Understanding the Zero Trust Posture Dashboard

Overview

The Zero Trust Posture Dashboard assesses how well your Elisity policies and associated configuration work to restrict lateral movement. It computes reachability scores for every device in your environment and tracks your progress toward full microsegmentation.

The dashboard analyzes device-to-device communication paths across your network. Instead of subjective assessments, you get numerical scores that demonstrate security posture to stakeholders — from network engineers to board-level executives.

This article covers how to interpret the Zero Trust Posture Score, understand each Score Factor, navigate the dashboard and its detail screens, and take specific actions to improve your scores.

Zero Trust Posture Score

The Zero Trust Posture Score is the top-level metric. It combines multiple Score Factors into a single security posture rating. Each active factor adds to both the numerator and denominator of the calculation, and the result is averaged into the Zero Trust Posture Score.

Score Ranges

Score Range	Security Posture	What It Means
0	Critical	No restrictions — device has unrestricted access to all destinations
1 – 25	Poor	Minimal restrictions in place; most communication paths remain open
26 – 50	Fair	Some restrictions applied; continued policy work needed
51 – 75	Good	Significant restrictions; majority of communication paths are denied
76 – 99	Excellent	Heavily restricted; only necessary communication paths remain open
100	Maximum	Complete isolation — all communication paths are denied by policy

The score evaluates every possible source-to-destination device pair in your environment. For each pair, the system determines whether your Elisity policies permit or deny communication. Your device score represents the percentage of communication paths that are denied by policy. A score of 75 means that 75% of all possible connections from that device are blocked.

Score Factors

The Zero Trust Posture Score combines several Score Factors, each measuring a different aspect of your segmentation. Understanding what each factor tracks helps you identify where to focus your effort.

Policy Deployment

The Policy Deployment Score measures how completely you have made policy decisions across all Policy Group intersections on a device-weighted basis. It tracks your progress from unmanaged traffic to explicit allow or deny decisions.

When you first deploy Elisity, traffic flows between Policy Groups without explicit management. As you deploy policies, you establish deliberate decisions for each Policy Group pair — explicitly allowing or denying traffic rather than leaving it unmanaged. Higher scores indicate that more Policy Group pairs have explicit decisions in place. This stage of deployment is aided by Policy Insights and the Elisity Assistant for automated analysis and recommendations.

This factor weights Policy Group intersections by the number of devices they affect. Policy decisions covering more devices have greater impact on your overall score, so prioritize high-device-count configurations first.

Least Privilege

The Least Privilege Score evaluates how restrictive your policies are when traffic is permitted. It measures whether you have limited allowed ports to only what is necessary for legitimate business operations.

A policy that allows all ports scores lower than one allowing only specific required ports. For example, a policy allowing only HTTPS (port 443) scores higher than a policy allowing all TCP traffic. The score reflects the percentage of communication paths denied by policy. Replace broad "permit all" policies with specific, port-limited policies, paired with a final deny action, to improve this score.

Malware Lateral Movement

The Malware Lateral Movement Score evaluates your exposure to ports commonly used by malware for lateral movement. This factor is based on the MITRE ATT&CK framework and focuses on techniques specifically used for lateral movement between systems.

The scoring system evaluates your policies against known attack vectors such as Remote Desktop Protocol (RDP), Server Message Block (SMB), Secure Shell (SSH), Windows Remote Management (WinRM), and other protocols frequently exploited by attackers. Higher scores indicate that fewer lateral movement attack vectors remain available.

MITRE ATT&CK Lateral Movement Techniques Tracked

Technique	MITRE ID	Ports	Risk
Remote Desktop Protocol (RDP)	T1021.001	TCP 3389	Interactive remote login to systems
SMB/Windows Admin Shares	T1021.002	TCP 445, 139	File sharing and remote execution via admin shares (C$, ADMIN$, IPC$)
DCOM	T1021.003	TCP 135	Remote code execution via RPC endpoint mapper
SSH	T1021.004	TCP 22	Remote shell access, file transfer (SCP/SFTP)
VNC	T1021.005	TCP 5900 – 5903	Remote graphical desktop access
WinRM	T1021.006	TCP 5985, 5986	PowerShell Remoting and remote command execution
Lateral Tool Transfer	T1570	TCP/UDP 21, 69	FTP/TFTP file transfer between internal systems
Exploitation of Remote Services	T1210	TCP/UDP 23, 161, 162, 1433, 3306, 5432, 1521, 27017	Telnet, SNMP, and database services vulnerable to exploitation
Alternate Authentication	T1550	TCP 88, 389, 636	Pass-the-hash and pass-the-ticket attacks via Kerberos/LDAP
Session Hijacking	T1563	TCP 3389, 22	Hijacking existing RDP or SSH sessions

Create explicit deny rules for high-risk ports in Policy Groups where those services are not required. Closing off these attack vectors reduces the paths available for lateral movement.

Future Score Factors

Dashboard Anatomy

The Zero Trust Posture Dashboard is organized top to bottom into the Zero Trust Score gauge, the Score Trend chart, the Score Factors section, and the Zero Trust Risk Attribution table. The current scope (for example All Sites) and the last refresh time are shown in the page header.

Zero Trust Score gauge

The Zero Trust Score gauge displays your aggregate Zero Trust Posture Score on a 0–100 scale, color-coded to match the score ranges described above. Alongside the score, the gauge shows the change versus the previous week so you can see at a glance whether your posture is improving, holding, or regressing.

Use this widget for executive reporting and overall progress tracking.

Score Trend chart

The Score Trend chart plots your scores over a selectable time range. The chart overlays four series — the Zero Trust Posture Score and each Score Factor (Policy Deployment, Least Privilege, Malware Lateral Movement) — so you can correlate movement in the overall score with movement in the underlying factors.

Use the time-period selector in the upper right of the widget to switch the range. If the overall Zero Trust Posture Score has moved unexpectedly, look at which factor lines diverged at the same time to identify the cause.

Score Factors Section

The Score Factors section presents the three contributing Score Factors as side-by-side cards. Each card shows the factor's current score out of 100, a week-over-week delta, and a short list of supporting metrics most relevant to that factor:

• Policy Deployment — Policy Needed, Independent Control, Simulated Policies, Activated Policies.
• Least Privilege — Average Allowed Ports, Average Denied Ports, Allowed Due to Missing Policy, Allowed Due to Simulation Mode.
• Malware Lateral Movement — Total Techniques Evaluated, Total Ports and Protocols Evaluated, Most Commonly Allowed Technique, Least Commonly Allowed Technique.

Each card includes a View Details link that opens the factor's detail screen for deeper analysis. To find the biggest opportunity for improvement, scan the Score Factors Section for the lowest-scoring card and click View Details.

Zero Trust Risk Attribution table

The Zero Trust Risk Attribution table sits at the bottom of the dashboard and provides a single grouped view of your scores. It uses a configurable Group By selector that lets you organize rows by:

• Site — group rows by physical or logical site.
• Policy Set — group rows by Policy Set.
• Distribution Zone — group rows by Distribution Zone.
• Policy Group — group rows by Policy Group.
• Device — display rows by individual device.

Group By accepts a primary and an optional secondary level (for example Site › Policy Group), letting you nest groupings. Expanding a row drills into the next level of detail down to individual devices.

Default columns include the Zero Trust Score, the Policy Score at the group and device levels, the Least Privilege score, and the Lateral Movement score. Sort by any column to identify the lowest-scoring rows; use the search, filter, column picker, refresh, and export controls in the toolbar to narrow or share the view.

Score Factor Detail Screens

Clicking View Details on any Score Factor card opens a detail screen for that factor. Each detail screen follows a consistent pattern:

• A gauge showing the current factor score and the week-over-week delta.
• Key metric cards that surface the underlying drivers of the score.
• A Policy Action Distribution chart that visualizes how communication paths break down across policy actions.
• A factor-specific Risk Attribution table with the same Group By controls as the main dashboard (Site, Policy Set, Distribution Zone, Policy Group, or Device).
• A Back button and breadcrumb at the top of the page for returning to the main dashboard.

Policy Deployment detail screen

The Policy Deployment detail screen exposes the underlying counts that drive the Policy Deployment Score and lets you identify exactly where explicit decisions are still needed.

Key metric cards

• Policy Needed — Policy Group intersections that still require an explicit allow or deny decision. These are unmanaged paths that lower your Policy Deployment Score; closing the gap is the primary lever for improving this factor.
• Simulated Policies — Policies currently in Simulation Mode. They are not enforcing yet, but they count toward the Policy Deployment Score at 10% of the weight of an Activated policy — partial credit for having made the policy decision but not yet enforced it. Activating a simulated policy converts that partial credit to full weight.
• Activated Policies — Policies currently active and enforcing. These are the only policies that improve your score.
• Independent Control — Policy Group intersections where enforcement is handled by a non-Elisity device such as a firewall or NGFW. These paths are credited as fully restricted in the score calculation (see Independent Control below).

Policy Action Distribution chart

The Policy Action Distribution chart shows the relative share of communication paths across each policy state — Policy Needed, Simulated, Activated, and Independent Control. A healthy distribution has a small Policy Needed segment and a Simulated segment that you are systematically converting into Activated.

Risk Attribution table columns

• Policy Group (or other Group By selection)
• Policy Score (Group) — the policy-decision coverage for the group as a whole
• Policy Score (Device) — the average policy-decision coverage across devices in the group
• Policy Needed — count of intersections still without an explicit decision
• Independent Control — count of intersections enforced externally
• Simulated Policies — count of policies in Simulation Mode
• Activated Policies — count of policies actively enforcing
• Allow All — percentage of paths covered by a permit-all policy. Use this column to spot the largest opportunities for least-privilege refinement.

Least Privilege detail screen

The Least Privilege detail screen surfaces port-level metrics and the specific reasons traffic is currently being allowed.

Port Statistics

• Average Allowed Ports — the percentage of total traffic permitted through segmentation policies.
• Average Denied Ports — the percentage of total traffic blocked by segmentation policies.

Sub-metric cards

• Deny All by Default — the percentage of paths that resolve to a default deny. This is the strongest least-privilege state and is what you are working toward.
• Allowed Due to Simulation Mode — paths that would be denied if the relevant policies were activated, but are currently allowed because those policies are still in Simulation Mode. Activating the policies converts these paths to denied.
• Policy Set Mismatch — paths allowed because the source and destination devices belong to mismatched Policy Sets. Reconcile the Policy Set assignments to close these paths.
• IP to Group Mappings — paths allowed because one of the endpoints could not be resolved to a Policy Group from its IP address. Improve the IP-to-Group mapping coverage to close these paths.

Policy Action Distribution chart

The Policy Action Distribution chart on the Least Privilege detail screen breaks down communication paths into five categories:

• Allow All — paths covered by a permit-all policy.
• Deny All — paths covered by a deny-all policy.
• Custom — paths covered by a custom security profile that limits allowed ports and protocols.
• Independent Control — paths whose enforcement is handled by a non-Elisity device.
• No Policy — paths that have no explicit policy applied (equivalent to Policy Needed).

Tightening this distribution away from Allow All and No Policy and toward Deny All and Custom is the central goal of least-privilege work.

Risk Attribution table columns

• Site › Policy Group (or other Group By selection)
• Least Privilege Score
• Device Reachability — the share of destinations a device can reach
• Avg. Allowed Ports — overall allowed-port percentage
• Avg. Allowed TCP — allowed-port percentage limited to TCP
• Avg. Allowed UDP — allowed-port percentage limited to UDP
• Avg. Allowed ICMP — allowed-protocol percentage for ICMP

Malware Lateral Movement detail screen

The Malware Lateral Movement detail screen breaks down your exposure by MITRE ATT&CK technique.

Key metric cards

• Total Ports and Protocols Evaluated — the total number of ports and protocols included in the lateral-movement evaluation.
• Avg. Ports Allowed via Custom Policies — the average percentage of evaluated ports that custom policies still permit. Lower is better.
• Most Commonly Allowed Technique — the MITRE technique most frequently allowed across your environment. This is your highest-leverage opportunity to reduce exposure.
• Least Commonly Allowed Technique — the MITRE technique least frequently allowed. Useful as a benchmark for your strongest restriction.

MITRE Techniques Evaluated tile grid

The MITRE Techniques Evaluated tile grid presents one tile per tracked MITRE technique. The card title shows the count of techniques in parentheses (for example, MITRE Techniques Evaluated (10)). Each tile shows the technique ID, the technique name, the affected ports, and a percentage representing the share of paths in your environment where the technique is still possible.

A right-side legend categorizes tiles by Exposed Ports, reflecting how many of the technique's tracked ports are currently allowed in your environment:

• High — broad exposure; prioritize remediation.
• Medium — moderate exposure.
• Low — minimal exposure.
• None — no remaining exposure.

Click any tile to open the Technique Exposure Details drawer (described below).

Risk Attribution table columns

The Risk Attribution table on this screen has a column per tracked MITRE technique, in addition to the Group By column and the overall Lateral Movement Score. Each technique column shows the percentage of paths in that group where the technique remains possible, allowing you to spot the groups that contribute most to a particular exposure.

Technique Exposure Details drawer

Clicking a technique tile or table cell opens the Technique Exposure Details drawer. The drawer is the bridge between a high-level technique exposure and the specific ports you need to deny in your policies.

The drawer shows:

• The technique ID and name (for example, T1210, Exploitation of Remote Services).
• The overall Exposure percentage for the technique across the current scope.
• A description of the technique, summarized from MITRE ATT&CK.
• A Learn More link to the MITRE ATT&CK reference page.
• A Port & Protocol Exposure table listing each port and protocol that contributes to the technique, along with the average percentage of paths where it is allowed and the average percentage allowed via custom policy.

How Scores Are Calculated

Understanding how scores are calculated helps you interpret the numbers and decide where to focus policy work.

Evaluation Process

The system evaluates every possible source-to-destination device pair in your environment. For each pair, it determines whether your current Elisity policies would permit or deny communication based on the configured security profiles and enforcement settings. Each flow is scored as either fully allowed (0) or fully denied (100); the device-level score is the average of those binary flow scores, which is what makes a score of 75 mean exactly "75% of flows are denied."

Score Interpretation

Your device score is the percentage of communication paths denied by policy. A score of 75 means 75% of all possible connections from that device are blocked. This straight percentage makes scores easy to read and act on.

Score Factor calculation

Each Score Factor isolates a different dimension of restriction:

• Policy Deployment is a coverage metric: the percentage of policy decisions you have made out of the total policy decisions to make, weighted by the number of devices each Policy Group intersection affects. The factor improves as unmanaged intersections are replaced with deliberate allow or deny decisions. Activated policies count at full weight; policies in Simulation Mode count at 10% of the weight of an Activated policy — partial credit for having made the decision but not yet enforced it.
• Least Privilege is a weighted port-openness score that rewards tightly scoped policies. TCP is weighted at 50%, UDP at 40%, and ICMP at 10%. Within each TCP and UDP weighting, well-known ports (0–1023) are weighted three times more heavily than registered ports (1024–49151) or dynamic ports (49152–65535), because restricting well-known ports has the greatest security impact.
• Malware Lateral Movement is derived from the MITRE ATT&CK lateral-movement techniques shown on the MITRE Techniques Evaluated tile grid. For each technique, the system calculates the percentage of paths in your environment where the technique remains possible — based on whether the technique's tracked ports and protocols are still allowed by policy — and averages those per-technique percentages across all flows. The factor reflects how restricted those techniques are overall.

Zero Trust Posture Score aggregation

The Zero Trust Posture Score is the arithmetic average of the active Score Factors. With all three factors active, each factor contributes equally to the average. If a factor is inactive in your environment, it is omitted from the average, so the result reflects only the active factors. As future Score Factors are introduced, they enter the same average.

Policy Evaluation

Score Factors weight policies differently based on their enforcement status. Policy Deployment credits Activated policies at full weight and policies in Simulation Mode at 10% — partial credit for having made the decision but not yet enforced it. Least Privilege and Malware Lateral Movement evaluate only Activated policies; paths governed by simulated policies are treated as not restricted, because a simulated policy is not actually blocking any traffic. This ensures the port-restriction and lateral-movement factors reflect real enforcement rather than planned restrictions.

Data Freshness

Dashboard scores are refreshed daily. The last update time is shown in the page header. For an on-demand assessment with the latest policy configurations, use the Snapshot feature.

Independent Control

Your network may include enforcement points beyond Elisity-managed network infrastructure — firewalls, NGFWs, or other security devices. The Zero Trust Dashboard recognizes these enforcement points as Independent Control and credits them in the score calculation.

How Independent Control is scored

Independent Control can be applied at three scopes — an individual Policy, a Site, or a Distribution Zone. When any of those is marked as Independent Control, the dashboard scores the affected communication paths as fully restricted (a score of 100). This gives credit for effective segmentation regardless of which device is doing the enforcement.

Mixed enforcement environments

In environments where some traffic is controlled by Elisity-managed network infrastructure and other traffic is controlled by external devices, the dashboard credits all effective segmentation. This supports mixed-vendor architectures and gradual migration strategies.

Where Independent Control appears

Independent Control is surfaced as a metric card on the Policy Deployment detail screen, as a category in the Policy Action Distribution charts on both the Policy Deployment and Least Privilege detail screens, and as a column in the Policy Deployment detail table.

Snapshot configuration options

The Snapshot feature provides additional capabilities for configuring Independent Control scenarios. While the dashboard provides a standard view, Snapshot allows more detailed configuration of external control parameters when generating specific assessments.

Improving Your Scores

Focus your improvement efforts based on your current scores and organizational priorities. Each Score Factor responds to a different set of actions.

Improving Policy Deployment Score

• Review unmanaged intersections: Identify Policy Group intersections that do not have explicit allow or deny decisions (the Policy Needed count on the Policy Deployment detail screen). Systematically review each Policy Group pair to assign an appropriate policy.
• Prioritize high-impact groups: Focus first on Policy Group intersections that affect large numbers of devices. These configurations have greater weight in your score and provide maximum security improvement per effort.
• Use Simulation Mode strategically: Before activating new policies, use Simulation Mode to test them and verify they will not disrupt legitimate business operations. Once validated, activate them to improve your score.
• Address missing policies systematically: Use the Group By controls and the Policies Needed column on the Policy Deployment detail table to find the highest-leverage gaps.

Improving Least Privilege Score

• Replace "Permit All" policies: Identify policies that allow all ports and replace them with custom security profiles specifying only required ports. Start with the most critical Policy Groups where broad access poses the greatest risk.
• Audit per-protocol metrics: Use the Avg. Allowed TCP / UDP / ICMP columns on the Least Privilege detail table to identify which protocols are broadly open across your environment. Focus on well-known ports (0–1023) first.
• Close path-level gaps surfaced by sub-metric cards:
  • Allowed Due to Simulation Mode - Activate Simulated Policies to close the gap
  • Policy Set Mismatch - This is informational and denotes that the policy configured between two devices in two different policy sets is different.
  • IP to Group Mappings - Enable Intelligent Tag Distribution on Distributions Zones or configure core Distributions Zones with the needed Group Mappings.
• Create purpose-built policies: Build specific security profiles for each type of communication. For example, separate policies for web traffic (ports 80, 443), database access (ports 1433, 3306), and administrative access (ports 22, 3389).
• Implement least-privilege principles: For each policy, start with a deny-all baseline and explicitly allow only the ports required for business operations.

Improving Malware Lateral Movement Score

• Create explicit deny rules: For Policy Groups where specific lateral movement ports are not required, create explicit deny rules for high-risk ports such as RDP (3389), SMB (445/139), SSH (22), and WinRM (5985/5986).
• Audit administrative protocols: Review which Policy Groups legitimately require administrative protocols like RDP and SSH.
• Create Administrative Policy Groups: Where administrative protocols are required consider moving administration workstations from the general Verified PCs Policy Group into a special limited Administrative PCs Policy group.
• Use the MITRE Techniques Evaluated tile grid: Prioritize remediation for techniques in the High Exposed Ports band. Open the Technique Exposure Details drawer to see the exact ports and protocols that drive a technique's exposure.
• Implement jump-box architecture: Consider consolidating administrative access through dedicated jump boxes or bastion hosts, allowing you to deny administrative protocols to most Policy Groups while maintaining necessary operational access.

General best practices

• Use multiple dashboard views: Switch the Risk Attribution table's Group By selector between Site, Policy Set, Distribution Zone, Policy Group, and Device to find improvement opportunities from different angles.
• Track progress over time: Use the Score Trend chart to monitor the effectiveness of your policy changes. Establish regular review cycles to ensure continued progress.
• Test before activation: Always test policies in Simulation Mode before activation. Review the impact analysis to ensure policies will not disrupt business operations, then activate validated policies.
• Drill into the lowest-scoring factor: When deciding where to start, click View Details on the lowest-scoring Score Factor card and work from the metric cards on that detail screen.

Sorting, Filtering, and Data Export

Sorting and grouping

All tables in the dashboard support sorting by any column header — click a column header to sort ascending or descending. The Risk Attribution tables also support the Group By selector described above, which controls how rows are organized rather than how they are sorted.

Search, filter, and column controls

Each table includes a search box for quick lookup, a filter control for more advanced narrowing, and a column picker for choosing which columns are visible. Use the refresh control to re-fetch the underlying data without leaving the page.

Data export

Each Risk Attribution table includes an export control for downloading the current view. For executive reporting and stakeholder communication, use the Snapshot feature to generate PDF reports with optional filtering by site, Policy Group, or other dimension.

API integration

Device-level scores are also available as device attributes via the Elisity API. You can pull them into external reporting tools, SIEM systems, or custom dashboards.

Frequently Asked Questions

Q: Why did my score change when I added new Policy Groups?

When you create new Policy Groups, they generate new Policy Group intersections that may not yet have policies assigned. This temporarily lowers your Policy Deployment Score because more intersections exist without explicit allow or deny decisions. Assigning policies to the new intersections restores and potentially improves your overall score.

Q: What does a score of 0 mean?

A score of 0 indicates that the device has unrestricted access to all evaluated destinations. No policies are blocking any communication paths. This typically occurs when policies have not yet been configured for the device's Policy Group intersections, or when all policies use "permit all" configurations.

Q: How often are scores updated?

Dashboard scores are refreshed daily. The last update time is shown in the page header. For immediate analysis with the most current policy configurations, use the Snapshot feature for on-demand assessment.

Q: What is the difference between the Dashboard and Snapshot?

The Dashboard provides an always-available view of your current posture scores, refreshed daily. The Snapshot feature lets you run on-demand assessments with more recent (up to 2 hour delay) device and policy data and provides additional configuration options, including filtering by specific sites or Policy Groups, and PDF report generation for stakeholder communication.

Q: How are policies in Simulation Mode treated?

Policies in Simulation Mode count toward the Policy Deployment Score at 10% of the weight of an Activated policy — partial credit for having made the decision. They do not improve the Least Privilege or Malware Lateral Movement scores, because those factors measure actual enforcement of port restrictions and a simulated policy is not blocking any traffic. Once you activate a simulated policy, its weight in Policy Deployment goes to 100% and the policy's port restrictions begin counting toward the other Score Factors.

Q: What is Independent Control?

When a Policy, Site, or Distribution Zone is marked as Independent Control, it indicates that enforcement is handled by a device outside the Elisity-managed network — for example, a firewall or other security appliance. These communication paths are scored as fully restricted (score of 100) because the external control provides effective segmentation.

Q: Can I export dashboard data for executive reporting?

Yes. Each Risk Attribution table includes an export control for the current view. For polished reporting, use the Snapshot feature to generate PDF reports suitable for executive presentation. Snapshots can be configured with specific filtering options and provide detailed analysis with current data. Device-level scores are also available via the Elisity API for integration with external reporting tools.

Q: How should I prioritize improvements when multiple Score Factors are low?

Start with the lowest-scoring Score Factor card on the main dashboard and click View Details. The detail screen's metric cards will show you exactly which underlying drivers are pulling the score down, and the Risk Attribution table will let you locate the highest-impact rows by device count or by score. Address the highest-leverage rows first, then re-evaluate after the next daily refresh.