Credential attacks are the #1 breach vector

Prove you've done the basics

MFA with security keys. Strong password policies. Minimal admin accounts. These are the hardening steps that stop credential-based attacks. PostureProof verifies them via read-only API access and gives you a badge to prove it.

Starting with Google Workspace. Okta coming soon.

[Badge preview: PostureProof, Phishing-Resistant, Feb 2026] ← Your shareable badge

The Problem

Credential-based attacks — phishing, social engineering, MFA bypass — are behind the majority of breaches. The fix is known. Most orgs just haven't finished implementing it.

80%+

of hacking-related breaches involve stolen or weak credentials, per Verizon DBIR.

Known

The top threat actors have a playbook. Security researchers have studied it and published exactly how to stop it.

Binary

MFA enforcement is binary — for each account it's on or it's off. Security key enrollment is a count you can read from the API. These aren't judgment calls.

Provable

With read-only API access, you can verify and publicly prove that the basics are done. Like TrustMRR, but for security posture.

5 Checks. Derived from How Attackers Actually Get In.

Every check maps to a specific hardening recommendation published by leading threat intelligence teams. We didn't invent these — we verify them.

Admin MFA + Security Keys

Weight: 25%

All admin accounts have 2SV enforced and at least one security key or passkey registered. Enforcement alone still leaves SMS and TOTP in play, and those are phishable. Admin compromise = total domain compromise.

Prevents: credential phishing, MFA bypass, admin account takeover

All-User MFA + Security Keys

Weight: 25%

90%+ of users have 2SV enforced and a security key or passkey registered. Every user without one is an entry point.

Prevents: credential phishing at scale, lateral movement via compromised users

Password Policy Compliance

Weight: 20%

90%+ of users have a strong password that meets the configured length policy. Short, common passwords are exactly what spraying and brute-force lists are built from. (Reused passwords from other breaches are a different problem: a strength policy does not catch them, MFA does.)

Prevents: brute-force attacks, password spraying

Super Admin Count ≤3

Weight: 15%

Fewer super admins = fewer targets for social engineering. Every extra super admin can disable MFA org-wide. Keep at least two, though: a single super admin is a lockout risk when a key is lost or the person leaves.

Prevents: helpdesk social engineering, blast radius of a single compromised admin

Less Secure Apps Disabled

Weight: 15%

Zero users allowed to sign in to third-party apps with a password alone (Google's "less secure apps" setting). A password-only IMAP or SMTP login never sees an MFA prompt, so this one setting undoes every MFA check above.

Prevents: complete MFA bypass via password-only authentication
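How the five checks and their weights combine into a score, as an added example (my code, not PostureProof's). The per-user fields mirror the `accounts:` parameters of the Google Workspace Reports API user usage report as I understand that API, which is an assumption, not something this page documents; every user row below is constructed sample data. Suspended accounts are excluded from the denominators, also an assumption.

```python
"""Score a tenant against the five checks above (added example, not PostureProof's code).
Field names follow the `accounts:` parameters of the Google Workspace Reports API
user usage report as I understand it (assumption). All rows are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

WEIGHTS = {  # weights the page assigns to each check (sum to 100)
    "admin_mfa_keys": 25,
    "user_mfa_keys": 25,
    "password_policy": 20,
    "super_admin_count": 15,
    "less_secure_apps": 15,
}
COVERAGE = 0.90        # the "90%+" thresholds on the page
MAX_SUPER_ADMINS = 3


@dataclass(frozen=True)
class User:
    email: str
    is_super_admin: bool = False
    is_delegated_admin: bool = False
    is_2sv_enrolled: bool = False
    is_2sv_enforced: bool = False
    num_security_keys: int = 0                     # security keys or passkeys registered
    password_strength: str = "STRONG"              # "STRONG" | "WEAK"
    password_length_compliance: str = "COMPLIANT"  # "COMPLIANT" | "NOT_COMPLIANT"
    is_less_secure_apps_access_allowed: bool = False
    is_disabled: bool = False


def user_from_report_row(row: dict) -> User:
    """Flatten one usageReports[] entry. The API carries ints as JSON strings
    ("intValue": "2"), so coerce explicitly; missing password fields fail closed."""
    p = {x["name"].removeprefix("accounts:"): x for x in row["parameters"]}
    def b(k): return bool(p[k]["boolValue"]) if k in p else False
    def i(k): return int(p[k]["intValue"]) if k in p else 0
    def s(k, default): return p[k]["stringValue"] if k in p else default
    return User(
        email=row["entity"]["userEmail"],
        is_super_admin=b("is_super_admin"), is_delegated_admin=b("is_delegated_admin"),
        is_2sv_enrolled=b("is_2sv_enrolled"), is_2sv_enforced=b("is_2sv_enforced"),
        num_security_keys=i("num_security_keys"),
        password_strength=s("password_strength", "WEAK"),
        password_length_compliance=s("password_length_compliance", "NOT_COMPLIANT"),
        is_less_secure_apps_access_allowed=b("is_less_secure_apps_access_allowed"),
        is_disabled=b("is_disabled"),
    )


def phishing_resistant(u: User) -> bool:
    """Enforced + enrolled is not enough: an enforced user with only SMS/TOTP is still
    phishable. Require at least one security key or passkey on top."""
    return u.is_2sv_enforced and u.is_2sv_enrolled and u.num_security_keys > 0


def strong_password(u: User) -> bool:
    return u.password_strength == "STRONG" and u.password_length_compliance == "COMPLIANT"


def share(users: list, ok: Callable[[User], bool]) -> float:
    return sum(ok(u) for u in users) / len(users) if users else 0.0


def run_checks(users: Iterable[User]) -> dict:
    active = [u for u in users if not u.is_disabled]  # assumption: suspended accounts don't count
    admins = [u for u in active if u.is_super_admin or u.is_delegated_admin]
    supers = [u for u in active if u.is_super_admin]
    return {
        "admin_mfa_keys": bool(admins) and all(phishing_resistant(u) for u in admins),
        "user_mfa_keys": share(active, phishing_resistant) >= COVERAGE,
        "password_policy": share(active, strong_password) >= COVERAGE,
        "super_admin_count": 1 <= len(supers) <= MAX_SUPER_ADMINS,  # zero supers is a lockout, not a pass
        "less_secure_apps": not any(u.is_less_secure_apps_access_allowed for u in active),
    }


def score(results: dict) -> int:
    return sum(WEIGHTS[k] for k, ok in results.items() if ok)


def offenders(users: Iterable[User]) -> dict:
    """Who to fix per check, so the number is actionable."""
    active = [u for u in users if not u.is_disabled]
    return {
        "admin_mfa_keys": [u.email for u in active
                           if (u.is_super_admin or u.is_delegated_admin) and not phishing_resistant(u)],
        "user_mfa_keys": [u.email for u in active if not phishing_resistant(u)],
        "password_policy": [u.email for u in active if not strong_password(u)],
        "less_secure_apps": [u.email for u in active if u.is_less_secure_apps_access_allowed],
    }


# Constructed sample tenant: one row in raw API shape, the rest built directly.
RAW_ROW = {"entity": {"userEmail": "alice@example.com"}, "parameters": [
    {"name": "accounts:is_super_admin", "boolValue": True},
    {"name": "accounts:is_2sv_enrolled", "boolValue": True},
    {"name": "accounts:is_2sv_enforced", "boolValue": True},
    {"name": "accounts:num_security_keys", "intValue": "2"},
    {"name": "accounts:password_strength", "stringValue": "STRONG"},
    {"name": "accounts:password_length_compliance", "stringValue": "COMPLIANT"},
    {"name": "accounts:is_less_secure_apps_access_allowed", "boolValue": False}]}
OK = dict(is_2sv_enrolled=True, is_2sv_enforced=True, num_security_keys=1)
SAMPLE_USERS = [
    user_from_report_row(RAW_ROW),
    User("bob@example.com", is_super_admin=True, **OK),
    User("carol@example.com", is_delegated_admin=True, is_2sv_enrolled=True, is_2sv_enforced=True),  # TOTP only
    User("dave@example.com", **OK),
    User("erin@example.com", password_strength="WEAK", **OK),
    User("frank@example.com", password_length_compliance="NOT_COMPLIANT", **OK),
    User("grace@example.com", is_less_secure_apps_access_allowed=True, **OK),
    User("heidi@example.com", **OK), User("ivan@example.com", **OK), User("judy@example.com", **OK),
    User("zed@example.com", is_disabled=True),  # suspended ex-employee, excluded from ratios
]

if __name__ == "__main__":
    r = run_checks(SAMPLE_USERS)
    print(r, score(r), offenders(SAMPLE_USERS))
```

On the sample tenant the admin check fails on a single delegated admin with TOTP only, the all-user check passes at exactly 90%, the password check fails at 80%, and one user with less-secure-apps access zeroes that check, for a score of 40. Two things a real scan should keep in mind: the usage report is not real time, so remediation takes a while to show up, and `is_less_secure_apps_access_allowed` covers only the Google setting, not app-specific passwords, which are a separate password-only path.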

60 Seconds to Know

1

Connect

Sign in with your identity provider. One click, read-only access, no config files or domain-wide delegation.

2

Scan

We run 5 checks derived from real threat intelligence: MFA (admins and all users), password policy, super admin count, and legacy password-only auth. Results in seconds.

3

Prove It

Get a "Phishing-Resistant Verified" badge. Embed it on your site. Share it with customers who ask about your security.

Currently supports Google Workspace. Okta support coming soon.

Simple Pricing

Find your gaps for free. Share your badge on Pro.

Free

Find your gaps

$0/mo

  • 5 security posture checks
  • Private results dashboard
  • Manual scans
Scan Free
Most Popular

Pro

Prove it publicly

$299/mo

  • Everything in Free
  • Phishing-Resistant badge
  • Shareable verification page
  • Continuous monitoring (weekly)
Get Your Badge

Enterprise

Full platform access

$999/mo

  • Everything in Pro
  • API access
  • Multiple workspaces
  • Team seats
Contact Sales

Can your team survive a credential attack?

Connect your identity provider. 60 seconds. Read-only access. Know for sure.

Find Out Now — Free

Currently supporting Google Workspace. Okta coming soon.