Executive communication for security leaders

Make your program legible to the board.

Forest measures your security program by capability, scores its maturity against where it needs to be, and tells you and your board exactly what to fix first.

How CAMP works
14 daysFrom kickoff to a board-ready brief
94Capabilities scored, not control checkboxes
0LLMs required — scoring is deterministic
Forest ScoreLive
62/ 100▲ 4 QoQ

Primary driver: Goal Alignment improved 4 pts after closing the Patch Management gap.

Goal alignment76 ▲4
Coverage68 ▲2
Execution discipline54 ▼1
Framework-agnostic, framework-traceable
NIST CSF 2.0CIS v8.1ISO 27002CCPAGDPRNIS-2

The communication gap

Your board doesn't speak EDR.

The audit committee, the CFO, the board... they decide your budget and they can't read a controls matrix. Every quarter, the maturity work gets lost in translation. Forest does the translation for you.

What the program sounds like

“We're observing regression in IAM KPIs and have a coverage gap in our SOAR playbooks pending the EDR migration.”

What the board hears in Forest

“Identity controls are behind plan. Three of twelve domains need a decision from the CISO by Jun 30. Everything else is on track.”

The CAMP™ methodology

Capability assessment, not control checkboxes.

CAMP (Capability And Maturity Prioritization) is the intelligence model inside Forest. It measures what your organization can actually do, scores how mature each capability is, and turns the gaps into a ranked list of decisions.

01 / Capability

Measure what you do

A capability is a discrete function the org performs. "Patch Management," not "CIS Control 7.4." Ninety-four of them, across twelve domains on the CS vertical.

02 / Maturity

Score current vs. target

Each capability is rated 0–5 today and 0–5 for where it needs to be. Targets follow your risk appetite and our onboarding process can assess your current stage accurately.

03 / Criticality

Weight by business impact

A 1–3 multiplier set per organization. Compliance required capabilities carry more weight than nice-to-haves.

04 / Priority

Know what to fix first

Gap × criticality gives every capability an integer priority from 0 to 15. A deterministic, defensible order of operations.

0
None
Does not exist
1
Initial
Ad hoc, reactive
2
Managed
Team-specific
3
Defined
Standardized
4
Quantitative
Measured by KPIs
5
Optimized
Continuously improving
Priority = Target, Current, Criticality
Priority is the urgency of improvement. How far you are from target, weighted by how much the capability matters. It never feeds the maturity score, so the two stay honest.

The platform · two tools

RINGS and CANOPY.

RINGS measures how mature your program is. CANOPY measures what your stack costs to get there. Read one against the other and every budget question answers itself.

For the CISO · capability owners
RINGSCapability + Maturity

Objective: turn 94 capabilities into one defensible picture of where the program is and where it needs to be.

RINGS is the assessment engine. Every capability is scored “current x target” and weighted by criticality. Think as concentric maturity rings, one per domain, so the gap between today and target is visible at a glance. Rings holds the Forest Score, the heat map, and the ranked priority list based on your CAMP.

Capability assessmentMaturity ScoresPriority engine
forest.coach
Maturity62/100
Identity & Access42 · 68
Security Operations49 · 70
Cloud Security55 · 70
Application Security62 · 72
forest.coach
Annual spend
$4.2M
▲ $180K YoY
Tools tracked
87
▼ 3 consolidated
Overlap
14%
≈ $580K to save
Tool · domainMaturityAnnualHealth
SplunkSecurity Operations
$680KHealthy
CrowdStrikeEndpoint & Device
$580KHealthy
OktaIdentity & Access
$340KWatch
LaceworkCloud Security
$220KRisk
For the CFO + CISO · the stack
CANOPYStack + Contracts

Objective: show what every tool costs, what it covers, and where the spend overlaps.

CANOPY maps your tools to the capabilities they cover, annualizes the spend, and flags renewals and redundancy. Because every tool ties back to a RINGS capability, CANOPY can answer the question RINGS raises: “we have a gap here, what do we already pay for that closes it?”

Spend ledgerCapability coverageRenewal & overlap

Monitor maturity

One number you can stand behind.

The Forest Score rolls your whole program into a single figure with a quarter-over-quarter delta and one sentence explaining the move. Underneath it: sub-scores, what changed, and every domain sorted by gap. The answer to “what should my team fix first?” without scrolling.

A score that trends

Watch maturity move quarter over quarter, with the primary driver named in plain language.

Benchmarked against peers

See where you stand against your cohort: “retail, 1000+ employees: 58. You're 4 points ahead.”

Domains sorted by gap

Current, target, and gap on every domain ranked, so the conversation starts at the top.

forest.coach
Forest / CISO dashboardLast assessment · 14 days ago
Forest Score
62/ 100▲ 4

Primary driver: Goal Alignment improved 4 pts after closing the Patch Management gap.

What changed · 30 days
Goal alignment+4
Coverage+2
Execution discipline−1
Org · 50%
58▲2
Goal · 20%
76▲4
Coverage · 15%
68▲2
Execution · 15%
54▼1
Domains · sorted by gapCurrent · Target · Gap
Identity & Access Management
42·68·26
Security Operations
49·70·21
Cloud Security
55·70·15
Application Security
62·72·10
Third Party & Supply Chain
66·70·4

Capability heat map

The whole program on one grid.

Twelve domains, governance to physical security. Each carries a maturity gap and a criticality weight; Forest multiplies them into a priority you can defend in any budget conversation.

Domain priority · current assessment
CriticalHighMediumLowOn target
DomainCurrentTargetGapCriticalityPriorityBand
AI/ML Security154312Critical
Identity & Access Management25339High
Security Operations25339High
Cloud Security35236Medium
Data Protection35236Medium
Compliance & Risk35236Medium
Third Party & Supply Chain24224Medium
Application Security34122Low
Network Security34122Low
Asset Configuration Mgmt23122Low
Endpoint & Device Security44020On target
Physical & Environmental33010On target

The priority engine

A ranked list of decisions.

Every recommendation traces back to a capability with non-zero priority without spend heuristics and arbitrary multipliers. The Dashboard hands your team the next three things to do, already mapped to a roadmap horizon.

12Critical
tooling_gap·add_tool·AI/ML Security

Stand up AI data security controls

Capability "AI Data Security" is in scope with a maturity gap and no confirmed tool coverage. Add tooling mapped to this capability.

Immediate
0–3 months
9High
maturity_gap·improve·Identity & Access

Close the identity provisioning gap

Current maturity 2 against a target of 5 on a criticality-3 domain. Standardize joiner-mover-leaver automation across business units.

Near-term
3–12 months
9High
tooling_gap·add_tool·Security Operations

Add attack surface management coverage

Capability "Attack Surface Management (ASM/EASM)" is in scope with a gap and no confirmed tool coverage. Add tooling mapped to this capability.

Near-term
3–12 months
Northwind
Retail Group
Board security brief
Period ending Jun 30, 2026
Prepared by Forest
Executive summary

For the period ending Jun 30, 2026, the security program is on plan overall, with identity and data above target and response behind plan. Three decisions are needed from the CISO this quarter.

Identity & Accessat target
Data Protectionat target
Security Operationswatch
Incident Responsebehind plan
AI/ML Securitybehind plan
Forest Score 62 ▲4Peer cohort 58

Communicate up

The brief writes itself.

Forest opens every summary the way a board wants it: plain, quantified, and closing on a decision. Export to PDF for the audit committee or drop the numbers straight into your PPT board deck.

Board-ready language by default

“Identity controls are behind plan” instead of “we're seeing IAM KPI regression.”

One-click export

Print to PDF locked to letter dimensions, or hand the cited figures to your PPT deck.

Defensible, every quarter

Deterministic scoring means the same inputs always produce the same brief. Auditors love it.

94
Capabilities scored per assessment, end to end
12
Domains, from governance to physical security
0–15
Integer priority on every capability without fractions, no fudge
6
NIST CSF 2.0 functions mapped, govern to recover

See where your program really stands.

Run a CAMP assessment and walk into your next board meeting with one score, a ranked list of decisions, and a brief you didn't have to translate.

Forest — capability intelligence for the enterprise