July 9, 2025

Introducing Vanta Trust Maturity Report: Benchmark your security maturity against 11,000+ programs

Written by

Jess Munday

Sr. Content Marketing Manager

Sammi Reinstein

Senior Product Marketing Manager

Reviewed by

Accelerating security solutions for small businesses
‍

Tagore offers strategic services to small businesses.

A partnership that can scale
‍

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors
‍

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

Security is no longer just part of running a business—it’s the backbone of building customer trust. But there’s no one-size-fits-all approach to building a reliable and scalable security program. Every organization—regardless of size, industry, or region—faces unique challenges that shape its security needs and investments.

‍

Customers often tell us they want more tools to benchmark their programs against industry peers and best practices. Many teams are unsure where to start, what to prioritize, or how to measure progress. They need a way to better understand their current maturity, a roadmap to guide their next steps and advance customer trust as they develop their security programs, and a model for team-wide trust.

‍

Vanta has seen program maturities across the spectrum, and today we’re excited to announce the release of our first-ever Vanta Trust Maturity Report. Backed by the NIST CSF maturity tiers, this report analyzes aggregated, anonymized first-party data from our more than 11,000 Vanta customers to help organizations understand where they stand and confidently advance their security maturity. The NIST CSF breaks these tiers down by partial, risk-informed, repeatable, and adaptive security maturity.

‍

The insights in this report will help organizations make data-informed decisions about where to invest in their security programs based on the needs of their organizations today and as they evolve their programs toward a more secure, more trustworthy, and scalable future.

‍

Security maturity starts with strategic risk management

An early indicator of security maturity is the integration of risk practices into the core of an organization’s security program. Practices like continuous monitoring, incident readiness, and operational rigor mark a clear shift from reactive problem-solving to strategic risk reduction and long-term business resilience.

‍

One of the clearest markers of maturity that divided early-stage programs from the other more advanced tiers was risk assessments. Our research found that only 43% of partial organizations conduct risk assessments while 100% of risk-informed businesses have conducted at least one formal risk assessment. This shows how external factors like compliance requirements and customer needs are often the biggest drivers of early-stage security programs.

‍

We see another leap between partial and risk-informed organizations when it comes to test pass rates. Vanta tests automatically collect audit evidence and monitor controls continuously to help organizations stay compliant. We found that the median control test pass rate at the partial tier was 60%, and jumps to 92% for risk-informed organizations, showing greater alignment with control expectations as organizations move up the maturity curve.

‍

Incident readiness was also a clear marker for maturity. We found that 92% of those at the advanced tiers monitor threats continuously with alerts. Here are some additional data points that reflect that across maturity levels:

56% of partial organizations have a basic incident response plan that’s not tested, while 12% have no plan at all
48% of risk-informed organizations have a basic recovery plan and 42% run regular incident response drills
And at the advanced maturity stages, 100% have business continuity plans, with 78% testing them regularly and 85% running regular incident response drills

‍

Maturing teams leverage AI to force-multiply their output

Leading organizations adopt AI at a much higher rate, alongside robust frameworks like ISO 42001. These businesses are embedding governance that supports agility without sacrificing control, resulting in less rework, faster decision making, and security that scales with the business.

‍

The data shows that the most mature security programs—organizations at the adaptive tier—have a better grasp on the way data flows across their organization, what its used for, where it adds value and who needs access to it. Because of this understanding, they’re able to better utilize AI in their workflows. This is why we see AI adoption reach 71% for adaptive-stage companies, since they know how to integrate it in ways that add value.

‍

We also see AI governance emerging among more mature security programs—with advanced frameworks like ISO 42001 emerging at the adaptive tier at 38%.

‍

Trust-first teams drive maturity

Team-wide trust isn’t just a byproduct of mature security programs, it’s what powers them forward. Mature organizations embed trust into the core of the culture, building leadership buy-in, integrating risk into top-level conversations, and accelerating feedback loops.

‍

Our customers at the earliest stages reported that customer expectations and compliance were the top drivers for security investments. As companies get more mature, this broadens to include a wider variety of considerations. For adaptive organizations the top drivers are responding to customer/vendor demands (95%), reducing security risks (93%), meeting compliance requirements (90%), scaling security operations (75%), differentiating through security maturity (70%), and managing multiple frameworks (35%).

‍

We also found that at the adaptive tier, much of the value organizations gain from their security program is driven by building a security culture. In response to a question regarding advice, one adaptive-level customer said: “Get more buy-in from colleagues. The bigger the group responsible for the security maturity, the better.” Mature organizations integrate trust at all stages and invest in building a trust-centric culture that factors in security from the start of any new initiative.

‍

Budget remains a universal challenge—but obstacles broaden with maturity

While resource constraints persist across all tiers, mature organizations increasingly face challenges like implementing automation at scale, cross-team alignment, and keeping pace with evolving threats, emphasizing the need for strategic leadership, collaboration, and adaptable infrastructure.

‍

Here is a breakdown of the top challenges facing each group when moving up the maturity curve:

Partial: Limited Budget and resources (48%)
Risk-informed: Budget and resources (66%)
Repeatable: Limited budget and resources (67%), implementing automation or managing frameworks (27%)
Adaptive: Limited budget and resources (35%), implementing automation at scale (20%), executive buy-in or internal alignment (15%), and keeping up with threats (15%)

‍

This shows that budget and resourcing are a top concern, regardless of maturity stage, but that these challenges become much more people- and risk-centric as maturity progresses.

‍

How does your security program stack up?

Download the Vanta Trust Maturity Report for more insights and to benchmark your program against your peers. If you’re ready to start tracking your organization's maturity against the NIST CSF, check out our Cybersecurity Maturity Assessment Template.

‍

If you’re a current Vanta customer who wants to better understand where your organization stands within these maturity tiers based on the controls and policies you have in place today, book a consultation with your Account Manager today.

‍

Access Review Stage	Content / Functionality
Across all stages	Easily create and save a new access review at a point in time View detailed audit evidence of historical access reviews
Setup access review procedures	Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems	Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta. Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS) Upload access files from non-integrated systems View and select systems in-scope for the review
Review, approve, and deny user access	Select the appropriate systems reviewer and due date Get automatic notifications and reminders to systems reviewer of deadlines Automatic flagging of “risky” employee accounts that have been terminated or switched departments Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section Track progress of individual systems access reviews and see accounts that need to be removed or have access modified Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners	Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access	Focused view of accounts flagged for access changes for easy tracking and management Automated evidence of remediation completion displayed for integrated systems Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results	Auditor can log into Vanta to see history of all completed access reviews Internals can see status of reviews in progress and also historical review detail