---
name: zero-trust-assessor
description: Runs a Zero Trust gap analysis across identity, device, network, application, data, and infrastructure pillars and produces a maturity scorecard with prioritised roadmap.
version: 1.0.0
author: VantagePoint Networks
audience: IT Managers, Information Security Leads, Enterprise Architects, MSP Account Managers
output_format: Formatted Markdown ZTA assessment with per-pillar scorecard, gap findings, prioritised roadmap, and executive summary.
license: MIT
---

# Zero Trust Assessor

A structured Zero Trust Architecture (ZTA) gap analysis that uses the NIST SP 800-207 model, CISA's Zero Trust Maturity Model v2 and Microsoft's Zero Trust framework, then turns the gaps into a prioritised, costed roadmap. No vendor lock-in.

## How to use this skill

1. Download this `SKILL.md` file.
2. Save it as `zero-trust-assessor.md` in `~/.claude/commands/` (macOS / Linux) or `%USERPROFILE%\.claude\commands\` (Windows). A custom slash command takes its name from the filename, so keep it matching the `name` in the front matter.
3. Run `/zero-trust-assessor` in Claude Code. Describe your current state across the 6 pillars (it will prompt). Receive the assessment.

## When to use this

- A board paper has demanded "we move to Zero Trust" and you need to answer "where do we stand?".
- A cyber insurance policy or major customer contract requires ZTA self-attestation.
- You're scoping a multi-year security programme and need a structured baseline.
- A breach incident has surfaced gaps; you want a coherent forward plan rather than ad-hoc fixes.
- You're an MSP scoping a customer's security maturity engagement.

## What you'll get

- **Maturity scorecard** across the 6 ZTA pillars: Identity, Device, Network, Application, Data, Infrastructure. Each scored 0-4 (Traditional / Initial / Advanced / Optimal / Adaptive).
- **Per-pillar findings** — what exists, what's missing, what's broken, with evidence references.
- **Prioritised roadmap** — Quick wins (< 90 days), Phase 1 (3-12 months), Phase 2 (12-24 months), Phase 3 (24-36 months).
- **Cost & effort estimates** per roadmap item.
- **Dependencies map** — which controls block which.
- **Executive summary** — 5-line readout for the board.

## Clarifying questions I will ask you

For each of the 6 pillars, expect 4-6 questions. Examples below.

### Identity
- Are all human users on a single IdP, or do multiple IdPs / local accounts exist?
- Is MFA enforced for 100% of users? For privileged users, is it phishing-resistant?
- Is access just-in-time (PIM / equivalent) or permanent?
- Are quarterly access reviews actually happening with evidence?
- How are service accounts / service principals managed?
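The questions above are answered from interview, but the scorecard wants evidence. As an added example (not part of this skill or its author's tooling), the script below reads a Conditional Access policy export in the shape returned by Microsoft Graph (`GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`) and answers three of the Identity questions from the policies themselves: is legacy authentication blocked for everyone, is MFA enforced for all users, and do admins get phishing-resistant MFA. The policy set embedded in it is constructed for illustration; the policy names, the break-glass placeholder and the role template ID are assumptions, and a report-only policy is deliberately counted as not enforced.

```python
"""Evidence check for the Identity questions: read a Conditional Access export
and report what the policies actually enforce, not what the interview claimed."""
import json

# Constructed sample in the shape of GET /identity/conditionalAccess/policies,
# trimmed to the fields the checks read. Policy names, the break-glass placeholder
# and the role template ID (Global Administrator) are illustrative, not a real tenant.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "CA001 - Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"],
                              "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"], "authenticationStrength": None}},
    {"displayName": "CA002 - Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"],
                              "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None}},
    {"displayName": "CA003 - Phishing-resistant MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": ["<break-glass-account-id>"],
                              "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
]})

ALL_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"}


def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return policy.get("state") == "enabled"


def _grant(policy):
    return policy.get("grantControls") or {}


def _client_apps(policy):
    apps = set(policy["conditions"].get("clientAppTypes", []))
    return ALL_CLIENT_APPS if "all" in apps else apps


def _all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _all_apps(policy):
    return "All" in policy["conditions"].get("applications", {}).get("includeApplications", [])


def _requires_mfa(policy):
    grant = _grant(policy)
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def _phishing_resistant(policy):
    strength = _grant(policy).get("authenticationStrength") or {}
    return "phishing-resistant" in strength.get("displayName", "").lower()


def _name(policy):
    return policy["displayName"] if policy else None


def identity_evidence(export_json):
    """Return {check: (passes, evidence policy name)} for three Identity-pillar questions,
    plus the report-only policies an interviewee may have counted as 'enforced'."""
    policies = json.loads(export_json)["value"]

    def first_enforced(predicate):
        return next((p for p in policies if _enforced(p) and predicate(p)), None)

    legacy = first_enforced(lambda p: _all_users(p) and _all_apps(p)
                            and {"exchangeActiveSync", "other"} <= _client_apps(p)
                            and "block" in (_grant(p).get("builtInControls") or []))
    mfa_all = first_enforced(lambda p: _all_users(p) and _all_apps(p)
                             and {"browser", "mobileAppsAndDesktopClients"} <= _client_apps(p)
                             and _requires_mfa(p))
    admin_pr = first_enforced(lambda p: bool(p["conditions"]["users"].get("includeRoles"))
                              and _phishing_resistant(p))
    return {
        "legacy_auth_blocked_for_all": (legacy is not None, _name(legacy)),
        "mfa_enforced_for_all_users": (mfa_all is not None, _name(mfa_all)),
        "admins_require_phishing_resistant_mfa": (admin_pr is not None, _name(admin_pr)),
        "report_only_policies": [p["displayName"] for p in policies
                                 if p.get("state") == "enabledForReportingButNotEnforced"],
    }


if __name__ == "__main__":
    for check, result in identity_evidence(SAMPLE_EXPORT).items():
        print(f"{check}: {result}")
```

On the constructed export the MFA-for-all-users check fails because CA002 is still in report-only mode, which is exactly the kind of gap an interview answer of "MFA is on for everyone" hides. The checks ignore `excludeUsers`; a real assessment should read the exclusion lists too, since anything beyond the break-glass accounts weakens coverage.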

### Device
- What % of endpoints are managed by MDM / EDR / UEM?
- Is device compliance a Conditional Access requirement for sensitive apps?
- BYOD posture? Allowed at all? Allowed with restrictions? Blocked?
- Patch SLA — what's promised, what's actually achieved?
- Endpoint detection coverage on servers and on edge devices?

### Network
- Flat network, segmented, or micro-segmented?
- Is east-west traffic inspected, or only north-south?
- Is remote access to internal resources gated by ZTNA, by VPN, or by nothing?
- Is egress traffic inspected (DLP / web filter) or open?
- Are guest, IoT, OT networks segregated?

### Application
- Are apps catalogued? (Inventory)
- Is access to apps via SSO + Conditional Access, or per-app credentials?
- Are admin / dev / data planes for apps separate?
- Application security testing — SAST / DAST / SCA in CI?
- WAF / API gateway in front of internet-facing apps?

### Data
- Is data classified? Are labels applied?
- DLP — at rest, in motion, in use?
- Encryption — at rest with customer-managed keys? In transit TLS 1.2+?
- Backup — separated from prod credentials? Tested restore?
- Data egress monitored?

### Infrastructure
- Cloud account structure — single, sprawl, or organised?
- Privileged Access Management for infrastructure (jump boxes, PAW, vault)?
- Configuration drift detection?
- Asset inventory accuracy (SBOM, CMDB)?
- IaC vs click-ops?

## Output template

```markdown
# Zero Trust Assessment — <organisation> — YYYY-MM

**Assessment ID:** ZTA-<YYYY-MM>
**Conducted by:** <name>
**Frameworks referenced:** NIST SP 800-207, Microsoft Zero Trust, CISA ZTMM v2

## 1. Executive Summary
> <5 lines: overall maturity (e.g. "Initial"), strongest pillar, weakest pillar, top recommendation, target maturity in 12 / 24 / 36 months.>

## 2. Maturity Scorecard

Maturity model (0-3 follow the four stages of CISA ZTMM v2; 4 is this assessment's extension):
- 0 — Traditional (perimeter-only, implicit trust within)
- 1 — Initial (some Zero Trust principles applied tactically)
- 2 — Advanced (consistent application across most assets)
- 3 — Optimal (automated, integrated, telemetry-driven)
- 4 — Adaptive (continuous risk-based decisions everywhere)

| Pillar | Current | Target (12mo) | Target (24mo) | Gap (vs 24mo) |
|---|---|---|---|---|
| Identity | 1 | 2 | 3 | -2 |
| Device | 1 | 2 | 2 | -1 |
| Network | 0 | 1 | 2 | -2 |
| Application | 1 | 2 | 3 | -2 |
| Data | 0 | 1 | 2 | -2 |
| Infrastructure | 1 | 2 | 3 | -2 |
| **Overall** | **0.7** | **1.7** | **2.5** | -1.8 |

## 3. Pillar findings

### Identity (current: 1 / target: 3)
**What's working:**
- <e.g. Single IdP (Entra ID), all users>
- <e.g. MFA enforced for 95% of users>

**Gaps:**
1. **No PIM** — Global Admin held permanently by 4 users. **Recommendation:** PIM rollout, 8-hour activations, approval for top 3 roles. **Effort:** S. **Quarter:** Q1.
2. **Service accounts have interactive sign-in capability and weak passwords.** **Recommendation:** Move to managed identities / OIDC; password rotation < 90 days; vault any remaining secrets. **Effort:** M. **Quarter:** Q2.
3. **No access reviews** — last quarterly review skipped. **Recommendation:** Reinstate quarterly cycle, use the `/access-review` skill. **Effort:** XS. **Quarter:** Q1.

**Pillar maturity progression:** 1 → 2 within 3 months (PIM), 2 → 3 by month 24 (passwordless rollout, full Conditional Access coverage).

### Device (current: 1 / target: 2)
<same structure>

### Network (current: 0 / target: 2)
<same structure>

### Application (current: 1 / target: 3)
<same structure>

### Data (current: 0 / target: 2)
<same structure>

### Infrastructure (current: 1 / target: 3)
<same structure>

## 4. Prioritised Roadmap

### Quick wins (< 90 days)
| # | Action | Pillar | Effort | Cost band | Owner |
|---|---|---|---|---|---|
| 1 | PIM rollout for top 6 admin roles | Identity | S | <£5k (config only) | Identity Lead |
| 2 | Reinstate quarterly access review | Identity | XS | £0 | Security Lead |
| 3 | Block legacy auth in Entra ID (CA001) | Identity | XS | £0 | Identity Lead |
| 4 | Enable mailbox audit log + retention | Data | XS | £0 | M365 Admin |
| 5 | Roll out hardware FIDO2 keys to admins | Identity | S | £2k | Identity Lead |

### Phase 1 (3-12 months)
| # | Action | Pillar | Effort | Cost band | Owner |
|---|---|---|---|---|---|
| 1 | Roll out Conditional Access policy library (CA001-010) | Identity | M | £0 (E3+) | Identity Lead |
| 2 | Defender for Endpoint to all endpoints + servers | Device | M | <£20k/year | Endpoint Lead |
| 3 | Segment internal network (VLAN re-baselining) | Network | L | <£40k | Network Lead |
| 4 | DLP starter pack (Purview) | Data | M | <£15k/year | Compliance Lead |
| 5 | Internal CA for service-to-service mTLS | Application | L | <£10k | Platform Lead |

### Phase 2 (12-24 months)
<similar table>

### Phase 3 (24-36 months)
<similar table>

## 5. Dependencies Map
Roadmap items aren't independent. Some block others.

- **PIM (Quick win, Identity)** depends on: Entra ID P2 licensing (PIM eligibility is a P2 feature)
- **Conditional Access policy library (Phase 1, Identity)** depends on: PIM (policies scoped to directory roles are evaluated against activated role membership, so settle the privileged role model and the break-glass exclusions before switching policies from report-only to enforced)
- **DLP starter (Phase 1, Data)** depends on: Sensitivity labels (must classify before protecting)
- **Network micro-segmentation (Phase 2, Network)** depends on: Asset inventory accurate to 95%+ (cannot segment what you can't identify)

## 6. Cost summary

| Phase | Cost band | Notes |
|---|---|---|
| Quick wins | < £10k | Mostly configuration, hardware tokens |
| Phase 1 | £80k - £150k | Defender E5 add-on, Purview, network rebuild |
| Phase 2 | £150k - £300k | ZTNA platform, mTLS, micro-segmentation |
| Phase 3 | £100k - £250k | Adaptive controls, telemetry / SIEM scale |
| **Total 36-month** | **£340k - £710k** | Excludes existing licence baseline |

Indicative only — depends on org size, licensing posture, and vendor selection.

## 7. Risks if not addressed
- **Identity:** ransomware via stolen admin token (probability High in 24 months)
- **Device:** unmanaged laptop becomes pivot for AD compromise (Medium)
- **Network:** lateral movement after initial breach (High — flat network is a force multiplier)
- **Application:** internet-facing app compromise → access internal (Medium)
- **Data:** PII exfil unnoticed (High)
- **Infrastructure:** cloud config drift creates exposure window (Medium)

## 8. Reference standards alignment

| Standard | This assessment uses |
|---|---|
| NIST SP 800-207 | Pillar definitions, policy engine model |
| CISA Zero Trust Maturity Model v2 | 5 pillars + 3 cross-cutting capabilities (visibility & analytics, automation & orchestration, governance); the four maturity stages |
| Microsoft Zero Trust framework | Identity / Endpoints / Apps / Data / Infrastructure / Network pillars |
| ISO 27001:2022 | Where ZTA controls map to Annex A controls |
```
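The scorecard arithmetic in section 2 and the dependency map in section 5 are easy to get wrong by hand, so here is an added example (not part of the skill) that computes the scorecard rows from the six pillar scores and checks a roadmap against its dependency map: every prerequisite must itself be on the roadmap, in the same or an earlier phase, and the graph must have no cycles. The pillar scores, roadmap items and dependencies are the template's own values transcribed as Python literals; the item names are shortened and the four phase names are assumed to be the ones the template uses. Run against the template as written, it reports that sensitivity labels and the asset-inventory target are named as prerequisites but have no roadmap line of their own.

```python
"""Scorecard arithmetic and roadmap dependency checks for a ZTA assessment."""
from statistics import mean

PILLARS = ["Identity", "Device", "Network", "Application", "Data", "Infrastructure"]
LEVELS = {0: "Traditional", 1: "Initial", 2: "Advanced", 3: "Optimal", 4: "Adaptive"}
# Delivery order of the roadmap phases; a prerequisite must land in the same or an earlier phase.
PHASES = ["Quick wins", "Phase 1", "Phase 2", "Phase 3"]


def scorecard(current, target_12, target_24):
    """Return {pillar: (current, 12mo, 24mo, gap)} plus an 'Overall' row of column means.

    gap is current minus the 24-month target, so it stays negative while work remains.
    """
    for scores in (current, target_12, target_24):
        bad = {p: s for p, s in scores.items() if p not in PILLARS or s not in LEVELS}
        missing = [p for p in PILLARS if p not in scores]
        if bad or missing:
            raise ValueError(f"need an integer 0-4 for each of {PILLARS}; bad={bad} missing={missing}")
    rows = {p: (current[p], target_12[p], target_24[p], current[p] - target_24[p]) for p in PILLARS}
    rows["Overall"] = tuple(round(mean(col), 1) for col in zip(*rows.values()))
    return rows


def maturity_label(score):
    """Name of the level nearest a fractional overall score (0.7 reads as 'Initial')."""
    return LEVELS[max(0, min(4, round(score)))]


def roadmap_issues(items, deps):
    """items: {item: phase}; deps: {item: [prerequisite, ...]}.

    Returns human-readable sequencing problems: prerequisites missing from the
    roadmap, prerequisites scheduled later than the item that needs them, and cycles.
    """
    unknown = {i: ph for i, ph in items.items() if ph not in PHASES}
    if unknown:
        raise ValueError(f"unknown phase names: {unknown}")
    order = {ph: i for i, ph in enumerate(PHASES)}
    issues = []
    for item, prereqs in deps.items():
        if item not in items:
            issues.append(f"{item!r} has prerequisites but is not on the roadmap")
            continue
        for pre in prereqs:
            if pre not in items:
                issues.append(f"{item!r} ({items[item]}) needs {pre!r}, which is not on the roadmap")
            elif order[items[pre]] > order[items[item]]:
                issues.append(f"{item!r} ({items[item]}) is scheduled before its prerequisite "
                              f"{pre!r} ({items[pre]})")

    # Cycle detection: depth-first search, colouring nodes white/grey/black.
    colour = {n: "white" for n in set(deps) | {p for ps in deps.values() for p in ps}}

    def visit(node, path):
        colour[node] = "grey"
        for pre in deps.get(node, []):
            if colour[pre] == "grey":
                issues.append("circular dependency: " + " -> ".join(path + [node, pre]))
            elif colour[pre] == "white":
                visit(pre, path + [node])
        colour[node] = "black"

    for node in list(colour):
        if colour[node] == "white":
            visit(node, [])
    return issues


# The template's scorecard values, transcribed.
CURRENT = {"Identity": 1, "Device": 1, "Network": 0, "Application": 1, "Data": 0, "Infrastructure": 1}
TARGET_12 = {"Identity": 2, "Device": 2, "Network": 1, "Application": 2, "Data": 1, "Infrastructure": 2}
TARGET_24 = {"Identity": 3, "Device": 2, "Network": 2, "Application": 3, "Data": 2, "Infrastructure": 3}

# Roadmap items and the dependency map from the template, with shortened (assumed) labels.
ROADMAP = {
    "PIM rollout": "Quick wins",
    "Conditional Access policy library": "Phase 1",
    "DLP starter pack": "Phase 1",
    "Network micro-segmentation": "Phase 2",
}
DEPENDENCIES = {
    "Conditional Access policy library": ["PIM rollout"],
    "DLP starter pack": ["Sensitivity labels"],
    "Network micro-segmentation": ["Asset inventory accurate to 95%+"],
}

if __name__ == "__main__":
    rows = scorecard(CURRENT, TARGET_12, TARGET_24)
    print(f"{'Pillar':<15}{'Now':>5}{'12mo':>6}{'24mo':>6}{'Gap':>6}")
    for pillar, (cur, t12, t24, gap) in rows.items():
        print(f"{pillar:<15}{cur:>5}{t12:>6}{t24:>6}{gap:>6}")
    print("Overall maturity today:", maturity_label(rows["Overall"][0]))
    for issue in roadmap_issues(ROADMAP, DEPENDENCIES):
        print("ROADMAP:", issue)
```

The sequencing check is the useful part: if a prerequisite has no roadmap line, nobody owns it and nobody has costed it, which is how a Phase 1 DLP rollout quietly slips when the labelling taxonomy turns out not to exist.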

## Example invocation

**User:** "/zero-trust-assessor — we have ~250 staff, single Entra ID tenant, MFA on most users, AD on-prem still around for legacy app, Cisco network, no SD-WAN, basic DLP via Purview. Want to know where to focus."

**What the skill will do:**
1. Walk through 6 pillars with targeted questions (PIM? CA? Device compliance? Network segmentation? DLP scope? Cloud accounts?).
2. Score each pillar 0-4 with evidence reference.
3. Produce a 12 / 24 / 36-month roadmap that's realistic for a 250-staff org (not enterprise overkill).
4. Flag the 3-5 dependencies that determine sequence (e.g. "you can't do CA properly without PIM first").
5. Give cost bands so finance can react.

## Notes for the requester

- **Be honest about today.** Inflated current-state scores produce a useless roadmap.
- **Pillars don't progress evenly.** Identity often races ahead while Network lags. That's normal — identity matters most for blast radius.
- **Cost bands are bands, not quotes.** Treat them as planning anchors.
- **Higher maturity is not always better value.** Going from 0 to 1 is huge value. Going from 3 to 4 is diminishing returns. Don't chase Optimal everywhere.
- **Vendor-agnostic by design.** This skill doesn't recommend specific products. Use the `/vendor-evaluator` skill for selection.
- **"Good" looks like:** the security board reads section 1 and signs off the roadmap. Engineering knows what's in Phase 1 this quarter. Finance can plan the budget.
