Security Baselines
Choose the right security baseline for your organization. Each level builds on the previous, adding more controls and stricter enforcement.
Recommended
L1
Recommended Secure
Most organizations. First secure posture.
Advisory baseline for most organizations. Establishes a strong security foundation with low operational risk.
25 controls
7 critical
- Stops common identity attacks
- Aligns with CIS and Microsoft defaults
- Avoids lockouts
- Builds trust in TrueConfig recommendations
CIS Microsoft, Microsoft Secure
L2
Enhanced Security
Organizations with dedicated security teams.
Active enforcement for security-conscious organizations. Adds PIM requirements and stricter controls.
20 controls
4 critical
- Everything in Level 1
- PIM required for privileged roles
- Phishing-resistant MFA for admins
- Device compliance requirements
CIS Microsoft, Microsoft Zero
L3
Maximum Security
Regulated industries, government, high-value targets.
Strict enforcement for high-security environments. Zero tolerance for deviations.
9 controls
6 critical
- Everything in Level 2
- Phishing-resistant MFA for all users
- Hardware security key requirements for admins
- Full just-in-time access for all privileged roles
CIS Microsoft, NIST 800-53
Quick Comparison
| Feature | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Enforcement Mode | Advisory | Auto-Remediate | Strict |
| PIM Required | - | Yes | Yes |
| Phishing-Resistant MFA | - | Admins Only | All Users |
| Device Compliance | - | Admins Only | All Access |
| License Required | Free | P1/P2 | P2 |
Not sure which baseline to choose?
Start with Level 1 (Recommended Secure) and let TrueConfig guide you. You can always upgrade to a higher level as your security program matures.