What CAMP measures

CAMP scores each security capability on maturity and criticality so you can see where you stand and what matters most.

Last updated June 1, 2026

CAMP, short for Capability And Maturity Prioritization, is the baseline assessment that tells Forest where your security program actually stands. It measures two things for every capability: how mature the capability is today, and how much that capability matters to your organization.

A capability is a discrete security function or process, such as Patch Management or Identity Provisioning. Capabilities are the source of truth in Forest. Everything else, from your Org Score to your roadmap, traces back to how each capability is assessed here.

The two scales

Maturity is scored 0 to 5:

  • 0 None: no capability in place

  • 1 Initial: ad hoc or reactive

  • 2 Managed: repeatable but inconsistent

  • 3 Defined: documented and standardized

  • 4 Quantitative: measured and controlled

  • 5 Optimized: continuously improved

Criticality rates how important a capability is to you, scored 1 to 3: 1 is nice-to-have, 2 is core, 3 is compliance-required. See Criticality ratings for how that judgment is made.

How it is organized

Capabilities are grouped into 12 domains, including Identity & Access Management, Cloud Security, Security Operations, and AI/ML Security. Working domain by domain keeps the assessment focused, since each area has its own owners and evidence. See Domain-by-domain completion for that flow.

Maturity tells you how well you do something. Criticality tells you how much it matters. Forest uses both together to decide what to fix first.