Methodology · Public · Read-only

How the Security Score works.

The EFROS Free Security Score is a passive external assessment of your domain's public risk posture. It runs against publicly resolvable signals — DNS, email authentication, HTTPS configuration, brand exposure, infrastructure reputation, and compliance readiness. No authentication. No agents. No network access into your environment. About sixty seconds end-to-end.

Mode: Passive · Read-only · External
Authorization: Public signals only · No login required
Duration: ~60 seconds · Email-gated full report

What the scan checks.

Domain & DNS

  • Domain registrar and registration metadata (public RDAP/WHOIS)
  • Authoritative nameserver configuration
  • DNSSEC presence and chain integrity
  • Certification Authority Authorization (CAA) records
  • DNS record hygiene (CNAME loops, dangling references)

Email Authentication

  • Sender Policy Framework (SPF) — record syntax, lookup count, policy alignment
  • DomainKeys Identified Mail (DKIM) — selector presence and key strength
  • Domain-based Message Authentication (DMARC) — policy strictness and reporting alignment
  • MTA Strict Transport Security (MTA-STS) — TXT and policy file presence
  • SMTP TLS Reporting (TLS-RPT) — reporting endpoint configuration
  • BIMI record presence (signal of email-program maturity)
  • DANE TLSA records for inbound SMTP (where present)

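The SPF and DMARC checks above can be reproduced offline once the TXT records are in hand. The following is an added illustration, not EFROS's own scanner: it parses an SPF record for the 'all' qualifier and the count of lookup-causing terms (RFC 7208 limits these to 10), and a DMARC record for policy strictness, pct coverage and aggregate-reporting address. The sample records are constructed, not taken from any real domain.

```python
"""Offline checks on SPF and DMARC TXT records of the kind a passive scan reads from DNS.
Added illustration, not EFROS code; the SAMPLES dict holds constructed records."""

# SPF terms that each cost one DNS lookup toward the limit of 10 (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def analyze_spf(record: str) -> dict:
    """Return syntax validity, DNS lookup count, the 'all' qualifier and a list of issues."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None,
                "issues": ["record does not start with v=spf1"]}
    lookups, all_qualifier, issues = 0, None, []
    for term in terms[1:]:
        qualifier, body = "+", term
        if body[0] in "+-~?":                 # explicit qualifier; the default is '+'
            qualifier, body = body[0], body[1:]
        # The mechanism name precedes ':' (include:), '=' (redirect=) or '/' (a/24).
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                issues.append("ptr mechanism is deprecated and slow to evaluate")
    if all_qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        issues.append(f"'{all_qualifier}all' lets any sender pass or go neutral")
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "issues": issues}


def analyze_dmarc(record: str) -> dict:
    """Return the DMARC policy, pct coverage, rua address and a list of issues."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "policy": None, "pct": None, "rua": None,
                "issues": ["record does not start with v=DMARC1"]}
    policy, issues = tags.get("p"), []
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= tag missing or invalid")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to reveal alignment failures")
    return {"valid": True, "policy": policy, "pct": pct, "rua": tags.get("rua"), "issues": issues}


# Constructed sample records for illustration (not real domains' records).
SAMPLES = {
    "spf_ok": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx a ~all",
    "spf_too_many": "v=spf1 " + " ".join(f"include:s{i}.example.org" for i in range(11)) + " -all",
    "dmarc_ok": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "dmarc_weak": "v=DMARC1; p=none; pct=50",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = analyze_spf(record) if name.startswith("spf") else analyze_dmarc(record)
        print(name, result)
```

The lookup count is the check most often missed by hand: each include, a, mx, ptr, exists and redirect term costs one lookup whether or not it matches, and a record over 10 returns permerror, which most receivers treat as no SPF at all.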
Web & HTTPS

  • HTTP Strict Transport Security (HSTS) — max-age, includeSubDomains, preload
  • Content Security Policy (CSP) — directive coverage and unsafe-inline use
  • X-Frame-Options / frame-ancestors — clickjacking protection
  • X-Content-Type-Options — MIME-sniffing protection
  • Referrer-Policy — referrer leakage control
  • Permissions-Policy — sensitive feature gating
  • Cookie flag hygiene (Secure, HttpOnly, SameSite) where observable
  • TLS version, cipher suite, certificate chain, OCSP stapling
  • Server / X-Powered-By header tech-stack disclosure

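Most of the Web & HTTPS items are header checks that need no state beyond one response. The following is an added example, not EFROS code: it parses an HSTS value into max-age, includeSubDomains and preload, decides whether a CSP leaves inline script unrestricted (script-src, falling back to default-src), and reports findings for the remaining headers. The header sets are constructed; the severities follow the examples given in the severity-level definitions on this page where they state one (HSTS missing is High, X-Content-Type-Options missing is Medium, a version-disclosing Server header is Low) and are assumptions elsewhere.

```python
"""Header hygiene checks over one hostname's HTTP response headers.
Added illustration, not EFROS code; the header sets below are constructed."""
import re
from typing import Optional

ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age for preload eligibility


def parse_hsts(value: Optional[str]) -> dict:
    """Split a Strict-Transport-Security value into its three directives."""
    result = {"present": value is not None, "max_age": None,
              "include_subdomains": False, "preload": False}
    if value is None:
        return result
    for directive in value.split(";"):
        name, _, param = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and param.strip().isdigit():
            result["max_age"] = int(param.strip())
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def csp_allows_inline_script(csp: Optional[str]) -> bool:
    """True when script-src (or default-src as its fallback) permits 'unsafe-inline'
    or when no CSP governs script at all."""
    if csp is None:
        return True
    directives = {}
    for d in csp.split(";"):
        parts = d.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    if "script-src" not in directives and "default-src" not in directives:
        return True
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def check_headers(headers: dict) -> list:
    """Return (severity, message) findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security"))
    if not hsts["present"]:
        findings.append(("high", "HSTS missing"))
    else:
        if hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
            findings.append(("medium", "HSTS max-age below one year"))  # assumed severity
        if not hsts["include_subdomains"]:
            findings.append(("low", "HSTS lacks includeSubDomains"))    # assumed severity
    if csp_allows_inline_script(csp):
        findings.append(("medium", "CSP missing or permits inline script"))  # assumed severity
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options missing"))
    if "x-frame-options" not in h and "frame-ancestors" not in (csp or "").lower():
        findings.append(("medium", "no clickjacking protection"))       # assumed severity
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d", h[name]):
            findings.append(("low", f"{name} header discloses a version: {h[name]}"))
    return findings


# Constructed header sets: one weak, one hardened.
WEAK = {"Server": "nginx/1.18.0",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff",
            "Server": "nginx"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_headers(hdrs))
```

Note that frame-ancestors in the CSP satisfies the clickjacking check on its own, so a site that has migrated off X-Frame-Options is not penalised twice.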
Brand & Domain Exposure

  • Typosquat and homoglyph candidate variants (dnstwist algorithm)
  • Subdomain enumeration from passive sources (Certificate Transparency)
  • BIMI logo presence as a brand-trust indicator
  • Public Certificate Transparency log volume and issuance pattern

Infrastructure Reputation

  • DNS-based blocklist (DNSBL) status across major reputation feeds
  • Content Delivery Network and Web Application Firewall fingerprinting
  • Hosting provider identification (autonomous system / ASN)
  • Mail server reputation signals

Compliance Readiness Signals

  • /.well-known/security.txt presence and policy compliance (RFC 9116)
  • Privacy policy, cookie policy, and terms of service reachability
  • Cookie consent platform fingerprint (where present)
  • GDPR / CCPA contact and process signals

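The security.txt item above is the one compliance signal with a precise specification to check against, so here is an added example of what "policy compliance (RFC 9116)" can mean in code. This is not EFROS code: it parses a fetched file body, requires at least one Contact URI and exactly one Expires value, and flags an expired file or one valid for more than a year. The file bodies and the fixed clock are constructed for reproducibility.

```python
"""RFC 9116 security.txt checks over an already-fetched file body.
Added illustration, not EFROS code; sample files and NOW are constructed."""
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def check_security_txt(text: str, now: datetime) -> dict:
    """Return the parsed fields (lower-cased name -> list of values) and a list of issues."""
    fields, issues = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep:
            issues.append(f"line {lineno} is not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    if "contact" not in fields:
        issues.append("Contact is required")
    else:
        for uri in fields["contact"]:
            if not uri.startswith(CONTACT_SCHEMES):
                issues.append(f"Contact is not a mailto:, tel: or https: URI: {uri}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            issues.append("Expires is not an ISO 8601 date-time")
        else:
            if when.tzinfo is None:
                issues.append("Expires lacks a time zone")
            elif when <= now:
                issues.append("security.txt has expired")
            elif when > now + timedelta(days=365):
                issues.append("Expires is more than a year away; RFC 9116 recommends less")
    return {"fields": fields, "issues": issues}


# Constructed sample files and a fixed clock so results are reproducible.
GOOD = """# constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2025-06-30T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""
STALE = """Contact: security@example.com
Expires: 2023-01-01T00:00:00Z
"""
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("stale", STALE)):
        print(label, check_security_txt(body, NOW)["issues"])
```

An expired file is a common silent failure: the file was published once and the Expires date was never refreshed, so a reporter following RFC 9116 should treat the contact details as stale.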
What the scan does not check.

Anything that requires authentication, an agent, or internal network access is out of scope for the free passive assessment. These items are covered by the paid Cybersecurity Assessment or the ongoing managed engagement:

  • Microsoft 365 tenant configuration (requires authenticated access)
  • Conditional Access policies and Identity Protection state
  • Endpoint security posture, EDR coverage, patch level
  • Active Directory / Entra ID configuration
  • Internal network architecture, firewall rules, segmentation
  • Backup configuration, immutability, restore validation
  • User mailbox contents, calendar items, OneDrive / SharePoint data
  • Workstation / server / mobile device inventory and configuration
  • File systems, shared drives, application databases
  • Stored passwords, secrets, API keys, certificates
  • Cloud accounts (AWS, Azure, GCP) and their IAM posture
  • Custom application code, source repositories, CI/CD pipelines
  • Vulnerability exploitation, penetration testing, or any active probing

How scoring works.

Each category is scored on a 0–100 scale. Per-category scores are weighted and combined into an overall score and letter grade. Severity-weighted findings within a category drive its individual score. The weighting reflects how attackers actually prioritize reconnaissance against operational businesses.

Grade   Score    Meaning
A+      95–100   Strong external posture. Most public-signal hygiene controls implemented correctly.
A       85–94    Solid posture with minor gaps. Common configuration weaknesses present but no fundamental misconfigurations.
B       70–84    Moderate posture. Several visible weaknesses. Useful exposure surface for an attacker doing reconnaissance.
C       55–69    Below baseline. Material misconfigurations across multiple categories.
D       40–54    Weak posture. Critical signals missing or misconfigured. Visible to opportunistic attackers.
F       0–39     Severe baseline issues across categories. Immediate remediation work indicated.

Finding severity levels.

Critical
An exploitable condition or absence of a fundamental control that a casual attacker can leverage. Examples: open SMTP relay, expired TLS certificate, DMARC absent on a domain that sends invoices.
High
A material misconfiguration that meaningfully expands the attack surface. Examples: SPF -all → ~all, HSTS missing on a production hostname, world-readable .git directory exposed.
Medium
A defensive weakness that does not directly enable compromise but reduces visibility or, once fixed, makes an attacker's job harder. Examples: missing X-Content-Type-Options, BIMI absent.
Low
Cosmetic or version-disclosure issues. Examples: Server header reveals exact version, missing nofollow on a public form.
Informational
Observable facts about the environment that do not represent a risk on their own — context for the reader. Examples: hosting provider identified, CDN present.
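The scoring description and the severity levels above fit together as a three-step pipeline: findings carry a severity, severities deduct from a category's 0–100 score, and category scores are weighted into an overall score that maps to a letter grade. The following is an added example of that pipeline, not EFROS's scoring code. The letter-grade bands are the ones in the grade table on this page; the per-severity deductions and the category weights are assumptions chosen for illustration, since the page does not publish them.

```python
"""Severity-weighted findings -> category scores -> weighted overall score -> letter grade.
Added illustration, not EFROS's scoring code. Grade bands are from the page; deductions
and weights are assumed."""

# Assumed points deducted per finding, by severity (Informational carries no deduction).
SEVERITY_DEDUCTION = {"critical": 40, "high": 20, "medium": 10, "low": 3, "informational": 0}

# Assumed category weights; they sum to 1.0.
CATEGORY_WEIGHTS = {"dns": 0.15, "email": 0.30, "web": 0.25,
                    "brand": 0.10, "infrastructure": 0.10, "compliance": 0.10}

# Letter-grade floors taken from the grade table on this page.
GRADE_BANDS = [("A+", 95), ("A", 85), ("B", 70), ("C", 55), ("D", 40), ("F", 0)]


def category_score(severities: list) -> int:
    """100 minus the deduction for each finding, floored at 0."""
    deduction = sum(SEVERITY_DEDUCTION[s.lower()] for s in severities)
    return max(0, 100 - deduction)


def overall_score(category_scores: dict) -> int:
    """Weighted average of the per-category scores; every category must be present."""
    missing = set(CATEGORY_WEIGHTS) - set(category_scores)
    if missing:
        raise ValueError(f"missing category scores: {sorted(missing)}")
    total = sum(CATEGORY_WEIGHTS[c] * category_scores[c] for c in CATEGORY_WEIGHTS)
    return round(total)


def letter_grade(score: int) -> str:
    """Map a 0-100 score onto the grade bands (first band whose floor the score meets)."""
    for grade, floor in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


def grade_findings(findings_by_category: dict) -> dict:
    """Run the whole pipeline over {category: [severity, ...]} and return each stage."""
    scores = {c: category_score(findings_by_category.get(c, [])) for c in CATEGORY_WEIGHTS}
    overall = overall_score(scores)
    return {"category_scores": scores, "overall": overall, "grade": letter_grade(overall)}


# Constructed findings for one imaginary domain: DMARC absent (critical) and
# a lax SPF (high) in email, a missing header (medium) in web, a Server
# version string (low) in web, nothing elsewhere.
SAMPLE_FINDINGS = {
    "email": ["critical", "high"],
    "web": ["medium", "low"],
    "infrastructure": ["informational"],
}

if __name__ == "__main__":
    print(grade_findings(SAMPLE_FINDINGS))
```

With these assumed numbers the sample domain scores 40 in email and 87 in web, which the weights pull down to an overall 79 and a B. The point of the worked pipeline is that one critical email finding moves the grade more than several low web findings, which is what "severity-weighted" and "weighted and combined" mean in practice.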

FAQ.

How long does the free scan take?

Approximately sixty seconds. The scan runs from EFROS infrastructure against public DNS, mail, and TLS endpoints. There is no agent install, no network connection from your environment, and no authentication.

What data does EFROS collect?

The domain you submit, the email address you provide on claim, and the technical results of the public-signal queries (DNS records, HTTP headers, TLS metadata). Nothing is queried that is not already publicly resolvable.

Is this a penetration test?

No. The Security Score is a passive external assessment based on read-only public signals. It is not a penetration test, compliance audit, vulnerability scan against your network, or guarantee of security.

Why do I need to provide an email to see the full report?

The high-level grade is visible immediately. The detailed findings register, executive summary, and remediation roadmap are emailed to you so the report has a verified recipient. This also lets EFROS reach out if a critical issue is observed.

Will this trigger alerts in my SIEM?

It should not. The scan does not connect to any host inside your network, does not authenticate, and does not probe ports beyond standard public DNS and HTTPS over the documented IP range. If you would like to whitelist the source, contact us before running the scan.

Can I run the scan against a domain I don't own?

Authorization is the responsibility of the submitter. The scan is read-only against public data, so the legal exposure is low, but if a domain is not yours we will not provide the detailed report to a non-domain-controlled email.

Disclaimer

The Security Score is an external read-only risk assessment based on publicly observable signals. It is not a penetration test, compliance audit, vulnerability scan against your internal network, or guarantee of security. Cybersecurity outcomes depend on scope, client authorization, tooling, environment maturity, and response procedures. Cost savings, detection times, remediation speed, and risk reduction vary by environment and cannot be guaranteed.