Score your stack.
Select the statement that best describes your current infrastructure for each of the three CRC pillars. Your Minimum Surface Score tells you where you stand against the AI-era threat model.
Pillar 1 of 3

0 Uninspected: Multiple enterprise applications with integration boundaries that are unowned and uninventoried. Nobody is formally responsible for what happens at the API layer between systems.
1 Inventoried: Integration boundaries are documented and ownership is assigned. Data flows are mapped. The gaps are known, even if they are not yet defended.
2 Controlled: Boundaries are owned and monitored, and traffic is logged. All data flows produce observable records. API contracts are enforced and audited.
3 Consolidated: The majority of regulated workflow runs on a single governed platform. Integration boundaries between external systems are minimized, and each one is a conscious architectural decision.
4 Minimal: A single governed platform. Zero unowned boundaries. Every data flow produces an immutable, attributed audit record. There are no integration gaps to chain across.
Pillar 2 of 3

0 Uninspected: General-purpose OS with the full package universe. A shell is present and accessible in production. No inventory of running services. Default kernel with all subsystems active.
1 Inventoried: Running services are documented. Unnecessary services are identified and disabled. OS hardening is applied per a recognized benchmark (CIS, STIG). Shell access is restricted and logged.
2 Controlled: Containerized isolation. No package manager in production. Minimal base image. Shell access requires an explicit break-glass procedure with a full audit trail.
3 Reduced: Purpose-built OS image. No shell binary present in production. Read-only root filesystem. Signed boot chain. Only the components required to run the application are included.
4 Minimal: TPM-attested measured boot. Immutable filesystem. The application is the OS: the execution environment contains exactly the application and nothing else. Kernel surface is minimized to the required syscalls only.
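A file-level self-check for the execution-environment pillar above, added here as example code and not part of the scoring page: pointed at an unpacked image root, a mounted filesystem, or "/" on a host (sh surface_check.sh /path), it reports the shell-binary, package-manager and writable-root indicators that separate levels 0, 2 and 3. The binary paths it probes are assumptions to adjust for your base images; levels 1 and 4 rest on documentation and attestation that a file inspection cannot see.

```shell
#!/bin/sh
# Added example: file-level self-check for the execution-environment pillar.
# The probed binary paths are assumptions; adjust them for your base images.

# Print "present" if any shell binary exists under the given root.
shell_present() {
    root="$1"
    for sh_path in bin/sh bin/bash bin/ash bin/dash usr/bin/sh usr/bin/bash bin/busybox; do
        [ -e "$root/$sh_path" ] && { echo present; return 0; }
    done
    echo absent
}

# Print "present" if a package manager binary exists under the given root.
pkg_manager_present() {
    root="$1"
    for pm in usr/bin/apt usr/bin/apt-get usr/bin/dpkg usr/bin/yum usr/bin/dnf \
              usr/bin/rpm sbin/apk usr/bin/pip; do
        [ -e "$root/$pm" ] && { echo present; return 0; }
    done
    echo absent
}

# Print "readonly" if a probe file cannot be created at the root.
root_readonly() {
    probe="$1/.surface-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo writable
    else
        echo readonly
    fi
}

# Map the indicators to the highest rubric level they can support.
# Levels 1 (documentation, hardening benchmark) and 4 (measured boot,
# syscall minimization) are not visible to a file inspection, so this
# reports only 0, 2 or 3, and a 3 here is still a partial claim.
os_pillar_level() {
    root="$1"
    if [ "$(shell_present "$root")" = absent ] && [ "$(root_readonly "$root")" = readonly ]; then
        echo 3
    elif [ "$(pkg_manager_present "$root")" = absent ]; then
        echo 2
    else
        echo 0
    fi
}
```

Run it against every image that reaches production, not only the base image, since a build stage that installs a debugging shell late will move the result back to level 0.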
Pillar 3 of 3

0 Uninspected: Public-facing services, unrestricted egress, ports open by default. No formal network inventory. External parties can reach production systems without explicit authorization.
1 Inventoried: Firewall rules are documented. Egress is filtered by category. All open ports are intentional and documented. Network topology is mapped and owned.
2 Controlled: Ingress is restricted to known, authenticated sources. Egress is allow-listed by specific endpoint. Zero-trust network access is enforced. All connections are logged.
3 Closed: Circular topology: nodes communicate only with other known, authenticated nodes in the governed network. Mutual TLS between all peers. No public-facing service endpoints.
4 Minimal: A single auditable egress point. Every network crossing is logged as a first-class audit event. Certificate-pinned external endpoints only. There is no surface to fingerprint, probe, or chain across.
General Reasoning, Inc. · Birmingham, Alabama · MIT License · 2026
Enterprise inquiries: inquiries@genreason.com