You've [visualized your preventive policies](/guardrails/blog/2025/12/visualize-preventive-policies). You understand what org policies exist, which security objectives they enforce, and where they're attached in your organizational hierarchy. Now comes the next question: **How well are you preventing security risks?** Where are the gaps in your coverage, which objectives should you focus on to raise the bar, and what's the best way to reduce risk and prevent alerts? Understanding your preventive posture means measuring how well you're achieving those security objectives, discovering where you can improve, and finding the most effective preventive controls to implement. ## Scoring Your Preventive Coverage In the [previous post](/guardrails/blog/2025/12/visualize-preventive-policies), you saw how Turbot Guardrails evaluates your preventive policies and helps you understand what's being prevented. Guardrails automatically maps those preventive controls into security [objectives](https://turbot.com/guardrails/docs/prevention/objectives). Objectives align to multiple dimensions: - **[Priorities](https://turbot.com/guardrails/docs/prevention/objectives/priorities)** (P1 through P5) - P1 objectives are foundational controls that should be implemented everywhere, P5 are hygiene - **[Categories](https://turbot.com/guardrails/docs/prevention/objectives/categories)** - Identity & Access, Data Governance, Network Perimeter, Core Infrastructure, and others - **[Layers](https://turbot.com/guardrails/docs/prevention/preventions/layers)** - Build (IaC scanning), Access (API blocking), Config (resource defaults), Runtime (continuous monitoring) Guardrails [scores](https://turbot.com/guardrails/docs/prevention#prevention-scores) each objective on a 0-5 scale based on your coverage across these layers. An objective with preventive controls at multiple layers scores higher than one with single-layer protection. The scoring considers which objectives have preventions in place, how strong those preventions are (access layer preventions score highest at 0.95, build layer at 0.75), and how important the objectives are (P1 objectives weighted 8x more than P5).

Dashboard showing preventive posture scoring across objectives, priorities, categories, and layers

View your preventive posture scored across multiple dimensions

The dashboard shows your overall [prevention score](https://turbot.com/guardrails/docs/prevention#prevention-scores) (0-5 scale) reflecting how effectively your preventions meet security objectives across all accounts. Below that, you see your preventive posture broken down across all these dimensions. You can see which priorities have gaps, which categories need attention, which layers are strong or weak, and which specific objectives need improvement. Scores aggregate at every level - by objective, account, category, and benchmark - giving you multiple perspectives on where to focus. ## Aligning to Industry Benchmarks Objectives map to industry frameworks and custom internal [benchmarks](https://turbot.com/guardrails/docs/prevention/objectives/benchmarks). Turbot Guardrails comes with out-of-the-box objectives aligned to CIS Foundations Benchmarks, NIST 800-53, and other security and compliance frameworks.

CIS AWS Foundations Benchmark v6.0.0 showing sections with prevention scores

See your prevention coverage against CIS AWS Foundations Benchmark

The benchmark view shows your prevention score for each section of a particular framework, helping you track progress toward increasing your preventive posture. Many objectives appear in multiple benchmarks, so implementing one prevention can improve multiple framework scores simultaneously. Drill into **CIS AWS Foundations Benchmark v6.0.0** and you see sections with their prevention scores - where you have strong coverage and where gaps exist. Section 6 covers compute-related requirements. Within that, **Section 6.7: Ensure that the EC2 Metadata Service only allows IMDSv2** shows both safeguard and enforce approaches.

Section 6.7 showing safeguard and enforce objectives for IMDSv2

Safeguard protects configurations from being changed, enforce prevents non-compliant creation

**Safeguard** protects EC2 account-level instance metadata service defaults from modification, ensuring that account-level defaults requiring IMDSv2 cannot be weakened. **Enforce** blocks creation of new instances that don't require IMDSv2, preventing Server-Side Request Forgery attacks. Both approaches provide full coverage around preventing changes to your required configurations, and applying multiple preventive policies across layers provides a defense in depth coverage. In this case, Section 6.7 shows a score of 0.0 - no active preventive measures in place for IMDSv2 enforcement. When you click further into the objective, you can assess how to improve the score. ## Recommendations for Improvement Guardrails analyzes your environment and generates [recommendations](https://turbot.com/guardrails/docs/prevention/objectives/recommendations) on what to deploy next. The recommendations consider your current coverage gaps, account structure, risk reduction potential, implementation complexity, and defense in depth opportunities. For the IMDSv2 objective, recommendations show the preventive controls that would improve your posture across different layers. Each recommendation includes the expected impact - which objective gap it closes, how it improves your benchmark scores, and what security risk it reduces.

Recommendation detail showing SCP policy for IMDSv2 enforcement

See the exact policy and deployment guidance

The recommendation provides everything needed to implement the control: the exact policy JSON, where to deploy it (organizational root or specific OUs), and the expected impact on your prevention score and benchmark alignment. Instance Metadata Service v1 is vulnerable to SSRF attacks allowing credential theft. IMDSv2 adds session-based authentication preventing this attack vector. ## Measuring the Impact Straight from the recommendation screen, you can quickly simulate and test the policy in Turbot. Or copy the policy to embed into a new or existing org policy. After you apply the updated org policy, Guardrails immediately discovers it, adds it as a prevention rule, and updates the IMDSv2 objective score.

Account scores improving after SCP deployment

Prevention scores increase across accounts covered by the policy

Accounts covered by the policy show improved prevention coverage. The objective score increases from 0.0 to 0.95, reflecting strong access-layer prevention now in place.

CIS benchmark score increasing after control deployment

CIS AWS Foundations Benchmark score improves

The benchmark view updates to reflect improved posture. You closed a gap, raised the bar, and have evidence to show executives and auditors. The preventive control blocks IMDSv1 usage going forward, reducing risk and preventing future alerts. ## See it in action Watch this demo to see how Turbot Guardrails scores your preventive posture and generates recommendations.

## From Assessment to Improvement Turbot Guardrails scores your preventive posture across benchmarks, objectives, accounts, layers, and categories - showing where gaps exist and what to deploy next. Benchmarks contextualize objectives against industry frameworks, while recommendations prioritize controls for maximum risk reduction. This systematic approach replaces guesswork with data-driven prevention. Security teams identify gaps, executives track progress, and auditors receive evidence of systematic risk reduction. Interested in running this in your environment? [Connect with us](https://turbot.com/start) to get your free preventive security posture assessment and start improving your organization's prevention score.

Benchmark, assess and understand gaps in your preventions