Understanding the controls list
When you open Controls, you see all controls organized by category, sorted so that categories with the lowest average maturity appear first. Within each category, not-started controls appear before in-progress ones. Each control row shows:
- Control key — a unique identifier (for example, SUC-12)
- Title — a short description of what the control covers
- Category — one of 16 domains such as Access Control, Data Protection, or Incident Response
- Severity — 1 to 5, described below
- Status — not started, in progress, implemented, or not applicable
- Maturity — your self-assessed implementation level from 1 to 5
- Evidence count — the number of evidence items linked to this control
Filtering controls
Use the filter bar at the top to narrow the list:
- By status
- By category
- By framework
Choose Not Started, In Progress, or Implemented to focus on a specific lifecycle stage. Selecting All Status removes the filter.
The severity scale
Severity reflects how critical a control is to your overall security posture.
| Severity | Label | Priority |
|---|---|---|
| 5 | Critical | Required — address first |
| 4 | High | High priority |
| 3 | Medium | Standard priority |
| 2 | Low | Address when capacity allows |
| 1 | Minimal | Nice to have |
Implementing a control
Click any control row to open the control drawer and take action.
Update the status
In the control drawer, change the status to reflect where you are:
- Not started — no work has begun
- In progress — implementation is underway but not complete
- Implemented — the control is fully in place
- Not applicable — this control does not apply to your environment
Set the maturity level
Rate your implementation maturity on the 1–5 scale:
| Level | Meaning |
|---|---|
| 1 | Initial — ad hoc, undocumented |
| 2 | Developing — partially documented |
| 3 | Defined — documented and consistent |
| 4 | Managed — measured and monitored |
| 5 | Optimized — continuously improved |
Higher maturity amplifies a control’s contribution to your risk score. A control marked Implemented at maturity 1 contributes less than the same control at maturity 4.
Link evidence
Click Link Evidence to attach one or more existing evidence items to the control, or upload a new item directly from the drawer. Evidence types include screenshots, PDFs, policies, audit reports, config exports, and attestations.
Once evidence is linked and validated by an owner or admin, the control’s effective maturity updates. Effective maturity is what actually counts toward your score.
Automated evidence from integrations
If you have connected integrations (such as AWS Security Hub or Microsoft Secure Score), some controls may already have automated evidence attached. These appear with a provider badge and a “last collected” timestamp. You can supplement automated evidence with manual uploads.
Stats bar
The five stat tiles at the top of the Controls page give you a quick overview:
- Total — all controls in your library
- Implemented — controls with status = implemented
- In Progress — controls actively being worked on
- Not Started — controls with no work begun (shown in red when above 20)
- Avg Maturity — the average maturity rating across all controls, out of 5