Compliance Posture & Scoring

How posture scores are computed, how control assessments work, and how to track remediation velocity over time.

What Is a Posture Score?

Your compliance posture score is a percentage representing how well your scanned applications align with a specific compliance framework. A score of 85% means 85% of the testable controls in that framework are passing based on your most recent scan results.

How Scores Are Computed

For each framework, APVISO evaluates every control and assigns it one of three states:

  • Passing — no open findings are mapped to this control. The control is considered satisfied.
  • Failing — one or more open findings (severity Low or above) are mapped to this control.
  • Not assessed — no scan has tested this control, or the control is administrative/procedural and outside the scope of automated testing.

The posture score is calculated as:

score = passing_controls / (passing_controls + failing_controls) * 100

Controls marked not_assessed are excluded from both the numerator and the denominator, so you are not penalized for controls that cannot be tested automatically.
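The assessment rules and the score formula above, carried through in code. This is an added example rather than APVISO's own implementation; the `Control`, `Finding`, `assess_controls` and `posture_score` names, the severity ordering (Info assumed to sit below Low), and the sample controls and findings are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed severity ordering. The page only says "Low or above" fails a
# control, so Info is treated as below the threshold (assumption).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_THRESHOLD = SEVERITY_RANK["low"]


@dataclass
class Control:
    control_id: str
    testable: bool = True  # False for administrative/procedural controls


@dataclass
class Finding:
    finding_id: str
    severity: str
    status: str  # "open" or "fixed"
    controls: set = field(default_factory=set)  # control ids this finding maps to


def assess_controls(controls, findings, tested_controls):
    """Return {control_id: "passing" | "failing" | "not_assessed"}."""
    # A control fails if any open finding at or above the threshold maps to it.
    failing = set()
    for f in findings:
        if f.status == "open" and SEVERITY_RANK[f.severity.lower()] >= FAIL_THRESHOLD:
            failing |= f.controls

    assessment = {}
    for c in controls:
        if not c.testable or c.control_id not in tested_controls:
            assessment[c.control_id] = "not_assessed"
        elif c.control_id in failing:
            assessment[c.control_id] = "failing"
        else:
            assessment[c.control_id] = "passing"
    return assessment


def posture_score(assessment):
    """passing / (passing + failing) * 100, ignoring not_assessed controls."""
    passing = sum(1 for s in assessment.values() if s == "passing")
    failing = sum(1 for s in assessment.values() if s == "failing")
    if passing + failing == 0:
        return None  # nothing assessed yet: no score rather than a division by zero
    return round(passing / (passing + failing) * 100, 1)


# Constructed sample data (not real APVISO output).
SAMPLE_CONTROLS = [
    Control("A.1"),
    Control("A.2"),
    Control("A.3"),
    Control("B.1", testable=False),  # policy/procedure control
    Control("C.1"),                  # testable but never exercised by a scan
]
SAMPLE_FINDINGS = [
    Finding("F-1", "High", "open", {"A.1", "A.2"}),
    Finding("F-2", "Info", "open", {"A.3"}),     # below threshold: does not fail A.3
    Finding("F-3", "Medium", "fixed", {"A.3"}),  # fixed: no longer counts
]
SAMPLE_TESTED = {"A.1", "A.2", "A.3"}


def demo():
    """Assess the sample controls and return (assessment, score)."""
    assessment = assess_controls(SAMPLE_CONTROLS, SAMPLE_FINDINGS, SAMPLE_TESTED)
    return assessment, posture_score(assessment)


if __name__ == "__main__":
    a, s = demo()
    for cid, status in a.items():
        print(f"{cid}: {status}")
    print(f"score = {s}%")
```

A control with no open findings but no scan coverage stays not_assessed rather than passing, so the score cannot be inflated by controls nothing has exercised; when nothing at all is assessed the function returns None instead of a misleading 0 or 100.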

Control Assessment Details

Click any control in the compliance dashboard to see:

  • The control description and requirement text.
  • All findings mapped to this control, with their current status.
  • Historical assessment results from previous scans.

History Tracking

APVISO records your posture score after every scan. The compliance dashboard includes a timeline chart showing how each framework's score has changed over time. Use this to:

  • Demonstrate improvement to auditors and stakeholders.
  • Identify regressions — a dropping score indicates new vulnerabilities affecting previously passing controls.
  • Correlate score changes with specific scans or deployments.
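An added example, not APVISO code, of two checks the timeline is meant to support: flagging scans where the score fell and listing the controls that went from passing to failing, plus a coverage check that catches a score rising only because a control dropped out of assessment. The `HISTORY` snapshots and the function names are constructed.

```python
from datetime import date

# Constructed scan history (not real APVISO data): each entry is
# (scan date, recorded posture score, per-control assessment at that scan).
HISTORY = [
    (date(2024, 1, 10), 60.0, {"A.1": "failing", "A.2": "failing", "A.3": "passing",
                               "A.4": "passing", "A.5": "passing"}),
    (date(2024, 2, 14), 80.0, {"A.1": "passing", "A.2": "failing", "A.3": "passing",
                               "A.4": "passing", "A.5": "passing"}),
    (date(2024, 3, 20), 60.0, {"A.1": "passing", "A.2": "failing", "A.3": "failing",
                               "A.4": "passing", "A.5": "passing"}),
    (date(2024, 4, 22), 100.0, {"A.1": "passing", "A.2": "passing", "A.3": "passing",
                                "A.4": "passing", "A.5": "not_assessed"}),
]


def score_deltas(history):
    """Return [(scan date, score, change since previous scan)] in scan order."""
    ordered = sorted(history, key=lambda h: h[0])
    out = []
    prev = None
    for scan_date, score, _ in ordered:
        out.append((scan_date, score, None if prev is None else round(score - prev, 1)))
        prev = score
    return out


def regressed_controls(before, after):
    """Controls that were passing in the earlier scan and failing in the later one."""
    return sorted(c for c, s in after.items()
                  if s == "failing" and before.get(c) == "passing")


def dropped_from_assessment(before, after):
    """Controls that were assessed before but are not_assessed now."""
    return sorted(c for c, s in after.items()
                  if s == "not_assessed" and before.get(c) in ("passing", "failing"))


def find_regressions(history):
    """Scans whose score dropped, with the controls that flipped passing -> failing."""
    ordered = sorted(history, key=lambda h: h[0])
    hits = []
    for (_, prev_score, prev_ctl), (d, score, ctl) in zip(ordered, ordered[1:]):
        if score < prev_score:
            hits.append((d, round(score - prev_score, 1), regressed_controls(prev_ctl, ctl)))
    return hits


def coverage_warnings(history):
    """Scans where controls stopped being assessed. Because not_assessed controls
    leave the denominator, this can raise the score without any fix."""
    ordered = sorted(history, key=lambda h: h[0])
    return [(d, dropped_from_assessment(p, c))
            for (_, _, p), (d, _, c) in zip(ordered, ordered[1:])
            if dropped_from_assessment(p, c)]


if __name__ == "__main__":
    for d, score, delta in score_deltas(HISTORY):
        print(d, score, delta)
    print("regressions:", find_regressions(HISTORY))
    print("coverage warnings:", coverage_warnings(HISTORY))
```

The last snapshot is the case worth watching: the score jumps to 100 partly because A.5 is no longer assessed, which is a scan-coverage change rather than a fix and should be explained before it is shown to an auditor.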

Remediation Velocity

The compliance dashboard tracks your average time to remediate findings mapped to each framework. This metric — remediation velocity — shows how quickly your team addresses compliance-relevant vulnerabilities. Faster remediation velocity indicates a more mature security program.
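Remediation velocity computed per framework from a constructed set of findings, as an added example and not APVISO's metric implementation; `FINDINGS`, `AS_OF` and `remediation_velocity` are assumptions. Open findings are kept out of the average but reported alongside it with the age of the oldest one, so a long tail of unfixed items is not hidden behind a good mean.

```python
from datetime import date
from statistics import mean, median

# Constructed findings (not real APVISO data). "fixed" is None while still open.
FINDINGS = [
    {"id": "F-1", "opened": date(2024, 1, 10), "fixed": date(2024, 1, 25), "frameworks": {"PCI-DSS", "SOC2"}},
    {"id": "F-2", "opened": date(2024, 1, 10), "fixed": date(2024, 3, 1),  "frameworks": {"PCI-DSS"}},
    {"id": "F-3", "opened": date(2024, 2, 1),  "fixed": None,              "frameworks": {"SOC2"}},
    {"id": "F-4", "opened": date(2024, 2, 14), "fixed": date(2024, 2, 20), "frameworks": {"SOC2", "ISO27001"}},
]
AS_OF = date(2024, 3, 15)  # reporting date used to age the open findings


def remediation_velocity(findings, as_of):
    """Per-framework time-to-remediate statistics.

    Only fixed findings contribute to mean/median days; open findings are
    counted separately together with the age of the oldest one.
    """
    per_fw = {}
    for f in findings:
        for fw in f["frameworks"]:
            bucket = per_fw.setdefault(fw, {"fixed_days": [], "open_ages": []})
            if f["fixed"] is not None:
                bucket["fixed_days"].append((f["fixed"] - f["opened"]).days)
            else:
                bucket["open_ages"].append((as_of - f["opened"]).days)

    report = {}
    for fw, b in sorted(per_fw.items()):
        fixed = b["fixed_days"]
        report[fw] = {
            "fixed": len(fixed),
            "mean_days": round(float(mean(fixed)), 1) if fixed else None,
            "median_days": round(float(median(fixed)), 1) if fixed else None,
            "open": len(b["open_ages"]),
            "oldest_open_days": max(b["open_ages"]) if b["open_ages"] else None,
        }
    return report


if __name__ == "__main__":
    for fw, stats in remediation_velocity(FINDINGS, AS_OF).items():
        print(fw, stats)
```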

Improving Your Score

  1. Review failing controls and the findings mapped to them.
  2. Prioritize findings that affect the most controls across multiple frameworks.
  3. Fix the underlying vulnerabilities and run retests to confirm.
  4. The posture score updates automatically when findings are marked as fixed.
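Step 2, ranking findings by how many controls they affect across frameworks, as an added example rather than APVISO's dashboard logic. It goes one step beyond the text: it also counts the controls for which a finding is the only open blocker, because fixing a finding that shares a control with other open findings does not change that control's status or the score. `OPEN_FINDINGS`, `prioritize` and the sample control identifiers are constructed.

```python
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed open findings (not real APVISO data): each maps to the
# (framework, control) pairs it currently causes to fail.
OPEN_FINDINGS = [
    {"id": "F-10", "severity": "medium",
     "controls": {("PCI-DSS", "6.5.1"), ("PCI-DSS", "6.5.2"), ("SOC2", "CC7.1")}},
    {"id": "F-11", "severity": "high",
     "controls": {("PCI-DSS", "6.5.1")}},
    {"id": "F-12", "severity": "low",
     "controls": {("ISO27001", "A.14.2.5"), ("SOC2", "CC7.1"), ("SOC2", "CC8.1")}},
    {"id": "F-13", "severity": "critical",
     "controls": {("PCI-DSS", "6.5.3")}},
]


def prioritize(findings):
    """Rank findings by the number of controls that would flip to passing if
    only this finding were fixed (sole blockers), then by total controls
    touched across all frameworks, then frameworks, with severity as the
    final tiebreaker."""
    # (framework, control) -> ids of the open findings keeping it failing
    blockers = defaultdict(set)
    for f in findings:
        for ctl in f["controls"]:
            blockers[ctl].add(f["id"])

    rows = []
    for f in findings:
        sole = sum(1 for ctl in f["controls"] if blockers[ctl] == {f["id"]})
        frameworks = {fw for fw, _ in f["controls"]}
        rows.append({
            "id": f["id"],
            "sole_blocker_controls": sole,
            "total_controls": len(f["controls"]),
            "frameworks": len(frameworks),
            "severity": f["severity"],
        })
    rows.sort(key=lambda r: (r["sole_blocker_controls"], r["total_controls"],
                             r["frameworks"], SEVERITY_RANK[r["severity"]]),
              reverse=True)
    return rows


if __name__ == "__main__":
    for r in prioritize(OPEN_FINDINGS):
        print(r)
```

This ordering is the score-driven one the page describes; severity only breaks ties here, so a risk-based triage that puts the critical finding first is a deliberate override of it, not a contradiction.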

Exporting Posture Data

Export compliance posture data as JSON or CSV from the compliance dashboard. You can also access it via the API at GET /api/compliance/posture. This is useful for feeding data into GRC platforms, executive dashboards, or audit documentation.