Security Scores
Understand endpoint security posture with automated checks and compliance mapping.
How Scoring Works
Each agent receives a security score (0-100) based on automated checks that run periodically. The score is a weighted average of individual check results. A higher score means the endpoint is better aligned with security best practices.
View security scores from:
- Agent Detail → Security tab — Score for a single endpoint
- API: `GET /api/agents/:id/security-score` — Latest score and history
Score history is retained so you can track improvement or regression over time.
Security Checks
MaxRMM evaluates the following security checks on each endpoint:
| Check | What It Verifies | Impact on Score |
|---|---|---|
| Disk Encryption (BitLocker) | Whether the system drive has BitLocker or another full-disk encryption solution enabled | High |
| Windows Firewall | Whether Windows Firewall is enabled for all profiles (Domain, Private, Public) | High |
| AV Definitions Current | Whether antivirus definitions are up to date (within 3 days) | High |
| Automatic Updates | Whether Windows automatic updates are enabled | Medium |
| Password Policy | Whether local password policy meets minimum complexity and length requirements | Medium |
| Guest Account Disabled | Whether the built-in Guest account is disabled | Low |
| Remote Desktop Disabled | Whether RDP is disabled (or, if enabled, whether NLA is required) | Medium |
Each check returns a status (pass or fail) and evidence (the actual value found on the endpoint, e.g., "BitLocker: XtsAes256, Protection: On").
Compliance Framework Mapping
MaxRMM maps each security check to controls in common compliance frameworks. This helps MSPs demonstrate to their clients that endpoints meet regulatory requirements.
Supported Frameworks
| Framework | Description |
|---|---|
| HIPAA | Health Insurance Portability and Accountability Act — healthcare data protection |
| NIST 800-171 | Protecting Controlled Unclassified Information (CUI) in non-federal systems |
| SOC 2 | Service Organization Control — trust services criteria for SaaS/service providers |
| CIS Benchmarks | Center for Internet Security — prescriptive hardening standards for Windows |
Mapping Examples
| Check | Framework | Control | Title |
|---|---|---|---|
| Disk Encryption | HIPAA | 164.312(a)(2)(iv) | Encryption at Rest |
| Disk Encryption | NIST | 3.13.11 | CUI Encryption |
| Disk Encryption | SOC2 | CC6.1 | Logical Access - Encryption |
| Windows Firewall | NIST | 3.13.1 | Boundary Protection |
| Windows Firewall | CIS | 9.1.1 | Firewall Domain Profile |
| AV Definitions | HIPAA | 164.312(a)(1) | Access Control - AV |
| AV Definitions | NIST | 3.14.1 | Malicious Code Protection |
| AV Definitions | SOC2 | CC6.8 | Malware Detection |
| Automatic Updates | CIS | 18.9.108.1.1 | Configure Auto Updates |
| Automatic Updates | HIPAA | 164.312(c)(1) | Patch Compliance |
| Guest Account | CIS | 1.1.1 | Guest Account Status |
| Remote Desktop | CIS | 18.9.65.3.3.1 | RDP Access Control |
Compliance Bridge API
Retrieve the full compliance mapping for an agent:
GET /api/agents/:id/compliance-bridge

Response includes:
- `agentId` and `hostname`
- `score`: current numeric score
- `checks`: array of check results, each with status, evidence, and mapped frameworks
- `frameworks`: list of all applicable frameworks for this agent's results
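As an added example (not MaxRMM's own code), the following Python computes a weighted score from per-check pass/fail results and lists the mapped controls that a failing check leaves unmet, in the shape of the compliance-bridge `checks` and `frameworks` data. The numeric weights per impact level and the sample evidence strings are assumptions; the page gives only High/Medium/Low labels.

```python
# Added example, not MaxRMM's code: weighted score and unmet mapped controls.
# Weights per impact level are an assumption; the page does not publish them.
IMPACT_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

# Check names and impact levels, from the Security Checks table.
CHECK_IMPACT = {
    "Disk Encryption": "High", "Windows Firewall": "High", "AV Definitions": "High",
    "Automatic Updates": "Medium", "Password Policy": "Medium",
    "Guest Account": "Low", "Remote Desktop": "Medium",
}

# check -> [(framework, control)], from the Mapping Examples table (a subset;
# Password Policy has no mapping listed there, so it contributes score only).
CONTROL_MAP = {
    "Disk Encryption": [("HIPAA", "164.312(a)(2)(iv)"), ("NIST", "3.13.11"), ("SOC2", "CC6.1")],
    "Windows Firewall": [("NIST", "3.13.1"), ("CIS", "9.1.1")],
    "AV Definitions": [("HIPAA", "164.312(a)(1)"), ("NIST", "3.14.1"), ("SOC2", "CC6.8")],
    "Automatic Updates": [("CIS", "18.9.108.1.1"), ("HIPAA", "164.312(c)(1)")],
    "Guest Account": [("CIS", "1.1.1")],
    "Remote Desktop": [("CIS", "18.9.65.3.3.1")],
}

def security_score(results):
    """Weighted pass rate 0-100. results: {check: (passed, evidence)}."""
    total = sum(IMPACT_WEIGHT[CHECK_IMPACT[c]] for c in results)
    earned = sum(IMPACT_WEIGHT[CHECK_IMPACT[c]] for c, (ok, _) in results.items() if ok)
    return round(100 * earned / total) if total else 0

def failed_controls(results):
    """Controls left unmet by failing checks, grouped by framework."""
    unmet = {}
    for check, (ok, _) in results.items():
        if not ok:
            for framework, control in CONTROL_MAP.get(check, []):
                unmet.setdefault(framework, []).append((check, control))
    return unmet

# Constructed sample results for one endpoint (evidence strings are made up).
SAMPLE = {
    "Disk Encryption": (True, "BitLocker: XtsAes256, Protection: On"),
    "Windows Firewall": (True, "Domain: On, Private: On, Public: On"),
    "AV Definitions": (False, "Definitions last updated 5 days ago"),
    "Automatic Updates": (True, "Automatic updates enabled"),
    "Password Policy": (True, "MinLength: 14, Complexity: On"),
    "Guest Account": (False, "Guest account enabled"),
    "Remote Desktop": (True, "RDP enabled, NLA required"),
}

if __name__ == "__main__":
    print(security_score(SAMPLE), failed_controls(SAMPLE))
```

With the assumed weights, the two failing checks in the sample (one High, one Low) pull the score to 75 and leave HIPAA, NIST, SOC2 and CIS controls unmet.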
Score History
Track how an agent's security score changes over time:
GET /api/agents/:id/security-score?days=30

Returns the latest score plus a history array going back the specified number of days. Use this to identify trends and verify that remediation efforts are improving security posture.