "list", "size": "6 items"}
  "prior_snapshot": {"type": "str", "size": "0 chars"}
  "prior_snapshots": {"type": "list", "size": "0 items"}
  "privileged_access_rollup": {"type": "dict", "size": "7 keys"}
  "privileged_accounts": {"type": "list", "size": "7 items"}
  "purview_labels": {"type": "dict", "size": "0 keys"}
  "purview_policies": {"type": "dict", "size": "0 keys"}
  "purview_summary": {"type": "dict", "size": "9 keys"}
  "recovery_readiness": {"type": "dict", "size": "8 keys"}
  "remediation": {"type": "dict", "size": "3 keys"}
  "renderable_detail_datasets": {"type": "dict", "size": "3 keys"}
  "report_metadata": {"type": "dict", "size": "9 keys"}
  "report_mode": {"type": "SafeString", "size": "10 chars"}
  "report_schema_version": {"type": "SafeString", "size": "5 chars"}
  "report_scope_audit": {"type": "list", "size": "15 items"}
  "report_scope_audit_summary": {"type": "dict", "size": "6 keys"}
  "reporting_contract_validation": {"type": "dict", "size": "6 keys"}
  "retention_policies": {"type": "dict", "size": "3 keys"}
  "risk_detection_summary": {"type": "dict", "size": "0 keys"}
  "risky_sign_ins_30d": {"type": "dict", "size": "6 keys"}
  "risky_signins_summary": {"type": "dict", "size": "6 keys"}
  "risky_users_summary": {"type": "dict", "size": "5 keys"}
  "rule_catalog": {"type": "list", "size": "135 items"}
  "run_id": {"type": "SafeString", "size": "23 chars"}
  "runbook": {"type": "dict", "size": "6 keys"}
  "secure_score": {"type": "dict", "size": "10 keys"}
  "secure_score_benchmarks": {"type": "dict", "size": "5 keys"}
  "secure_score_controls": {"type": "dict", "size": "4 keys"}
  "secure_score_recommendations": {"type": "dict", "size": "3 keys"}
  "security_alerts_summary": {"type": "dict", "size": "9 keys"}
  "security_feature_scorecard": {"type": "dict", "size": "5 keys"}
  "sensitivity_labels_summary": {"type": "dict", "size": "3 keys"}
  "service_principal_summary": {"type": "dict", "size": "5 keys"}
  "sharepoint_sharing_settings": {"type": "dict", "size": "2 keys"}
  "sharepoint_sites": {"type": "dict", "size": "5 keys"}
  "sharepoint_summary": {"type": "dict", "size": "4 keys"}
  "sign_in_summary": {"type": "dict", "size": "7 keys"}
  "snapshot_metrics": {"type": "dict", "size": "4 keys"}
  "soc2_assessment": {"type": "dict", "size": "5 keys"}
  "software_inventory_summary": {"type": "dict", "size": "6 keys"}
  "source_coverage": {"type": "dict", "size": "10 keys"}
  "source_data": {"type": "dict", "size": "16 keys"}
  "source_provenance": {"type": "dict", "size": "12 keys"}
  "sp_audit": {"type": "dict", "size": "9 keys"}
  "sprs_score": {"type": "int", "size": "int"}
  "subscribed_skus": {"type": "dict", "size": "3 keys"}
  "tactical_lists": {"type": "dict", "size": "5 keys"}
  "teams_inventory_summary": {"type": "dict", "size": "5 keys"}
  "teams_policies": {"type": "dict", "size": "3 keys"}
  "teams_summary": {"type": "dict", "size": "3 keys"}
  "tenant_display_name": {"type": "SafeString", "size": "23 chars"}
  "tenant_identity_issues": {"type": "list", "size": "0 items"}
  "tenant_overview": {"type": "dict", "size": "16 keys"}
  "tenant_overview_checklist": {"type": "list", "size": "7 items"}
  "terms_of_use_summary": {"type": "dict", "size": "4 keys"}
  "third_party_summary": {"type": "dict", "size": "4 keys"}
  "threat_hunting": {"type": "dict", "size": "3 keys"}
  "threat_pulse_summary": {"type": "dict", "size": "7 keys"}
  "topology_collection_status": {"type": "dict", "size": "10 keys"}
  "trend_summary": {"type": "dict", "size": "3 keys"}
  "trust_layer": {"type": "dict", "size": "3 keys"}
  "unknowns_register": {"type": "list", "size": "1 items"}
  "value_model": {"type": "dict", "size": "5 keys"}
  "vulnerability_data": {"type": "dict", "size": "11 keys"}
  "vulnerability_rollup": {"type": "dict", "size": "8 keys"}
  "vulnerability_summary": {"type": "dict", "size": "16 keys"}
}

9 DCs across 4 sites · 1 trust bypass SID filtering.

Sites

2 countries

Domain controllers

3 FSMO holders · 3 GC

Cert authorities

4 ADCS findings

Trusts

1 sidFilter off

Findings

27 placed · 25 unplaced

Drift · 30d

Baseline pending

trend unlocks at next scan

Sites & replication context3 DNS zones · 4 DHCP scopes · 3 site links

Dallas-HQ

3 DCs

Dallas · US

4 subnets · 1 DHCP · 3 site links

Huntsville

4 DCs

Huntsville · US

3 subnets · 1 DHCP · 1 site links

Crystal-City

1 DCs

Arlington · US

2 subnets · 1 DHCP · 1 site links

Edinburgh

1 DCs

Edinburgh · GB

2 subnets · 1 DHCP · 1 site links

DNS zones33 AD-integrated · corp.contoso.local, research.contoso.local

DHCP scopes44 sites covered · DAL-Corp, HSV-Corp

Replication links3slowest DAL-EDI · 180m · lagging

Topology digest9 DCs · 4 sites · 4 DHCP · 3 links · 52 findings

Domains

corp.contoso.local7 DCs
research.contoso.local2 DCs

Sites

Dallas-HQ3 DCs · US
Huntsville4 DCs · US
Crystal-City1 DCs · US
Edinburgh1 DCs · GB

Infrastructure

3 DNS zoneszone inventory
4 DHCP scopessite coverage
3 site linksreplication paths

Risky trusts

legacy-supplier.examplesidFilter off

Placement

27 placedmapped to graph nodes
25 unplacedneeds asset binding

Legend

Tier-0 DC
Tier-1 DC
Global catalog
P0 alert
Cert authority
Trust · safe
Trust · risky

ctrl+scroll zoom · drag pan · r reset

Topology findings · 52

27 placed · 25 unplaced · click row to highlight on map

Showing 20 of 52

ID	Sev	Title	Node	Domain	Control
PHASE5-AD04-FSMO-dal-dc01.corp.contoso.local	P1	FSMO concentration: dal-dc01.corp.contoso.local holds 3/5 roles — single point of failure	dal-dc01.corp.contoso.local	corp.contoso.local	AD-04
PHASE5-AD04-FSMO-res-dc01.research.contoso.local	P1	FSMO concentration: res-dc01.research.contoso.local holds 5/5 roles — single point of failure	res-dc01.research.contoso.local	research.contoso.local	AD-04
OnPrem-NET-SIDFILTER-LEGACY	P0	External trust to legacy-supplier.example has SID filtering disabled	dal-dc01.corp.contoso.local	—	—
OnPrem-NET-EDI-REPL-LAG	P1	Edinburgh DC replication lag exceeds 4h threshold	dal-dc01.corp.contoso.local	—	—
OnPrem-AD-T0-DA-MFA	P0	2 Domain Admins without MFA	dal-dc01.corp.contoso.local	—	—
OnPrem-AD-T0-KRBTGT-247	P0	krbtgt password age 247 days exceeds 180-day threshold	dal-dc01.corp.contoso.local	—	—
OnPrem-AD-T0-ADMINSDHOLDER-PKI	P0	AdminSDHolder ACL contains unexpected GenericWrite ACE for PKI vendor	dal-dc01.corp.contoso.local	—	—
OnPrem-AD-T0-ADMINSDHOLDER-BACKUP	P1	AdminSDHolder ACL contains unexpected WriteDACL ACE for backup vendor	dal-dc01.corp.contoso.local	—	—
OnPrem-AD-T0-PROTECTED-USERS-EMPTY	P1	Protected Users group has zero members	dal-dc01.corp.contoso.local	—	—
OnPrem-AD-T0-PASSWORD-POLICY	P1	Default Domain Password Policy minimum length is 12 (CMMC L2 gap)	dal-dc01.corp.contoso.local	—	—
OnPrem-AP-UNCONSTRAINED-PRINT	P0	DAL-PRINT01 has unconstrained Kerberos delegation	dal-dc01.corp.contoso.local	—	—
OnPrem-AP-UNCONSTRAINED-FILE	P0	HSV-FILE02 has unconstrained Kerberos delegation	dal-dc01.corp.contoso.local	—	—
OnPrem-AP-KERBEROASTABLE-14	P1	14 Kerberoastable service accounts	dal-dc01.corp.contoso.local	—	—
OnPrem-AP-ASREP-LEGACY	P1	Service account svc_legacy_ctip_connector is AS-REP roastable	dal-dc01.corp.contoso.local	—	—
OnPrem-AP-ASREP-MES	P1	Service account svc_mes_ctl is AS-REP roastable	dal-dc01.corp.contoso.local	—	—
OnPrem-AP-RC4-PERMITTED	P2	34 accounts still accept RC4 Kerberos encryption	dal-dc01.corp.contoso.local	—	—
OnPrem-ADCS-ESC1-DC	P0	ADCS template certifies domain controllers without signature (ESC1)	dal-ca01.corp.contoso.local	—	—
OnPrem-ADCS-ESC1-SMARTCARD	P0	ADCS template CorpUserSmartcard is ESC1 vulnerable	dal-ca01.corp.contoso.local	—	—
OnPrem-ADCS-ESC4-WORKSTATION	P1	ADCS template ContoWorkstationAuth is ESC4 (weak ACL) vulnerable	dal-ca01.corp.contoso.local	—	—
OnPrem-ADCS-CA-EXPIRY-57D	P1	Enterprise Issuing CA certificate expires in 57 days	dal-ca01.corp.contoso.local	—	—
OnPrem-GPO-SMB-SIGN	P0	SMB server signing is not required domain-wide	dal-dc01.corp.contoso.local	—	—
OnPrem-GPO-SMB1-47	P1	Legacy SMBv1 enabled on 47 endpoints	dal-dc01.corp.contoso.local	—	—
OnPrem-GPO-LDAP-SIGN	P1	LDAP signing is optional (LDAPServerIntegrity=1)	dal-dc01.corp.contoso.local	—	—
OnPrem-GPO-PS-LOGGING-203	P2	PowerShell script-block logging disabled across 203 hosts	dal-dc01.corp.contoso.local	—	—
OnPrem-GPO-LSA-PROTECT	P2	LSA Protection (RunAsPPL) is not enabled	dal-dc01.corp.contoso.local	—	—
OnPrem-GPO-NTLMV1	P2	Legacy NTLMv1 authentication is still allowed	dal-dc01.corp.contoso.local	—	—
OnPrem-GPO-SYSVOL-ACL	P3	SYSVOL permissions hardened (no action required)	dal-dc01.corp.contoso.local	—	—
Findings not yet placed on topology · 25 unknown-kind or unresolved asset
OnPrem-a838cee6bbdebeade5b6f87e45bd47bf	P0	External trust to legacy-supplier.example has SID filtering disabled	Unplaced	infrastructure	—
OnPrem-bb5a9d6f577335e859fca4309670b184	P1	Edinburgh DC replication lag exceeds 4h threshold	Unplaced	infrastructure	—
OnPrem-b2f1b05d8a827a2e5c84fa24de42f482	P0	2 Domain Admins without MFA	Unplaced	identity	—
OnPrem-bed89eaf2193e46f4ff4e32592dae478	P0	krbtgt password age 247 days exceeds 180-day threshold	Unplaced	identity	—
OnPrem-16f7917e737ec4706ddf063523c83342	P0	AdminSDHolder ACL contains unexpected GenericWrite ACE for PKI vendor	Unplaced	identity	—
OnPrem-a44af409d7d11e59c1493a0dbe64697b	P1	AdminSDHolder ACL contains unexpected WriteDACL ACE for backup vendor	Unplaced	identity	—
OnPrem-f0f7d0c50d45e6b1a1ec9b4d31aa74e3	P1	Protected Users group has zero members	Unplaced	identity	—
OnPrem-196a963ef20ace8c875acdb6bd3cd146	P1	Default Domain Password Policy minimum length is 12 (CMMC L2 gap)	Unplaced	identity	—
OnPrem-8ca006d6163ddcbbaba1e7966c2eadbf	P0	DAL-PRINT01 has unconstrained Kerberos delegation	Unplaced	identity	—
OnPrem-fa9a1cc45e2cca28fe8473c0489bcad6	P0	HSV-FILE02 has unconstrained Kerberos delegation	Unplaced	identity	—
OnPrem-973c8114634333ec705572385c76c6a8	P1	14 Kerberoastable service accounts	Unplaced	identity	—
OnPrem-115a403197926fcf3729afc5e5c88fd4	P1	Service account svc_legacy_ctip_connector is AS-REP roastable	Unplaced	identity	—
OnPrem-2e376a0ca89c5193bc5bbd75360d2e4d	P1	Service account svc_mes_ctl is AS-REP roastable	Unplaced	identity	—
OnPrem-97a5bcd3de1156ed22b2c2c6bf46b7c4	P2	34 accounts still accept RC4 Kerberos encryption	Unplaced	identity	—
OnPrem-4aa38d65ce3032519d1f521931c464da	P0	ADCS template certifies domain controllers without signature (ESC1)	Unplaced	identity	—
OnPrem-76680815350c3b60af20b49eed10bff4	P0	ADCS template CorpUserSmartcard is ESC1 vulnerable	Unplaced	identity	—
OnPrem-0f0e6181ecd6d31732ee82cce27690dd	P1	ADCS template ContoWorkstationAuth is ESC4 (weak ACL) vulnerable	Unplaced	identity	—
OnPrem-ec4b457d71895584370f8701340b7c3a	P1	Enterprise Issuing CA certificate expires in 57 days	Unplaced	identity	—
OnPrem-2481dae51698953372cf8077e7873270	P0	SMB server signing is not required domain-wide	Unplaced	identity	—
OnPrem-ad9235417f447a7ed15961e756550e6e	P1	Legacy SMBv1 enabled on 47 endpoints	Unplaced	identity	—
OnPrem-a249894fcd65540f5d07fd99f55e1c4b	P1	LDAP signing is optional (LDAPServerIntegrity=1)	Unplaced	identity	—
OnPrem-d9410d7869f255a0fec2355e9aefcf99	P2	PowerShell script-block logging disabled across 203 hosts	Unplaced	identity	—
OnPrem-0f77e63ab314918dcaf223a564609ca8	P2	LSA Protection (RunAsPPL) is not enabled	Unplaced	identity	—
OnPrem-42f2c00314d0c3e902ae242f5915f138	P2	Legacy NTLMv1 authentication is still allowed	Unplaced	identity	—
OnPrem-2033c52168ea3ca38362f4cc45adf8dd	P3	SYSVOL permissions hardened (no action required)	Unplaced	identity	—

P1PHASE5-AD04-FSMO-dal-dc01.corp.contoso.local

FSMO concentration: dal-dc01.corp.contoso.local holds 3/5 roles — single point of failure

Node: dal-dc01.corp.contoso.local
Domain: corp.contoso.local
Control: AD-04

P1PHASE5-AD04-FSMO-res-dc01.research.contoso.local

FSMO concentration: res-dc01.research.contoso.local holds 5/5 roles — single point of failure

Node: res-dc01.research.contoso.local
Domain: research.contoso.local
Control: AD-04

P0OnPrem-NET-SIDFILTER-LEGACY

External trust to legacy-supplier.example has SID filtering disabled

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-NET-EDI-REPL-LAG

Edinburgh DC replication lag exceeds 4h threshold

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-AD-T0-DA-MFA

2 Domain Admins without MFA

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-AD-T0-KRBTGT-247

krbtgt password age 247 days exceeds 180-day threshold

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-AD-T0-ADMINSDHOLDER-PKI

AdminSDHolder ACL contains unexpected GenericWrite ACE for PKI vendor

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-AD-T0-ADMINSDHOLDER-BACKUP

AdminSDHolder ACL contains unexpected WriteDACL ACE for backup vendor

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-AD-T0-PROTECTED-USERS-EMPTY

Protected Users group has zero members

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-AD-T0-PASSWORD-POLICY

Default Domain Password Policy minimum length is 12 (CMMC L2 gap)

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-AP-UNCONSTRAINED-PRINT

DAL-PRINT01 has unconstrained Kerberos delegation

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-AP-UNCONSTRAINED-FILE

HSV-FILE02 has unconstrained Kerberos delegation

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-AP-KERBEROASTABLE-14

14 Kerberoastable service accounts

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-AP-ASREP-LEGACY

Service account svc_legacy_ctip_connector is AS-REP roastable

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-AP-ASREP-MES

Service account svc_mes_ctl is AS-REP roastable

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P2OnPrem-AP-RC4-PERMITTED

34 accounts still accept RC4 Kerberos encryption

Node: dal-dc01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-ADCS-ESC1-DC

ADCS template certifies domain controllers without signature (ESC1)

Node: dal-ca01.corp.contoso.local
Domain: —
Control: —

P0OnPrem-ADCS-ESC1-SMARTCARD

ADCS template CorpUserSmartcard is ESC1 vulnerable

Node: dal-ca01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-ADCS-ESC4-WORKSTATION

ADCS template ContoWorkstationAuth is ESC4 (weak ACL) vulnerable

Node: dal-ca01.corp.contoso.local
Domain: —
Control: —

P1OnPrem-ADCS-CA-EXPIRY-57D

Enterprise Issuing CA certificate expires in 57 days

Node: dal-ca01.corp.contoso.local
Domain: —
Control: —

Account	Roles	MFA Status	Last sign-in
admin.breakglass@contoso.com	Global Admin	Registered	2025-06-20 11:00:00+00:00
david.mitchell@contoso.com	Security Admin	Registered	2026-02-07 08:30:00+00:00
emily.rodriguez@contoso.com	SharePoint Admin	Registered	2026-02-05 13:20:00+00:00
kevin.patel@contoso.com	Helpdesk Admin	Registered	2026-02-07 10:00:00+00:00
michael.torres@contoso.com	Global Admin, User Admin	Registered	2026-02-07 09:15:00+00:00
rachel.kim@contoso.com	Exchange Admin	Registered	2026-02-06 16:45:00+00:00
sarah.chen@contoso.com	Global Admin	Registered	2026-02-07 14:30:00+00:00

Name	UPN	Domain	Last sign-in
Amanda Foster	amanda.foster_clientcorp.example.com#EXT#@contoso.onmicrosoft.com	clientcorp.example.com	Not collected
Robert Hayes	robert.hayes_partnerfirm.example.com#EXT#@contoso.onmicrosoft.com	partnerfirm.example.com	Not collected
Diana Petrova	diana.petrova_outsideaudit.example.com#EXT#@contoso.onmicrosoft.com	outsideaudit.example.com	Not collected
Carlos Mendez	carlos.mendez_vendorservices.example.com#EXT#@contoso.onmicrosoft.com	vendorservices.example.com	Not collected
stale-contractor	old.contractor_defunct-company.example.com#EXT#@contoso.onmicrosoft.com	defunct-company.example.com	Not collected

Name	UPN	Domain	Last sign-in
Amanda Foster	amanda.foster_clientcorp.example.com#EXT#@contoso.onmicrosoft.com	clientcorp.example.com	Not collected
Robert Hayes	robert.hayes_partnerfirm.example.com#EXT#@contoso.onmicrosoft.com	partnerfirm.example.com	Not collected
Diana Petrova	diana.petrova_outsideaudit.example.com#EXT#@contoso.onmicrosoft.com	outsideaudit.example.com	Not collected
Carlos Mendez	carlos.mendez_vendorservices.example.com#EXT#@contoso.onmicrosoft.com	vendorservices.example.com	Not collected
stale-contractor	old.contractor_defunct-company.example.com#EXT#@contoso.onmicrosoft.com	defunct-company.example.com	Not collected

Name	UPN	Domain	Last sign-in
Amanda Foster	amanda.foster_clientcorp.example.com#EXT#@contoso.onmicrosoft.com	clientcorp.example.com	Not collected
Robert Hayes	robert.hayes_partnerfirm.example.com#EXT#@contoso.onmicrosoft.com	partnerfirm.example.com	Not collected
Diana Petrova	diana.petrova_outsideaudit.example.com#EXT#@contoso.onmicrosoft.com	outsideaudit.example.com	Not collected
Carlos Mendez	carlos.mendez_vendorservices.example.com#EXT#@contoso.onmicrosoft.com	vendorservices.example.com	Not collected
stale-contractor	old.contractor_defunct-company.example.com#EXT#@contoso.onmicrosoft.com	defunct-company.example.com	Not collected

Action	Priority
Deploy Microsoft Sentinel workspace	Required
Connect Azure AD sign-in and audit logs	Required
Connect Microsoft 365 audit logs	Required
Configure alert rules for critical events	Required
Set up automated incident response playbooks	Recommended

Remediation Action	Priority
Audit non-privileged account usage: ensure daily operations use standard accounts, not admin accounts	Required
Create separate admin accounts (e.g., adm-username@) for each IT staff member	Required
Configure Conditional Access to require compliant device + MFA for admin account sign-in	Required
Block admin accounts from accessing email, Teams, and other productivity workloads	Required
Implement privileged access workstations (PAWs) for administrative tasks	Required

Remediation Action	Priority
Enable MFA for all users via Conditional Access -- Entra ID > Protection > Conditional Access > + New policy -- All users required to use MFA	Required
Configure phishing-resistant MFA for privileged accounts -- Entra ID > Protection > Conditional Access > + New policy (with authentication strength) -- Admins required to use FIDO2 or Windows Hello for Business	Required
Block legacy authentication (doesn't support MFA) -- Entra ID > Protection > Conditional Access > + New policy -- Legacy protocols blocked	Required
Review and complete MFA registration for all users -- Entra ID > Users > Per-user MFA > Multi-factor authentication -- All users have at least one MFA method registered	Required
Deploy FIDO2 security keys to privileged users -- Entra ID > Security > Authentication methods > FIDO2 security key -- FIDO2 keys distributed and registered for admins	Required
Configure MFA registration campaign -- Entra ID > Protection > Authentication methods > Registration campaign -- Users prompted to register additional MFA methods	Required
Monitor MFA usage and gaps -- Entra ID > Monitoring > Sign-in logs > Filter: MFA requirement -- Dashboard showing MFA adoption and any bypasses	Required

Remediation Action	Priority
Enable advanced auditing in Microsoft 365: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true	Required
Configure audit log alerts for security events: failed sign-ins, privilege escalation, bulk operations	Required
Deploy Microsoft Sentinel or forward audit logs to an existing SIEM for centralized analysis	Required
Create detection rules for anomalous behavior patterns (impossible travel, mass downloads, rule creation)	Required
Establish a weekly audit log review process with documented findings and actions taken	Required

Remediation Action	Priority
Document incident response plan -- Create IRP document -- Written IRP with phases: Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons Learned	Required
Define incident severity levels and escalation paths -- Document in IRP -- Severity matrix (Critical/High/Medium/Low) with response timeframes and escalation contacts	Required
Enable Microsoft Sentinel for detection -- Azure Portal > Microsoft Sentinel > + Create -- Sentinel workspace connected with Azure AD and M365 data connectors	Required
Deploy Sentinel analytics rules for detection -- Microsoft Sentinel > Analytics > + Create > Scheduled query rule -- Detection rules active for common attack patterns	Required
Create incident response playbooks -- Microsoft Sentinel > Automation > + Create > Playbook -- Automated playbooks for common incident types (phishing, malware, compromised account)	Required
Establish communication protocols -- Document in IRP -- Communication plan including: internal notifications, external reporting (DoD within 72 hours), customer notification procedures	Required
Conduct tabletop exercise -- Schedule and execute -- Annual tabletop exercise completed with documented lessons learned	Required

Name	IP Address	Associated Resource
Unknown	52.160.14.27	Unassociated
Unknown	20.45.71.11	vm-finance-jumpbox

Device	OS	Owner
SRP-PC001	Windows	sarah.chen@contoso.com
SRP-PC012	Windows	marcus.williams@contoso.com
SRP-MAC003	macOS	emily.rodriguez@contoso.com
SRP-PC025	Windows	james.okafor@contoso.com
SRP-IPAD005	iOS	rachel.kim@contoso.com
SRP-PC038	Windows	thomas.bergstrom@contoso.com
SRP-PC006	Windows	emily.watson@contoso.com
SRP-PC007	Windows	james.liu@contoso.com
SRP-MAC006	macOS	maria.garcia@contoso.com
SRP-iPHONE004	iOS	priya.patel@contoso.com

Remediation Action	Priority
Deploy architecturally sound security designs: defense-in-depth with multiple control layers	Required
Implement network segmentation — separate CUI data stores from general-purpose networks	Required
Enable Azure Private Endpoints for all data services (Storage, CosmosDB, SQL)	Required
Configure DLP policies to prevent CUI from leaving the controlled environment	Required
Document the security architecture including network diagrams and data flow maps	Required

Remediation Action	Priority
Define and document authorized software for all organizational systems	Required
Deploy application control using Microsoft Defender Application Control (WDAC) or AppLocker	Required
Block unapproved software installation via Intune app management policies	Required
Maintain a software allowlist and review quarterly	Required
Audit installed software on all devices: Get-MgDeviceManagementDetectedApp \| Select DisplayName, DeviceCount	Required

Remediation Action	Priority
Deploy Microsoft Defender for Endpoint on all managed devices	Required
Enable real-time protection, cloud-delivered protection, and automatic sample submission	Required
Configure anti-malware policies in Intune: scheduled scans (weekly full, daily quick)	Required
Enable Defender SmartScreen for Edge browser and Windows	Required
Deploy ASR (Attack Surface Reduction) rules in audit mode, then enforce after 30 days	Required

Remediation Action	Priority
Deploy Microsoft Defender for Endpoint P2 with EDR (Endpoint Detection and Response) capabilities	Required
Enable automated investigation and remediation in Defender XDR	Required
Configure Defender for Identity to detect lateral movement and credential theft in Active Directory	Required
Deploy Microsoft Defender for Cloud Apps for shadow IT detection and SaaS application monitoring	Required
Enable attack disruption capabilities to automatically contain compromised users and devices	Required