Domain scores
Domain scores apply the Org Score formula within each of the 12 CAMP domains so you can see strength and weakness by area.
Last updated June 1, 2026
Domain scores break your program down by area so a single headline number does not hide where you are strong and where you are exposed. Forest scores each of the 12 CAMP domains on the same 0 to 100 scale as your Org Score.
How they are calculated
A domain score applies the Org Score formula, criticality-weighted maturity, but limited to the capabilities that sit inside that one domain. The Forest Intelligence Service runs the same deterministic calculation per domain, so a domain score is directly comparable to your overall Org Score and to other domains.
The 12 domains are Identity & Access Management, Endpoint & Device Security, Network Security, Cloud Security, Application Security, Data Protection, Compliance & Risk, Security Operations, Asset & Configuration Management, AI/ML Security, Third-Party & Supply Chain Security, and Physical & Environmental Security.
Why they matter
Two organizations can share an Org Score and have entirely different risk shapes. One might be even across domains; another might be excellent in Identity & Access Management and thin in Cloud Security. Domain scores expose that shape so you can target effort where the weighted maturity is lowest and the criticality is highest.
A low domain score is not automatically a priority. Pair it with criticality. A weak domain full of nice-to-have capabilities matters less than a moderate domain full of compliance-required ones.
To move from a low domain score to specific work, look at your capability gaps, which identify the individual capabilities furthest below target.