Scoring methodology

Deterministic scoring. Checkable evidence.

ArcticScore’s scoring engine is code, not opinion. Every score is computed from verified evidence using deterministic rules — same inputs and same as-of date always produce the same score.

Four documented scoring stages

How the score is computed

1

Domain assessment

Each of the 8 security domains is assessed against documented criteria, using agreed directory evidence and ingested technical findings. The rules distinguish supported controls, missing support, and evidence that contradicts the stated posture.

2

Say-do reconciliation

Each interview response is cross-referenced against corresponding scan evidence. Where a claim and evidence disagree — “MFA is enforced everywhere” while the scan finds MFA-disabled accounts — the finding records the contradiction and the evidence decides the score, not the claim.

3

Rule-based scoring

Documented scoring rules turn the assessed controls and findings into domain results. The same inputs and as-of date produce the same score; AI does not compute or adjust it.

4

Composite score

The domain results produce a 0–100 composite score. Scope and evidence coverage are disclosed alongside it, so reviewers can see both the result and the limits of what was assessed.

What “adversarial evidence verification” means

Adversarial evidence verification means a stated control is not accepted as sufficient evidence on its own. ArcticScore compares it with collected technical evidence, records contradictions, and preserves the delivered record with integrity controls. In this methodology:

  • Every claim is independently tested against live infrastructure evidence, not against a policy document.
  • The verification is cryptographic: the evidence bundle carries a SHA-256 hash chain and RFC 3161 timestamps that let any party re-verify without ArcticScore’s involvement.
  • The say-do gap is a first-class finding category, surfaced explicitly rather than buried in a score.
  • Every bundle ships with a readable verifier so the target’s security team can inspect the integrity checks and run them offline without calling ArcticScore.

The result separates what the organization said, what the collected evidence showed, and how the scoring rules treated any difference.

Coverage

The 8 security domains

1. Identity & Access

Identity management, MFA enforcement, least privilege, account lifecycle

2. External Exposure

Internet-facing attack surface, exposed services, external scan findings

3. Endpoint & Config Hygiene

EDR coverage, patch cadence, OS hardening, configuration baselines

4. Internal Vulnerabilities

Internal scan findings, unpatched systems, lateral-movement exposure

5. Data Protection

Encryption at rest and transit, data classification, retention

6. Detection & Response

Logging and monitoring coverage, alerting, incident response readiness

7. Resilience / Recovery

Backup cadence, restore drills, recovery objectives

8. Governance & People

Policy framework, risk ownership, security awareness and training

Deterministic and verifiable by design

Two rules keep the score reproducible and separate it from AI-generated interpretation:

  • Deterministic: Documented rules compute the score. Same inputs and same as-of date produce the same result. No AI computes or adjusts any score.
  • Contradiction-aware: When a claim conflicts with collected evidence, the conflict is recorded as a finding and affects the relevant domain under the scoring rules.
  • Transparent: The deliverable connects findings to evidence references and explains how those findings affected the result.
Anchored in math

The evidence bundle — what anchors the score

Every ArcticScore engagement produces a signed, timestamped evidence bundle. The score is computed from the findings in this bundle; the bundle’s integrity is independently verifiable through public cryptographic standards.

Linked record: Evidence events are linked so later alteration is detectable.

External timestamp: An RFC 3161 token provides a check independent of ArcticScore’s system clock.

Digital signature: The signed manifest and public verification material ship inside the bundle.

Offline verifier: The recipient can check declared files, record integrity, signature, and timestamp without calling ArcticScore.

The standalone verifier ships with every bundle as readable source with plain-English instructions. It checks the declared files, linked record, signature, and timestamp offline. It reports pass, fail, or unverified rather than silently accepting an incomplete record.

Claim-safe methodology

ArcticScore does not assert compliance with any specific regulatory framework (SOC 2, HIPAA, PCI, ISO 27001, etc.). The methodology assesses a firm’s security posture against 8 domains of generally accepted security controls. Mapping the results to a specific framework is the responsibility of the firm’s own compliance team or auditor. We provide the evidence; the assessor draws the conclusion. This avoids the unsubstantiated compliance assertions that plague the security assessment industry and ensures the methodology remains applicable across regulatory regimes.

The score is the math. The math is checkable.

No black box. Same inputs and same as-of date always produce the same score. The evidence chain and shipped verifier let any party re-verify integrity without ArcticScore.

Discuss an engagement