Where you stand. Where to go next.
STACK Compass scores your security program across 12 capability domains, weights every gap by urgency, and turns the result into a prioritized Gantt roadmap and a NIST CSF 2.0 lifecycle rollup — in one sitting, defensible to your board.
Score. Target. Prioritize. Plan.
Four steps from blank assessment to a board-ready roadmap. Re-run any time; history is preserved so trends are real, not retold.
1 · Score Where You Are
For each capability, pick your current maturity on a CMMI-style 0–4 scale: None, Ad-hoc, Defined, Managed, Optimized. No interview cycle, no consultant — your team owns the rating.
2 · Set Where You're Going
Pick a target maturity per capability — Compass does not assume everything should be Optimized. A 2 target on something low-risk is a legitimate, defensible choice.
3 · Weight by Urgency
Low, Medium, High, Critical. The same maturity gap on a high-blast-radius capability ranks above the same gap on something nice-to-have.
4 · Get the Gantt
Compass computes urgency × gap, ranks every capability, schedules initiatives with effort and duration, and renders a 12+ week Gantt — highest-priority items at week 0.
NIST CSF 2.0 Rollup
Domains project onto the six CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, Recover — so leadership sees lifecycle posture, not just point controls.
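The four steps above and the CSF rollup are straightforward to reproduce on a spreadsheet, but a short worked model makes the ranking and scheduling behaviour concrete. The following is an added illustration written for this page, not STACK Compass code: the numeric urgency weights (Low=1 … Critical=4), the "gap = target − current" rule, the tie-breaks, the two-lane greedy scheduler and the domain-to-CSF-function mapping are all assumptions, and the assessment data is constructed.

```python
"""Maturity-gap prioritisation, Gantt scheduling and CSF 2.0 rollup.

Illustrative model of the Score / Target / Weight / Plan flow. Not STACK
Compass code: weights, tie-breaks, scheduler and the CSF mapping are assumed.
"""
from dataclasses import dataclass

# 0-4 maturity labels as on the page; the numeric values are an assumption.
MATURITY = {"None": 0, "Ad-hoc": 1, "Defined": 2, "Managed": 3, "Optimized": 4}
# Urgency weights are an assumption; the page only says "urgency x gap".
URGENCY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Assumed domain -> CSF 2.0 function projection, for the sample domains only.
CSF_FUNCTION = {
    "Compliance & Governance": "Govern",
    "AI & Agent Security": "Identify",
    "Identity & Access": "Protect",
    "Network": "Protect",
    "Detection & Response": "Respond",
    "Backup & Resilience": "Recover",
}


@dataclass(frozen=True)
class Capability:
    domain: str
    name: str
    current: str       # key of MATURITY
    target: str        # key of MATURITY
    urgency: str       # key of URGENCY
    effort_weeks: int  # duration of the remediation initiative

    @property
    def gap(self) -> int:
        # At or above target => nothing to schedule, whatever the urgency.
        return max(0, MATURITY[self.target] - MATURITY[self.current])

    @property
    def priority(self) -> int:
        return URGENCY[self.urgency] * self.gap


def rank(caps: list[Capability]) -> list[Capability]:
    """Highest priority first; ties by urgency, then name. Gap-0 items drop out."""
    todo = [c for c in caps if c.gap > 0]
    return sorted(todo, key=lambda c: (-c.priority, -URGENCY[c.urgency], c.name))


def schedule(ranked: list[Capability], lanes: int = 2) -> dict[str, tuple[int, int]]:
    """Greedy scheduler: each initiative takes the earliest-free lane.

    `lanes` = initiatives the team can run in parallel (assumed). Returns
    name -> (start_week, end_week); the top-ranked item always starts at week 0.
    """
    free_at = [0] * lanes
    plan: dict[str, tuple[int, int]] = {}
    for cap in ranked:
        lane = min(range(lanes), key=free_at.__getitem__)
        start = free_at[lane]
        free_at[lane] = start + cap.effort_weeks
        plan[cap.name] = (start, free_at[lane])
    return plan


def horizon(plan: dict[str, tuple[int, int]], minimum: int = 12) -> int:
    """Gantt width in weeks: at least `minimum`, longer if the plan needs it."""
    return max([minimum] + [end for _, end in plan.values()])


def render_gantt(plan: dict[str, tuple[int, int]]) -> str:
    weeks = horizon(plan)
    rows = [f"{'initiative':<22}" + "".join(f"{w:>3}" for w in range(weeks))]
    for name, (start, end) in plan.items():
        bar = "".join("  #" if start <= w < end else "  ." for w in range(weeks))
        rows.append(f"{name:<22}{bar}")
    return "\n".join(rows)


def csf_rollup(caps: list[Capability]) -> dict[str, tuple[float, float]]:
    """Mean (current, target) maturity per CSF 2.0 function via CSF_FUNCTION."""
    buckets: dict[str, list[Capability]] = {}
    for cap in caps:
        buckets.setdefault(CSF_FUNCTION[cap.domain], []).append(cap)
    return {
        fn: (sum(MATURITY[c.current] for c in cs) / len(cs),
             sum(MATURITY[c.target] for c in cs) / len(cs))
        for fn, cs in buckets.items()
    }


# Constructed sample assessment (not real data).
SAMPLE = [
    Capability("Identity & Access", "MFA everywhere", "Ad-hoc", "Managed", "Critical", 4),
    Capability("Backup & Resilience", "Immutable backups", "None", "Managed", "Critical", 6),
    Capability("Network", "Wireless hardening", "Defined", "Defined", "High", 2),
    Capability("Detection & Response", "IR runbooks", "Ad-hoc", "Defined", "High", 3),
    Capability("AI & Agent Security", "AI inventory", "None", "Defined", "Medium", 2),
    Capability("Compliance & Governance", "Awareness training", "Defined", "Managed", "Low", 1),
]

if __name__ == "__main__":
    ranked = rank(SAMPLE)
    for c in ranked:
        print(f"{c.priority:>2}  {c.urgency:<8} gap={c.gap}  {c.name}")
    print(render_gantt(schedule(ranked)))
    for fn, (cur, tgt) in csf_rollup(SAMPLE).items():
        print(f"{fn:<8} current={cur:.1f} target={tgt:.1f}")
```

Two behaviours worth noticing: a capability already at its target scores zero and never reaches the Gantt no matter how it is weighted, so an "Ad-hoc target on a Critical capability" is the place a reviewer should challenge a plan; and the schedule is only as honest as the parallelism you assume, because with one lane the same ranking stretches to the sum of all effort.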
Re-Assess Any Time
Quarterly is the cadence most teams settle on. Every prior assessment is preserved with its score, so the year-end board chart is real progress, not a retold story.
The full surface of a modern security program
Seven foundational domains plus five emerging 2026 surfaces most legacy programs have never scored — DSPM, AppSec, AI risk, software supply chain, and strategic governance.
Identity & Access
MFA, SSO, joiner/mover/leaver, PAM, access reviews, service account inventory.
Network
NGFW management, segmentation, ZTNA, DNS filtering, wireless hardening.
Endpoint & Device
EDR/XDR, patching, full-disk encryption, MDM posture, application allow-listing.
Cloud & SaaS
CSPM, IaC scanning, secrets management, M365/Google/Slack baselines, data residency.
Backup & Resilience
Immutable backups, restore testing, RTO/RPO definition, DR plan exercised annually.
Detection & Response
Log coverage, tuned SIEM, SOC/on-call, IR runbooks, tabletop within 12 months.
Compliance & Governance
Policy library, framework mapping, continuous evidence, risk register, awareness training.
Vendor & Third-Party
Vendor inventory, due diligence, DPAs and security addenda, ongoing monitoring.
Strategic Governance
Board reporting, risk appetite, budget alignment, RACI, outcome metrics, multi-year strategy.
Application & Code
SAST, SCA, secrets scanning, DAST, mandatory code review, secure-coding training.
Data Security Posture
Classification, DSPM tooling, DLP, encryption at rest and in transit, retention, access logging.
AI & Agent Security
AI inventory, prompt-injection defense, RAG controls, agent capability bounds, training-data hygiene.
Built for the people who own the program
Compass is the artifact you carry into the board meeting, the buyer security review, and the cyber-insurance renewal — and the same artifact your team uses to plan the next quarter.
CISOs & Security Directors
Turn "we need to do better at X" into a scored, ranked, time-phased plan with a defensible scoring methodology. The Gantt doubles as a budget defense.
vCISOs & MSP Practices
One consistent, comparable posture artifact across every client. Standardize the security advisory deliverable; spend the engagement on remediation, not bespoke scorecards.
Cyber Insurance & Buyers
Brokers use Compass to structure the pre-binding posture conversation. Enterprise buyers accept the scorecard as proof that a vendor's program is real, not just a list of certificates.
What teams ask before adopting Compass
Straight answers on methodology, scope, and where Compass fits next to your existing GRC or compliance work.
Is this the same as STACK Compli?
No. Compass tells you what your program should do next — strategy. Compli tracks whether you're doing the compliance work for specific frameworks (SOC 2, ISO 27001, HIPAA, ISO 42001) — controls, evidence, auditor reviews. Most teams run both. See Compli →
Where does the scoring methodology come from?
A CMMI-style 0–4 maturity scale (None, Ad-hoc, Defined, Managed, Optimized). Domain selection draws from NIST CSF 2.0, CIS Controls v8, and the 2026 emerging-coverage surfaces (DSPM, AppSec, AI, supply chain, governance) that legacy frameworks underweight.
Can I try it before committing?
Yes — every new sign-up gets a demo tier that unlocks the IAM domain, the full Gantt generator, and the CSF rollup. Paid tiers unlock the other 11 domains, history, exports, and peer benchmarks.
What separation of duties does it support?
Four per-app roles — viewer, editor, admin, auditor — plus per-user overrides. An external advisor can be granted read-only access to the assessment and roadmap without touching anything else; every change is audit-logged.