Resource · Sample Security Score report
What the free Security Score actually delivers.
Most "free scans" are sales funnels with a TLS check bolted on. Ours isn't. You get an executive summary, every finding documented with the underlying evidence, and a remediation list ranked by what to fix first. Here is the actual report we send back, anonymized.
Step 1 · Enter your domain
One field. No password. No login. The scan starts inside your browser and queries only public data sources.
Step 2 · Receive the report
A composed report lands in your inbox: executive summary, findings by severity, evidence, and the recommended next step per finding.
Step 3 · Decide
Fix in-house, hand to your existing IT vendor, or book a 30-minute call to map findings to a service tier. No sales pressure either way.
What the scan actually checks.
Every check is a passive query against public records — DNS, certificate transparency logs, mail-authentication TXT records, HTTP response headers, published reputation feeds. We never log into anything you own and we never run intrusive tests.
DNS & domain hygiene
- DNSSEC enabled
- WHOIS / registrar lock
- Authoritative nameserver health
- Suspicious lookalike domains in our typosquat watchlist
Email authentication
- SPF (presence, syntax, ~all/-all hardness)
- DKIM (signing on the primary mail vendor)
- DMARC (policy, alignment, percent rollout, reporting URIs)
- BIMI + MTA-STS + TLS-RPT support
Web TLS / certificate hygiene
- Certificate validity, chain, OCSP / stapling
- Supported TLS versions (TLS 1.2 + 1.3 only)
- Cipher suite hardness
- HSTS + preload status
HTTP security headers
- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options / frame-ancestors
- Referrer-Policy, Permissions-Policy, X-Content-Type-Options
Cookie posture
- Secure flag
- HttpOnly flag
- SameSite attribute
- Cross-site request behaviour
Surface enumeration
- Subdomain discovery (passive sources only)
- Certificate-transparency cross-reference
- Open ports on canonical hosts
- Common admin endpoints exposed to the public internet
Reputation
- Domain on public threat intelligence blocklists
- IP-range reputation
- Known phishing campaigns referencing the domain
- Open-source breach corpora hits
Sample findings from a real scan.
These four findings are representative — anonymized from a real mid-market engagement. Every finding in the live report includes the underlying evidence (DNS record, header value, certificate fingerprint) so your team can verify.
CRITICAL · DMARC policy is `p=none`
Your domain advertises DMARC monitoring but does not reject failures. External attackers can spoof your domain in phishing attacks against your customers and partners. Recommended next action: move to `p=quarantine` after a 30-day reporting window, then to `p=reject`.
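How this finding (and the SPF hardness check listed under Email authentication) can be graded from a published TXT record, as an added example that is not the scanner's own code. It evaluates constructed records offline with no DNS lookups; the report only says that `p=none` is CRITICAL, so the grades for `p=quarantine`, partial `pct` and a missing `rua` URI are assumptions.

```python
# Added illustration, not the vendor's scanner. Records below are constructed
# and graded offline; nothing is looked up in DNS.
import re

def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record):
    """Return (severity, note). p=none is CRITICAL as in the report; the grades
    for quarantine, partial pct and a missing rua URI are assumptions."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return "CRITICAL", "no DMARC record published"
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "CRITICAL", "p=none: monitoring only, spoofed mail is not rejected"
    notes = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= URI: aggregate reports are not being collected")
    if policy == "quarantine":
        return "MEDIUM", "p=quarantine; " + ("; ".join(notes) or "next step is p=reject")
    return ("LOW" if notes else "OK"), "p=reject" + ("; " + "; ".join(notes) if notes else "")

def grade_spf(record):
    """Grade the 'all' qualifier: -all hard fail, ~all soft fail, ?all/+all open."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return "HIGH", "no SPF record published"
    match = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", record.strip().lower())
    if not match:
        return "HIGH", "SPF has no 'all' mechanism, so unlisted senders are unconstrained"
    qualifier = match.group(1) or "+"   # no qualifier means '+' (pass)
    return {"-": ("OK", "-all: unlisted senders hard-fail"),
            "~": ("MEDIUM", "~all: unlisted senders only soft-fail"),
            "?": ("HIGH", "?all: neutral, SPF offers no protection"),
            "+": ("HIGH", "+all: every sender passes SPF")}[qualifier]

if __name__ == "__main__":
    # Constructed records mirroring the sample finding above.
    print("DMARC", *grade_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print("SPF  ", *grade_spf("v=spf1 include:_spf.example.net ~all"))
```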
HIGH · Web TLS allows TLS 1.0 / 1.1
Legacy TLS versions are deprecated and undermine PCI-DSS / SOC 2 evidence. Recommended next action: update server / CDN configuration to a TLS 1.2 minimum, ideally TLS 1.3. PCI-DSS requires this, and most cyber-insurance questionnaires now ask for it.
MEDIUM · Missing Content-Security-Policy header
Your primary domain serves no CSP header. This means in-page script-injection attacks have no browser-level mitigation. Recommended next action: add a `Content-Security-Policy` header in report-only mode, observe for two weeks, then enforce.
LOW · Subdomain enumeration found 14 candidates
Public certificate transparency logs reveal 14 hostnames under your domain. None are flagged as actively vulnerable in this scan, but a quarterly review of which subdomains are still in service is recommended.
What the scan does NOT do.
- ✗ No password required. No login required. No agent installed.
- ✗ No internal network access. No inbound connections to your environment.
- ✗ No active or intrusive testing. No exploitation of any vulnerability.
- ✗ No persistent tracking. We do not enroll the scanned domain in any drip campaign.
- ✓ Read-only external public-data checks only.
Scan my domain · Free · 60 seconds · Read-only public DNS, mail, and TLS data. We never touch your network.