A transparent look at what the tool measures, how scores are calculated, and how to interpret your results.
The DevSecOps Maturity Calculator is a free, self-directed assessment that helps security teams, DevOps engineers, and CISOs understand their organization's current security posture and where to focus improvement efforts.
It is structured around 7 assessment domains covering 58 questions total. You rate each practice on a 1–5 scale, and the tool instantly calculates a maturity score per domain and an overall maturity level. You can then export a full PDF report.
Browser-only: no data leaves your device.
58 questions across 7 domains.
~10 minutes to complete a full assessment.
Each question is answered using a 1–5 slider. Be honest — this tool is for internal benchmarking, not external audit. The goal is an accurate baseline, not a high score.
1 – Not implemented: This practice does not exist in your organization.
2 – Ad-hoc / planned: Informally done in some places, or actively being planned but not yet in place.
3 – Partially implemented: Exists in some teams or projects but is inconsistently applied organization-wide.
4 – Mostly implemented: Consistently applied across most teams with minor gaps or exceptions.
5 – Fully implemented: Comprehensively in place, enforced, measured, and continuously improved.
Each domain score is the percentage of the maximum possible score for that domain. Every question contributes equally. Sliders you haven't moved default to 1 (the slider minimum), so your score reflects the full domain, not just questions you've touched.
domain_score = (sum_of_responses / (total_questions × 5)) × 100
Example: 8 questions with responses averaging 3.5, i.e. a sum of 28: (28 / 40) × 100 = 70%
The overall maturity score is the simple average of all 7 domain scores. This is then mapped to a maturity level (1–5) using 20-point bands. Because the report calculates scores from your actual responses, with untouched sliders counted as 1, the result reflects every question even if you didn't move every slider.
overall_score = average(all 7 domain scores)
Maturity level mapping:
0–20% → Level 1: Initial
21–40% → Level 2: Managed
41–60% → Level 3: Defined
61–80% → Level 4: Measured
81–100% → Level 5: Optimized
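The scoring rules above, implemented as an added example in JavaScript (this is not the calculator's own code). The domain and question ids and the responses are constructed sample data, and rounding a fractional percentage to a whole number before mapping it to a band is an assumption.

```javascript
// Added example, not the calculator's own source: reimplements the scoring rules
// described on this page so a team can recompute or audit a report offline.
// The domain/question ids and responses below are constructed sample data.
const SCALE_MIN = 1; // untouched sliders default to the slider minimum
const SCALE_MAX = 5; // slider maximum
// Maturity bands from the page, upper bound inclusive. Bands are stated as whole
// percentages, so the score is rounded before mapping (an assumption, not tool behaviour).
const LEVELS = [
  { max: 20, level: 1, name: "Initial" },
  { max: 40, level: 2, name: "Managed" },
  { max: 60, level: 3, name: "Defined" },
  { max: 80, level: 4, name: "Measured" },
  { max: 100, level: 5, name: "Optimized" },
];
// domain_score = (sum_of_responses / (total_questions x 5)) x 100
// `responses` maps question id -> 1..5; a missing id counts as SCALE_MIN.
function domainScore(questionIds, responses) {
  let sum = 0;
  for (const id of questionIds) {
    const v = responses[id] ?? SCALE_MIN;
    if (!Number.isInteger(v) || v < SCALE_MIN || v > SCALE_MAX) {
      throw new RangeError(`response for ${id} must be an integer 1-5`);
    }
    sum += v;
  }
  // Multiply before dividing so exact cases such as 28/40 -> 70 stay exact.
  return (sum * 100) / (questionIds.length * SCALE_MAX);
}
// overall_score = simple average of the domain scores, then mapped to a level.
function overallScore(domainScores) {
  return domainScores.reduce((a, b) => a + b, 0) / domainScores.length;
}
function maturityLevel(score) {
  const pct = Math.round(score);
  return LEVELS.find((band) => pct <= band.max);
}
// Constructed sample: an 8-question domain answered as in the page's example
// (sum 28, average 3.5) and a 4-question domain whose sliders were never touched.
const SAMPLE_DOMAINS = {
  sdlc: ["s1", "s2", "s3", "s4", "s5", "s6", "s7", "s8"],
  cloud: ["c1", "c2", "c3", "c4"],
};
const SAMPLE_RESPONSES = { s1: 3, s2: 4, s3: 3, s4: 4, s5: 3, s6: 4, s7: 3, s8: 4 };
function report(domains, responses) {
  const scores = {};
  for (const [name, ids] of Object.entries(domains)) scores[name] = domainScore(ids, responses);
  const overall = overallScore(Object.values(scores));
  return { scores, overall, ...maturityLevel(overall) };
}
```

With the sample data, the untouched cloud domain scores 20% and drags the overall to 45% (Level 3), which is the effect the default-to-1 rule has on a half-completed assessment.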
Each domain is designed to be independently actionable — you can prioritize improvements domain by domain.
Evaluates how deeply security is embedded across every Software Development Lifecycle phase — from security requirements and threat modeling in planning, through SAST/DAST in development and testing, to vulnerability management during maintenance and decommissioning.
Assesses how security is woven into your CI/CD pipeline and engineering culture — automated security gates, IaC scanning, SBOM generation, supply chain verification, and developer security training.
Maps your controls to the OWASP Top 10 (2021) — the industry-standard list of the most critical web application security risks — plus the OWASP API Security Top 10 (2023) for modern API exposure.
Benchmarks your cloud security posture against CSA principles — IAM least privilege, defense in depth, CSPM tooling, data classification, container/serverless security, and cloud-specific incident response.
Reviews how your development team writes secure code — input validation, output encoding, parameterized queries, error handling, dependency auditing, and cryptographic hygiene.
Evaluates platform-specific security controls for mobile apps and web applications — TLS 1.3, FIDO2/passkeys, Content Security Policy, session management, and API abuse protections.
New for 2026 — assesses your readiness for AI-era threats: prompt injection mitigation, model poisoning defenses, AI-generated code review, LLM output validation, and AI supply chain risk management.
Based on CMM-inspired maturity modeling adapted for DevSecOps.
Level 1 – Initial: Security is ad-hoc and reactive. Controls exist informally but are inconsistently applied. Teams respond to security issues after the fact.
Level 2 – Managed: Basic security practices are established and documented, but adoption is inconsistent across projects or teams. Some security gates exist.
Level 3 – Defined: Standard security processes are defined, followed organization-wide, and integrated into the SDLC. Security is a shared responsibility.
Level 4 – Measured: Security metrics are collected and actively used to drive improvements. Security KPIs are tracked and reported at an organizational level.
Level 5 – Optimized: Continuous improvement based on metrics, threat intelligence, red-teaming, and feedback loops. Security is deeply embedded in culture.
Identify your weakest domain
The report surfaces which domain scored lowest. Start there — incremental improvement in your worst area has the highest risk-reduction ROI.
Read the domain recommendations
Each domain includes a maturity-level-specific recommendation tailored to where you are now, not generic advice.
Export and share the PDF report
Share results with your CISO, engineering leadership, or board to communicate your security posture in a structured, visual format.
Reassess quarterly
Run the assessment again after implementing improvements to track progress. Security maturity is a journey — benchmark regularly.
Engage a professional for critical gaps
A self-assessment is a starting point. For compliance, penetration testing, or high-severity gaps, engage qualified security professionals.
The full assessment takes about 10 minutes. No sign-up required.