Think of your Capability Score as a fitness tracker for your cybersecurity brain. It doesn't care how many rooms you smashed six months ago - it cares about what you can do right now. And just like real fitness, skip too many sessions and it starts to notice.
It's a single number, ranging from 1 to 100, that reflects your current learning capability on TryHackMe. Not what you knew last year. Not what you crammed in a caffeine-fuelled weekend. What you can do today. And yes - it can go down. We'll get to that (cue ominous music).
The Big Picture: Baseline + Adjustments
At its core, the score follows a simple formula:
Your Score = Baseline + Weighted Adjustments
Your Baseline is where most of your score comes from - think of it as the platform's best guess at your experience level, based on the rooms you've completed across different difficulty tiers. The adjustments then nudge you up or down depending on how well-rounded and active you've been.
Let's break that down.
Step 1: Your Baseline (a.k.a. "Where the Algorithm Places You on the Hacker Leaderboard of Life")
The Baseline is a value determined by how many rooms you've completed across various difficulty levels. The system looks at your room completions and checks whether you've hit certain thresholds for each difficulty segment.
So if you've smashed through a healthy mix of intermediate and advanced rooms, you'll land in a much higher bracket than someone still living exclusively in the beginner content.
The more challenging content you've conquered - and the more of it - the higher your baseline bracket:
Score Range | Level |
0β19 | Security Enthusiast |
20β34 | Security Student |
35β59 | Junior Security Professional |
60β90 | Mid-level Security Professional |
90+ | Senior Security Professional |
A Security Enthusiast is someone just getting started in cyber security. A Senior Security Professional has deep expertise and can operate across domains - the kind of person who leads engagements and designs solutions at a systems level. Most active learners will find themselves somewhere in between, and the score is designed to nudge you upward as you push into harder rooms and broaden your skills.
Only active, public rooms count toward your score - so retired content won't carry you forever. As new rooms are released and old ones are removed, keeping your baseline means staying current.
Step 2: The Four Pillars
On top of your baseline, the score looks at a few key signals to nudge your number up or down. Here's what matters:
Consistency - Show up and stack progress daily. This tracks how regularly you engage with the platform. Steady, weekly learning habits push this up. Long gaps or binge-and-ghost patterns drag it down. Think of it as your learning heartbeat - the more regular, the healthier your score.
Relevance - Skills that match real-world security. The threat landscape doesn't stand still, and neither should your learning. This component measures whether you're keeping up with fresh threats, emerging attack techniques, and state-of-the-art concepts. Completing content that reflects what's actually happening in the industry right now carries more weight than sticking exclusively to legacy material.
Versatility - Strength across multiple security roles. The best security professionals rarely operate in a single lane - a pentester who understands defensive monitoring is more dangerous, and a SOC analyst who thinks like an attacker spots threats faster. Real-world incidents don't respect neat role boundaries, so this component rewards you for building skills across domains like Penetration Testing, Security Operations, and Security Engineering. Stick to just one and it stalls. Branch out and you become not just a better learner, but a more employable professional.
Depth - Your strongest area of expertise. While Versatility rewards breadth, Depth rewards focus. This component reflects how far you've gone in your best specialism - how much advanced content you've completed in the role where you're strongest. It's the difference between knowing a bit of everything and being genuinely formidable at something.
Each component has its own visible trend, so you'll always know exactly what's going up, what's going down, and what to do about it.
Decay (The Score's Way of Saying "We Miss You")
Here's the part nobody wants to hear: your score can go down.
Decay happens in two ways:
Activity decay: Stop logging in and your Consistency component starts slipping. Every day you're not making progress on the platform chips away at your score over a rolling 365-day window. Think of it as your score gently tapping you on the shoulder going, "Hey, remember me?"
Baseline decay: This is the slower, heavier hit. If older rooms get retired and you haven't been completing new content at your difficulty level, you might actually drop down an experience bracket -taking your baseline with it. This is the score equivalent of a career wake-up call.
The good news? Decay isn't designed to be punishing. It kicks in after a few days of inactivity (not immediately - this isn't Streak v2), and returning to the platform with meaningful activity starts reversing the trend straight away.
When Does Your Score Update?
Your score doesn't recalculate on every single action. Instead, it updates:
When you complete a room and your score hasn't been recalculated in the last few days (or you don't have a score yet)
Automatically every few days to keep things fresh - picking up both progress and any decay without reacting to every single session
This keeps things accurate without making every room completion feel like a math exam.
TL;DR
Your Capability Score is a living, breathing number that reflects your real, current cybersecurity capability - not just a trophy shelf of past achievements. It rewards you for tackling hard problems, staying consistent, keeping up with the latest threats, and building a broad skill set. And it gently nudges you when you've been away too long.
One number for orientation. Four components for understanding. Zero excuses for not logging in this week.
Now go complete a room. Your score is watching.
TryHackMe