Reporting & KPIs
Reports
Read-only examples over sample projects, so you can see how SDOT reports look before you run them on your own. Every figure carries an explainer. Exporting, scheduling, and running over your own systems are Enterprise features.
Read-only exampleNHS Patient Portal
Health & Social Care · assessment opened 14 Apr 2026 · 11 weeks in
+ includesThe 49 canonical security outcomes, each counted once at its latest status.
− excludesEarlier-phase prep (discovery, journey) — it feeds the outcomes but is not counted here; N/A outcomes can be marked out.
benefitTells you in one figure how much of the security picture has actually been reached.
+ includesEvery item answered 'Get Help' that is still unresolved.
− excludesResolved Get-Helps (now answered) and items never opened.
benefitSurfaces the known-unknowns waiting on a person, so they get chased — not lost.
+ includesSeven evidenced dimensions — completeness, depth, timeliness, accountability, evidence, engagement, remediation.
− excludesThe portfolio-only 'coverage across systems' dimension (meaningless for one system) and any system with no activity.
benefitCaptures the quality of the work, not just whether boxes were ticked.
+ includesTracked deadlines and committed actions now past their date.
− excludesDeadlines renegotiated before they passed, and items with no deadline set.
benefitThe earliest signal that delivery is slipping — before it hardens into a gap.
+ includesClaims with no confirmed accountable owner.
− excludesItems referred onward (an owner is being found) and confirmed-owned items.
benefitPinpoints exactly where accountability is missing — the unmanaged risk.
What A single 0–100 score of how much of the security picture is still open or unowned (higher = worse).
How A weight-normalised blend of six gaps: coverage, open questions, maturity shortfall, residual risk, overdue actions and unowned items.
Why One number a board can track period on period — and drill into the systems driving it.
Good Trending down. Under 25 is strong; the breakdown tells you where to push next.
+ Includes Every component that has data — coverage, open questions, maturity, residual risk, overdue actions, unowned items.
− Excludes Any component with no data yet — excluded from the score (never scored zero), shown as 'not enough data'.
Benefit One number to govern by that always shows what it is built from — defensible to a board and a regulator.
Maturity matrix
What Outcome-based maturity across seven dimensions, 1–5, each backed by evidence.
How Existing captured data mapped to a 1–5 band per dimension, then averaged.
Why Shows where the system is strong versus thin, not just a single percentage.
Good Rising over time; 4+ across the board.
Gap Index over time
What Whether the portfolio's open gaps are being closed faster than new ones open.
How Gap Index at each period close, charted across the year.
Why The clearest single picture of whether the programme is winning.
Good A downward burndown — gaps closing faster than they appear.
Response time to delegated questions
Strengths & weaknesses by phase
Strengths
+ All special-category data classified with named risk owners
+ UK GDPR + Art-9 conditions recorded at declaration
Weaknesses
− Children's-data handling declared but its owner is unconfirmed
Benefit Confirm the children's-data owner and Phase 0 is airtight — every downstream ask then routes correctly.
Strengths
+ 13 of 14 areas confirmed by a named SME
+ Evidence attached to every access-control claim
Weaknesses
− Logging area left as Get-Help, now past its find-out-by date
Benefit Close the logging Get-Help and detection coverage becomes evidenced rather than assumed.
Strengths
+ Backup / restore tested and evidenced
Weaknesses
− No accountable owner for 3 operational areas
− Mean 6.2 days to respond — the project bottleneck
Benefit Staff the 3 operational areas and the project's biggest bottleneck clears — response velocity roughly doubles.
Strengths
+ Identity & Access raised 2 → 3 after access reviews
+ Monitoring outcomes assessed with evidence
Weaknesses
− 2 outcomes Get-Help with no find-out-by date
− Resilience outcome not yet assessed
Benefit Set deadlines on the 2 open outcomes and assess resilience to lift maturity from 3.1 toward 4.
Strengths
+ Accepted risks documented with rationale and a named approver
Weaknesses
− 1 accepted risk sits on a heavily-depended-on system — wide blast radius
Benefit Re-examine the high-blast accepted risk and the residual component — the largest single driver — drops fastest.
Scope — what this report counts and what it leaves out
+ Counts
+ All 49 canonical outcomes and every recorded response (latest per item)
+ Evidence, delegations and decisions attached to this system
+ Confirmed owners and the full accountability funnel
− Leaves out
− Archived systems and superseded answers (only the latest counts)
− Outcomes marked Not-applicable
− Components with no data yet — shown as 'not enough data', never scored 0
Flow
What Where work stalls, and how fast it is moving overall.
How Mean response time per phase (slowest = bottleneck) and items completed per week.
Why Tells you where to add people or chase, not just that things are slow.
Good No single phase dominating; steady velocity.
What How much of the system has a confirmed accountable owner.
How Confirmed-owner claims ÷ total, from the accountability funnel.
Why Coverage gaps here are exactly where accountability is missing.
Good 95%+; anything unowned is flagged for assignment.
Evidence trail
Enterprise
These examples are read-only. Book a demo to run reporting on your own data.