Know Your Machine
Identity Posture
The [cyphers] Score is a composite security rating (0–100) that measures how well your infrastructure enforces machine identity. Four dimensions. One number. Complete visibility.
What the Score Measures
Each dimension is independently scored and weighted. Together they give you a single, actionable number that reflects your real security posture.
TLS Policy Enforcement
Are your services enforcing modern transport security? This dimension checks that TLS 1.3 is required, legacy protocols are blocked, and cipher suites meet current standards.
- TLS 1.3 enforcement (no fallback)
- Deprecated cipher suite rejection
- Protocol downgrade protection
- HSTS and certificate transparency
Certificate Strength
How strong are the certificates in use across your fleet? This measures key lengths, signature algorithms, chain validity, and whether certificates are properly scoped.
- RSA 2048+ or ECDSA P-256+ keys
- SHA-256 or stronger signatures
- Valid certificate chains
- Properly scoped SANs
Revocation Configuration
Can you revoke a compromised certificate immediately? This checks that OCSP stapling, CRL distribution, and revocation workflows are configured and functional — for both client and server certs.
- OCSP stapling enabled
- CRL distribution points configured
- Revocation latency under threshold
- Client cert revocation paths verified
Lifecycle Hygiene
Is your certificate lifecycle automated and healthy? This measures rotation frequency, time-to-expiry margins, issuance automation, and whether any certs are overdue or orphaned.
- Automated rotation enabled
- No certs within expiry danger zone
- Issuance via automated pipeline
- No orphaned or unused certificates
One Number.
Four Dimensions.
Real-Time Updates.
The [cyphers] Score is calculated continuously by the Cyphers Hub control plane. It scans every connected endpoint, evaluates all four dimensions, and produces a weighted composite score.
The score updates in real time as you deploy TLSMCP, rotate certificates, or change policies — so you always know exactly where you stand.
-
90–100
Excellent
Fully hardened. Modern TLS, automated lifecycle, complete revocation coverage.
-
70–89
Good
Strong posture with minor gaps. Typically missing automation on some endpoints.
-
40–69
Needs Attention
Significant gaps in enforcement, expiring certificates, or missing revocation paths.
-
0–39
Critical
Minimal machine identity enforcement. Legacy TLS, manual processes, no visibility.
Before and After TLSMCP
A typical infrastructure before and after deploying TLSMCP and connecting to Cyphers Hub.
Manual processes, expiring certs, no mTLS, no visibility.
- TLS 1.2 allowed on 60% of endpoints
- 3 certs expired in the last 30 days
- No client certificate enforcement
- No revocation mechanism configured
- Renewal tracked in spreadsheets
Automated lifecycle, enforced mTLS, real-time visibility via Cyphers Hub.
- TLS 1.3 enforced on 100% of endpoints
- All certs auto-rotating before expiry
- mTLS enforced on every connection
- Instant revocation for client & server certs
- Real-time posture monitoring in Cyphers Hub
What Moves the Needle
Every action you take with TLSMCP directly impacts your [cyphers] Score. Here's what makes the biggest difference.
Enable mTLS
Enforce mutual authentication on every endpoint. Biggest single-action score improvement.
Shorten Cert Lifetime
Move from 90-day to 24-hour certs. Shorter lifetimes reduce blast radius and improve hygiene.
Block TLS 1.2
Enforce TLS 1.3 only. Every endpoint still allowing legacy negotiation drags the score down.
Configure Revocation
Enable OCSP stapling and CRL for both client and server certs. Close the revocation gap.
Automate Rotation
Replace manual renewal with automated lifecycle. Eliminates the #1 cause of cert-related outages.
Cover All Services
Expand TLSMCP to every endpoint. Unenforced services create score blind spots.
Check Your [cyphers] Score
See how your infrastructure measures up across all four dimensions. Free, instant, and no installation required.