Set context 30 seconds, pre-call

Click Client Interview in the top nav. Type the client’s name in the action bar. Optional but recommended: pick their industry from the filter — it preloads the compliance framework (HIPAA, PCI, CMMC, etc.) so the report speaks the right language.

→ Top nav, then the action bar at the top of the Interview panel

Run the interview during the call 20–30 minutes, live with the client

Walk through the 27 questions conversationally — one per security domain. The Live Coverage Map on the right fills in as you talk, which makes it a shared artifact rather than a form you’re filling out silently. If a domain doesn’t apply (a SaaS firm has no OT/IoT), click Not applicable. It won’t count against their maturity.

→ Client Interview mode, the 4-step wizard

Sync the deal qualifier 1 minute, right after the call

Scroll down to Deal Qualifier — MEDDPICC and expand it. Click Sync from assessment. Four of the eight pillars auto-populate from what you just learned — Pain, Metrics, Decision Criteria, Competition. Fill the other four (Economic Buyer, Decision Process, Paper Process, Champion) from your meeting notes. That’s where your judgment lives.

→ Toolkit → Deal Qualifier — MEDDPICC panel

Export the executive report Instant

Click Executive report in the unified scorecard. A one-page summary opens in a new window — Maturity and Deal Readiness side by side, weakest layers, strongest anchors, out-of-scope domains, the full MEDDPICC breakdown, and recommended next steps. Click Print or Save as PDF at the bottom to share internally or with the buyer.

→ MEDDPICC panel, top-right Executive report button

Re-score at 30 and 90 days Same interview, later

Run the same questions again with the same client. The delta — Maturity moved from 44% to 63%, OT/IoT moved from 0% to 50% — is the actual deliverable value. It’s also the easiest way to make the business case for a follow-on engagement: the work moved the number.

→ Click Start new client, enter the same name, and run again

Where this came from

Everything in this tool is built from publicly available frameworks and hands-on Microsoft security deployment experience.

Technical framework

Microsoft Cybersecurity Reference Architecture (MCRA)

Microsoft’s published reference architecture on Microsoft Learn. 12 security layers, vendor-neutral.

Sales qualification

MEDDPICC (Force Management)

Industry-standard eight-pillar deal qualification framework used widely in B2B enterprise security sales.

Tool ratings

18+ years of Microsoft security deployments

Green/amber/red layer ratings drawn from 700+ enterprise deployments spanning 500 to 50,000+ endpoints.

Myriad360 context

Public positioning & case studies

Consultative, vendor-neutral, 700+ partner portfolio. Sourced from myriad360.com, LinkedIn, and published materials.

Industry incumbents

Widely known competitive landscape

Okta, CrowdStrike, Claroty, Dragos, Proofpoint, CyberArk and similar — common in the industries shown.

Compliance anchors

Public regulations

HIPAA/HITECH, NERC CIP, CMMC, FedRAMP, NIST 800-53, PCI-DSS, GLBA, FERPA — public standards.

“Meridian Health Services” is a demo profile — a midmarket healthcare example used to show what a completed assessment looks like.

Questions I’d ask on day one

Things I can’t know from the outside. The honest gap between what this tool shows and what would make it real.

1What qualification framework do your AEs actually use? MEDDPICC is my default here; the real answer might be MEDDIC, BANT, Command of the Message, or something internal.
2Which engagement model does most revenue come through? Fixed-fee scopes, retainers, T&M, value-based? That shapes how a tool like this should recommend next steps.
3Where exactly does the SA-to-AE handoff happen? On what signal, with what artifacts, and how are gaps between Discovery and Qualify caught?
4Which layers in this map do you see most often lose to a best-of-breed competitor? That’s where the amber ratings should probably be red, and vice-versa.
5What does a really good SA deliverable look like at Myriad360? I want to calibrate against your standard, not mine.

How to read each layer:

Microsoft-Led

Customer-Decision

Best-of-Breed Partner

Refine by industry:

🔍

📋 Rating Methodology

▼

This is a vendor-agnostic decision framework I drafted while reading about Myriad360's multi-vendor approach. The ratings draw on hands-on Microsoft deployment experience across environments ranging from 500 to 50,000+ endpoints, and on what I understand about how the choice holds up after POC, after initial deployment, and after the first year in production.

Each MCRA layer is rated across four weighted criteria. Microsoft-Led (green) means Microsoft is the strongest default for most customers. Customer-Decision (amber) means multiple portfolio vendors are equally viable — Microsoft, CrowdStrike, SentinelOne, Palo Alto, Cisco — and the winner depends on existing investments, contract cycles, and operating model. Best-of-Breed Partner (red) means a specialized vendor outperforms the generalist stack and gets integrated back into the customer's SIEM. Myriad360's services — advisory, implementation, global services, and managed services — wrap any of these outcomes.

⚙️

Configuration Depth

How granular is the policy engine? Can it handle edge cases without workarounds? Does it require custom scripting or is it admin-friendly?

🔗

Integration Maturity

How well does it integrate with Sentinel, Entra, Defender XDR, and Intune? Native connectors vs. custom APIs vs. Syslog/CEF?

📜

Compliance Coverage

Does it satisfy NIST 800-53, HIPAA, PCI DSS, CMMC, and FedRAMP requirements natively or does it need supplementary controls?

🎯

Detection & Response

What is the real-world detection rate, mean time to detect, and mean time to respond? Tested across actual incident data, not lab environments.

E5 LICENSE UTILIZATION REALITY CHECK

What your E5 license includes vs. what most organizations actually activate. Based on Microsoft Security Adoption Framework benchmarks and Gartner enterprise security utilization data.

▼

ASR Rules

27%

73% leave default configuration

Purview Sensitivity Labels

39%

Missing classification taxonomy

Custom Sentinel Analytics Rules

56%

Only basic alerts enabled

Defender Predictive Shielding

12%

New feature still unknown

Entra PIM Configured

44%

Role templates not customized

Conditional Access Risk Policies

61%

Still missing some scenarios

Purview Insider Risk

31%

Privacy/compliance concerns block rollout

Defender for Cloud Apps Policies

48%

Limited visibility beyond M365

💸 E5 Waste Calculator

E5 Licenses

Monthly Cost / User ($)

🎯 Deal Qualifier — MEDDPICC SA / AE

Score the opportunity on eight pillars before investing SA hours. Used alongside the coverage assessment to separate real deals from interesting conversations. Vendor-neutral — works for any technology decision in the Myriad360 portfolio.

▼

Technical Maturity

—

Awaiting assessment

Deal Readiness

0/24

0 of 8 pillars validated

0 / 24

Not Qualified

📡 Sentinel Ingestion Cost Calculator

▼

Pay-as-you-go Rate ($/GB)

Commitment Tier Rate ($/GB)

Number of Endpoints

🗺️ Implementation Roadmap

Build Your Coverage Map

Every organization's security stack is different. This framework helps Myriad360 assess where Microsoft leads, where it is capable and the customer decides, and where a complementary solution adds measurable value.

Explore Myriad360 Security Practice Read the MCRA

Myriad360 - Global systems integrator, 700+ technology partnerships, 400+ clients, 160+ countries, CRN SP500 13 consecutive years | myriad360.com

All Microsoft product capabilities sourced from official Microsoft documentation (Microsoft Learn, Security Blog, Tech Community).
Third-party tool capabilities verified against vendor documentation and deployment experience as of April 2026.

Version 1.0 | April 2026 | Updated Quarterly | Prepared by VJ Barot, Microsoft Security Architect

Client Security Maturity Assessment

Security Assessment Interview

A research exploration of security coverage

How I was thinking about the problem