I was introduced to the Cyber Defense Matrix circa 2015, shortly after it was released by Sounil Yu. The framework is based on two dimensions: asset classes, or things you want to defend, and the NIST Five Functions, activities performed to defend assets, which range from identification through post-incident recovery.

I’ve always found this framework simple, adaptable, and useful for a wide variety of purposes:

  • As an organizational security leader, to catalog the organization’s cyber and information security controls
  • As a vendor, to map customers’ capabilities, and to illustrate where and how our own security solutions contribute to their program
  • As a security product leader, to visualize our current strengths, and to chart a path into new areas

No matter the use case, it’s an invaluable tool for discussion and alignment related to security controls, operations, maturity, products, and more. And for all of the times I’ve found myself remaking this matrix on mediums ranging from slide decks to paper flip charts, I’ve always wanted a tool to make it easier to get started, and easier to save our work.


The Cybersecurity Maturity Matrix is a simple tool for visualizing maturity, control coverage, and other aspects of your security program. It’s based on the Cyber Defense Matrix, and provides the following features:

  • Customizable asset classes: Start with the default set, or the original Cyber Defense Matrix asset classes, and then make any changes that you wish.
  • Four maturity levels: Each cell can be left empty or assigned one of three states:
  • Optional cell annotations: Use annotations to list products, responsible individuals or teams, or dates when you expect to reach a milestone.
  • Export to PNG: Drop the completed matrix into your doc or presentation in seconds.
  • JSON export and import: Export the details of your completed matrix to JSON, so that you can import and update it whenever you wish.

Try it now: https://cybermaturitymatrix.com

Something else you’d like to see? Drop me a line: cmm-feedback @ this domain.