Primary driver: Goal Alignment improved 4 pts after closing the Patch Management gap.
Executive communication for security leaders
Make your program legible to the board.
Forest measures your security program by capability, scores its maturity against where it needs to be, and tells you and your board exactly what to fix first.
Primary driver: Goal Alignment improved 4 pts after closing the Patch Management gap.
The communication gap
Your board doesn't speak EDR.
The audit committee, the CFO, the board... they decide your budget and they can't read a controls matrix. Every quarter, the maturity work gets lost in translation. Forest does the translation for you.
“We're observing regression in IAM KPIs and have a coverage gap in our SOAR playbooks pending the EDR migration.”
“Identity controls are behind plan. Three of twelve domains need a decision from the CISO by Jun 30. Everything else is on track.”
The CAMP™ methodology
Capability assessment, not control checkboxes.
CAMP (Capability And Maturity Prioritization) is the intelligence model inside Forest. It measures what your organization can actually do, scores how mature each capability is, and turns the gaps into a ranked list of decisions.
Measure what you do
A capability is a discrete function the org performs. "Patch Management," not "CIS Control 7.4." Ninety-four of them, across twelve domains on the CS vertical.
Score current vs. target
Each capability is rated 0–5 today and 0–5 for where it needs to be. Targets follow your risk appetite and our onboarding process can assess your current stage accurately.
Weight by business impact
A 1–3 multiplier set per organization. Compliance required capabilities carry more weight than nice-to-haves.
Know what to fix first
Gap × criticality gives every capability an integer priority from 0 to 15. A deterministic, defensible order of operations.
The platform · two tools
RINGS and CANOPY.
RINGS measures how mature your program is. CANOPY measures what your stack costs to get there. Read one against the other and every budget question answers itself.
Objective: turn 94 capabilities into one defensible picture of where the program is and where it needs to be.
RINGS is the assessment engine. Every capability is scored “current x target” and weighted by criticality. Think as concentric maturity rings, one per domain, so the gap between today and target is visible at a glance. Rings holds the Forest Score, the heat map, and the ranked priority list based on your CAMP.
Objective: show what every tool costs, what it covers, and where the spend overlaps.
CANOPY maps your tools to the capabilities they cover, annualizes the spend, and flags renewals and redundancy. Because every tool ties back to a RINGS capability, CANOPY can answer the question RINGS raises: “we have a gap here, what do we already pay for that closes it?”
Monitor maturity
One number you can stand behind.
The Forest Score rolls your whole program into a single figure with a quarter-over-quarter delta and one sentence explaining the move. Underneath it: sub-scores, what changed, and every domain sorted by gap. The answer to “what should my team fix first?” without scrolling.
A score that trends
Watch maturity move quarter over quarter, with the primary driver named in plain language.
Benchmarked against peers
See where you stand against your cohort: “retail, 1000+ employees: 58. You're 4 points ahead.”
Domains sorted by gap
Current, target, and gap on every domain ranked, so the conversation starts at the top.
Capability heat map
The whole program on one grid.
Twelve domains, governance to physical security. Each carries a maturity gap and a criticality weight; Forest multiplies them into a priority you can defend in any budget conversation.
| Domain | Current | Target | Gap | Criticality | Priority | Band |
|---|---|---|---|---|---|---|
| AI/ML Security | 1 | 5 | 4 | 3 | 12 | Critical |
| Identity & Access Management | 2 | 5 | 3 | 3 | 9 | High |
| Security Operations | 2 | 5 | 3 | 3 | 9 | High |
| Cloud Security | 3 | 5 | 2 | 3 | 6 | Medium |
| Data Protection | 3 | 5 | 2 | 3 | 6 | Medium |
| Compliance & Risk | 3 | 5 | 2 | 3 | 6 | Medium |
| Third Party & Supply Chain | 2 | 4 | 2 | 2 | 4 | Medium |
| Application Security | 3 | 4 | 1 | 2 | 2 | Low |
| Network Security | 3 | 4 | 1 | 2 | 2 | Low |
| Asset Configuration Mgmt | 2 | 3 | 1 | 2 | 2 | Low |
| Endpoint & Device Security | 4 | 4 | 0 | 2 | 0 | On target |
| Physical & Environmental | 3 | 3 | 0 | 1 | 0 | On target |
The priority engine
A ranked list of decisions.
Every recommendation traces back to a capability with non-zero priority without spend heuristics and arbitrary multipliers. The Dashboard hands your team the next three things to do, already mapped to a roadmap horizon.
Stand up AI data security controls
Capability "AI Data Security" is in scope with a maturity gap and no confirmed tool coverage. Add tooling mapped to this capability.
Close the identity provisioning gap
Current maturity 2 against a target of 5 on a criticality-3 domain. Standardize joiner-mover-leaver automation across business units.
Add attack surface management coverage
Capability "Attack Surface Management (ASM/EASM)" is in scope with a gap and no confirmed tool coverage. Add tooling mapped to this capability.
Retail GroupBoard security brief
Period ending Jun 30, 2026
Prepared by Forest
For the period ending Jun 30, 2026, the security program is on plan overall, with identity and data above target and response behind plan. Three decisions are needed from the CISO this quarter.
Communicate up
The brief writes itself.
Forest opens every summary the way a board wants it: plain, quantified, and closing on a decision. Export to PDF for the audit committee or drop the numbers straight into your PPT board deck.
Board-ready language by default
“Identity controls are behind plan” instead of “we're seeing IAM KPI regression.”
One-click export
Print to PDF locked to letter dimensions, or hand the cited figures to your PPT deck.
Defensible, every quarter
Deterministic scoring means the same inputs always produce the same brief. Auditors love it.
See where your program really stands.
Run a CAMP assessment and walk into your next board meeting with one score, a ranked list of decisions, and a brief you didn't have to translate.
