ArcticScore’s scoring engine is code, not opinion. Every score is computed from verified evidence using deterministic rules — same inputs and same as-of date always produce the same score.
Each of the 8 security domains is assessed against documented criteria, using agreed directory evidence and ingested technical findings. The rules distinguish supported controls, missing support, and evidence that contradicts the stated posture.
Each interview response is cross-referenced against corresponding scan evidence. Where a claim and evidence disagree — “MFA is enforced everywhere” while the scan finds MFA-disabled accounts — the finding records the contradiction and the evidence decides the score, not the claim.
Documented scoring rules turn the assessed controls and findings into domain results. The same inputs and as-of date produce the same score; AI does not compute or adjust it.
The domain results produce a 0–100 composite score. Scope and evidence coverage are disclosed alongside it, so reviewers can see both the result and the limits of what was assessed.
Adversarial evidence verification means a stated control is not accepted as sufficient evidence on its own. ArcticScore compares it with collected technical evidence, records contradictions, and preserves the delivered record with integrity controls. In this methodology:
The result separates what the organization said, what the collected evidence showed, and how the scoring rules treated any difference.
Identity management, MFA enforcement, least privilege, account lifecycle
Internet-facing attack surface, exposed services, external scan findings
EDR coverage, patch cadence, OS hardening, configuration baselines
Internal scan findings, unpatched systems, lateral-movement exposure
Encryption at rest and transit, data classification, retention
Logging and monitoring coverage, alerting, incident response readiness
Backup cadence, restore drills, recovery objectives
Policy framework, risk ownership, security awareness and training
Two rules keep the score reproducible and separate it from AI-generated interpretation:
Every ArcticScore engagement produces a signed, timestamped evidence bundle. The score is computed from the findings in this bundle; the bundle’s integrity is independently verifiable through public cryptographic standards.
Linked record: Evidence events are linked so later alteration is detectable.
External timestamp: An RFC 3161 token provides a check independent of ArcticScore’s system clock.
Digital signature: The signed manifest and public verification material ship inside the bundle.
Offline verifier: The recipient can check declared files, record integrity, signature, and timestamp without calling ArcticScore.
The standalone verifier ships with every bundle as readable source with plain-English instructions. It checks the declared files, linked record, signature, and timestamp offline. It reports pass, fail, or unverified rather than silently accepting an incomplete record.
ArcticScore does not assert compliance with any specific regulatory framework (SOC 2, HIPAA, PCI, ISO 27001, etc.). The methodology assesses a firm’s security posture against 8 domains of generally accepted security controls. Mapping the results to a specific framework is the responsibility of the firm’s own compliance team or auditor. We provide the evidence; the assessor draws the conclusion. This avoids the unsubstantiated compliance assertions that plague the security assessment industry and ensures the methodology remains applicable across regulatory regimes.
No black box. Same inputs and same as-of date always produce the same score. The evidence chain and shipped verifier let any party re-verify integrity without ArcticScore.
Discuss an engagement