Automated assurance is harder than the tooling admits. Where the green tick lies, and what real evidence actually takes.
Draft outline · Assurance / honesty lensASD's own assessment guidance stresses that maturity is about implementation effectiveness, not tool output. Several E8 controls (macro configuration, application control, user hardening) are routinely reported as compliant by tools while not actually being enforced. The gap between a green dashboard and real assurance is the subject.
Government guidance on how E8 is actually assessed, and why tool output is not evidence.
Local reporting on real assessment findings and where organisations over-report maturity.
The anti-marketing piece, and one of the most trust-building we can publish. It says out loud what vendors hide, which lands hard with a sceptical, burned reader. No re-title needed beyond sharpening; the honesty is the differentiator.