THE HARDENING BRIEF | Get Access To The Free Hardening Checklist
I have been running through the same mental checklist on every environment I look at.
LLMNR still on. No LAPS. Kerberoastable service accounts with weak passwords. Unconstrained delegation nobody remembers setting up. Legacy auth still alive in Entra because nobody wanted to break anything.
The same gaps show up over and over, across organisations of every size. Not because the admins are incompetent. Because there is no single place that tells you clearly what to check, what the risk actually is, and what to fix first.
So I built one.
What it covers
25 checks across five categories, each one weighted by real-world exploitability:
Network hardening covers the protocols attackers abuse from day one of any internal engagement. LLMNR, NBT-NS, mDNS, RDP certificate configuration, SMB signing.
Privilege hardening covers the access control gaps that turn a standard user compromise into domain admin. No LAPS, service accounts with DA rights, AdminSDHolder ACLs nobody has looked at.
Kerberos hardening covers the attack paths that show up in every BloodHound run. Kerberoastable SPNs, AS-REP roasting, unconstrained delegation, RC4 still enabled.
Entra ID and hybrid covers the gaps that matter if you have any cloud footprint at all. Legacy auth, PIM, the Entra Connect sync account that has more on-prem rights than it should.
Auditing and detection covers whether you would actually know if any of this was being exploited right now.
Each check is rated critical, high, or medium based on how frequently it shows up in real attacks, not theoretical severity scores.
How the scoring works
Critical items are weighted highest. You can have 20 of 25 boxes ticked and still score badly if the critical ones are open. That is intentional. A well-hardened environment does not just have quantity, it has the right things covered.
The grades:
85 and above: Well hardened
65 to 84: Moderate risk
40 to 64: High risk
Below 40: Critical exposure
Most environments I have seen land somewhere between 40 and 65 on the first pass. The gaps are almost always in the same places.
You are probably already thinking about two or three of these you have not checked recently.
Run the checklist free right now. No login required to start. Takes 3 minutes.
After you go through it you will have a score, a grade, and a clear picture of where your biggest exposure is. The critical items at the top of each section are where most real attacks start. If those are open, everything else is secondary.
A few things worth knowing before you start:
Some of these checks require you to actually verify rather than assume. "LAPS deployed" does not mean LAPS installed. It means local admin passwords are actually rotating on the machines that matter. "Legacy auth blocked" does not mean the policy exists. It means it is enforced and you have confirmed nothing is breaking it silently.
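One way to do that verification for LAPS, as an added example that is not part of the newsletter or its checklist: it reads only the expiration-time attributes and flags machines that have no LAPS attribute at all or whose rotation is overdue. It assumes the ActiveDirectory RSAT module and the standard attribute names ms-Mcs-AdmPwdExpirationTime (legacy LAPS) and msLAPS-PasswordExpirationTime (Windows LAPS).

```powershell
# Added example (not from The Hardening Brief): report whether LAPS is actually
# rotating rather than merely installed. Needs the ActiveDirectory RSAT module and
# read access to the expiration-time attributes; the passwords themselves are never read.
# Assumed attribute names: ms-Mcs-AdmPwdExpirationTime (legacy LAPS) and
# msLAPS-PasswordExpirationTime (Windows LAPS); both hold a FILETIME (100-ns ticks since 1601).
Import-Module ActiveDirectory

function Get-LapsRotationReport {
    param(
        # Objects with no logon inside this window are dormant and skipped rather than counted as LAPS gaps
        [int]$InactiveDays = 60,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # If only one LAPS flavour is in your schema, remove the other attribute name here
    $computers = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime', 'LastLogonDate', 'OperatingSystem'

    foreach ($c in $computers) {
        if ($c.LastLogonDate -and $c.LastLogonDate -lt $cutoff) { continue }

        $raw = $c.'msLAPS-PasswordExpirationTime'
        $flavor = 'WindowsLAPS'
        if (-not $raw) { $raw = $c.'ms-Mcs-AdmPwdExpirationTime'; $flavor = 'LegacyLAPS' }

        if (-not $raw) {
            $state = 'NoLAPS'; $expires = $null; $flavor = $null
        } else {
            $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
            # An expiration time in the past means the client has not rotated on schedule:
            # agent missing, policy not applying, or the machine cannot reach a writable DC.
            $state = if ($expires -lt (Get-Date).ToUniversalTime()) { 'Overdue' } else { 'Rotating' }
        }

        [pscustomobject]@{
            Name       = $c.Name
            OS         = $c.OperatingSystem
            LAPS       = $flavor
            ExpiresUtc = $expires
            State      = $state
        }
    }
}

# The two states that break the "LAPS deployed" claim are NoLAPS and Overdue.
Get-LapsRotationReport -InactiveDays 60 |
    Where-Object { $_.State -ne 'Rotating' } |
    Sort-Object State, Name |
    Format-Table -AutoSize
```

Run it from a host with the RSAT module; an empty result for the non-rotating states is what "LAPS deployed" should mean before you tick the box.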
The checks that feel uncomfortable to tick are usually the ones that matter most.
Score your environment now. Free. No login required to start.
If your score comes out below 65, the next three issues of The Hardening Brief will give you the exact fix for the most common gaps, one per week, copy-paste ready.
