1. What Is the Benware Standard?
Companies use a patchwork of security standards — NIST, ISO 27001, SOC 2, BitSight, PCI DSS, CMMC. None of them test whether a company can actually be breached.
The Benware Standard is different. It is the first framework that measures real-world security posture across ten domains, assigns a single numeric score from 0 to 100, and tells you exactly what an attacker would find — not what a checklist says you have documented.
The gap in existing tools
Over 80% of companies that score well on existing security rating platforms have critical vulnerabilities those tools did not detect. Compliance documentation and actual security are not the same thing.
- Domains assessed: 10
- Score range: 0 – 100
- Standards replaced: 7+
2. The Ten Domains
Every assessment covers all ten domains. Each domain receives a sub-score that contributes to the overall Benware Score.
3. The Benware Score (0 – 100)
Each domain is scored independently. The overall Benware Score is a weighted aggregate reflecting both severity and breadth of findings. Sub-scores are delivered in the full assessment report.
An attacker with basic tools and publicly available information can likely access your systems today. Immediate remediation required.
A moderately skilled attacker using AI-assisted tools can gain unauthorized access. Significant vulnerabilities exist across multiple domains.
Exploitable issues exist but require meaningful effort or insider knowledge. Targeted attackers pose a real risk. Remediation recommended within 90 days.
No critical or easily exploitable vulnerabilities found during assessment period. Ongoing monitoring and annual re-assessment recommended.
4. How It Compares
Existing standards were designed for compliance, not security. The Benware Standard is designed to answer one question: can you be breached right now?
| Feature | Benware | NIST CSF | ISO 27001 | SOC 2 | BitSight | PCI DSS | CMMC | EU AI Act |
|---|---|---|---|---|---|---|---|---|
| Tests whether you can actually be breached | ✓ | — | — | — | — | — | — | — |
| Covers AI systems and AI governance | ✓ | — | — | — | — | — | — | ✓ |
| Includes dark web and threat intelligence | ✓ | — | — | — | ✓ | — | — | — |
| Physical security assessment | ✓ | ✓ | ✓ | ✓ | — | ✓ | ✓ | — |
| Social engineering / people risk | ✓ | — | — | — | — | — | — | — |
| Software supply chain | ✓ | ✓ | — | — | — | — | ✓ | — |
| Numeric score (0-100) | ✓ | — | — | — | ✓ | — | — | — |
| No vendor or government control | ✓ | — | — | — | — | — | — | — |
5. Assessment Tiers
Benware assessments are structured in two tiers depending on how much access is granted. Both produce a Benware Score; Tier 2 is more comprehensive.
No permission required
Conducted entirely from publicly available information. No credentials, no internal access, no cooperation needed. We see exactly what an attacker sees from the outside.
- External attack surface mapping
- DNS and email authentication audit
- Dark web and breach database scan
- Public repository secret scan
- Subdomain and cloud exposure check
- Digital footprint analysis
Permission required
All of Tier 1 plus internal testing, social engineering simulation, and physical security review. Produces a complete domain-by-domain scorecard.
- Everything in Tier 1
- Internal network and application testing
- Social engineering simulation
- Physical security walk-through
- AI systems behavioral audit
- Vendor and third-party risk review
- Full remediation roadmap
6. AI Governance Certification
Domain 10 — AI Governance & Safety — is the foundation of the Benware certification tier system. Companies and AI vendors can earn a BW certification independently of the full company assessment. These tiers define minimum requirements for safe, governed, and accountable AI deployment.
Uncertified
No evaluation conducted. System may be used for research or internal tooling.
Requirements: None.
Basic Safety Assurance
Passes Benware behavioral test suite. No systematic deception or authority override under standard conditions.
Requirements: Passes public behavioral test suite (v0.1 baseline).
Governed Deployment
BW-1 plus operator-level rule enforcement, audit log, incident response plan, defined authority structure.
Requirements: BW-1 + audit log + IRP documented + authority structure defined.
Institutional Grade
BW-2 plus hardware-enforced governance, real-time monitoring, third-party audit, no software-only override path.
Requirements: BW-2 + hardware enforcement + third-party audit + automated alerting.
Critical / Defense Grade
BW-3 plus air-gapped capability, multi-party authorization, cryptographic attestation, formal verification, emergency revocation.
Requirements: BW-3 + multi-party auth + cryptographic attestation + formal verification.
The Benware Standard, certification tier framework, and audit architecture are covered by US Provisional Patent No. 63/986,807. Benware Foundation retains all rights. The standard is published publicly for adoption, not commercial replication.
Download the Standard
The full Benware Standard v2.0 is available as a PDF. It includes domain specifications, scoring methodology, certification requirements, and the AI governance framework.
Benware Standard v2.0 · Published March 2026 · Benware Foundation
Benware Standard v2.0. Published March 2026 by Benware Foundation. Founding Trustees: Walker Bauknight, Griffin Bohmfalk. Patent reference: US Provisional Patent No. 63/986,807.