Secure Scores
Microsoft Secure Score performance across all managed tenants. We publish these numbers because transparency builds trust.
[Chart: Per-Tenant Trends. Anonymised performance across 7 managed tenants]
What is Microsoft Secure Score?
Microsoft Secure Score is a numerical representation of an organisation's security posture across Microsoft 365. It measures how many recommended security controls have been implemented, from multi-factor authentication and conditional access policies to data loss prevention and device compliance. A higher score means a more hardened environment.
The industry baseline shown here is the global average score for organisations of similar size and sector. Most organisations score between 30% and 50%. Our portfolio consistently scores above 75%, because every Tarbh Tech client receives the same security baseline during onboarding.
We publish these numbers openly because we believe transparency builds trust. If an MSP won't show you their security outcomes, ask yourself why. These are live numbers, updated daily, drawn directly from our managed tenant portfolio.
Not every security control is appropriate for every environment. Actual scores reflect the controls that can be safely enabled given each client's business requirements, legacy systems, and risk appetite. The 75% target represents our engineering standard; individual results may vary.
What's in the Baseline
Every client starts with the same engineered security foundation. Here's exactly what's included.
Identity & Access
- Conditional access policies
Location and device-based rules that protect who can sign in and from where
- MFA enforcement
Multi-factor authentication required for every user, every sign-in
- Privileged identity management
Admin accounts are time-limited and require justification to activate
Endpoint Security
- Microsoft Defender for Endpoint
Advanced threat detection and response on every managed device
- Intune device compliance
Only healthy, up-to-date devices can access your data
- BitLocker encryption
Full disk encryption so lost laptops don't mean lost data
Email Protection
- Defender for Office 365
Protection against malware, phishing links, and malicious attachments
- Ironscales anti-phishing
AI-powered detection that catches what built-in filters miss
- SPF, DKIM & DMARC hardening
We stop attackers from impersonating your domain in emails
Data Protection
- DLP policies
Automatic detection and blocking of sensitive data leaving your organisation
- Sensitivity labels
Classify and protect documents so only the right people can open them
- External sharing controls
Rules that govern what can be shared outside your organisation and how
Monitoring & Reporting
- 24/7 MDR via Blackpoint Cyber
Round-the-clock managed detection and response by dedicated security analysts
- Automated monthly reporting
Clear, jargon-free reports showing what happened and what improved
- Secure Score tracking
Your Microsoft Secure Score monitored and improved continuously
Compliance & CIS Alignment
- CIS Microsoft 365 Foundations Benchmark
Every tenant aligned to the industry-standard hardening framework for Microsoft 365
- Continuous assessment with CISA ScubaGear
Automated scanning against CIS controls to identify gaps and track remediation
- Ongoing monitoring via Maester.dev
Continuous compliance checks that flag drift before it becomes a risk
Why we standardise
Standardisation enables predictable security outcomes. When every client starts from the same baseline, we can publish our metrics with confidence, because the methodology is consistent, tested, and repeatable.
It also means your team gets the same level of protection as every other Tarbh Tech client, from day one. No corners cut, no “we’ll get to that later.” The baseline is the starting line, not the finish.
The standards landscape
There’s no shortage of security frameworks. Microsoft’s own Secure Score provides a useful starting point. NIST offers broad cybersecurity guidance. ISO 27001 covers organisational information security management. But when it comes to the specific hardening of Microsoft 365 environments, one framework stands above the rest.
Why CIS is the gold standard
The CIS Microsoft 365 Foundations Benchmark is maintained by the Center for Internet Security, an independent, non-profit organisation trusted by governments, enterprises, and managed service providers worldwide. Unlike vendor-provided recommendations, CIS benchmarks are consensus-driven, peer-reviewed, and prescriptive. They tell you exactly what to configure and why.
CIS benchmarks are also the basis of compliance requirements across multiple regulatory frameworks. When an auditor asks how your Microsoft 365 environment is hardened, a CIS-aligned posture is the answer they’re looking for.
Standards need context
Implementing CIS isn’t a switch you flip. The benchmark contains hundreds of recommendations, and not every control is appropriate for every organisation. A 15-person professional services firm has different operational realities to a 200-person manufacturer with factory floor devices.
That’s why we treat the CIS benchmark as our north star, not a rigid checklist. During onboarding, we assess each recommendation against your business context: your workflows, your users, your risk profile. Some controls are non-negotiable. Others need to be adapted, phased in, or deferred until the right infrastructure is in place. The result is a hardened environment that’s both secure and practical for the people who use it every day.
See how onboarding works
The baseline goes in during your first 90 days. Here's what that journey typically looks like.