Open Security Benchmark
Find the gaps in your Salesforce security posture in 20 minutes.
Answer a structured questionnaire mapped to the open Security Benchmark for Salesforce. Get back a graded report — by control, by risk tier, with concrete findings you can hand to your auditor or remediation team.
- Open-source scoring engine
- No credit card
- Self-paced, save and resume
How it works
Three steps, twenty minutes
Everything is self-paced. You can stop and resume any time.
1. Answer 42 questions
   Yes / No / I don't know across user access, authentication, data protection, integrations, and configuration. No CLI required, no Salesforce sign-in.
2. Get a graded report
   A letter grade overall, scorecards by category, and per-control findings — each tagged Critical / High / Moderate, with the OWASP and SOC 2 / HIPAA / ISO 27001 mappings.
3. Remediate or talk it through
   The report includes recommended next steps. If you want a deeper review or hands-on remediation, book 30 minutes with us — no obligation.
What you get
A report you can actually use
Mapped to the control frameworks auditors and security teams already speak.
Letter grade A to F
A weighted overall score across nine SBS categories, with a critical-fail cap so one major gap can't hide behind smaller passes.
Per-control findings
42 controls, each with a pass / fail / inconclusive verdict, the rationale, and concrete remediation steps. No vague "improve security" advice.
Risk-tier breakdown
Critical / High / Moderate rollup so you can sequence remediation by impact instead of guessing.
Compliance crosswalks
Each control tagged with relevant OWASP, SOC 2, ISO 27001, HIPAA, GDPR, and CCPA mappings — copy-paste evidence for your auditor.
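To make the grading described above concrete (a weighted score across categories, a letter grade, and a critical-fail cap so one major gap cannot hide behind smaller passes), here is an illustrative scoring engine. It is an added example written for this page, not the Open Security Benchmark's own engine: the tier and category weights, the grade bands, the cap level, the half-credit rule for inconclusive verdicts, and the sample findings are all assumptions constructed for the demonstration.

```python
"""Illustrative grading engine: weighted category scores, a letter grade and a
critical-fail cap. Every weight, band and cap level below is an assumption
made for this example, not a value taken from the real benchmark engine."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    control_id: str
    category: str
    tier: str      # "Critical" | "High" | "Moderate"
    verdict: str   # "pass" | "fail" | "inconclusive"


# Assumed: a Critical control is worth three Moderate ones.
TIER_WEIGHT = {"Critical": 3.0, "High": 2.0, "Moderate": 1.0}
# Assumed: "I don't know" (inconclusive) earns half credit, so unanswered
# questions pull the score down instead of quietly counting as passes.
VERDICT_CREDIT = {"pass": 1.0, "inconclusive": 0.5, "fail": 0.0}
# Assumed category weights; categories not listed default to 1.0.
CATEGORY_WEIGHT = {"authentication": 2.0, "user_access": 2.0, "data_protection": 2.0}
# Assumed grade bands (lower bound per letter) and the cap applied on any Critical fail.
GRADE_BANDS = [(90.0, "A"), (80.0, "B"), (70.0, "C"), (60.0, "D")]
CRITICAL_FAIL_CAP = "C"
LETTER_ORDER = "ABCDF"  # best to worst


def category_scores(findings: Iterable[Finding]) -> Dict[str, float]:
    """Percentage per category: earned tier weight over possible tier weight."""
    earned: Dict[str, float] = {}
    possible: Dict[str, float] = {}
    for f in findings:
        w = TIER_WEIGHT[f.tier]
        earned[f.category] = earned.get(f.category, 0.0) + w * VERDICT_CREDIT[f.verdict]
        possible[f.category] = possible.get(f.category, 0.0) + w
    return {c: 100.0 * earned[c] / possible[c] for c in possible}


def overall_score(findings: List[Finding]) -> float:
    """Category-weighted average of the per-category percentages."""
    scores = category_scores(findings)
    total = sum(CATEGORY_WEIGHT.get(c, 1.0) for c in scores)
    return sum(CATEGORY_WEIGHT.get(c, 1.0) * s for c, s in scores.items()) / total


def letter_for(score: float) -> str:
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def worse_of(a: str, b: str) -> str:
    """Return whichever letter is further down LETTER_ORDER."""
    return max(a, b, key=LETTER_ORDER.index)


def fails_by_tier(findings: Iterable[Finding]) -> Dict[str, int]:
    """Risk-tier rollup: how many controls failed at each tier."""
    counts = {tier: 0 for tier in TIER_WEIGHT}
    for f in findings:
        if f.verdict == "fail":
            counts[f.tier] += 1
    return counts


def grade(findings: Iterable[Finding]) -> Dict[str, object]:
    """Full report summary: score, uncapped letter, capped letter, rollups."""
    findings = list(findings)
    score = overall_score(findings)
    uncapped = letter_for(score)
    rollup = fails_by_tier(findings)
    # The cap: any Critical fail means the grade can be no better than CRITICAL_FAIL_CAP.
    final = worse_of(uncapped, CRITICAL_FAIL_CAP) if rollup["Critical"] else uncapped
    return {
        "score": round(score, 1),
        "uncapped": uncapped,
        "grade": final,
        "categories": {c: round(s, 1) for c, s in category_scores(findings).items()},
        "fails_by_tier": rollup,
    }


# Constructed sample findings (not from any real report).
# A tidy SMB baseline: one High fail, one inconclusive, no Critical fails.
SMB_BASELINE = [
    Finding("AUTH-01", "authentication", "Critical", "pass"),
    Finding("AUTH-02", "authentication", "High", "pass"),
    Finding("ACC-01", "user_access", "Critical", "pass"),
    Finding("ACC-02", "user_access", "Moderate", "inconclusive"),
    Finding("DATA-01", "data_protection", "High", "fail"),
    Finding("DATA-02", "data_protection", "Moderate", "pass"),
    Finding("INT-01", "integrations", "High", "pass"),
    Finding("CFG-01", "configuration", "Moderate", "pass"),
]
# Almost everything passes, but a single Critical fail sits in a low-weight
# category; the weighted average alone would award an A.
CAPPED_ORG = [Finding(f.control_id, f.category, f.tier, "pass") for f in SMB_BASELINE] + [
    Finding("CFG-02", "configuration", "Critical", "fail"),
]

if __name__ == "__main__":
    print("SMB baseline:", grade(SMB_BASELINE))
    print("Capped org:  ", grade(CAPPED_ORG))
```

The second sample is the point of the cap: its weighted average lands above 90, which the bands alone would read as an A, yet one Critical fail drags the reported grade down to C so the gap is visible on the first page of the report rather than buried in a category score.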
Show me
See a real report before you start
Three sample reports across the grade range. Each is a fully rendered output of the same engine you'll get.
- Grade B: Brightline Plumbing — SMB
  Small business with a tidy baseline. A few inconclusive controls, no critical fails. The kind of grade most healthy SMB orgs land on.
  Open the report →
- Grade C: Northwind Health — HIPAA prep
  Mid-market healthcare org preparing for a HIPAA audit. Some real gaps in encryption and access policy, but a clear remediation path.
  Open the report →
- Grade D: Atlas Cloud — enterprise crisis
  Enterprise org carrying years of permission sprawl and unmanaged connected apps. A worked example of what a hard report looks like.
  Open the report →
Honestly
What this is not
Not a penetration test
No exploit attempts, no real-time scanning. This is a posture review against a published benchmark, not adversarial testing.
Not a SOC 2 attestation
A SOC 2 audit is months of evidence collection by a licensed auditor. This is a 20-minute self-assessment to find the gaps before the auditor does.
Not connected to your org
The questionnaire flow doesn't touch your Salesforce instance. The CLI scan flow (for consultants) reads metadata only — no records, no PII, no writes.
Not a substitute for an admin
The report tells you what to fix. It doesn't fix it. If you need hands-on remediation, that's a separate conversation.
Built by HelloMavens
We built this to give Salesforce teams the same clarity a real security review delivers — without the six-figure invoice. The benchmark is open, the engine is open-source, and the report is honest about what it could and couldn't evaluate.