The user who scored 12 out of 100

How someone gets there

I want to be clear about something. A score of 12 doesn't happen overnight. It's not one bad decision or one compromised app. It's usually a combination of older decisions stacked on top of newer exposures, plus the simple fact that most people don't think about device security until something feels wrong.

This user had inherited a phone from a family member, never reset it properly, installed apps without reading permissions, and reused passwords across multiple accounts. One of those accounts had been in a breach she didn't know about. Another app she'd downloaded was flagged by our stalkerware detector.

When she first opened ARK, she saw that score. 12 out of 100. Red. The breakdown showed her exactly why: her password had been exposed in a known breach; her permissions were too generous; her device had traces of monitoring software. She didn't email us angry. She asked a straightforward question: "Can you help me fix this?"

The one-tap promise we weren't keeping

ARK has always been built around one core idea: show you what's wrong, then let you fix it in one tap. We call them remediation deep-links. Tap the issue, the app opens to the exact screen where you can change a permission or update a password or revoke access.

The problem was that when someone had a score of 12, one tap wasn't enough. The cascading issues meant they needed to understand what to do in sequence. Changing app permissions without understanding breach exposure felt useless. Revoking data access without knowing what data was already exposed felt hollow.

We watched this user go through the motions. She tapped through our suggestions. Some worked immediately. Others required her to navigate settings screens we couldn't deep-link to. She got frustrated. The score moved from 12 to 28, then stalled.

That's when we realised our feature was incomplete.

Building the action breakdown

Over the next two months, we rethought how ARK presents security issues to someone in crisis mode.

Instead of treating each issue as independent, we grouped them by impact and urgency. Breach exposure at the top. Active device threats second. Permissions and privacy leaks third. We wrote clearer explanations for each category, not jargon, but actual English explaining what the risk meant and why it mattered.

But the real change was something simpler: we added a prioritised action list. Not "fix these ten things in any order," but "do these three things first, then these others." For the Glasgow user, that meant addressing the breach exposure before she bothered with permissions. It meant checking for stalkerware before she worried about Wi-Fi security.

When we sent her the update, she came back within a week. Her score had moved to 67. Not perfect, but comprehensible. The actions were clear. She understood the sequence.

Why 12 matters more than 95

Here's what we learned: users who score 95 out of 100 don't need much from us. They're already security-conscious. Users who score 12 are the ones who need the most help, and they're also the ones most likely to give up if the path forward isn't obvious.

That's why we added the Shield tier. For users like the one in Glasgow, the free version showed her what was wrong. Shield showed her how to fix it across the whole picture. Dark-web monitoring meant she could track whether her exposed data was being used. The phishing scanner protected her from follow-up attacks. The password health check ensured her new credentials were actually strong.

We also built the Fortress tier with people like her in mind later. GDPR Autopilot, for instance, lets someone automatically request deletion from data brokers. She didn't have to understand GDPR regulations or write letters to companies. One button, and the system worked for her.

The stalkerware detector, though. That one stayed free for everyone. That feature alone has probably mattered more to certain users than everything else combined.

What a 12 taught us about design

We used to think about ARK in terms of informed users making deliberate choices. Tap a recommendation, understand the trade-off, decide. But a score of 12 suggests someone who's overwhelmed and needs direction, not options.

It also taught us that privacy and security are not abstract concepts. They're attached to real moments. That user's device held her photos, her banking app, her work email, her kids' school app. The breach check wasn't about a statistic; it was about whether her passwords were compromised. The stalkerware detector wasn't paranoia; something genuinely concerning had been found.

So when we design new features, we ask ourselves: would this help someone recover from a crisis? Or just reinforce good habits for someone already doing well? Both matter, but the former matters more.

Where that user is now

She's on Fortress now. Her score is 78. She runs the dark-web monitor regularly. She's updated her passwords using advice from the health check. The monitoring has caught two phishing attempts already, both flagged before she clicked.

She also started using ARK to check her family's devices. Her kids' permissions are audited quarterly. Her partner's breach history is monitored. That's not something we designed for originally, but it's how the app is being used now.

One message came through last month: "Thank you for making something I could actually understand." That's the metric we care about most.