Updated April 2026

About RansomwareMaturity.com

A free, browser-based ransomware readiness assessment tool — updated for the 2026 threat landscape, covering 7 domains and 80+ controls across all major industries.

Our Mission

RansomwareMaturity.com was built to give organizations of all sizes a structured, actionable way to benchmark their ransomware defenses and prioritize improvements — at no cost, with no account required, and with no data leaving your browser.

The threat landscape has fundamentally shifted. AI-generated phishing, Ransomware-as-a-Service affiliate models, double and triple extortion, software supply chain attacks, cloud workload ransomware, and identity-based no-malware techniques are now standard attack patterns. Preparation and measurable maturity — not just reactive response — are what separate organizations that recover in hours from those that recover in weeks.

What's New in 2026

Major additions and updates from the previous framework version:

  • AI & Agentic Security — entirely new domain covering prompt injection, AI agent inventory, and model supply chain
  • Cloud Security & SaaS Protection — CSPM, CIEM, SaaS backup for SharePoint/OneDrive/Salesforce
  • Data Classification & DLP — sensitive data discovery, exfiltration controls, shadow data
  • AD/Entra ID hardening — Tiered Admin Model, Credential Guard, LAPS, AD canary accounts
  • Out-of-band communications — dedicated subcriterion for war room and offline response coordination
  • Post-quantum cryptography — PQC migration roadmap and cryptographic algorithm inventory
  • Ransomware negotiation readiness — pre-engaged negotiation retainer and decryptor validation
  • Energy & Utilities — new industry profile covering TSA directives and NERC CIP
  • 3-2-1-1-0 backup rule — updated from 3-2-1 to include immutability and zero-error verification
  • CIRCIA 72-hour reporting — pre-filing checklists and notification compliance procedures

Assessment Framework

Seven domains · 80+ controls · 1–5 maturity scale · Aligned with NIST CSF 2.0 and CIS Controls v8

Prevention Controls

EDR/XDR, ZTNA, AD/Entra ID hardening, CSPM/CIEM, data classification & DLP, firmware integrity

Detection Capabilities

24/7 MDR/SOC, ITDR, AI/ML behavioral anomaly detection, SOAR-driven alert triage

Response Readiness

Double/triple extortion playbooks, out-of-band comms plan, CIRCIA compliance, negotiation retainer

Recovery Capabilities

Air-gapped immutable backups, 3-2-1-1-0 strategy, clean-room recovery, chaos testing

Organizational Preparedness

AI phishing/deepfake simulations, MSP/RMM audits, software supply chain security (SBOM/SLSA)

Governance

Ransom payment policy with OFAC screening, post-quantum cryptography roadmap, cyber insurance pre-claims readiness

AI & Agentic Security (New in 2026)

AI agent inventory, prompt injection testing, model supply chain integrity, AI-generated malware defense

Unrated items count as Level 1 (lowest maturity) to prevent score inflation from skipping controls.
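As an added illustration of that scoring rule (not the site's own code; the domain names follow the page, but the control ratings are constructed), the Python below compares an assessment scored with unrated controls counted as Level 1 against one where skipped controls are simply dropped from the average:

```python
from statistics import mean

LOWEST, HIGHEST = 1, 5  # the page's 1-5 maturity scale


def domain_score(ratings, unrated_as_lowest=True):
    """Average maturity of one domain's controls.

    ratings maps control name -> level (1-5) or None for a control the
    assessor skipped. With unrated_as_lowest=True (the page's rule) a skipped
    control is scored as Level 1; with False it is dropped from the average,
    which is the behaviour that lets skipping inflate the score.
    """
    levels = []
    for name, level in ratings.items():
        if level is None:
            if unrated_as_lowest:
                levels.append(LOWEST)
            continue
        if not LOWEST <= level <= HIGHEST:
            raise ValueError(f"{name}: level {level} outside {LOWEST}-{HIGHEST}")
        levels.append(level)
    return mean(levels) if levels else float(LOWEST)  # nothing rated = lowest


def overall_score(assessment, unrated_as_lowest=True):
    """Unweighted mean of the domain scores, rounded to two decimals."""
    return round(mean(domain_score(r, unrated_as_lowest) for r in assessment.values()), 2)


# Constructed sample: two domains, several controls left unrated.
SAMPLE = {
    "Recovery Capabilities": {
        "air-gapped immutable backups": 4,
        "3-2-1-1-0 strategy": 5,
        "clean-room recovery": None,
        "chaos testing": None,
    },
    "Response Readiness": {
        "double/triple extortion playbooks": 3,
        "out-of-band comms plan": None,
        "CIRCIA compliance": 2,
        "negotiation retainer": None,
    },
}

if __name__ == "__main__":
    print("skipped controls dropped  :", overall_score(SAMPLE, unrated_as_lowest=False))  # 3.5
    print("skipped controls = Level 1:", overall_score(SAMPLE))  # 2.25
```

Dropping the two unrated controls per domain reports 3.5 overall; counting them as Level 1, as the tool does, reports 2.25, which is the inflation the rule is designed to remove.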

Framework Alignment

  • NIST CSF 2.0
  • CIS Controls v8
  • CISA KEV Guidance
  • HHS HC3
  • FFIEC / GLBA
  • DORA (EU)
  • CIRCIA
  • MS-ISAC
  • PCI-DSS v4.0
  • NIST AI RMF

Industry-Specific Guidance

The tool tailors criteria and recommendations for nine sectors, each reflecting sector-specific regulatory requirements, threat actors, and operational constraints.

  • Healthcare & Medical
  • Financial Services
  • Government & Public Sector
  • Education
  • Manufacturing & Industrial
  • Retail & eCommerce
  • Technology & Software
  • Energy & Utilities
  • Other Industries

Privacy & Data

All assessment scoring and recommendations are generated entirely in your browser using client-side logic. No assessment data, scores, or organization details are transmitted to any server or stored externally. The tool is safe to use with sensitive internal security information.