Security Scoreboard

The Security Scoreboard is a point-based assessment of how well your PAM-Pro deployment is hardened. It reflects your current configuration state and is useful for gauging the security posture of your implementation, identifying gaps before an audit, and demonstrating due diligence to compliance reviewers.

[Figure: PAM-Pro Security Scoreboard showing a 90 out of 120 point score, with hardening checks grouped by identity, data, network, and operations.]

The Scoreboard reflects your current configuration at the time you view it. It is not a live monitoring feed - it is a snapshot of your hardening posture based on the settings and integrations PAM-Pro can verify. Completing all available checks achieves the maximum score.

Scoring System

Each hardening check carries a point value. The total possible score is 120 points. Checks are grouped into four categories:

  • Identity - Controls related to authentication strength and access policy enforcement.
  • Data - Controls related to encryption, key management, and audit immutability.
  • Network - Controls related to transport security and access restrictions.
  • Operations - Controls related to how PAM-Pro itself is deployed and authenticated to Azure.

Some checks are marked Auto-verified - PAM-Pro evaluates these automatically based on your deployment configuration. Others require you to configure external controls (such as Conditional Access policies in Entra ID) and then confirm them.

Checks marked Add-on or Coming Soon are optional or not yet available - they do not reduce your score if uncompleted.

Hardening Checks Reference

Identity Controls

  • MFA Step-up Authentication (+15 pts) - Require Multi-Factor Authentication for all password checkouts via Entra ID Conditional Access. Requires an active SSO configuration and a Conditional Access policy targeting the PAM-Pro application.
  • Device Compliance Requirement (+15 pts) - Require Intune-managed and compliant devices for PAM-Pro access. Configured via Conditional Access device compliance policy.
  • Risk-Based Credential Rotation (+10 pts) - Configure Entra ID Identity Protection to trigger password rotation for high-risk sign-ins. Requires Entra ID P2.

Data Controls

  • Immutable Audit Storage - WORM (+15 pts) - Auto-verified - PAM-Pro enforces immutability policies on the audit-log container. This check confirms the backend storage is write-protected. Verified automatically.
  • HSM-Backed Key Vault (+10 pts) - Add-on - Upgrade to Azure Key Vault Premium or Managed HSM for FIPS 140-3 Level 3 compliance. Available as a paid add-on.
  • Cross-Tenant Key Vault Isolation (+5 pts) - Coming Soon - Deploy key material directly into your own Azure tenant while using the PAM-Pro SaaS frontend. Hybrid deployment model. Not yet available.

Network Controls

  • Location-Based Access Control (+10 pts) - Restrict PAM-Pro access to trusted IP ranges, VPN, or named locations via Conditional Access.
  • Enforce TLS 1.3 Only (+5 pts) - Ensure the PAM-Pro client does not fall back to TLS 1.1 or 1.2. All connections should use TLS 1.3.
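
Before confirming the Conditional Access based checks (MFA Step-up Authentication, Device Compliance Requirement, Location-Based Access Control), it helps to verify that the policies are actually enforced for the PAM-Pro application. The following is an added example, not PAM-Pro code: it audits policies in the shape returned by the Microsoft Graph conditionalAccessPolicy resource. The application ID, the sample policies, and the helper names are constructed for illustration, and user scoping and other conditions are ignored.

```python
# Added example, not PAM-Pro code. IDs and policies below are constructed placeholders.
APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder PAM-Pro app ID

def _policy(name, state, apps, controls, operator="OR", locations=None):
    """Constructed policy in the Microsoft Graph conditionalAccessPolicy shape."""
    apps = {"includeApplications": apps, "excludeApplications": []}
    return {"displayName": name, "state": state,
            "conditions": {"applications": apps, "locations": locations},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [  # constructed sample data, not a real tenant export
    _policy("PAM-Pro MFA", "enabled", [APP_ID], ["mfa"]),
    _policy("PAM-Pro device (pilot)", "enabledForReportingButNotEnforced",
            [APP_ID], ["compliantDevice"]),
    _policy("Block untrusted locations", "enabled", ["All"], ["block"],
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
]

def targets_app(policy, app_id):
    apps = policy["conditions"].get("applications") or {}
    included = apps.get("includeApplications", [])
    return ((app_id in included or "All" in included)
            and app_id not in apps.get("excludeApplications", []))

def enforced_controls(policy):
    if policy.get("state") != "enabled":  # report-only and disabled enforce nothing
        return set()
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # Under OR any one control satisfies the policy, so none of several is mandatory.
    if grant.get("operator") == "OR" and len(controls) > 1:
        return set()
    return set(controls)

def blocks_untrusted_locations(policy):
    loc = policy["conditions"].get("locations") or {}
    return ("block" in enforced_controls(policy)
            and "All" in loc.get("includeLocations", [])
            and bool(loc.get("excludeLocations")))

def audit(policies, app_id):
    scoped = [p for p in policies if targets_app(p, app_id)]
    required = set().union(*(enforced_controls(p) for p in scoped))
    return {"MFA Step-up Authentication": "mfa" in required,
            "Device Compliance Requirement": "compliantDevice" in required,
            "Location-Based Access Control": any(map(blocks_untrusted_locations, scoped))}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES, APP_ID))
```

On the constructed sample, the device compliance check is reported as a gap because its policy is still in report-only mode. Policies that require MFA through an authentication strength rather than the `mfa` built-in control are not recognised by this example.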

Operations Controls

  • No Client Secrets in Backend (+15 pts) - Auto-verified - PAM-Pro uses System-Assigned Managed Identities for Key Vault and Blob access. No client secrets are used for service-to-service authentication. Verified automatically.

Scoreboard and Compliance Export

The Scoreboard results are included in the compliance evidence export generated from the Compliance Frameworks page. When you export a SOC2 Security Brief, the current Scoreboard state is embedded as a System Configuration Snapshot - providing auditors with a point-in-time record of your security hardening posture alongside the audit trail evidence.

© 2026 Huntoso LLC. All rights reserved.