CAPABILITY · SECURITY POSTURE

Measured security posture.
Improvable. Auditable. Comparable over time.

25+ security controls evaluated on each asset, on every heartbeat. 0-100 score per device and for your entire fleet. Time trends. Prioritized corrective actions. Integration with CrowdStrike, SentinelOne and Microsoft Defender.

"How secure are we?"

It's the question the CEO or the board asks the CISO once a quarter. Without a defensible numerical answer, everything is opinion: "we're fine", "average", "we have some issues". Nothing comparable to the previous quarter.

Itamite answers with a number: a 0-100 score calculated from 25+ real technical controls, measured on every heartbeat of every agent. Comparable month over month, and comparable by site, department or tenant. Defensible to auditor, management and regulator.

THE CONTROLS

25+ controls grouped by criticality

Each control has a weight. Passing it adds; failing it subtracts. The final score is normalized 0-100 with clear ranges.

Critical (highest weight)

disk_encrypted (BitLocker/FileVault/LUKS active), antivirus_present (AV installed and operational), antivirus_up_to_date (signatures <7 days), os_eol (operating system supported), firewall_enabled (OS firewall active), smb_v1_disabled (SMBv1 disabled, WannaCry), screen_lock_enabled (automatic lock configured).

Important (medium weight)

os_patches_pending (no critical patches pending), secure_boot (Secure Boot active), windows_defender_real_time (real-time protection), ms_office_macros_blocked (macros blocked by default), rdp_nla_required (Network Level Auth required on RDP), uac_level (UAC configured correctly), usb_storage_blocked (USB policies on sensitive assets).

Informational (low weight)

bluetooth_enabled (Bluetooth disabled on sensitive assets), ipv6_enabled (IPv6 controlled), tpm_present (TPM chip present), tpm_version (TPM 2.0 or higher), wifi_security (WPA2/WPA3, not WEP), vpn_active (corporate VPN functional), guest_account_disabled, auto_login_disabled.

Score calculation

Weighted sum: each passed control adds its weight, each failed subtracts. Result normalized to 0-100. Ranges: 0-39 Critical (red), 40-69 Medium (amber), 70-100 Good (green). Threshold configurable per tenant in Configuration → Posture.

Custom rules (Enterprise)

Create your own controls evaluated automatically. Examples: "VPN mandatory on laptops" (type=laptop AND vpn_active=false), "Office 365 mandatory on Madrid site", "No Chrome on CEO assets" (strict whitelist), "Software testing only on VMs".

Documented exceptions

When a control technically doesn't apply to a specific asset, document an exception with justification, author and review date. The control becomes "not applicable" in the report (gray, not red). Fully auditable.
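The scoring and exception handling described above, as an added example (not Itamite's code). The tier weights and the linear normalization are assumptions, since the page does not publish them; control names and score ranges are taken from the page, and the sample asset is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weight per criticality tier (the page does not publish real values).
TIER_WEIGHT = {"critical": 10, "important": 5, "informational": 1}

@dataclass
class Control:
    name: str
    tier: str
    passed: bool
    exception: Optional[str] = None  # justification if a documented exception exists

def posture_score(controls):
    """Return (score 0-100 or None, range label, failed controls, heaviest first)."""
    # Controls with a documented exception are "not applicable": they neither
    # add nor subtract, and they drop out of the normalization base.
    applicable = [c for c in controls if not c.exception]
    total = sum(TIER_WEIGHT[c.tier] for c in applicable)
    if total == 0:
        return None, "Not applicable", []
    # Passed controls add their weight, failed controls subtract it.
    raw = sum(TIER_WEIGHT[c.tier] * (1 if c.passed else -1) for c in applicable)
    # raw lies in [-total, +total]; map it linearly onto 0-100 (assumed formula).
    score = round((raw + total) / (2 * total) * 100)
    label = "Critical" if score <= 39 else "Medium" if score <= 69 else "Good"
    failed = sorted((c for c in applicable if not c.passed),
                    key=lambda c: -TIER_WEIGHT[c.tier])
    return score, label, [c.name for c in failed]

# Constructed sample asset: one failed critical control, one failed important
# control, and one failing control covered by a documented exception.
SAMPLE = [
    Control("disk_encrypted", "critical", True),
    Control("antivirus_present", "critical", True),
    Control("firewall_enabled", "critical", True),
    Control("smb_v1_disabled", "critical", False),
    Control("secure_boot", "important", True),
    Control("rdp_nla_required", "important", False),
    Control("tpm_present", "informational", True),
    Control("usb_storage_blocked", "important", False,
            exception="constructed: kiosk has no USB ports"),
]

if __name__ == "__main__":
    print(posture_score(SAMPLE))
```

With these assumed weights the sample asset scores 71 (Good); the same asset without the exception scores 64 (Medium), so a single exception can move an asset across a range boundary.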

AGGREGATED VIEW

From individual asset to global view

01. Score per asset in detail

Open any asset to see its current score and which controls pass and which fail. Each failed control has a recommended corrective action and a button to apply it remotely when automatable (BitLocker, patches, service configuration).

02. Aggregated tenant score

On the dashboard you see the mean fleet score, the distribution by range (how many critical, medium, good), and a controls table sorted by failure percentage. Click any control → list of assets failing it.

03. 30/90/365 day trend

Mean score evolution chart. Detect patterns: a sharp drop after Patch Tuesday because agents report pending patches, a rise after an internal hardening campaign, stagnation at X% indicating non-automatable controls pending.

04. Multi-tenant comparison (MSP)

If you manage multiple companies (MSP), the multi-tenant view sorts your clients by score. Identify in seconds which need priority attention. Generate a comparative report to present to your support team.

FAQ

Posture questions

Does Itamite replace my EDR (CrowdStrike, SentinelOne...)?
No. Itamite measures security posture (correct control configuration); it doesn't detect threats in real time like an EDR. They're complementary layers: the EDR stops active attacks, Itamite ensures the device baseline configuration is resilient.
Can I change control weights?
Yes, in the Enterprise plan. Configuration → Posture → Weights → adjust each control 0-100. Default weights are calibrated to CIS Controls v8 + ISO 27001 Annex A best practices. Change them only if you have specific sector reasons.
How do I apply a fix for a failed control?
Three options depending on the control: Remote command ("Apply fix" button on individual or mass assets, for automatable controls like BitLocker, patches, service). Declarative policy (recommended for large fleets, keeps the control correct continuously). Manual runbook (for non-automatable controls, Itamite links you to a step-by-step runbook).
Does the score affect regulatory compliance?
Yes, indirectly. Posture controls are the same ones that NIS2, ENS and ISO 27001 require. High score = high compliance. But compliance is more demanding: it requires signed evidence, not just the number.
How long until score improves after applying corrections?
The score recalculates on every heartbeat (15 min default). If you apply a remote fix, you see the score rise in less than 15 minutes. For controls requiring a reboot (Secure Boot, BitLocker), the change is reflected after the first post-reboot heartbeat.
Can I set alerts when score drops?
Yes. Configuration → Notifications → Posture → define thresholds (e.g. "alert if tenant mean score drops below 75 in 24h" or "alert if critical asset drops below 50"). Notification by email, Slack, Teams or webhook.

Measure your real security posture

In 24 hours after deploying the agent, you have your fleet score on screen.