Frequently asked questions
Short answers to the questions we hear most. For deeper explanations, follow the links into the guides.
Assessment
Why did my maturity stop at this level?
Maturity is scored 0 to 5 for each capability, and certain answers in your CAMP assessment act as gates. A gate question caps how high a capability can score until the underlying practice is in place. If you answered that a process exists but is undocumented or inconsistent, the capability cannot reach the higher levels that require it to be Defined, Quantitative, or Optimized.
This is intentional. A capability is only as mature as its weakest foundation. You cannot be measuring and optimizing a process you have not yet documented.
To move up, revisit the gating answers for that capability. The scoring is deterministic, so once the foundational practice is reflected in your responses, the cap lifts and your maturity reflects the higher level.
Forest always traces a score back to the inputs that produced it, so you can see exactly which answer set the ceiling.
What does Unknown mean?
Unknown means a capability has not yet been assessed. You have not answered the CAMP questions for it, so Forest has no maturity value to score.
This is different from a maturity of 0, which means None: you assessed the capability and confirmed the function does not exist. Unknown is the absence of an answer, not the absence of a control.
Forest keeps Unknown capabilities visible rather than guessing, because an honest gap in your assessment is more useful than an invented score. Unknown capabilities do not contribute to your Org Score or domain scores until you complete them.
To resolve them, return to the CAMP assessment and answer the open capabilities. The more you complete, the higher your capability coverage, which is one of the inputs to your Forest Score.
Can I redo my CAMP assessment?
Yes. CAMP is your baseline assessment, and you are meant to revisit it as your program changes. Security maturity moves over time, and your assessment should reflect that.
You can update individual capability answers as practices improve, or work back through the full assessment when you want a fresh baseline. Because scoring is deterministic, updated answers immediately recalculate your maturity, Org Score, domain scores, and the recommendations that flow from them.
Reassessing is the normal way to show progress. As you close gaps and lift gated capabilities past their previous caps, your scores rise to match the work you have done.
A useful rhythm is to reassess after major changes, such as a tool rollout or a process you have newly documented, so your scores stay aligned with reality rather than drifting out of date.
Contracts & Spend
How does spend allocation work?
Contracts in Forest track spend and renewal timing, and you can associate them with the capabilities a tool supports. This lets you see where your security budget is going relative to the functions it covers.
With spend mapped to capabilities, two patterns become visible. Overlap is when several contracts fund the same capability, which often signals an opportunity to consolidate. Underinvestment is when a high-criticality capability has little or no spend behind it.
One point to keep clear: contracts support spend and renewal tracking, but they do not drive your scores on their own. Maturity comes from your CAMP assessment, not from how much you pay. A well-funded capability can still score low if the practice behind it is immature.
Use spend allocation to inform decisions about cost and renewals, then let your capability maturity guide where the work actually needs to go.
Getting Started
How do I invite contributors?
A thorough CAMP assessment usually needs input from across your security program, so Forest lets you bring contributors into the work rather than answering everything alone.
From your dashboard, invite teammates to join your organization and contribute to the assessment. Spreading the work matters because the people closest to each function give the most accurate answers. Your identity lead knows the real state of provisioning, your operations team knows how incidents are actually handled, and that accuracy is what makes your scores trustworthy.
Contributors answer the capabilities they own, and the scoring stays deterministic regardless of who entered the input. Every result still traces cleanly back to the answers behind it.
The more accurate the inputs, the more your Forest Score, benchmarks, and recommendations reflect your real program rather than one person's best guess.
Privacy & Security
Can vendors see my data?
No. Your assessment data, capability scores, contracts, and roadmaps belong to your organization and are not shared with vendors.
When Forest compares your performance to your industry and size cohort, it uses a privacy-preserving peer average. You see how you compare against an aggregate of similar organizations, never against named companies, and no other organization sees your individual results. The comparison flows one way and stays anonymized.
Contracts you track for spend and renewals are also private to your organization. They support your own visibility into cost and timing, and they do not expose your data to the vendors involved.
A peer comparison shows a performance difference against an anonymized average. It never reveals who the peers are or surfaces your data to them.
Recommendations
Why did Forest recommend this?
Every recommendation is capability-driven and generated from your CAMP assessment using deterministic rules. Forest calculates priority for each capability as (target maturity − current maturity) × criticality, then surfaces the capabilities where the weighted gap is largest.
A capability that is compliance-required (criticality 3) and sits well below its target will outrank a nice-to-have that is only slightly behind. That is why a recommendation can move up the list even when its raw maturity gap looks modest.
Because the rules are deterministic, you can trace any recommendation back to the inputs that produced it: the capability, its current and target maturity, and its criticality. Nothing is generated by guesswork.
If a recommendation does not match your intent, adjust the inputs behind it. Change the target or revisit the criticality, and the priority recalculates accordingly.
Scores & Benchmarks
How are benchmarks calculated?
Benchmarks compare your performance against a privacy-preserving average of organizations in your industry and size cohort. Forest takes the same scoring it applies to you, the criticality-weighted maturity across your capabilities, and measures it against the aggregate performance of similar peers.
The result is a peer delta: the difference between your score and the cohort average. A positive delta means you are ahead of the average for your cohort; a negative delta means you trail it.
One distinction matters. A peer delta is a performance difference, not a gap. A gap is the distance between your current maturity and your own target. You can sit below the peer average on a capability you have deliberately deprioritized, and that is a defensible choice, not a deficiency.
The calculation is deterministic, so the same inputs always produce the same benchmark.
What happens if I change my target?
Changing a target maturity changes the gap for that capability, and the effects flow through deterministically.
Priority recalculates first. Since priority is (target maturity − current maturity) × criticality, raising a target widens the gap and pushes the capability up your recommendation list. Lowering it narrows the gap and moves the capability down, or off the list once you have met the new target.
Your roadmap projections update to reflect the revised destination, and goal alignment, one of the inputs to your Forest Score, shifts based on how your current state tracks against your stated targets.
Your current maturity does not change. A target is where you intend to be, not where you are.
Set targets to reflect what your organization actually needs, not the maximum possible. A target of 5 on a nice-to-have capability will distort your priorities.
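The priority rule described in "Why did Forest recommend this?" and in this answer, as an added example (not Forest's own code): it ranks constructed capabilities by (target maturity − current maturity) × criticality and shows how changing a target reorders the list. The capability names, the criticality value 1 for a nice-to-have, the skipping of Unknown capabilities, and the tie-break by name are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Capability:
    name: str
    current: Optional[int]  # maturity 0-5, or None when Unknown (not yet assessed)
    target: int             # maturity 0-5
    criticality: int        # 3 = compliance-required (from the page); 1 = nice-to-have (assumed)


def priority(cap):
    """(target maturity - current maturity) x criticality, or None when Unknown."""
    if cap.current is None:
        return None  # assumption: nothing to subtract from, so no priority
    return (cap.target - cap.current) * cap.criticality


def recommendations(caps):
    """Return (priority, name) pairs, largest weighted gap first.

    Capabilities that have met their target (priority <= 0) drop off the list.
    Ties are broken by name so the output stays deterministic (assumption).
    """
    scored = [(priority(c), c.name) for c in caps]
    ranked = [(p, n) for p, n in scored if p is not None and p > 0]
    return sorted(ranked, key=lambda item: (-item[0], item[1]))


def retarget(caps, name, new_target):
    """Return a copy of caps with one capability's target changed."""
    return [replace(c, target=new_target) if c.name == name else c for c in caps]


# Constructed sample data, not taken from any real assessment.
SAMPLE = [
    Capability("Access provisioning", current=2, target=4, criticality=3),
    Capability("Security awareness", current=1, target=5, criticality=1),
    Capability("Log retention", current=3, target=3, criticality=3),
    Capability("Threat hunting", current=None, target=3, criticality=2),
]

if __name__ == "__main__":
    # A raw gap of 2 at criticality 3 outranks a raw gap of 4 at criticality 1.
    print(recommendations(SAMPLE))
    # Lowering a target to the current maturity removes the capability.
    print(recommendations(retarget(SAMPLE, "Security awareness", 1)))
    # Raising a target on a met capability brings it back onto the list.
    print(recommendations(retarget(SAMPLE, "Log retention", 5)))
```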
What data is used in the Forest Score?
The Forest Score is your headline number from 0 to 100, and it combines four inputs:
Org Score (50%): your criticality-weighted maturity across in-scope capabilities, also scored 0 to 100.
Goal alignment (20%): how well your current state tracks against the targets you have set.
Capability coverage (15%): how much of your program you have actually assessed rather than left Unknown.
Execution discipline (15%): how consistently you are following through on the work your assessment implies.
Each input comes from your own data: your CAMP answers, your targets, and your progress. The calculation is deterministic, so the same inputs always produce the same score, and you can trace the headline number back to the four components beneath it.
Raising any input raises the score. The largest lever is Org Score, since it carries half the weight.