The MSAT User Guide contains the following introduction:
"This Microsoft® Security Assessment Tool (MSAT) is designed to help you identify and address security risks in your computing environment. The tool employs a holistic approach to measuring security strategy by covering topics that encompass people, processes, and technology. Findings are coupled with recommended mitigation efforts, including links to more information for additional guidance if needed. These resources can help you learn more about the specific tools and methods that can help increase the security of your environment.
The assessment is made up of 172 questions, broken down into three categories:
• Company Information (not identifiable): 6
• Business Risk Profile: 53
• Defense-in-Depth Assessment: 113
Based on how you answer some questions in the Business Risk Profile and the Defense-in-Depth Assessment, other questions may not appear. This is intentional and part of the methodology required to provide you with the most accurate assessment."