Run a Free External Security Score.
See what attackers, insurers, and auditors may already see from the outside.
EFROS Security Score checks public, read-only signals such as domain configuration, DNS posture, email authentication, TLS, security headers, and external exposure indicators. A full assessment requires authorization and client approval.
Free · 60 seconds · Read-only external scan · No passwords · No agents · No network access. EFROS does not request passwords or sensitive credentials through public website forms.
Sample dashboard shown. Live scan delivers your actual category scores and a downloadable premium PDF report.
Six categories. One score each.
Every finding is anchored to a specific evidence ID and a SHA-256 hash of the recorded artifact. The reproduction steps in your report can be re-run independently from those artifacts at any time.
Domain security
DNSSEC chain of trust, CAA records, nameserver health, registrar visibility.
Email authentication
SPF, DKIM, DMARC policy strength, MTA-STS enforcement, TLS-RPT reporting, BIMI maturity.
TLS configuration
Certificate validity and chain, HTTPS enforcement, modern cipher posture, certificate-transparency review.
Web security headers
HSTS preload status, Content-Security-Policy strictness, X-Frame-Options, cookie flags across live subdomains.
Public subdomain exposure
Subdomain enumeration via certificate-transparency logs, exposed admin or staging surfaces, dangling CNAMEs.
External reputation
CDN / WAF detection, multi-blocklist reputation (Spamhaus, Barracuda, SpamCop), apex-IP posture.
Brand protection
Lookalike-domain detection across homoglyph, omission, transposition, and TLD-swap families.
Compliance signals
security.txt presence, privacy/cookie/terms reachability, consent-management SDK detection, GDPR/CCPA expectations.
What the free scan does not cover.
Deeper checks require credentialed access, written authorization, and explicit client approval. They are part of a paid engagement and never run as part of the free scan.
Microsoft 365 posture
Conditional Access, Defender XDR alert tuning, audit log retention, DLP, Purview, Intune compliance gating.
Endpoint protection readiness
EDR coverage, ASR rules, Intune posture, real-time isolation runbooks, forensic readiness.
Backup and disaster recovery
3-2-1-1-0 verification, immutable repository configuration, restore-test cadence, RTO/RPO documented per tier.
Dark web exposure review
Credential leak monitoring, breach database correlation against company domains and executive identities.
Compliance readiness
CMMC, SOC 2, HIPAA, PCI, FFIEC mapped against actual controls, evidence pipeline, gap remediation roadmap.
Incident response readiness
IR playbook walkthrough, named contacts, tabletop exercise, retainer scope, regulatory notification clocks.
User access & identity risk
Privileged access governance, MFA coverage, conditional access policy review, dormant admin discovery.
This external scan uses public, read-only signals. A full assessment requires authorized access and client approval.
External posture is read by people you can't see.
Attackers, insurance carriers, procurement reviewers, and auditors all rely on signals visible from the open internet. Where the signals are weak, the cost shows up in incidents, renewal premiums, and lost deals.
Phishing and email spoofing
Weak SPF/DKIM/DMARC lets attackers send mail that looks like yours. Your domain becomes the attack tool.
Domain impersonation
Lookalike domains harvest credentials, redirect payments, and damage brand trust. Detection is half the defence.
Weak TLS posture
Expired certificates, weak ciphers, missing HSTS — entry points for downgrade and man-in-the-middle attacks.
Exposed subdomains
Forgotten staging, admin panels, and dangling DNS records are routine sources of low-effort compromise.
Cyber-insurance readiness
Carriers increasingly require demonstrable controls before binding or renewing. The signals you fail are visible from the outside.
Incident readiness signal
External posture is a proxy for internal discipline. Auditors and procurement reviewers read it that way.
Dual-layer PDF.
Letter format.
Watermarked.
Executive layer designed for five-minute board review. Technical layer with every finding in strict format — evidence hash chain, MITRE ATT&CK mapping where applicable, reproduction steps, references.
Or go straight to the scanner →
- Per-category score (0–100) for DNS, email, web, brand, infrastructure, and compliance
- Executive summary written for board-level readers
- Top three remediations ordered by severity and effort
- Findings register with cryptographic evidence hashes
- Dual-layer PDF report (Executive layer + Technical layer)
- 30-day signed access URL — confidential, watermarked to your name
The result is a dashboard, not a marketing PDF.
Six per-category scores, an overall posture grade, and a prioritised remediation list. A sample remediation is shown below, drawn from an anonymized engagement.
Recommended: move to p=quarantine within 14 days after a 30-day aggregate-report review, then to p=reject. Owner: IT lead. Effort: 2 hours.
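As an added example (not EFROS code or report output), the check below parses a DMARC TXT record, rates policy strength, and names the next hardening step along the p=none → p=quarantine → p=reject path used in the sample remediation above. The record strings and the reporting mailbox address are constructed for illustration.

```python
# Added illustration, not EFROS tooling: rate a DMARC policy and name the next step.

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; reject malformed records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":          # RFC 7489: value must match exactly
        raise ValueError("record is not a DMARC record (v=DMARC1 missing)")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def assess_dmarc(txt: str) -> dict:
    """Return policy strength (0-100), effective settings and the next hardening step."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))                   # pct defaults to 100
    has_rua = "rua" in tags                             # aggregate reporting
    score = {"none": 20, "quarantine": 60, "reject": 100}.get(policy, 0)
    if policy != "none" and pct < 100:
        score -= 20   # partial enforcement still lets some spoofed mail through
    if policy != "none" and subdomain_policy == "none":
        score -= 10   # subdomains remain spoofable
    if not has_rua:
        score -= 10   # no visibility into who is failing before tightening
    score = max(score, 0)
    if policy == "none":
        step = ("add rua= aggregate reporting first" if not has_rua else
                "review 30 days of aggregate reports, then move to p=quarantine")
    elif pct < 100:
        step = "raise pct to 100 so the policy applies to all mail"
    elif policy == "quarantine":
        step = "move to p=reject once aggregate reports show no legitimate mail failing"
    elif subdomain_policy != "reject":
        step = "set sp=reject so subdomains are covered"
    else:
        step = "enforced; keep monitoring aggregate reports"
    return {"policy": policy, "pct": pct, "rua": has_rua,
            "score": score, "next_step": step}
```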
Questions executives ask.
Is the scan safe?
Yes. The scan is external and read-only. EFROS queries public signals only — DNS records, public TLS responses, public well-known files, certificate-transparency logs, public DNSBL reputation. No authenticated systems are touched, no traffic is generated against private endpoints.
Do you need passwords?
No. No passwords are requested at any point. EFROS does not collect credentials through public website forms, and the free scan does not authenticate against any system.
Do you scan inside my network?
No. No agent is installed. No internal network access is performed. No traffic enters your perimeter. The scan operates entirely on public-internet data.
What data do you collect?
The domain you submit, the public signals observed by the scan, and the contact information you choose to provide when you request the PDF report. Submission data is retained per the privacy policy. The premium report is signed for 30 days then expires.
What happens after I submit my domain?
The scan runs in roughly 60 seconds. You see a sample preview immediately. To receive the full premium PDF, you provide your name and work email; the PDF arrives by email with a signed access link.
Is this a vulnerability scan?
No. The Security Score is an external posture assessment — it identifies misconfigurations and weak signals visible to the public internet. A true vulnerability assessment requires authorized internal access and is part of a paid engagement.
What requires authorization?
Microsoft 365 posture, endpoint protection readiness, backup and disaster recovery, dark web exposure review, compliance readiness mapping, incident response readiness, and user-access/identity-risk review. These are part of a full assessment, executed only with written client approval.
Can I share the PDF with my board?
Yes. The report is structured as a dual-layer document — an Executive layer aimed at non-technical decision-makers and a Technical layer for IT, security, audit, and peer-review readers. Each distribution copy is watermarked.
Is there any obligation?
None. The assessment is free and includes no sales follow-up unless you request a 20-minute call.
This assessment is for informational purposes only and does not represent a complete cybersecurity audit. A full audit requires authorized review of systems, configurations, policies, and controls. EFROS does not request passwords or sensitive credentials through public website forms. The absence of a finding is not proof that a vulnerability does not exist. Further validation requires written authorization.
Start with your domain.
Free. 60 seconds. No signup to start.