Anonymized showcase copy. Customer domains, hostnames, IP addresses, MAC addresses, email addresses, certificate names, tokens and organization-specific identifiers have been replaced with neutral example values. Security findings and report layout are preserved.

Scantide Online Report Export

Exported 2026-05-25 13:47:01. This full static export contains the same report content as the browser view. All tabs are expanded below so the file remains readable offline and printable without JavaScript.
Handle with care. Results are evidence and triage signals and should be verified before operational or legal conclusions.
Report sections
Overview · Security · Infrastructure · Communications · Web Evidence · Email · DNS · Compliance · Summary & Recommendations
The live report uses clickable tabs. The export keeps the same styling but expands every tab as a full section so no content is lost.
2 Critical Issues Require Immediate Action
3 High Risk Items Need Review

Overall Security Score

74
Grade: C GOOD
Average across 5 online domains
Review recommended
What this means: The public surface is working, but some security, trust or compliance signals should be reviewed before they become bigger issues.
Online: 5 Critical CVEs: 7 High CVEs: 9 Emerging threat: REVIEW Medium: 0
Next step: Start with the executive report, then work through critical and high findings first.

Executive Summary

C
CRITICAL RISK
7 Critical CVEs · 7 Critical Items
Total Scan Time
46.41s
Avg per Host
7.74s
5 of 6 hosts scanned
Executive attention needed
What this means: The scan found critical CVE matches for detected server/software versions. These should be reviewed first, because they may represent known exploitable weaknesses in exposed software.
Risk: CRITICAL Score: 74/100 Critical CVEs: 7 High CVEs: 9 Emerging threat: REVIEW
Next step: Open the executive report, assign owners for the highest-risk items and use the detailed tabs as evidence.

Vulnerability Risk

60
Grade: D
7 Critical CVEs, 9 High Priority
2 Outdated Webservers
Prioritize patch review
What this means: Scantide matched exposed software or versions against known vulnerability data. Counts here are per server/software/version, not broad historical totals for a product family.
Matched CVEs: 21 Critical: 7 High: 9 Outdated webservers: 2
Next step: Review confirmed matches first, then verify whether vendor backports or package patches already mitigate the finding.
Emerging threat exposure: REVIEW · 65/100
What this adds: No zero-day was confirmed. The scan did find exposed technologies or surfaces that should be watched closely when new advisories are released.
High-value products: 2 Admin surfaces: 2 Version uncertainty: 0 Exploit/advisory signals: 0
Next step: Confirm patch levels, reduce exposed admin surfaces and subscribe to vendor advisories for the detected products.
Detected focus areas: WordPress, F5 / BIG-IP

Infrastructure Security

80
Grade: B
Database ports: 0
Admin interfaces: 1
Domains checked: 5
Blacklisted: 0
Review infrastructure signals
What this means: Some public-facing services, listings or provider signals need ownership and business-purpose review. Not every exposed service is wrong, but every one should be intentional.
Database ports: 0 Admin interfaces: 1 Blacklisted: 0 Advanced review items: 18
Next step: Confirm each exposed service has an owner, business reason, patching process and monitoring.

Communications Security

73
Grade: C
Headers: 40
TLS: 84
Cookies: 85
Methods: 88
HTTP Version: 92
Perfect Forward Secrecy Enabled: 4/4
Perfect Forward Secrecy Coverage: 100%
Browser protections to improve
What this means: The website works, but some browser and transport protections may be missing, weak or inconsistent. These controls reduce risks such as downgrade, clickjacking, content injection and cookie leakage.
Missing header groups: 8 Cookie flag issues: 1 Weak TLS: 0 PFS: 100%
Next step: Prioritize expired/weak TLS first, then harden HSTS, CSP, cookie flags and dangerous HTTP methods.

DNS Security

45
Grade: F
DNSSEC:
CAA:
DANE/TLSA:
Name Servers: 9 found
ns.example-customer-04.com
ns.example-customer-05.com
host06.example-customer.com
+6 more...
Port 53 (DNS): Closed
0/6 open
Non-NS: 0/6 0%
BIMI: Not configured
DNS legal / regulatory context
GDPR CLOUD Act / Five Eyes
DNS providers and nameservers are part of the domain trust chain. These badges do not mean the DNS setup is wrong, but they show which legal/supplier contexts should be reviewed together with registrar access, DNSSEC, CAA and provider contracts.
DNS governance and supplier review recommended
What this means: DNS is part of the public trust chain. Nameserver providers, registrar controls, DNSSEC/CAA and DNS provider jurisdiction can affect domain ownership, certificate issuance, supplier risk and legal review.
DNSSEC: enabled CAA: configured Name servers: 9 External DNS domains: 4 US/Five Eyes DNS: 1
Next step: Review DNS provider ownership/jurisdiction, registrar access controls, DNSSEC/CAA adoption and confirm any open DNS service is intentional and not recursive/open to abuse.

Compliance Risk

85
Grade: B
Cookie consent: 81/100
Consent issues: 8
Needs browser verification: 6 (verify with Scantide Observe)
Pre-consent tracking signals: 2
SPF external sender/legal review: 10 (US-linked)
DNS provider/legal review: 4 (US/Five Eyes)
Missing reject/manage/withdrawal: 0
ePrivacy / PECR
Cookie/tracking consent is assessed with ePrivacy, PECR or equivalent cookie-law context where applicable.
Top Jurisdictions:
🌍 Denmark (2) 🇸🇪 Sweden (2) 🇳🇱 Netherlands (1)
Key Laws:
GDPR (5) ePrivacy / Cookie Law (5) CLOUD Act (1)
Email compliance attention
CLOUD Act / US mail provider: 2 SPF external sender review: 10 US-linked SPF service: 3 GDPR email infrastructure: 3
Mail providers: Microsoft
SPF-authorized senders: External SPF authorization, Microsoft 365 / Exchange Online
SPF include/redirect entries may authorize external processors. Review DPA/SCC terms, subprocessors, selected data region and whether each sender is still intentionally allowed.
Top mail issue: US email provider subject to CLOUD Act - government access possible
DNS compliance & supplier attention
Nameservers: 9 External DNS provider: 4 US/Five Eyes DNS: 1
DNS providers: example-customer-07.com, example-customer-08.com DNS, example-customer-09.com, Cloudflare DNS
DNS regulatory zones: OTHER, GDPR, FVEY
DNS providers control how the domain resolves and can be part of the supplier, jurisdiction and certificate-issuance trust chain. Review DNS provider ownership, contract/DPA terms, registrar controls, DNSSEC and CAA posture.
1 High Risk 1 Violations 1 Conflicts
Compliance action needed
What this means: The scan found privacy, cookie, email sender, DNS provider, jurisdiction or supplier signals that may create legal, contractual or governance obligations.
Cookie consent: 81/100 Consent issues: 8 SPF sender review: 10 High-risk jurisdictions: 1 Conflicts: 1
Next step: Open the Compliance tab and review cookie consent, SPF-authorized senders, DNS providers, mail providers, hosting location and data-transfer assumptions.
Overview
Domain Risk Score Redirect Info SSL Info Critical Findings Compliance Infrastructure
blog.example-customer-10.com
Final URL:
https://blog.example-customer-10.com/
Final IP:
203.0.113.10 (Denmark)
🇩🇰 example-customer-08.com (Web hosting)
72
IP:
203.0.113.10 (Denmark)
HTTP→HTTPS
Same domain redirect
Certificate Validity
Issued:
2026-04-13 08:26
Expires:
2026-07-12 08:26
Duration:
89 days
Issuer:
Let's Encrypt
Subject Alternative Names 2
*.example-customer.se
example-customer-11.com
Web 58 / Scripts 0 / Beacons 0
Critical CVEs
Web evidence findings
GDPR
ePrivacy / PECR
80 443
www.example-customer-12.com
Final URL:
https://www.example-customer-12.com/
Final IP:
203.0.113.11 (Netherlands)
🇳🇱 Microsoft Azure
83
IP:
203.0.113.11 (Netherlands)
HTTP→HTTPS
Same domain redirect
Certificate Validity
Issued:
2026-04-14 04:49
Expires:
2026-07-13 04:49
Duration:
89 days
Issuer:
Let's Encrypt
Subject Alternative Names 4
example-customer-13.com
example-customer-14.com
www.example-customer-12.com
www.example-customer-15.com
Web 41 / Scripts 0 / Beacons 0
Web evidence findings
GDPR
ePrivacy / PECR
CLOUD Act
Conflict Detected
80 443
www.example-customer-16.com
Final URL:
http://www.example-customer-16.com/
Final IP:
203.0.113.12 (Sweden)
🇸🇪 Sweden
56
IP:
203.0.113.12 (Sweden)
Same-domain
Same domain redirect
Certificate Validity
Issued:
2026-02-17 20:29
Expires:
2027-03-21 20:29
Duration:
396 days
Issuer:
GlobalSign nv-sa
Subject Alternative Names 2
*.example-service.se
example-customer-17.com
Web 29 / Scripts 0 / Beacons 0
Critical CVEs
SSH Exposed
GDPR
ePrivacy / PECR
22 80 443
www.example-customer-18.com
Final URL:
http://www.example-customer-18.com/
Final IP:
203.0.113.10 (Denmark)
🇩🇰 example-customer-08.com (Web hosting)
85
IP:
203.0.113.10 (Denmark)
Same-domain
Same domain redirect
No SSL Certificate
No critical issues
GDPR
ePrivacy / PECR
No open ports
www.example-customer-19.com
Final URL:
https://www.example-customer-19.com/
Final IP:
203.0.113.13 (Sweden)
🇸🇪 Sweden
76
IP:
203.0.113.13 (Sweden)
HTTP→HTTPS
Same domain redirect
Certificate Validity
Issued:
2026-05-25 12:45
Expires:
2026-08-23 12:45
Duration:
89 days
Issuer:
Let's Encrypt
Subject Alternative Names 1
www.example-customer-19.com
Web 40 / Scripts 4 / Beacons 0
Web evidence findings
GDPR
ePrivacy / PECR
80 443
www.example-customer-20.com
Final IP:
unknown (Unknown)
🌍 Unknown
N/A
IP:
unknown (Unknown)
Offline
Offline
No major laws
Offline
Security
Recommended reading flow
1. Confirmed vulnerabilities: Start with CVEs matched to the scanned server, product and detected version.
2. Emerging exposure: Then review admin surfaces, high-value products and version uncertainty.
3. Supporting scorecards: Use domain scores and old-banner findings as supporting context, not the main evidence.
How this tab has been simplified: Merged view: confirmed CVEs and emerging-threat exposure are kept together because they describe the same question: what should be patched, restricted or monitored first.

How to read the Security tab

This tab is now ordered by practical remediation value: confirmed CVE matches first, emerging/zero-day exposure second, then the broader security score context.

Critical CVEs: 7 High CVEs: 9 Emerging exposure: REVIEW Matched per server/software/version
Start here: Review confirmed CVEs that match the detected server, software and version.
Then check emerging exposure: Look for exposed admin surfaces, high-value products and version uncertainty that matter during fast-moving advisories.
Use the scorecard last: The score helps compare domains, but the detailed evidence tells you what to fix.

Detailed Vulnerability Review

What this section means: These are matched vulnerability findings for the scanned server and detected product/version. Informational “other versions have CVEs” messages should not be treated as confirmed vulnerable findings.

CVE Vulnerabilities

7 Critical 9 High Avg CVE Score: 60/100
CVE counts below are grouped per scanned server and detected software/version. They are not broad product-family totals. For example, Apache 2.4 on one server is counted separately from another product or version, and duplicate findings from HTTP/HTTPS on the same server are collapsed.
Domain CVE Score Software/Service Highest CVE Latest CVE Matched CVEs
blog.example-customer-10.com 0 PHP (8.5.6) CVE-2026-7261
🔺 Highest Score
9.8 CRITICAL
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, a ...
CVE-2026-7568
📅 Most Recent
7.5 HIGH
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, a ...
10
for this server/software/version
www.example-customer-16.com 0 OpenSSH (7.4) CVE-2016-10012
🔺 Highest Score
7.8 HIGH
The shared memory manager (associated with pre-authentication compression) in ss ...
CVE-2023-35812
📅 Most Recent
5.3 MEDIUM
An issue was discovered in the Amazon Linux packages of OpenSSH 7.4 for Amazon L ...
6
for this server/software/version
www.example-customer-16.com 0 Apache HTTP Server (2.4.52) CVE-2022-23943
🔺 Highest Score
9.8 CRITICAL
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an att ...
CVE-2022-23943
📅 Most Recent
9.8 CRITICAL
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an att ...
4
for this server/software/version
www.example-customer-16.com 0 PHP (7.4.26) CVE-2021-21707
🔺 Highest Score
5.3 MEDIUM
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, c ...
CVE-2021-21707
📅 Most Recent
5.3 MEDIUM
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, c ...
1
for this server/software/version

Emerging / Zero-Day Exposure Review

Why this belongs here: Zero-day exposure is connected to vulnerabilities, but it is not the same thing as a confirmed CVE. This section highlights exposed products, admin surfaces and uncertainty that should be watched when new advisories are released.
REVIEW Exposure 65/100 Exposure Score 2 High-value Products 2 Admin Surfaces 0 Version Uncertain
What this means: No zero-day was confirmed. The scan did find exposed technologies or surfaces that should be watched closely when new advisories are released.

Important: this is not a claim that Scantide found an unknown zero-day. It is an exposure review connected to the vulnerability findings above.

Next step: Confirm patch levels, reduce exposed admin surfaces and subscribe to vendor advisories for the detected products.
High-value products WordPress F5 / BIG-IP
Exposure signals
Known-exploited / active exploit markers 0
High EPSS / exploit-likelihood signals 0
Exposed management/admin surfaces 2
Version uncertainty signals 0
Evidence captured
  • blog.example-customer-10.com: exposed or detected WordPress
  • www.example-customer-19.com: exposed or detected F5 / BIG-IP
  • 2 login/admin surface signal(s) detected in web evidence

Security Score Overview

74
Overall Security Score
Grade: C
60
CVE Security
97
Infrastructure Security
49
Email Security
54
DNS Security
40
Headers Security
88
HTTP Methods Security
85
Cookie Security
81
Cookie Consent
84
TLS Security
85
Compliance

Domain Security Scorecard

Domain Overall Score CVE Score Infrastructure Email DNS Headers Methods Cookies TLS Compliance Risk Level
blog.example-customer-10.com
72
Grade: C
0 100 63 100 80 50 100 90 100 CRITICAL
www.example-customer-12.com
83
Grade: B
100 100 43 0 60 100 100 90 75 LOW
www.example-customer-16.com
56
Grade: F
0 85 17 0 30 100 100 50 60 CRITICAL
www.example-customer-18.com
85
Grade: B
100 100 63 100 0 100 100 100 85 LOW
www.example-customer-19.com
76
Grade: C
100 100 57 70 30 100 85 90 85 MEDIUM

Outdated Web Servers (2)

www.example-customer-16.com
Apache 2.4.52 → Update to 2.4.65+
www.example-customer-16.com
Apache 2.4.52 → Update to 2.4.65+
ACTION: Update web servers to latest stable versions to patch known vulnerabilities.
Compliance

How to read the Compliance tab

This tab is a risk and evidence review, not a legal verdict. It helps identify where suppliers, cookies, tracking, email processing, DNS providers, nameservers or hosting location may need policy or legal review.

Cookie/consent issues: 8 SPF external senders: 10 CLOUD Act context: 0 DNS provider review: 4 Review suppliers and data locations
Start with consent: Check whether tracking, cookies or analytics appear before clear consent controls are available.
Then review email/DNS suppliers: SPF, MX, nameserver and hosting providers can create data-transfer and supplier-risk questions even when the service is technically healthy.
Use as evidence: Give legal, privacy or procurement teams the detected provider names and jurisdictions, not just a score.
Recommended reading flow
1. Consent and privacy signals: Start with cookie, tracker and consent evidence.
2. Email and supplier dependencies: Then review SPF, MX and provider jurisdiction signs.
3. Data-transfer context: Use cross-border, CLOUD Act and hosting notes for legal/procurement review.
How this tab has been simplified: Merged view: consent, external mail senders, hosting location and cross-border transfer signs are grouped as one supplier/privacy review instead of separate legal fragments.

Cookie & Consent Compliance Analysis

8 Services Checked 8 With Issues 2 Pre-consent Tracking Signals Avg Consent Score: 81/100
What this checks: Passive evidence review of cookie and consent behavior. This check looks for non-essential cookies, analytics scripts, beacons and tracker signals in the initial HTTP response or returned page before any user interaction. It also checks whether the returned page appears to expose consent controls such as Accept, Reject/Necessary-only, Manage choices and a way to change or withdraw consent. GDPR/ePR context is inferred from Scantide's existing compliance signals where available, plus domain/TLD, geo and page wording as supporting indicators.

CMP means Consent Management Platform — the cookie/consent banner system used to collect, store and apply a visitor’s privacy choices. Examples include Cookiebot, OneTrust, Usercentrics, consentmanager, CookieYes, Didomi and similar tools.

Important limitation: this passive scan cannot click the banner or fully verify that Reject, Manage choices or Withdrawal controls actually work. It should be treated as an evidence-based indication of likely consent behavior, not a full legal compliance audit. For live verification, use Scantide Observe in a real browser and test the page before consent, after Reject/Necessary-only, and after changing choices.
CMP detected 0
Needs browser verification 6
GDPR/ePR context 8
Missing reject 0
Missing manage 0
Missing withdrawal 0
Compliance attention: 8 confirmed passive issues, 12 limitations and 2 possible pre-consent tracking signals were found. Some CMP/banner behavior needs browser verification because the controls may be rendered client-side. Verify the live banner behavior with a real browser flow, especially before using analytics, ads, replay or marketing tags. Use Scantide Observe for this live browser verification.
Domain Port Score Status Consent Signals Pre-consent Tracking Issues / Recommendations
www.example-customer-19.com HTTP 80 25 HIGH RISK
No CMP signature detected
Accept
ePrivacy/GDPR applicable context
1 signal(s)
JSESSIONID
• Tracking or analytics cookies are set in the initial response before explicit consent can be verified.
• Accept control was detected, but no equally clear reject/necessary-only control was detected.
• Cookie/consent text was detected, but no manage/preferences control was found.
+1 more issue(s)
Next: Block analytics, advertising, replay and tracking cookies until the visitor actively accepts the relevant category.
www.example-customer-19.com HTTPS 443 25 HIGH RISK
No CMP signature detected
Accept
ePrivacy/GDPR applicable context
1 signal(s)
JSESSIONID
• Tracking or analytics cookies are set in the initial response before explicit consent can be verified.
• Accept control was detected, but no equally clear reject/necessary-only control was detected.
• Cookie/consent text was detected, but no manage/preferences control was found.
+1 more issue(s)
Next: Block analytics, advertising, replay and tracking cookies until the visitor actively accepts the relevant category.
blog.example-customer-10.com HTTP 80 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
blog.example-customer-10.com HTTPS 443 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-12.com HTTP 80 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-12.com HTTPS 443 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-16.com HTTP 80 100 VERIFY
No CMP signature detected
Manage
ePrivacy/GDPR applicable context
None obvious in initial response
• Consent controls were detected in the returned page, but no known CMP signature was identified. A passive scan can see the control text but cannot verify whether the controls actually apply consent choices.
• Visible consent controls were detected. This passive scan cannot click Accept, Reject/Necessary-only, Manage choices or Withdrawal controls, so their behavior still requires browser verification.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-16.com HTTPS 443 100 VERIFY
No CMP signature detected
Manage
ePrivacy/GDPR applicable context
None obvious in initial response
• Consent controls were detected in the returned page, but no known CMP signature was identified. A passive scan can see the control text but cannot verify whether the controls actually apply consent choices.
• Visible consent controls were detected. This passive scan cannot click Accept, Reject/Necessary-only, Manage choices or Withdrawal controls, so their behavior still requires browser verification.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.

ePrivacy / Cookie Law Context

8 Domain Context Signals 2 Pre-consent Tracking Signals 6 Browser Verification Needed 8 Consent Issues
Why ePrivacy matters here: ePrivacy / Cookie Law is the more direct framework for cookies, pixels, analytics identifiers, advertising tags, local storage and similar access to a user's device. GDPR still matters when personal data is processed, but ePrivacy is the specific cookie/tracking layer that usually requires prior consent for non-essential technologies.

Scantide interpretation: When ePrivacy/PECR/cookie-law context is applicable, pre-consent tracker cookies or analytics scripts are treated as stronger compliance signals. Missing banner controls are not treated as confirmed failures unless the consent layer was actually captured; otherwise Scantide recommends browser verification.

Detected law context: ePrivacy Directive / Cookie Law (5)

Regulatory Compliance Analysis

Regulatory Compliance Overview

0 Violations 0 Conflicts GDPR: 0 domains CLOUD Act: 0 domains
Domain Server Location Cloud Provider Applicable Laws Risk Score Compliance Status Key Issues
blog.example-customer-10.com 🌍 Denmark
example-customer-08.com (Web hosting)
Denmark (EU)
GDPR (EU)
ePrivacy Directive / Cookie Law
9 (MEDIUM) COMPLIANT No compliance issues
www.example-customer-12.com 🇳🇱 Netherlands
Microsoft Azure
United States (US)
GDPR (EU)
ePrivacy Directive / Cookie Law
US CLOUD Act (Corporate Control)
19 (HIGH) VIOLATIONS
• GDPR + CLOUD Act jurisdictional conflict...
• Cloud provider Microsoft Azure is US-hea...
+2 more issues
www.example-customer-16.com 🇸🇪 Sweden Traditional Hosting
GDPR (EU)
ePrivacy Directive / Cookie Law
9 (MEDIUM) COMPLIANT No compliance issues
www.example-customer-18.com 🌍 Denmark
example-customer-08.com (Web hosting)
Denmark (EU)
GDPR (EU)
ePrivacy Directive / Cookie Law
9 (MEDIUM) COMPLIANT No compliance issues
www.example-customer-19.com 🇸🇪 Sweden Traditional Hosting
GDPR (EU)
ePrivacy Directive / Cookie Law
9 (MEDIUM) COMPLIANT No compliance issues

DNS Provider & Domain Trust Compliance Analysis

4 Domains With NS 9 Nameservers 1 US/Five Eyes DNS 0 Cross-Border DNS 0 Unexpected DNS Services
Why DNS matters for compliance: DNS providers and nameservers are part of the domain trust chain. They influence where domain lookups are handled, who can affect certificate issuance, and which suppliers or jurisdictions may become relevant for governance, contractual review and incident response.

Scantide interpretation: External DNS providers are normal and often safer than self-hosting, but they should be documented like other critical suppliers. Review provider ownership, DPA/SCC terms where applicable, registrar access controls, DNSSEC, CAA and whether any non-nameserver host exposes DNS on port 53.
Top DNS providers
example-customer-07.com, example-customer-08.com DNS, example-customer-09.com, Cloudflare DNS
Regulatory zones
OTHER, GDPR, FVEY
DNS governance controls
DNSSEC: detected · CAA: detected
DNS compliance review notes:
  • US/Five Eyes DNS provider or nameserver jurisdiction requires supplier and data-access review

Email Infrastructure Compliance Analysis

3 GDPR Email Infrastructure 2 US Email Providers 0 Cross-Border Email 0 High-Risk Jurisdictions
Domain Email Server Locations Email Providers Regulatory Frameworks Compliance Risk Key Issues Recommendations
example-customer-17.com
🌍 Ireland
Microsoft
GDPR (EU)
CLOUD Act (US)
CRITICAL
• US email provider subject to CLOUD Act -...
• Review Standard Contractual Clauses
• Consider EU-based email providers
example-customer-13.com
🌍 Ireland
Microsoft
GDPR (EU)
CLOUD Act (US)
CRITICAL
• US email provider subject to CLOUD Act -...
• Review Standard Contractual Clauses
• Consider EU-based email providers
example-customer-21.com
🇸🇪 Sweden
Independent/Unknown
GDPR (EU)
LOW
• Email processing in GDPR jurisdiction re...
• Monitor regulatory changes
Critical Email Compliance Conflict Detected
GDPR + CLOUD Act Jurisdictional Conflict: Your email infrastructure spans EU jurisdictions (GDPR-protected) and US-controlled providers (CLOUD Act subject). This creates potential conflicts where:
  • EU data protection laws may conflict with US government access requirements
  • Data transfers may require additional safeguards (Standard Contractual Clauses)
  • Email content and metadata may be subject to conflicting legal frameworks
Recommended Actions:
  • Implement email encryption with EU-controlled keys
  • Consider EU-based email providers for GDPR-sensitive communications
  • Review and update privacy policies to reflect cross-border email processing
  • Implement data classification for email content

MX Server Geographic Analysis

Domain MX Server Priority IP Address Geographic Location Provider/ISP Regulatory Risk
example-customer-11.com host03.example-customer.com 1 10.20.30.14 Unknown Unknown UNKNOWN
example-customer-17.com host02.example-customer.com 0 203.0.113.15 Dublin, Ireland Microsoft Corporation NORMAL
example-customer-13.com host01.example-customer.com 0 203.0.113.16 Dublin, Ireland Microsoft Corporation NORMAL
example-customer-21.com mx.example-customer-22.com 5 203.0.113.17 Umeå, Sweden ATEA Sverige AB NORMAL

Cross-Border Data Transfer Analysis

1 GDPR Conflicts 1 Cross-Border Transfers Data Transfer Analysis
Domain Data Flow Legal Framework Conflict Risk Recommendations
www.example-customer-12.com
Netherlands (Server)
United States (Microsoft Azure)
GDPR (EU)
ePrivacy Directive / Cookie Law
US CLOUD Act (Corporate Control)
HIGH CONFLICT
• Implement Standard Contractual Clauses
• Consider EU-based alternatives
• Review adequacy decisions

Data Privacy & Handling Assessment

0 Critical 0 High Risk Privacy Assessment
Domain Privacy Risk Risk Factors Data Handling Recommendations
www.example-customer-12.com
Microsoft Azure
MEDIUM
• US cloud provider - FISA/CLOUD Act exposure
Monitor compliance status
www.example-customer-19.com MEDIUM
• Insecure cookies on 2 services
• Implement secure cookie flags
Infrastructure
Recommended reading flow
1. Internet exposure: Review public ports, protocols and service banners first.
2. Reputation and location: Then check blacklist, geography and provider evidence.
3. Ownership decisions: Confirm whether each exposed service is expected, owned and monitored.
How this tab has been simplified: Merged view: ports, banners, blacklist status, geography and provider evidence are grouped around one practical question: what is publicly exposed and who owns it?

How to read the Infrastructure tab

This tab answers a simple question: what is reachable from the internet, who appears to host it, and which exposed services need an owner and business reason?

Database ports: 0 Admin interfaces: 1 Unencrypted services: 4 Ports, providers and exposure
Start with unusual ports: HTTPS is normal. Databases, admin panels, FTP and remote access services deserve review.
Confirm ownership: Every visible service should have a responsible owner, patching process and reason to be public.
Remember proxies/CDNs: A CDN or WAF can hide the origin, so use this as internet-facing evidence, not a full internal inventory.

Infrastructure Security

0 Database Ports 1 Admin Interfaces 4 Unencrypted
Infrastructure Security Overview:
• Database services should not be exposed to the internet
• Administrative interfaces require additional protection
• Unencrypted services pose data interception risks

Complete Port and Server Analysis

Domain Open Ports & Services Risk Assessment Security Recommendations
blog.example-customer-10.com
80/tcp
OPEN
HTTP
No title found
443/tcp
OPEN
HTTPS
Red Cloud IT - Svenska molntjänster för företag och föreningar - ExampleCloud Office - Svenska molntj ...
🔒 SSL Certificate: *.example-customer.se
MEDIUM
2 Web
www.example-customer-12.com
80/tcp
OPEN
HTTP
I en föränderlig värld behövs flexibla IT-tjänster och pålitlig IT-drift
443/tcp
OPEN
HTTPS
I en föränderlig värld behövs flexibla IT-tjänster och pålitlig IT-drift
🔒 SSL Certificate: www.example-customer-12.com
MEDIUM
2 Web
www.example-customer-16.com
22/tcp
OPEN
SSH WARNING
SSH-2.0-OpenSSH_7.4
80/tcp
OPEN
HTTP
LIGHTS IN LINE AB – Performance Engineering
443/tcp
OPEN
HTTPS
LIGHTS IN LINE AB – Performance Engineering
🔒 SSL Certificate: *.example-service.se
HIGH
1 Admin
2 Web
HIGH PRIORITY: Restrict admin access, implement VPN and bruteforce prevention
www.example-customer-18.com
No open ports detected
LOW
GOOD: No publicly exposed services detected
www.example-customer-19.com
80/tcp
OPEN
HTTP
Example Municipalitys kommun - example-customer-21.com
443/tcp
OPEN
HTTPS
Example Municipalitys kommun - example-customer-21.com
🔒 SSL Certificate: www.example-customer-19.com
MEDIUM
2 Web

IP Blacklist & Reputation Analysis

Domains Checked: 5
Listed/Flagged: 0
Clean: 5
Critical/High Risk: 0
Total Sources Flagged: 0

All Domains Clean

5 domain(s) checked - no blacklist entries found

Your IPs maintain good reputation across all checked DNSBL sources
DNSBL Sources Checked (13 total)

Geographic Distribution

Denmark 2
Sweden 2
Netherlands 1

Cloud Provider Analysis

example-customer-08.com (Web hosting) 2 hosts
Microsoft Azure 1 host
Communications
Recommended reading flow
1. Browser protections: Start with headers, cookies, redirect behavior and TLS/certificate trust.
2. Frontend boundaries: Then review CORS, CSP, methods and client-side exposure.
3. Move to deep evidence as needed: Detailed scripts, beacons and trackers live in the evidence tab to avoid clutter.
How this tab has been simplified: Merged view: headers, cookies, redirects, TLS and frontend boundaries are grouped as browser trust. Deep script/beacon evidence remains in its own evidence tab.

How to read the Communications tab

This tab explains what browsers and visitors are exposed to: headers, cookies, redirects, TLS behavior, scripts, beacons and page-level trust boundaries.

Missing headers: 0 Cookie issues: 2 Tracker matches: 0 Headers, cookies, redirects, scripts
Start with browser protections: Missing HSTS, CSP, frame protection or cookie flags are usually straightforward hardening work.
Then check third parties: Scripts, beacons and external hosts can create privacy, integrity and supplier-risk questions.
Separate facts from intent: External services may be legitimate, but they should be documented and covered by policy.

Web Security & Communications

Plain-language focus: Browser protections reduce common visitor-side risks. Third-party services are not automatically bad, but they should be necessary, documented and covered by policy.

Web Server Analysis

Domain Server Details Response HTTP Methods Cookies HTTP Headers
blog.example-customer-10.com
Port 80
No title found
Apache
Apache
CMS: WordPress
301
4.093s
text/html; char
⚠ Dangerous
PUT, DELETE
Total: 5 methods
0
cookies
Server: Apache
Upgrade: h2c
Location: https://blog.example-customer-10.com/
Cache-Control: max-age=2592000
+8 more headers...
blog.example-customer-10.com
Port 443
Red Cloud IT - Svenska molntjä...
Apache
Apache
CMS: WordPress
200
4.093s
text/html; char
⚠ Dangerous
PUT, DELETE
Total: 5 methods
0
cookies
Server: Apache
X-Powered-By: PHP/8.5.6
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
+25 more headers...
www.example-customer-12.com
Port 80
I en föränderlig värld behö...
Nginx
nginx
200
0.351s
text/html; char
✓ Safe Methods
Total: 3 methods
0
cookies
Server: nginx
X-Frame-Options: SAMEORIGIN; SAMEORIGIN
X-Content-Type-Options: nosniff; nosniff
Strict-Transport-Security: max-age=15552001; includeSubDomains...
+13 more headers...
www.example-customer-16.com
Port 80
LIGHTS IN LINE AB – Performa...
Apache 2.4.52
Apache/2.4.52 () OpenSSL/1.0.2k-fip...
200
0.049s
text/html; char
✓ Safe Methods
Total: 3 methods
0
cookies
Server: Apache/2.4.52 () OpenSSL/1.0.2k-fip...
X-Powered-By: PHP/7.4.26
Strict-Transport-Security: max-age=31536000
Link: <https://www.example-customer-16.com/wp-jso...
+9 more headers...
www.example-customer-16.com
Port 443
LIGHTS IN LINE AB – Performa...
Apache 2.4.52
Apache/2.4.52 () OpenSSL/1.0.2k-fip...
200
0.059s
text/html; char
✓ Safe Methods
Total: 3 methods
0
cookies
Server: Apache/2.4.52 () OpenSSL/1.0.2k-fip...
X-Powered-By: PHP/7.4.26
Strict-Transport-Security: max-age=31536000
Link: <https://www.example-customer-16.com/wp-jso...
+9 more headers...

Communications Analysis

Avg Headers Score: 40/100 8 Services Analyzed
Domain Port Score Grade Header Description Status Recommendations
blog.example-customer-10.com 80 80 B CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface. ⚠️
  • Add a strict default-src directive
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs. ⚠️
  • Use correct structured header format: feature=(self); other-feature=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames. ⚠️
  • Set Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre. ⚠️
  • Set Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks.
  • Add this header with a secure configuration
Pragma The Pragma header is used to control caching behavior, especially in HTTP/1.0 requests. It is often set to prevent caching of sensitive data.
  • Add Pragma: no-cache
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy. ⚠️
  • Add Cache-Control: no-store, no-cache, must-revalidate, private
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame. No recommendations
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content. No recommendations
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy. No recommendations
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content. No recommendations
Cross-Origin-Resource-Policy This is a security header with no specific description in the analysis. No recommendations
blog.example-customer-10.com 443 80 B CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface. ⚠️
  • Add a strict default-src directive
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs. ⚠️
  • Use correct structured header format: feature=(self); other-feature=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames. ⚠️
  • Set Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre. ⚠️
  • Set Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks.
  • Add this header with a secure configuration
Pragma The Pragma header is used to control caching behavior, especially in HTTP/1.0 requests. It is often set to prevent caching of sensitive data.
  • Add Pragma: no-cache
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy. ⚠️
  • Add Cache-Control: no-store, no-cache, must-revalidate, private
HSTS Enforces HTTPS for future requests, ensuring all traffic is encrypted.
  • Consider adding preload for browser preload list
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame. No recommendations
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content. No recommendations
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy. No recommendations
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content. No recommendations
Cross-Origin-Resource-Policy This is a security header with no specific description in the analysis. No recommendations
www.example-customer-12.com 80 60 D CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface. ⚠️
  • Remove unsafe-inline and use nonces or hashes
  • Avoid unsafe-eval in script-src
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs.
  • Add Permissions-Policy: geolocation=(self); camera=(); microphone=(); fullscreen=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames.
  • Add Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre.
  • Add Cross-Origin-Embedder-Policy: require-corp
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content.
  • Add X-Permitted-Cross-Domain-Policies: none
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy.
  • Add Cache-Control: no-store, no-cache, must-revalidate, private
Pragma The Pragma header is used to control caching behavior, especially in HTTP/1.0 requests. It is often set to prevent caching of sensitive data.
  • Add Pragma: no-cache
Cross-Origin-Resource-Policy This header is used to prevent cross-origin resource sharing, helping to prevent cross-origin information leakage.
  • Add Cross-Origin-Resource-Policy: same-origin
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame. No recommendations
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content. No recommendations
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy. No recommendations
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks. No recommendations
www.example-customer-12.com 443 60 D CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface. ⚠️
  • Remove unsafe-inline and use nonces or hashes
  • Avoid unsafe-eval in script-src
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs.
  • Add Permissions-Policy: geolocation=(self); camera=(); microphone=(); fullscreen=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames.
  • Add Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre.
  • Add Cross-Origin-Embedder-Policy: require-corp
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content.
  • Add X-Permitted-Cross-Domain-Policies: none
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy.
  • Add Cache-Control: no-store, no-cache, must-revalidate, private
Pragma The Pragma header is used to control caching behavior, especially in HTTP/1.0 requests. It is often set to prevent caching of sensitive data.
  • Add Pragma: no-cache
Cross-Origin-Resource-Policy This header is used to prevent cross-origin resource sharing, helping to prevent cross-origin information leakage.
  • Add Cross-Origin-Resource-Policy: same-origin
HSTS Enforces HTTPS for future requests, ensuring all traffic is encrypted.
  • Consider adding preload for browser preload list
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame. No recommendations
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content. No recommendations
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy. No recommendations
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks. No recommendations
www.example-customer-16.com 80 30 F CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface.
  • Define a strong Content-Security-Policy (e.g. default-src 'self'; script-src 'self'; object-src 'none')
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame.
  • Add X-Frame-Options: DENY or SAMEORIGIN
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content.
  • Add X-Content-Type-Options: nosniff
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy.
  • Add Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs.
  • Add Permissions-Policy: geolocation=(self); camera=(); microphone=(); fullscreen=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames.
  • Add Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre.
  • Add Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks.
  • Add this header with a secure configuration
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content.
  • Add X-Permitted-Cross-Domain-Policies: none
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy.
  • Add Cache-Control: no-store, no-cache, must-revalidate, private
Pragma The Pragma header is used to control caching behavior, especially in HTTP/1.0 requests. It is often set to prevent caching of sensitive data.
  • Add Pragma: no-cache
Cross-Origin-Resource-Policy This header is used to prevent cross-origin resource sharing, helping to prevent cross-origin information leakage.
  • Add Cross-Origin-Resource-Policy: same-origin
www.example-customer-16.com 443 30 F CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface.
  • Define a strong Content-Security-Policy (e.g. default-src 'self'; script-src 'self'; object-src 'none')
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame.
  • Add X-Frame-Options: DENY or SAMEORIGIN
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content.
  • Add X-Content-Type-Options: nosniff
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy.
  • Add Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs.
  • Add Permissions-Policy: geolocation=(self); camera=(); microphone=(); fullscreen=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames.
  • Add Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre.
  • Add Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks.
  • Add this header with a secure configuration
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content.
  • Add X-Permitted-Cross-Domain-Policies: none
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy.
  • Add Cache-Control: no-store, no-cache, must-revalidate, private
Pragma The Pragma header is used to control caching behavior, especially in HTTP/1.0 requests. It is often set to prevent caching of sensitive data.
  • Add Pragma: no-cache
Cross-Origin-Resource-Policy This header is used to prevent cross-origin resource sharing, helping to prevent cross-origin information leakage.
  • Add Cross-Origin-Resource-Policy: same-origin
HSTS Enforces HTTPS for future requests, ensuring all traffic is encrypted. ⚠️
  • Add includeSubDomains for full protection
  • Consider adding preload for browser preload list
www.example-customer-19.com 80 30 F CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface.
  • Define a strong Content-Security-Policy (e.g. default-src 'self'; script-src 'self'; object-src 'none')
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content.
  • Add X-Content-Type-Options: nosniff
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy.
  • Add Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs.
  • Add Permissions-Policy: geolocation=(self); camera=(); microphone=(); fullscreen=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames.
  • Add Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre.
  • Add Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks.
  • Add this header with a secure configuration
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content.
  • Add X-Permitted-Cross-Domain-Policies: none
Cross-Origin-Resource-Policy This header is used to prevent cross-origin resource sharing, helping to prevent cross-origin information leakage.
  • Add Cross-Origin-Resource-Policy: same-origin
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame. No recommendations
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy. No recommendations
Pragma This is a security header with no specific description in the analysis. No recommendations
www.example-customer-19.com 443 30 F HSTS Enforces HTTPS for future requests, ensuring all traffic is encrypted.
  • Add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
CSP Defines allowed sources for content to mitigate Cross-Site Scripting (XSS). A critical header to reduce attack surface.
  • Define a strong Content-Security-Policy (e.g. default-src 'self'; script-src 'self'; object-src 'none')
X-Content-Type-Options Prevents MIME type sniffing, which can lead to security vulnerabilities like executing malicious content.
  • Add X-Content-Type-Options: nosniff
Referrer-Policy Controls the information sent in the "Referer" header when navigating from your site. Helps with privacy.
  • Add Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy Restricts the use of powerful browser features, enhancing security by limiting access to sensitive APIs.
  • Add Permissions-Policy: geolocation=(self); camera=(); microphone=(); fullscreen=()
Cross-Origin-Opener-Policy Protects against cross-origin attacks by isolating the browsing context from other windows and frames.
  • Add Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy Prevents loading resources from cross-origin sites to protect against attacks like Spectre.
  • Add Cross-Origin-Embedder-Policy: require-corp
X-XSS-Protection Legacy XSS filter used by older browsers to prevent reflected XSS attacks.
  • Add this header with a secure configuration
X-Permitted-Cross-Domain-Policies Controls which cross-domain policies can be loaded by the browser, to prevent loading dangerous content.
  • Add X-Permitted-Cross-Domain-Policies: none
Cross-Origin-Resource-Policy This header is used to prevent cross-origin resource sharing, helping to prevent cross-origin information leakage.
  • Add Cross-Origin-Resource-Policy: same-origin
X-Frame-Options Prevents clickjacking attacks by controlling whether a browser can display the content in a frame. No recommendations
Cache-Control Controls the caching of resources by browsers and CDNs to reduce attack vectors and improve privacy. No recommendations
Pragma This is a security header with no specific description in the analysis. No recommendations

Web Methods Security Analysis

2 Dangerous Methods 8 Services Tested
Domain Port Security Risk Allowed Methods Dangerous Methods Recommendations
blog.example-customer-10.com 80 HIGH GET, POST, HEAD, PUT, DELETE
PUT, DELETE
Disable unused HTTP methods
blog.example-customer-10.com 443 HIGH GET, POST, HEAD, PUT, DELETE
PUT, DELETE
Disable unused HTTP methods
www.example-customer-12.com 80 LOW GET, POST, HEAD None detected
Good security configuration
www.example-customer-12.com 443 LOW GET, POST, HEAD None detected
Good security configuration
www.example-customer-16.com 80 LOW GET, POST, HEAD None detected
Good security configuration
www.example-customer-16.com 443 LOW GET, POST, HEAD None detected
Good security configuration
www.example-customer-19.com 80 LOW GET, POST, HEAD, OPTIONS None detected
Good security configuration
www.example-customer-19.com 443 LOW GET, POST, HEAD, OPTIONS None detected
Good security configuration
Dangerous HTTP Methods Detected
  • PUT: Allows uploading files to the web server
  • DELETE: Can remove files from the web server
  • PATCH: Allows partial resource modifications
  • TRACE: Can be used for XSS attacks (Cross-Site Tracing)
Recommendation: Configure your web server to only allow GET, POST, and HEAD methods for production sites.

Cookie Security Analysis

5 Total Cookies 2 Insecure Services Avg Cookie Score: 85/100
Domain Port Cookie Score Count Cookie Names Security Issues Status
www.example-customer-19.com 80 48 3 SiteVisionLTM, JSESSIONID, SiteVisionLTM
• Cookie 'SiteVisionLTM' missing Secure fl...
• Cookie 'SiteVisionLTM' missing SameSite ...
• Cookie 'JSESSIONID': Low entropy (43/100...
+1 more issues
INSECURE
www.example-customer-19.com 443 87 2 JSESSIONID, SiteVisionLTM
• Cookie 'JSESSIONID': Low entropy (47/100...
INSECURE

Cookie & Consent Compliance Signals

8 Services Checked 8 With Issues 2 Pre-consent Tracking Signals Avg Consent Score: 81/100
What this checks: Passive evidence review of cookie and consent behavior. This check looks for non-essential cookies, analytics scripts, beacons and tracker signals in the initial HTTP response or returned page before any user interaction. It also checks whether the returned page appears to expose consent controls such as Accept, Reject/Necessary-only, Manage choices and a way to change or withdraw consent. GDPR/ePR context is inferred from Scantide's existing compliance signals where available, plus domain/TLD, geo and page wording as supporting indicators.

CMP means Consent Management Platform — the cookie/consent banner system used to collect, store and apply a visitor’s privacy choices. Examples include Cookiebot, OneTrust, Usercentrics, consentmanager, CookieYes, Didomi and similar tools.

Important limitation: this passive scan cannot click the banner or fully verify that Reject, Manage choices or Withdrawal controls actually work. It should be treated as an evidence-based indication of likely consent behavior, not a full legal compliance audit. For live verification, use Scantide Observe in a real browser and test the page before consent, after Reject/Necessary-only, and after changing choices.
This is primarily a compliance finding. It is also shown here because the underlying evidence comes from browser-visible communications: cookies, scripts, beacons and tracker endpoints.
CMP detected: 0
Needs browser verification: 6
GDPR/ePR context: 8
Missing reject: 0
Missing manage: 0
Missing withdrawal: 0
Compliance attention: 8 confirmed passive issues, 12 limitations and 2 possible pre-consent tracking signals were found. Some CMP/banner behavior needs browser verification because the controls may be rendered client-side. Verify the live banner behavior with a real browser flow, especially before using analytics, ads, replay or marketing tags. Use Scantide Observe for this live browser verification.
Domain Port Score Status Consent Signals Pre-consent Tracking Issues / Recommendations
www.example-customer-19.com HTTP 80 25 HIGH RISK
No CMP signature detected
Accept
ePrivacy/GDPR applicable context
1 signal(s)
JSESSIONID
• Tracking or analytics cookies are set in the initial response before explicit consent can be verified.
• Accept control was detected, but no equally clear reject/necessary-only control was detected.
• Cookie/consent text was detected, but no manage/preferences control was found.
+1 more issue(s)
Next: Block analytics, advertising, replay and tracking cookies until the visitor actively accepts the relevant category.
www.example-customer-19.com HTTPS 443 25 HIGH RISK
No CMP signature detected
Accept
ePrivacy/GDPR applicable context
1 signal(s)
JSESSIONID
• Tracking or analytics cookies are set in the initial response before explicit consent can be verified.
• Accept control was detected, but no equally clear reject/necessary-only control was detected.
• Cookie/consent text was detected, but no manage/preferences control was found.
+1 more issue(s)
Next: Block analytics, advertising, replay and tracking cookies until the visitor actively accepts the relevant category.
blog.example-customer-10.com HTTP 80 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
blog.example-customer-10.com HTTPS 443 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-12.com HTTP 80 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-12.com HTTPS 443 100 VERIFY
No CMP signature detected
No clear controls detected
ePrivacy/GDPR applicable context
None obvious in initial response
• GDPR/ePrivacy context is likely, but no consent controls were visible in the passive HTML. Missing Reject, Manage choices and Withdrawal controls cannot be confirmed without browser execution.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-16.com HTTP 80 100 VERIFY
No CMP signature detected
Manage
ePrivacy/GDPR applicable context
None obvious in initial response
• Consent controls were detected in the returned page, but no known CMP signature was identified. A passive scan can see the control text but cannot verify whether the controls actually apply consent choices.
• Visible consent controls were detected. This passive scan cannot click Accept, Reject/Necessary-only, Manage choices or Withdrawal controls, so their behavior still requires browser verification.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.
www.example-customer-16.com HTTPS 443 100 VERIFY
No CMP signature detected
Manage
ePrivacy/GDPR applicable context
None obvious in initial response
• Consent controls were detected in the returned page, but no known CMP signature was identified. A passive scan can see the control text but cannot verify whether the controls actually apply consent choices.
• Visible consent controls were detected. This passive scan cannot click Accept, Reject/Necessary-only, Manage choices or Withdrawal controls, so their behavior still requires browser verification.
Next: Use browser verification to confirm whether Reject/Necessary-only, Manage choices and withdrawal controls actually work. Scantide Observe can be used for this live browser verification.

HTTP Redirect Analysis

Total Redirects Found: 8
Security Impact: Positive
Domain Port Type Hops Original → Final Response IP Change Security
blog.example-customer-10.com 80 HTTP→HTTPS 1
FROM:
http://blog.example-customer-10.com
TO:
https://blog.example-customer-10.com/
301
4.093s
No ✓ Secure
blog.example-customer-10.com 443 Same-domain 1
FROM:
https://blog.example-customer-10.com
TO:
https://blog.example-customer-10.com/
200
4.093s
No ✓ Normal
www.example-customer-12.com 80 HTTP→HTTPS 1
FROM:
http://www.example-customer-12.com
TO:
https://www.example-customer-12.com/
200
0.351s
No ✓ Secure
www.example-customer-12.com 443 Same-domain 1
FROM:
https://www.example-customer-12.com
TO:
https://www.example-customer-12.com/
200
0.190s
No ✓ Normal
www.example-customer-16.com 80 Same-domain 1
FROM:
http://www.example-customer-16.com
TO:
http://www.example-customer-16.com/
200
0.049s
No ✓ Normal
www.example-customer-16.com 443 Same-domain 1
FROM:
https://www.example-customer-16.com
TO:
https://www.example-customer-16.com/
200
0.059s
No ✓ Normal
www.example-customer-19.com 80 HTTP→HTTPS 1
FROM:
http://www.example-customer-19.com
TO:
https://www.example-customer-19.com/
200
0.346s
No ✓ Secure
www.example-customer-19.com 443 Same-domain 1
FROM:
https://www.example-customer-19.com
TO:
https://www.example-customer-19.com/
200
1.113s
No ✓ Normal

SSL Certificate Analysis

Domain Port Grade Certificate Details Expiration Security Features
blog.example-customer-10.com
🌟 Wildcard
443 B
CN: *.example-customer.se
*.example-customer.se example-customer-11.com
Issuer: Let's Encrypt
2026-07-12
48 days
Valid
✓ Perfect Forward Secrecy
www.example-customer-12.com 443 B
CN: www.example-customer-12.com
example-customer-13.com example-customer-14.com www.example-customer-12.com www.example-customer-15.com
Issuer: Let's Encrypt
2026-07-13
49 days
Valid
✓ Perfect Forward Secrecy
www.example-customer-19.com 443 B
CN: www.example-customer-19.com
www.example-customer-19.com
Issuer: Let's Encrypt
2026-08-23
90 days
Valid
✓ Perfect Forward Secrecy
www.example-customer-16.com
🌟 Wildcard
443 B
CN: *.example-service.se
*.example-service.se example-customer-17.com
Issuer: GlobalSign nv-sa
2027-03-21
301 days
Valid
✓ Perfect Forward Secrecy

TLS Configuration Analysis

Avg TLS Score: 84/100 4 TLS Services Analyzed
Domain Port TLS Score Security Score Supported Versions Vulnerable Versions Status
blog.example-customer-10.com 443 90 90/100 TLSv1.2, TLSv1.3 ✅ None SECURE
www.example-customer-12.com 443 90 90/100 TLSv1.2, TLSv1.3 ✅ None SECURE
www.example-customer-16.com 443 50 50/100 TLSv1.2 ✅ None SECURE
www.example-customer-19.com 443 90 90/100 TLSv1.2, TLSv1.3 ✅ None SECURE

CORS & CSP Browser Trust Boundaries

CORS and CSP are HTTP/browser communication controls. This section shows the policy findings here, while the Web Evidence tab keeps the underlying scripts, styles, assets, and page-context evidence used for CSP-vs-assets validation.

1 CORS Issues 16 CSP/Asset Issues Web Evidence Score 65
Domain Port CORS Findings CSP / Asset Findings Recommendations
blog.example-customer-10.com HTTPS 443
CORS allows broad or sensitive request headers: Content-Type, Authorization
• CSP missing object-src directive
• CSP missing base-uri directive
• CSP missing frame-ancestors directive
• Observed stylesheet host may not be covered by style-src: fonts.googleapis.com
• Observed stylesheet host may not be covered by style-src: maxcdn.bootstrapcdn.com
• Inline scripts exist but CSP does not show unsafe-inline, nonce, or hash support
Only allow the request headers required by the application.
www.example-customer-12.com HTTP 80 No CORS issue listed
• CSP missing frame-ancestors directive
• CSP allows unsafe-inline
• CSP allows unsafe-eval
No recommendation listed
www.example-customer-12.com HTTPS 443 No CORS issue listed
• CSP missing frame-ancestors directive
• CSP allows unsafe-inline
• CSP allows unsafe-eval
No recommendation listed
www.example-customer-19.com HTTP 80 No CORS issue listed
No enforced CSP was available to compare against page assets
No recommendation listed
www.example-customer-19.com HTTPS 443 No CORS issue listed
No enforced CSP was available to compare against page assets
No recommendation listed
www.example-customer-16.com HTTP 80 No CORS issue listed
No enforced CSP was available to compare against page assets
No recommendation listed
www.example-customer-16.com HTTPS 443 No CORS issue listed
No enforced CSP was available to compare against page assets
No recommendation listed

Frontend Exposure & Build Artifact Findings

These findings originate from returned page evidence, but they belong in Security Analysis because they can expose secrets, source structure, debug information, or JavaScript patterns that deserve manual review. Web Evidence keeps the raw page context.

0 Domains/Ports with Signals 0 Secret-like Strings 0 Source Maps 0 Debug Comments 0 DOM Sink Signals
No secret-like strings, source maps, debug comments, or DOM sink review signals were captured.
Web Evidence

How to read the Scripts, Beacons & Evidence tab

This tab is the detailed evidence layer for front-end behavior. It helps explain which external hosts, trackers, forms, iframes, public files or debug artifacts were captured.

External hosts: 16 Beacons: 0 Public metadata: 4 Evidence for privacy and security tabs
Start with unknown third parties: Review hosts and scripts that are not clearly required for the website.
Check sensitive evidence: Forms, source maps, public files and debug artifacts can expose more than expected.
Use as proof: This tab gives concrete hostnames and artifacts behind summary-card claims.
Recommended reading flow
1. Evidence snapshot: Use the counters to see which domains have the most third-party or runtime signals.
2. Per-domain evidence: Open the per-domain sections when you need exact hosts, scripts or beacons.
3. Feed other tabs: Treat this tab as supporting evidence for privacy, compliance and frontend risk.
How this tab has been simplified: Merged view: this tab is the raw evidence layer. Use the top counters for quick triage and expand per-domain sections only when you need exact hosts, scripts, beacons or forms.

Web Evidence: Scripts, Beacons, Trackers & Runtime Signals

This section shows the raw webpage evidence captured during HTTP/HTTPS analysis: scripts, third-party assets, beacon endpoints, tracking signatures, sensitive forms, iframes, mixed-content resources, storage use and runtime indicators. CORS/CSP policy findings are also surfaced in Communications, while secrets/source maps/debug/DOM-review signals are also surfaced in Security Analysis. These findings are server-side HTML evidence; browser-only runtime requests may still require Scantide Observe for full live instrumentation.

Domains with Web Evidence

4
Online domains where page evidence was captured

External / Third-party Scripts

4 / 0
External scripts / third-party scripts

Beacons & Tracker Matches

0 / 0
Beacon endpoints / tracker signatures

Highest Web Risk

58
MEDIUM

Missing SRI

0
Third-party scripts without Subresource Integrity

Sensitive / Off-domain Forms

0 / 0
Sensitive forms / forms posting away from the site

Iframe Risks

0
Unsandboxed third-party iframes

Fingerprinting / Mixed Content

0 / 0
Fingerprinting signals / mixed-content resources

CORS / CSP Issues

1 / 16
CORS findings / CSP-vs-assets findings

Secrets / Source Maps

0 / 0
Secret-like exposures / source-map references

Storage / DOM Sinks

0 / 0
Browser storage / XSS-review sink patterns

Assets / Service Workers

12 / 0
Third-party assets / service-worker signals

Advanced Passive Evidence

4 security.txt 18 well-known/public files 2 client library signals 0 payment signals 2 login/admin hints 7 weak CSP quality
What this adds: passive checks for security.txt, public metadata files, client-side libraries, payment/checkout hints, login/admin surface clues, cache/privacy headers, CSP quality, confirmed CDN/WAF edge evidence, weak CDN/static references and certificate name exposure.
Important: findings are listed as evidence. CDN/WAF is only counted as confirmed when provider-specific main-response edge headers are present. Weak CDN/static references are shown separately and are not proof that the site itself is behind that CDN/WAF.
Domain Port Public metadata evidence Client/payment/login evidence CSP/cache/CDN evidence Certificate surface
blog.example-customer-10.com HTTPS 443
security.txt not found
Found public files:
/robots.txt robots.txt · HTTP 200 · text/plain; charset=utf-8
/sitemap.xml sitemap.xml · HTTP 200 · text/xml; charset=UTF-8
Client libraries:
Font Awesome 4.7.0 — <!DOCTYPE html> <!--[if IE 7]> <html class="ie ie7 no-js" lang="sv-SE"> <![endif]--> <
WordPress asset path detected — wp-content
CSP: WEAK (52/100)
• Missing default-src
• Missing script-src
• Missing object-src
• Missing base-uri
• Missing frame-ancestors
CSP strengths: upgrade-insecure-requests present
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured
www.example-customer-12.com HTTP 80
security.txt found
Contact: mailto:contact1@example-customer-23.com
Found public files:
/.well-known/security.txt security.txt · HTTP 200 · text/plain
/robots.txt robots.txt · HTTP 200 · text/plain
• security.txt exists but has no Expires field
No client library/version evidence detected.
CSP: WEAK (51/100)
• Missing frame-ancestors
• Missing form-action
• Allows 'unsafe-inline'
• Allows 'unsafe-eval'
CSP strengths: default-src set, script-src set, object-src set
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured
www.example-customer-12.com HTTPS 443
security.txt found
Contact: mailto:contact1@example-customer-23.com
Found public files:
/.well-known/security.txt security.txt · HTTP 200 · text/plain
/robots.txt robots.txt · HTTP 200 · text/plain
• security.txt exists but has no Expires field
No client library/version evidence detected.
CSP: WEAK (51/100)
• Missing frame-ancestors
• Missing form-action
• Allows 'unsafe-inline'
• Allows 'unsafe-eval'
CSP strengths: default-src set, script-src set, object-src set
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured
www.example-customer-16.com HTTP 80
security.txt not found
Found public files:
/robots.txt robots.txt · HTTP 200 · text/plain; charset=utf-8
/sitemap.xml sitemap.xml · HTTP 200 · application/xml; charset=UTF-8
robots.txt path hints:
  • /wp-admin/
• robots.txt exposes admin/staging/private-looking path hints
No client library/version evidence detected.
Login/admin evidence:
• robots.txt path hint: /wp-admin/
CSP: MISSING (0/100)
• No enforced CSP was observed
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured
www.example-customer-16.com HTTPS 443
security.txt not found
Found public files:
/robots.txt robots.txt · HTTP 200 · text/plain; charset=utf-8
/sitemap.xml sitemap.xml · HTTP 200 · application/xml; charset=UTF-8
robots.txt path hints:
  • /wp-admin/
• robots.txt exposes admin/staging/private-looking path hints
No client library/version evidence detected.
Login/admin evidence:
• robots.txt path hint: /wp-admin/
CSP: MISSING (0/100)
• No enforced CSP was observed
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured
www.example-customer-19.com HTTP 80
security.txt found
Contact: mailto:contact2@example-customer-23.com
Expires: 2026-06-25T13:37:00.000Z
Found public files:
/.well-known/security.txt security.txt · HTTP 200 · text/plain
/security.txt security.txt legacy · HTTP 200 · text/plain
/robots.txt robots.txt · HTTP 200 · text/plain;charset=UTF-8
/sitemap.xml sitemap.xml · HTTP 200 · application/xml;charset=UTF-8
Manifest reference(s):
  • https://www.example-customer-19.com/webdav/files/system/ico/manifest.json
No client library/version evidence detected.
CSP: MISSING (0/100)
• No enforced CSP was observed
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured
www.example-customer-19.com HTTPS 443
security.txt found
Contact: mailto:contact2@example-customer-23.com
Expires: 2026-06-25T13:37:00.000Z
Found public files:
/.well-known/security.txt security.txt · HTTP 200 · text/plain
/security.txt security.txt legacy · HTTP 200 · text/plain
/robots.txt robots.txt · HTTP 200 · text/plain;charset=UTF-8
/sitemap.xml sitemap.xml · HTTP 200 · application/xml;charset=UTF-8
Manifest reference(s):
  • https://www.example-customer-19.com/webdav/files/system/ico/manifest.json
No client library/version evidence detected.
CSP: MISSING (0/100)
• No enforced CSP was observed
No confirmed CDN/WAF edge evidence from provider-specific main-response headers.
Evidence notes:
• Passive server-side evidence: confirmed from response headers, DNS/TLS/HTML/source where available; interactive browser behavior still needs Scantide Observe or browser verification.
No HTTPS certificate evidence captured

Per-domain Web Evidence

blog.example-customer-10.com

Evidence ports: 2 · External hosts: 4 · Issues: 10
Web risk 58 · MEDIUM
Scripts
External: 0
Third-party: 0
Inline: 2
Missing SRI: 0
Beacons & Trackers
Beacon endpoints: 0
Tracker matches: 0
Dynamic script indicators: 0
Forms & Frames
Forms: 0
Sensitive forms: 0
Off-domain forms: 0
Unsandboxed third-party iframes: 0
Content Risks
Mixed-content resources: 0
Fingerprinting signals: 0
External hosts: 4
CORS & CSP
CORS issues: 1
CSP/asset issues: 6
Exposure Signals
Secret-like strings: 0
Source maps: 0
Debug comments: 0
Runtime Review
Storage signals: 0
DOM sinks: 0
Service workers: 0
Asset Supply Chain
Third-party assets: 4
CSS missing SRI: 2
Referrer leak links: 0
Tracker names
No named trackers captured
External hosts
• blog.example-customer-10.com
• fonts.googleapis.com
• gmpg.org
• maxcdn.bootstrapcdn.com
HTTP 80 raw evidence · risk 0
Scripts captured
[][][]
Beacon endpoints
No beacons captured
Issues
No HTML body was available for script/beacon analysis
Recommendations
If the site uses heavy JavaScript rendering, compare this server-side scan with Scantide Observe browser evidence.
CORS / CSP
No CORS/CSP issues listed
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
No third-party asset inventory captured
HTTPS 443 raw evidence · risk 58
Scripts captured
[][{"index":1,"length":102,"uses":[],"endpoint_count":0,"snippet":"(function(html){html.className = html.className.replace(\/\\bno-js\\b\/,'js')})(document.documentElement);"},{"index":2,"length":2112,"uses":[],"endpoint_count":0,"snippet":"{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"CollectionPage\",\"@id\":\"https:\\\/\\\/blog.example-customer-10.com\\\/\",\"url\":\"https:\\\/\\\/blog.example-customer-10.com\\\/\",\"name\":\"Red Cloud IT - Svenska moln"}][]
Beacon endpoints
No beacons captured
Issues
• CORS allows broad or sensitive request headers: Content-Type, Authorization
• CSP missing object-src directive
• CSP missing base-uri directive
• CSP missing frame-ancestors directive
• Observed stylesheet host may not be covered by style-src: fonts.googleapis.com
• Observed stylesheet host may not be covered by style-src: maxcdn.bootstrapcdn.com
• Inline scripts exist but CSP does not show unsafe-inline, nonce, or hash support
• CSP quality is weak or incomplete
• Third-party stylesheets without Subresource Integrity (SRI) were found
Recommendations
• Only allow the request headers required by the application.
• Align CSP directives with observed scripts/styles, remove unsafe directives, and add object-src/base-uri/frame-ancestors.
• Consider publishing /.well-known/security.txt with a monitored vulnerability-reporting contact.
• Use SRI for stable third-party CSS, or self-host trusted stylesheet dependencies where practical.
CORS / CSP
• CORS allows broad or sensitive request headers: Content-Type, Authorization
• CSP missing object-src directive
• CSP missing base-uri directive
• CSP missing frame-ancestors directive
• Observed stylesheet host may not be covered by style-src: fonts.googleapis.com
• Observed stylesheet host may not be covered by style-src: maxcdn.bootstrapcdn.com
• Inline scripts exist but CSP does not show unsafe-inline, nonce, or hash support
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
• https://fonts.googleapis.com/css?family=Fjalla+One:400%7CCantarell:400
• https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css?ver=ANONYMIZEDID
• https://fonts.googleapis.com
• https://maxcdn.bootstrapcdn.com

www.example-customer-12.com

Evidence ports: 2 · External hosts: 2 · Issues: 10
Web risk 41 · MEDIUM
Scripts
External: 0
Third-party: 0
Inline: 2
Missing SRI: 0
Beacons & Trackers
Beacon endpoints: 0
Tracker matches: 0
Dynamic script indicators: 0
Forms & Frames
Forms: 0
Sensitive forms: 0
Off-domain forms: 0
Unsandboxed third-party iframes: 0
Content Risks
Mixed-content resources: 0
Fingerprinting signals: 0
External hosts: 2
CORS & CSP
CORS issues: 0
CSP/asset issues: 6
Exposure Signals
Secret-like strings: 0
Source maps: 0
Debug comments: 0
Runtime Review
Storage signals: 0
DOM sinks: 0
Service workers: 0
Asset Supply Chain
Third-party assets: 0
CSS missing SRI: 0
Referrer leak links: 0
Tracker names
No named trackers captured
External hosts
www.example-customer-12.com
HTTP 80 raw evidence · risk 41
Scripts captured
[][{"index":1,"length":2167,"uses":[],"endpoint_count":0,"snippet":"\/* \"function\"==typeof InitializeEditor,callIfLoaded:function(o){return!(!gform.domLoaded||!gform.scriptsLoaded||!gform.themeScriptsLoaded&&!gform.isFormEditor()||(gform.isFormEdito"}][]
Beacon endpoints
No beacons captured
Issues
• CSP missing frame-ancestors directive
• CSP allows unsafe-inline
• CSP allows unsafe-eval
• security.txt exists but has no Expires field
• CSP quality is weak or incomplete
Recommendations
Align CSP directives with observed scripts/styles, remove unsafe directives, and add object-src/base-uri/frame-ancestors.
CORS / CSP
• CSP missing frame-ancestors directive
• CSP allows unsafe-inline
• CSP allows unsafe-eval
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
No third-party asset inventory captured
HTTPS 443 raw evidence · risk 41
Scripts captured
[][{"index":1,"length":2167,"uses":[],"endpoint_count":0,"snippet":"\/* \"function\"==typeof InitializeEditor,callIfLoaded:function(o){return!(!gform.domLoaded||!gform.scriptsLoaded||!gform.themeScriptsLoaded&&!gform.isFormEditor()||(gform.isFormEdito"}][]
Beacon endpoints
No beacons captured
Issues
• CSP missing frame-ancestors directive
• CSP allows unsafe-inline
• CSP allows unsafe-eval
• security.txt exists but has no Expires field
• CSP quality is weak or incomplete
Recommendations
Align CSP directives with observed scripts/styles, remove unsafe directives, and add object-src/base-uri/frame-ancestors.
CORS / CSP
• CSP missing frame-ancestors directive
• CSP allows unsafe-inline
• CSP allows unsafe-eval
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
No third-party asset inventory captured

www.example-customer-16.com

Evidence ports: 2 · External hosts: 8 · Issues: 8
Web risk 29 · LOW
Scripts
External: 0
Third-party: 0
Inline: 2
Missing SRI: 0
Beacons & Trackers
Beacon endpoints: 0
Tracker matches: 0
Dynamic script indicators: 0
Forms & Frames
Forms: 0
Sensitive forms: 0
Off-domain forms: 0
Unsandboxed third-party iframes: 0
Content Risks
Mixed-content resources: 0
Fingerprinting signals: 0
External hosts: 8
CORS & CSP
CORS issues: 0
CSP/asset issues: 2
Exposure Signals
Secret-like strings: 0
Source maps: 0
Debug comments: 0
Runtime Review
Storage signals: 0
DOM sinks: 0
Service workers: 0
Asset Supply Chain
Third-party assets: 8
CSS missing SRI: 2
Referrer leak links: 0
Tracker names
No named trackers captured
External hosts
• host24.example-customer.com
• host25.example-customer.com
• host26.example-customer.com
• www.example-customer-16.com
HTTP 80 raw evidence · risk 29
Scripts captured
[][{"index":1,"length":2195,"uses":[],"endpoint_count":0,"snippet":"window._wpemojiSettings = {\"baseUrl\":\"https:\\\/\\\/s.w.org\\\/images\\\/core\\\/emoji\\\/14.0.0\\\/72x72\\\/\",\"ext\":\".png\",\"svgUrl\":\"https:\\\/\\\/s.w.org\\\/images\\\/core\\\/emoji\\\/14.0.0\\\/svg\\\/\",\"svgExt"}]["createElement(\"script\")"]
Beacon endpoints
No beacons captured
Issues
• robots.txt exposes admin/staging/private-looking path hints
• CSP quality is weak or incomplete
• Third-party stylesheets without Subresource Integrity (SRI) were found
• Dynamic script execution/injection indicators were found: createElement("script")
Recommendations
• Review robots.txt for path disclosure. Do not rely on robots.txt to hide sensitive locations.
• Consider publishing /.well-known/security.txt with a monitored vulnerability-reporting contact.
• Review linked login/admin surfaces for MFA, rate limiting, SSO policy and exposure expectations.
• Use SRI for stable third-party CSS, or self-host trusted stylesheet dependencies where practical.
• Review dynamic script loading, eval/new Function use, and CSP compatibility.
CORS / CSP
No enforced CSP was available to compare against page assets
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
• https://host24.example-customer.com/c/6.2.9/wp-includes/blocks/navigation/style.min.css
• http://host26.example-customer.com
• http://host25.example-customer.com
• http://host24.example-customer.com
HTTPS 443 raw evidence · risk 29
Scripts captured
[][{"index":1,"length":2195,"uses":[],"endpoint_count":0,"snippet":"window._wpemojiSettings = {\"baseUrl\":\"https:\\\/\\\/s.w.org\\\/images\\\/core\\\/emoji\\\/14.0.0\\\/72x72\\\/\",\"ext\":\".png\",\"svgUrl\":\"https:\\\/\\\/s.w.org\\\/images\\\/core\\\/emoji\\\/14.0.0\\\/svg\\\/\",\"svgExt"}]["createElement(\"script\")"]
Beacon endpoints
No beacons captured
Issues
• robots.txt exposes admin/staging/private-looking path hints
• CSP quality is weak or incomplete
• Third-party stylesheets without Subresource Integrity (SRI) were found
• Dynamic script execution/injection indicators were found: createElement("script")
Recommendations
• Review robots.txt for path disclosure. Do not rely on robots.txt to hide sensitive locations.
• Consider publishing /.well-known/security.txt with a monitored vulnerability-reporting contact.
• Review linked login/admin surfaces for MFA, rate limiting, SSO policy and exposure expectations.
• Use SRI for stable third-party CSS, or self-host trusted stylesheet dependencies where practical.
• Review dynamic script loading, eval/new Function use, and CSP compatibility.
CORS / CSP
No enforced CSP was available to compare against page assets
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
• https://host24.example-customer.com/c/6.2.9/wp-includes/blocks/navigation/style.min.css
• https://host26.example-customer.com
• https://host25.example-customer.com
• https://host24.example-customer.com

www.example-customer-19.com

Evidence ports: 2 · External hosts: 2 · Issues: 14
Web risk 40 · MEDIUM
Scripts
External: 4
Third-party: 0
Inline: 12
Missing SRI: 0
Beacons & Trackers
Beacon endpoints: 0
Tracker matches: 0
Dynamic script indicators: 0
Forms & Frames
Forms: 0
Sensitive forms: 0
Off-domain forms: 0
Unsandboxed third-party iframes: 0
Content Risks
Mixed-content resources: 0
Fingerprinting signals: 0
External hosts: 2
CORS & CSP
CORS issues: 0
CSP/asset issues: 2
Exposure Signals
Secret-like strings: 0
Source maps: 0
Debug comments: 0
Runtime Review
Storage signals: 0
DOM sinks: 0
Service workers: 0
Asset Supply Chain
Third-party assets: 0
CSS missing SRI: 0
Referrer leak links: 0
Tracker names
No named trackers captured
External hosts
www.example-customer-19.com
HTTP 80 raw evidence · risk 40
Scripts captured
[{"src":"https:\/\/www.example-customer-19.com\/example-cms\/system-resource\/ANONYMIZEDID\/js\/jquery.js","host":"www.example-customer-19.com","third_party":false,"has_sri":false,"async":false,"defer":false,"tracker_matches":[]},{"src":"https:\/\/www.example-customer-19.com\/download\/18.ANONYMIZEDID\/1598865178090\/jquery.flexslider-min.2.7.2.js","host":"www.example-customer-19.com","third_party":false,"has_sri":false,"async":false,"defer":false,"tracker_matches":[]}][{"index":1,"length":87,"uses":[],"endpoint_count":0,"snippet":"(function(c){c.add('sv-js');c.remove('sv-no-js');})(document.documentElement.classList)"},{"index":2,"length":683,"uses":[],"endpoint_count":0,"snippet":"!function(t,e){t=t||\"docReady\",e=e||window;var n=[],o=!1,c=!1;function d(){if(!o){o=!0;for(var t=0;t"},{"index":5,"length":54,"uses":[],"endpoint_count":0,"snippet":""},{"index":6,"length":71,"uses":[],"endpoint_count":0,"snippet":"(function(html){html.className += ' lp-js'})(document.documentElement);"},{"index":7,"length":880,"uses":[],"endpoint_count":0,"snippet":"\/\/ When window has finished loading window.addEventListener(\"load\", function () { \/\/ This is the \"accept all\" cookie button var vizzitAcceptAll = document.querySelector(\"#cc-b-acce"},{"index":8,"length":431,"uses":[],"endpoint_count":0,"snippet":"window.sv = window.sv || {}; sv.UNSAFE_MAY_CHANGE_AT_ANY_GIVEN_TIME_webAppExternals = {}; sv.PageContext = { pageId: '4.ANONYMIZEDID', siteId: '2.ANONYMIZEDID"}][]
Beacon endpoints
No beacons captured
Issues
• Tracking or analytics cookies are set in the initial response before explicit consent can be verified.
• Accept control was detected, but no equally clear reject/necessary-only control was detected.
• Cookie/consent text was detected, but no manage/preferences control was found.
• No clear withdrawal/change-consent control was detected in the returned page.
• CSP quality is weak or incomplete
• HTTP mixed-content references were found on an HTTPS page
• Service worker or PWA capability signals were found
Recommendations
• Block analytics, advertising, replay and tracking cookies until the visitor actively accepts the relevant category.
• Add a Reject all / Necessary only option on the first banner layer.
• Expose a Manage choices / Cookie settings control.
• Add a persistent Cookie settings or Privacy settings link in the footer or privacy area.
• Move all active/passive resources to HTTPS.
• Review service-worker scope, cache behavior, update strategy, push permissions, and sensitive data caching.
CORS / CSP
No enforced CSP was available to compare against page assets
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
No third-party asset inventory captured
HTTPS 443 raw evidence · risk 40
Scripts captured
[{"src":"https:\/\/www.example-customer-19.com\/example-cms\/system-resource\/ANONYMIZEDID\/js\/jquery.js","host":"www.example-customer-19.com","third_party":false,"has_sri":false,"async":false,"defer":false,"tracker_matches":[]},{"src":"https:\/\/www.example-customer-19.com\/download\/18.ANONYMIZEDID\/1598865178090\/jquery.flexslider-min.2.7.2.js","host":"www.example-customer-19.com","third_party":false,"has_sri":false,"async":false,"defer":false,"tracker_matches":[]}][{"index":1,"length":87,"uses":[],"endpoint_count":0,"snippet":"(function(c){c.add('sv-js');c.remove('sv-no-js');})(document.documentElement.classList)"},{"index":2,"length":683,"uses":[],"endpoint_count":0,"snippet":"!function(t,e){t=t||\"docReady\",e=e||window;var n=[],o=!1,c=!1;function d(){if(!o){o=!0;for(var t=0;t"},{"index":5,"length":54,"uses":[],"endpoint_count":0,"snippet":""},{"index":6,"length":71,"uses":[],"endpoint_count":0,"snippet":"(function(html){html.className += ' lp-js'})(document.documentElement);"},{"index":7,"length":880,"uses":[],"endpoint_count":0,"snippet":"\/\/ When window has finished loading window.addEventListener(\"load\", function () { \/\/ This is the \"accept all\" cookie button var vizzitAcceptAll = document.querySelector(\"#cc-b-acce"},{"index":8,"length":431,"uses":[],"endpoint_count":0,"snippet":"window.sv = window.sv || {}; sv.UNSAFE_MAY_CHANGE_AT_ANY_GIVEN_TIME_webAppExternals = {}; sv.PageContext = { pageId: '4.ANONYMIZEDID', siteId: '2.ANONYMIZEDID"}][]
Beacon endpoints
No beacons captured
Issues
• Tracking or analytics cookies are set in the initial response before explicit consent can be verified.
• Accept control was detected, but no equally clear reject/necessary-only control was detected.
• Cookie/consent text was detected, but no manage/preferences control was found.
• No clear withdrawal/change-consent control was detected in the returned page.
• CSP quality is weak or incomplete
• HTTP mixed-content references were found on an HTTPS page
• Service worker or PWA capability signals were found
Recommendations
• Block analytics, advertising, replay and tracking cookies until the visitor actively accepts the relevant category.
• Add a Reject all / Necessary only option on the first banner layer.
• Expose a Manage choices / Cookie settings control.
• Add a persistent Cookie settings or Privacy settings link in the footer or privacy area.
• Move all active/passive resources to HTTPS.
• Review service-worker scope, cache behavior, update strategy, push permissions, and sensitive data caching.
CORS / CSP
No enforced CSP was available to compare against page assets
Secrets / Source maps
No exposure signals captured
Storage / DOM sinks
No storage/DOM sink signals captured
Third-party assets
No third-party asset inventory captured
Email
Recommended reading flow
1. Spoofing protection: Start with SPF, DKIM and DMARC status.
2. Authorized senders: Review third-party SPF services and unused senders.
3. Advanced standards: Use MTA-STS, TLS-RPT and BIMI as maturity improvements after basics are stable.
How this tab has been simplified: Merged view: SPF, DKIM, DMARC and external SPF senders are treated as one email trust story. Advanced standards are shown after the basics.

How to read the Email Security tab

This tab focuses on domain impersonation and trusted senders: SPF, DKIM, DMARC, mail providers and external services authorized to send mail for the domain.

SPF records: 4 DMARC records: 3 DMARC enforced: 3 External SPF senders: 10
Start with DMARC: A missing or weak DMARC policy makes phishing and spoofing harder to control.
Review SPF senders: Every include/redirect should still be needed and owned by the organization.
Then verify DKIM: DKIM helps prove messages were authorized, but selector discovery can be incomplete without provider details.

Email Security Records Analysis

4 SPF Records 3 DMARC Records 2 DKIM Records 2 Fully Protected 10 SPF External Senders

SPF External Sender / Legal Review Note

4 Domains With External SPF 10 External Senders 3 US-linked Services 7 Unknown Jurisdiction
Why this matters: SPF include/redirect entries can authorize external mail platforms to send on behalf of the domain. That is normal for services such as Microsoft 365, Google Workspace, SendGrid, Mailgun, Mailchimp, Amazon SES, HubSpot and support systems, but it can also create legal and data-transfer review points.

Scantide interpretation: This is not automatically a technical failure. It is an evidence note that the SPF record may point to external processors, including US-based services that can raise CLOUD Act/FISA and GDPR transfer-safeguard questions. Confirm DPA/SCC terms, subprocessors, selected data region and whether the service is still intentionally authorized.

Top detected providers: External SPF authorization (7) Microsoft 365 / Exchange Online (3)
Domain SPF Status SPF Policy DKIM Status DKIM Selectors DMARC Status DMARC Policy Email Protection
example-customer-11.com PRESENT STRICT (-all)
2 external senders / legal review
PRESENT (1)
s1
PRESENT REJECT
2 external senders / legal review
EXCELLENT
example-customer-17.com PRESENT STRICT (-all)
1 external sender / legal review
MISSING N/A MISSING N/A
1 external sender / legal review
MINIMAL
example-customer-13.com PRESENT STRICT (-all)
4 external senders / legal review
MISSING N/A PRESENT REJECT
4 external senders / legal review
BASIC
example-customer-21.com PRESENT STRICT (-all)
3 external senders / legal review
PRESENT (1)
selector1
PRESENT REJECT
3 external senders / legal review
EXCELLENT

Detailed Email Security Records

Advanced Email Security Standards

MTA-STS
0 domain(s) configured
Enforces TLS for SMTP connections
TLS-RPT
0 domain(s) configured
Reports TLS delivery failures
BIMI
1 domain(s) configured
Brand logo authentication
DANE/TLSA
0 domain(s) configured
Certificate pinning via DNS

Domain Details

Domain Record Type Raw Record Analysis Issues Recommendations
example-customer-11.com SPF v=spf1 ip4:203.0.113.18 ip4:203.0.113.19 include:example-customer-27.com include:_custspf.one.com -all
Policy: Fail (-all) - Strict policy
Mechanisms: 5
External SPF: 2 authorized senders
External SPF authorization (Unknown) via example-customer-27.com
External SPF authorization (Unknown) via _custspf.one.com
• SPF authorizes external mail sender(s); review legal/data-transfer implications.
• External SPF authorization via include:example-customer-27.com — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• External SPF authorization via include:_custspf.one.com — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• Verify each SPF include/redirect against current contracts, DPA/SCC terms, subprocessors and selected processing region.
example-customer-11.com DMARC v=DMARC1; p=reject; rua=mailto:contact3@example-customer-23.com;
Policy: REJECT
Percentage: 100%
Reports: Enabled
• No subdomain policy (sp) specified
DMARC configuration is optimal
example-customer-11.com DKIM
Selector: s1
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlqIBsKuvpeCqSoNq3q ...
Key Type: rsa
Key Length: 2048 bits
Version: DKIM1
No issues detected
DKIM configuration looks good
example-customer-17.com SPF v=spf1 include:host28.example-customer.com a:mta.example-customer-29.com a:mail.example-customer-30.com a:orion.starse ...
Policy: Fail (-all) - Strict policy
Mechanisms: 8
External SPF: 1 authorized sender
Microsoft 365 / Exchange Online (US) via host28.example-customer.com
• SPF authorizes external mail sender(s); review legal/data-transfer implications.
• Microsoft 365 / Exchange Online via include:host28.example-customer.com — US provider; CLOUD Act/FISA exposure may be relevant for EU/EEA data-transfer reviews.
• Verify each SPF include/redirect against current contracts, DPA/SCC terms, subprocessors and selected processing region.
example-customer-17.com DMARC Record not found
Missing DMARC policy
• No email authentication enforcement
Add DMARC record with appropriate policy
example-customer-13.com SPF v=spf1 ip4:203.0.113.20 ip4:203.0.113.21 include:_spf.ungapped.io include:_spf.marketing.example-providero ...
Policy: Fail (-all) - Strict policy
Mechanisms: 7
External SPF: 4 authorized senders
External SPF authorization (Unknown) via _spf.ungapped.io
External SPF authorization (Unknown) via _spf.marketing.example-provideronline.se
External SPF authorization (Unknown) via _spf.example-tech.net
• SPF authorizes external mail sender(s); review legal/data-transfer implications.
• External SPF authorization via include:_spf.ungapped.io — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• External SPF authorization via include:_spf.marketing.example-provideronline.se — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• External SPF authorization via include:_spf.example-tech.net — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• Verify each SPF include/redirect against current contracts, DPA/SCC terms, subprocessors and selected processing region.
example-customer-13.com DMARC v=DMARC1; p=reject; sp=none; rua=mailto:contact4@example-customer-23.com,mailto:contact5@example-customer-23.com; ruf=ma ...
Policy: REJECT
Percentage: 100%
Reports: Enabled
No issues detected
DMARC configuration is optimal
example-customer-21.com SPF v=spf1 a:mail.example-customer-31.com a:webmail.example-customer-32.com include:host28.example-customer.com include: ...
Policy: Fail (-all) - Strict policy
Mechanisms: 21
External SPF: 3 authorized senders
Microsoft 365 / Exchange Online (US) via host28.example-customer.com
External SPF authorization (Unknown) via mail.example-customer-33.com
External SPF authorization (Unknown) via host34.example-customer.com
• SPF authorizes external mail sender(s); review legal/data-transfer implications.
• Microsoft 365 / Exchange Online via include:host28.example-customer.com — US provider; CLOUD Act/FISA exposure may be relevant for EU/EEA data-transfer reviews.
• External SPF authorization via include:mail.example-customer-33.com — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• External SPF authorization via include:host34.example-customer.com — SPF authorizes a third-party sender. Review legal role, DPA, subprocessors and data-transfer terms.
• Verify each SPF include/redirect against current contracts, DPA/SCC terms, subprocessors and selected processing region.
example-customer-21.com DMARC v=DMARC1; p=reject;
Policy: REJECT
Percentage: 100%
• No subdomain policy (sp) specified
DMARC configuration is optimal
example-customer-21.com DKIM
Selector: selector1
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDnjSO0sjgZGxX5WXnLupkQ6 ...
Key Type: rsa
Key Length: 1024 bits
Version: DKIM1
• RSA valid but short: 1024 bits
Consider upgrading to 2048+ bit key
Domain SPF DKIM DMARC MTA-STS TLS-RPT BIMI DANE DNSSEC CAA Score
example-customer-11.com - - - 115
BIMI:
Logo: https://example-customer-11.com/wp-content/uploads/Example CustomerIT.svg
example-customer-17.com - - - - 25
example-customer-13.com - - - - 50
example-customer-21.com - - - - 95
DNS
Recommended reading flow
1. Domain governance: Start with WHOIS, nameservers and registration warnings.
2. DNS protection: Review DNSSEC, CAA and record-level security.
3. Service discovery: Use SRV/CNAME records to find dependencies and unexpected exposure.
How this tab has been simplified: Merged view: DNS governance, DNS security records and service discovery are grouped together. Email-specific interpretation is kept in the Email Security tab.

How to read the DNS Security tab

This tab reviews domain-control signals: DNSSEC, CAA, nameservers, DNS service exposure and mail-related DNS records. It is about governance as much as technical configuration.

DNSSEC: enabled CAA: configured Unexpected DNS services: 0 Domain ownership and guardrails
Start with DNSSEC and CAA: These help protect domain integrity and restrict which CAs may issue certificates.
Review nameservers: Nameserver providers are part of the trust chain and should match ownership expectations.
Check unexpected DNS exposure: Port 53 on non-nameserver hosts can indicate misconfiguration or an unintended service.

DNS Security & Domain Analysis

Domain Details

Domain SPF DKIM DMARC MTA-STS TLS-RPT BIMI DANE DNSSEC CAA
example-customer-11.com - - -
BIMI:
Logo: https://example-customer-11.com/wp-content/uploads/Example CustomerIT.svg
example-customer-17.com - - - -
example-customer-13.com - - - -
example-customer-21.com - - - -

Domain Registration & WHOIS Analysis

0 Expired 0 Critical 0 Expiring 0 New 0 Protected Avg Age: 20y
Lookup Results: 4 successful, 0 failed out of 4 total domains
Domain Registrar Domain Age Status Days Until Expiry Privacy Registration Details
example-customer-11.com example-customer-08.com 17y HEALTHY
active
361 days PUBLIC
Expires: May 22, 2027
Created: May 22, 2009
Updated: May 20, 2026
Age: 18 years
Last updated: 5 days ago
example-customer-17.com Loopia AB 20.5y HEALTHY
active
169 days PUBLIC
Expires: Nov 11, 2026
Created: Nov 11, 2005
Updated: Oct 1, 2025
Age: 21 years
Last updated: 236 days ago
example-customer-13.com NMU Group 11.2y HEALTHY
active
282 days PUBLIC
Expires: Mar 4, 2027
Created: Mar 4, 2015
Updated: Mar 4, 2026
Age: 12 years
Last updated: 82 days ago
example-customer-21.com Loopia AB 31.2y HEALTHY
active
219 days PUBLIC
Expires: Dec 31, 2026
Created: Feb 23, 1995
Updated: Dec 2, 2025
Age: 31.9 years
Last updated: 174 days ago

Nameserver Geographic Analysis

9 Total NS Records 0 Unique ASNs 0 Countries 0 Regulatory Zones 0 Port 53 Open Coverage: 4/4
Domain Nameserver ASN / ISP Provider Type Port 53 Status Geographic Location Regulatory Zone Risk Assessment
example-customer-21.com host35.example-customer.com Not checked during render
Unknown
TRUSTED
NOT CHECKED
Unknown
Unknown
Unknown
LOW RISK
2 NS
example-customer-21.com host36.example-customer.com Not checked during render
Unknown
TRUSTED
NOT CHECKED
Unknown
Unknown
Unknown
LOW RISK
2 NS
example-customer-13.com host06.example-customer.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
REVIEW
Custom provider, 3 NS
example-customer-13.com host37.example-customer.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
REVIEW
Custom provider, 3 NS
example-customer-13.com host38.example-customer.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
REVIEW
Custom provider, 3 NS
example-customer-17.com ns.example-customer-39.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
STANDARD
Custom provider, 2 NS
example-customer-17.com ns.example-customer-40.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
STANDARD
Custom provider, 2 NS
example-customer-11.com ns.example-customer-04.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
STANDARD
Custom provider, 2 NS
example-customer-11.com ns.example-customer-05.com Not checked during render
Unknown
CUSTOM
NOT CHECKED
Unknown
Unknown
Unknown
STANDARD
Custom provider, 2 NS
Nameserver Analysis Notes:
  • 9 nameserver(s) could not be resolved to an IP address
  • More custom nameservers (7) than trusted providers (2) detected

DNSSEC and CAA Analysis

2 Valid 0 Invalid 2 Disabled 1 CAA Records DNSSEC & CAA Analysis
Domain DNSSEC Status Algorithm Key Tag Validation Records Found CAA Status
example-customer-11.com ENABLED ECDSAP256SHA256 45820 VALID
2 external senders / legal review
DS: 1, DNSKEY: 2, RRSIG: 0 PRESENT (2)
example-customer-17.com DISABLED N/A N/A N/A
1 external sender / legal review
DS: 0, DNSKEY: 0, RRSIG: 0 MISSING
example-customer-13.com DISABLED N/A N/A N/A
4 external senders / legal review
DS: 0, DNSKEY: 0, RRSIG: 0 MISSING
example-customer-21.com ENABLED ECDSAP256SHA256 2371 VALID
3 external senders / legal review
DS: 1, DNSKEY: 2, RRSIG: 0 MISSING

Email Security Records Analysis

4 SPF Records 3 DMARC Records 2 DKIM Records 2 Fully Protected 10 SPF External Senders
Domain SPF Status SPF Policy DKIM Status DKIM Selectors DMARC Status DMARC Policy MTA-STS TLS-RPT Email Protection
example-customer-11.com PRESENT STRICT (-all)
2 external senders / legal review
PRESENT (1)
s1
PRESENT REJECT
2 external senders / legal review
MISSING MISSING EXCELLENT
example-customer-17.com PRESENT STRICT (-all)
1 external sender / legal review
MISSING N/A MISSING N/A
1 external sender / legal review
MISSING MISSING MINIMAL
example-customer-13.com PRESENT STRICT (-all)
4 external senders / legal review
MISSING N/A PRESENT REJECT
4 external senders / legal review
MISSING MISSING BASIC
example-customer-21.com PRESENT STRICT (-all)
3 external senders / legal review
PRESENT (1)
selector1
PRESENT REJECT
3 external senders / legal review
MISSING MISSING EXCELLENT

Missing DNS Security Records & Recommendations

1 Critical Issue 4 High Priority 3 Medium Priority 15 Low Priority 4 Domains Affected
Domain Record Type Severity Issue Security Impact Recommendation
example-customer-11.com MTA-STS LOW No MTA-STS policy configured No TLS enforcement for email delivery - potential for downgrade attacks on SMTP connections
Optional Enhancement:
Add MTA-STS DNS record at _mta-sts.example-customer.se and publish policy file at https://mta.example-customer-41.com/.well-known/mta-sts.txt
example-customer-11.com TLS-RPT LOW No TLS-RPT record configured No visibility into TLS connection failures - cannot monitor email delivery security issues
Optional Enhancement:
Add TLS-RPT record: "v=TLSRPTv1; rua=mailto:contact6@example-customer-23.com" for TLS failure monitoring
example-customer-11.com DANE LOW No DANE/TLSA records configured No certificate pinning for email servers - cannot prevent certificate-based MITM attacks on email delivery
Optional Enhancement:
Add TLSA records for each MX host (e.g., _25._tcp.mail.example-customer.se). Requires valid DNSSEC to be effective.
example-customer-17.com DMARC CRITICAL No DMARC record found No email authentication policy enforcement - cannot protect against domain spoofing
Action Required:
Add DMARC record: "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com" (start with p=none for monitoring)
example-customer-17.com DKIM HIGH No DKIM records found Emails lack cryptographic signatures - reduced deliverability and trust
Action Required:
Configure DKIM with your email provider and publish public key DNS records (typically at selector._domainkey.yourdomain.com)
example-customer-17.com DNSSEC HIGH DNSSEC not enabled DNS cache poisoning vulnerability - attackers can redirect users to malicious sites
Action Required:
Enable DNSSEC at your domain registrar and add DS records to parent zone
example-customer-17.com CAA MEDIUM No CAA records found No certificate authority restrictions - any CA can issue certificates for your domain
Action Required:
Add CAA records to specify authorized CAs: 0 issue "letsencrypt.org" or 0 issue "pki.goog"
example-customer-17.com MTA-STS LOW No MTA-STS policy configured No TLS enforcement for email delivery - potential for downgrade attacks on SMTP connections
Optional Enhancement:
Add MTA-STS DNS record at _mta-sts.example-service.se and publish policy file at https://mta.example-customer-42.com/.well-known/mta-sts.txt
example-customer-17.com TLS-RPT LOW No TLS-RPT record configured No visibility into TLS connection failures - cannot monitor email delivery security issues
Optional Enhancement:
Add TLS-RPT record: "v=TLSRPTv1; rua=mailto:contact7@example-customer-23.com" for TLS failure monitoring
example-customer-17.com BIMI LOW No BIMI record configured Brand logo not displayed in email clients - reduced brand recognition and trust signals
Optional Enhancement:
Add BIMI record at default._bimi.example-service.se with logo URL and optionally VMC. Requires DMARC policy of quarantine or reject.
example-customer-17.com DANE LOW No DANE/TLSA records configured No certificate pinning for email servers - cannot prevent certificate-based MITM attacks on email delivery
Optional Enhancement:
Add TLSA records for each MX host (e.g., _25._tcp.mail.example-service.se). Requires valid DNSSEC to be effective.
example-customer-13.com DKIM HIGH No DKIM records found Emails lack cryptographic signatures - reduced deliverability and trust
Action Required:
Configure DKIM with your email provider and publish public key DNS records (typically at selector._domainkey.yourdomain.com)
example-customer-13.com DNSSEC HIGH DNSSEC not enabled DNS cache poisoning vulnerability - attackers can redirect users to malicious sites
Action Required:
Enable DNSSEC at your domain registrar and add DS records to parent zone
example-customer-13.com CAA MEDIUM No CAA records found No certificate authority restrictions - any CA can issue certificates for your domain
Action Required:
Add CAA records to specify authorized CAs: 0 issue "letsencrypt.org" or 0 issue "pki.goog"
example-customer-13.com MTA-STS LOW No MTA-STS policy configured No TLS enforcement for email delivery - potential for downgrade attacks on SMTP connections
Optional Enhancement:
Add MTA-STS DNS record at _mta-sts.example-provider.se and publish policy file at https://mta.example-customer-43.com/.well-known/mta-sts.txt
example-customer-13.com TLS-RPT LOW No TLS-RPT record configured No visibility into TLS connection failures - cannot monitor email delivery security issues
Optional Enhancement:
Add TLS-RPT record: "v=TLSRPTv1; rua=mailto:contact8@example-customer-23.com" for TLS failure monitoring
example-customer-13.com BIMI LOW No BIMI record configured Brand logo not displayed in email clients - reduced brand recognition and trust signals
Optional Enhancement:
Add BIMI record at default._bimi.example-provider.se with logo URL and optionally VMC. Requires DMARC policy of quarantine or reject.
example-customer-13.com DANE LOW No DANE/TLSA records configured No certificate pinning for email servers - cannot prevent certificate-based MITM attacks on email delivery
Optional Enhancement:
Add TLSA records for each MX host (e.g., _25._tcp.mail.example-provider.se). Requires valid DNSSEC to be effective.
example-customer-21.com CAA MEDIUM No CAA records found No certificate authority restrictions - any CA can issue certificates for your domain
Action Required:
Add CAA records to specify authorized CAs: 0 issue "letsencrypt.org" or 0 issue "pki.goog"
example-customer-21.com MTA-STS LOW No MTA-STS policy configured No TLS enforcement for email delivery - potential for downgrade attacks on SMTP connections
Optional Enhancement:
Add MTA-STS DNS record at _mta-sts.example-municipality.se and publish policy file at https://mta.example-customer-44.com/.well-known/mta-sts.txt
example-customer-21.com TLS-RPT LOW No TLS-RPT record configured No visibility into TLS connection failures - cannot monitor email delivery security issues
Optional Enhancement:
Add TLS-RPT record: "v=TLSRPTv1; rua=mailto:contact9@example-customer-23.com" for TLS failure monitoring
example-customer-21.com BIMI LOW No BIMI record configured Brand logo not displayed in email clients - reduced brand recognition and trust signals
Optional Enhancement:
Add BIMI record at default._bimi.example-municipality.se with logo URL and optionally VMC. Requires DMARC policy of quarantine or reject.
example-customer-21.com DANE LOW No DANE/TLSA records configured No certificate pinning for email servers - cannot prevent certificate-based MITM attacks on email delivery
Optional Enhancement:
Add TLSA records for each MX host (e.g., _25._tcp.mail.example-municipality.se). Requires valid DNSSEC to be effective.

Detailed DNS Records & Configuration Analysis

14 Total Records 11 Optimal 2 Needs Improvement 1 Critical Issue
Domain Type Raw Record Data Status Analysis & Recommendations
example-customer-11.com SPF
v=spf1 ip4:203.0.113.18 ip4:203.0.113.19 include:example-customer-27.com include:_custspf.one.com -all
OPTIMAL
  • SPF configuration looks good
example-customer-11.com DMARC
v=DMARC1; p=reject; rua=mailto:contact3@example-customer-23.com;
OPTIMAL
  • Consider adding ruf= for forensic failure reports
  • Consider specifying SPF alignment mode (aspf=r for relaxed or aspf=s for strict)
  • Consider specifying DKIM alignment mode (adkim=r for relaxed or adkim=s for strict)
  • Consider adding sp= to specify policy for subdomains
example-customer-11.com DKIM
s1._domainkey: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlqIBsKuvpeCqSoNq3qUodolBdrOtcCzirohlsD...
OPTIMAL
  • DKIM configuration looks good
example-customer-11.com DNSSEC
Algorithm: ECDSAP256SHA256, DS Records: 1, DNSKEY Records: 2
OPTIMAL
  • Consider adding multiple DS records with different algorithms for redundancy
example-customer-11.com CAA
0 iodef "mailto:contact10@example-customer-23.com"
OPTIMAL
  • CAA record is properly configured
example-customer-11.com CAA
0 issuewild "letsencrypt.org"
OPTIMAL
  • CAA record is properly configured
example-customer-11.com BIMI
v=BIMI1;l=https://example-customer-11.com/wp-content/uploads/Example CustomerIT.svg
REVIEW
  • No VMC (Verified Mark Certificate) specified - logo may not display in all email clients without trademark verification
example-customer-17.com SPF
v=spf1 include:host28.example-customer.com a:mta.example-customer-29.com a:mail.example-customer-30.com a:host45.example-customer.com a:smtp.example-customer-46.com a:smtp.example-customer-47.com a:host48.example-customer.com -all
OPTIMAL
  • SPF configuration looks good
example-customer-13.com SPF
v=spf1 ip4:203.0.113.20 ip4:203.0.113.21 include:_spf.ungapped.io include:_spf.marketing.example-provideronline.se include:_spf.example-tech.net include:host28.example-customer.com -all
OPTIMAL
  • SPF configuration looks good
example-customer-13.com DMARC
v=DMARC1; p=reject; sp=none; rua=mailto:contact4@example-customer-23.com,mailto:contact5@example-customer-23.com; ruf=mailto:contact5@example-customer-23.com; pct=100; fo=1
CRITICAL
  • Invalid email address in rua: contact4@example-customer-23.com,mailto:contact5@example-customer-23.com
  • Currently in monitoring mode (p=none) - consider upgrading to p=quarantine or p=reject after reviewing reports
  • Consider specifying SPF alignment mode (aspf=r for relaxed or aspf=s for strict)
  • Consider specifying DKIM alignment mode (adkim=r for relaxed or adkim=s for strict)
example-customer-21.com SPF
v=spf1 a:mail.example-customer-31.com a:webmail.example-customer-32.com include:host28.example-customer.com include:mail.example-customer-33.com include:host34.example-customer.com ip4:203.0.113.22 ip4:203.0.113.17 ip4:203.0.113.23 ip4:203.0.113.24/26 ip4:203.0.113.25 ip4:203.0.113.26 ip4:203.0.113.27 ip4:203.0.113.28/26 ip4:203.0.113.29/25 ip4:203.0.113.30/25 ip4:203.0.113.31/21 ip4:203.0.113.32/22 ip4:203.0.113.33/22 ip4:203.0.113.34 ip4:203.0.113.35/22 -all
OPTIMAL
  • SPF configuration looks good
example-customer-21.com DMARC
v=DMARC1; p=reject;
OPTIMAL
  • Add rua= to receive aggregate reports for monitoring
  • Consider adding ruf= for forensic failure reports
  • Consider specifying SPF alignment mode (aspf=r for relaxed or aspf=s for strict)
  • Consider specifying DKIM alignment mode (adkim=r for relaxed or adkim=s for strict)
  • Consider adding sp= to specify policy for subdomains
example-customer-21.com DKIM
selector1._domainkey: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDnjSO0sjgZGxX5WXnLupkQ6Z3RZNPNjA8pUKa3b0aN7...
REVIEW
  • WARNING: Key length 1024 bits is weak - upgrade to 2048+ bits recommended
example-customer-21.com DNSSEC
Algorithm: ECDSAP256SHA256, DS Records: 1, DNSKEY Records: 2
OPTIMAL
  • Consider adding multiple DS records with different algorithms for redundancy
DNS Security Records Quick Reference Guide
SPF (Sender Policy Framework)
Prevents email spoofing by specifying which mail servers can send email for your domain.
DMARC (Domain-based Message Authentication)
Enforces email authentication policies and provides reporting on email abuse.
DKIM (DomainKeys Identified Mail)
Adds cryptographic signatures to emails to verify sender authenticity.
DNSSEC (DNS Security Extensions)
Protects against DNS cache poisoning and man-in-the-middle attacks.
CAA (Certification Authority Authorization)
Restricts which certificate authorities can issue SSL/TLS certificates for your domain.
MTA-STS (Mail Transfer Agent Strict Transport Security)
Enforces TLS encryption for email delivery and prevents downgrade attacks.
TLS-RPT (TLS Reporting)
Provides reporting on TLS connection failures for monitoring email security issues.
BIMI (Brand Indicators for Message Identification)
Displays your brand logo in email clients to increase trust and brand recognition.
DANE (DNS-based Authentication of Named Entities)
Uses DNSSEC to bind TLS certificates to domain names, providing certificate pinning for email servers.

SRV Records Analysis

CNAME Resolution Chain Analysis

0 CNAME Chains 6 Direct Resolution Longest Chain: 0
All domains resolve directly to IP addresses (no CNAME chains)
Summary & Recommendations
Recommended reading flow
1. Decide priority: Use the action plan to decide what must be fixed first.
2. Assign owners: Turn findings into owners, deadlines and follow-up checks.
3. Expand beyond the scan: Use the Beyond This Scan section for internal, identity and process risks.
How this tab has been simplified: Merged view: this section is organized as plan, owners, follow-up and limits. Technical detail remains in the detailed tabs.

How to read the Executive report

This tab turns the technical findings into a management action plan. It should be readable by non-specialists while still pointing technical teams toward the evidence tabs.

Critical items: 2 High priority: 1 Overall score: 74/100 Use for planning and ownership
Start with the plain summary: Use it for managers, customers or stakeholders who do not need raw scan details.
Then assign owners: Critical CVEs, public exposure, email trust and compliance items should each have a responsible owner.
Use detailed tabs for proof: The executive report tells what to do; the other tabs show why.

Security Action Plan

Generated May 25, 2026 at 1:46 PM • 6 domains analyzed

74
Overall Security Score
2
Critical Issues
1
High Priority
13
Medium Priority
5
Domains Online
Simplified Executive Summary — Immediate attention needed
Scantide found issues that could lead to service disruption, data exposure or easier compromise if they are left unresolved. This simplified view translates the technical scan into business impact: service trust, exposure, privacy/legal review and what to do next.
74
Overall score
Grade C
5/6 domains online during scan
2 critical action items
1 high-priority item
18 privacy/legal review signals

Website trust and availability

0 certificate/TLS review items

No major certificate or encryption trust problem stands out in the summary view.

Known vulnerability exposure

4 CVE review items

At least one detected product or service may need patching or verification against known vulnerabilities.

Emerging / zero-day exposure

65/100 emerging exposure score

No unknown zero-day is confirmed, but the scan found exposed products, admin surfaces or uncertainty signals that deserve attention during fast-moving advisories.

Exposed services

0 high-risk exposed services

No high-risk exposed database/admin service was promoted into the simplified summary.

Privacy, cookies and third parties

9 privacy/tracking signals

The site uses or references tracking, consent, external scripts or privacy-related controls that should be checked from a user and compliance perspective.

Email and legal sender review

10 external SPF senders

The SPF record allows external services to send email for the domain. That can be normal, but it should be checked against contracts, subprocessors and data-transfer requirements.

Email sender note: SPF authorizes external sender services, including US-linked services. Detected providers: External SPF authorization, Microsoft 365 / Exchange Online. This is not automatically wrong, but it should be reviewed as part of vendor, legal and data-transfer governance.

Other areas to review

These cards are not automatically critical failures. They are the business, supplier and governance areas that deserve a human check because the scan found supporting evidence.

Email & sender trust

Found: The domain authorizes external services to send email on its behalf.

Why it matters: This is common for Microsoft 365, ticketing, marketing and CRM systems, but forgotten SPF senders can increase spoofing, supplier and data-transfer exposure.

Review: Confirm that each authorized sender is still used, contractually covered and configured with the right data region and subprocessor terms.

Evidence: 10 external SPF senders 3 US-linked senders External SPF authorization Microsoft 365 / Exchange Online
Privacy & third-party services

Found: The website contacts or references external services during page load.

Why it matters: External scripts, beacons, analytics and embedded services can create privacy, tracking, consent and cross-border processing obligations.

Review: Review which third parties are necessary, whether consent is required before loading them, and whether the privacy notice lists them correctly.

Evidence: 16 external hosts 4 external/script signals 0 tracker/beacon/fingerprinting signals 8 consent issues
Infrastructure & hosting location

Found: Parts of the website, email or supporting infrastructure may depend on external providers or locations.

Why it matters: Provider location and corporate jurisdiction can matter for GDPR, CLOUD Act, customer requirements, public-sector procurement and supplier governance.

Review: Check hosting, CDN, DNS, MX and external service providers against the organization’s data-residency and supplier-risk policy.

Evidence: 1 compliance/jurisdiction item 16 external web host references 3 US-linked SPF senders
Public exposure

Found: The scan found services, login surfaces or public metadata that are visible from the internet.

Why it matters: Not all exposure is bad, but every visible service or management surface should have a clear owner, purpose and protection level.

Review: Confirm whether each exposed service should be public, restrict admin surfaces, and remove public metadata that reveals unnecessary information.

Evidence: 0 high-risk exposed services 24 public/admin/metadata signals
Certificates & browser trust

Found: Some browser trust, encryption or web hardening signals deserve review.

Why it matters: Certificates, TLS settings, security headers and cookie flags affect user trust and how well browsers can defend visitors.

Review: Fix expired or weak TLS first, then improve headers and cookie settings during normal web hardening work.

Evidence: 0 certificate/TLS items 8 missing header items 1 cookie setting item

What to do next

  1. Handle critical items first: exposed databases, expired certificates and critical CVEs should not wait.
  2. Verify affected software versions and patch or isolate vulnerable services.
  3. Treat exposed high-value products and admin surfaces as emerging-threat focus areas: confirm patch level, restrict access and monitor vendor advisories.
  4. Improve browser-side protections such as security headers and safe cookie settings.
  5. Review privacy, consent and third-party tracking behavior in a real browser before treating it as compliant.
  6. Review SPF-authorized email providers, especially US-linked services, for DPA/SCC, subprocessors and selected data region.
This simplified section is meant for non-technical decision makers. The detailed sections below still contain the evidence needed by administrators and security teams.

CRITICAL - Fix Within 24 Hours

2 Issues

Critical CVE Vulnerabilities (2)

RISK: Active exploitation likely. These vulnerabilities can lead to complete system compromise, data breaches, or ransomware attacks.
blog.example-customer-10.com CVE-2026-7261 CVSS: 9.8
Affected: PHP 8.5.6 Latest CVE for this service
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer i...
ACTION: Apply security patch for PHP immediately. If patch unavailable, isolate affected system from network.
www.example-customer-16.com CVE-2022-23943 CVSS: 9.8
Affected: Apache HTTP Server 2.4.52 Latest CVE for this service
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with poss...
ACTION: Apply security patch for Apache HTTP Server immediately. If patch unavailable, isolate affected system from network.
Assigned To:
System Administrator, DevOps Lead
Deadline:
2026-05-26 13:46
Escalate To:
CTO if not resolved in 4 hours

HIGH PRIORITY - Fix Within 1 Week

1 Issue

High Severity CVEs (1)

www.example-customer-16.com CVE-2016-10012 7.8
OpenSSH - The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure...
ACTION: Apply security patches during next maintenance window. Schedule within 3-7 days.
Assigned To:
DevOps Team, Development Team
Deadline:
2026-06-01

MEDIUM PRIORITY - Fix Within 1 Month

13 Issues

Medium Severity CVEs (1)

www.example-customer-16.com CVE-2021-21707 5.3
PHP
ACTION: Schedule patching during regular maintenance cycle within next month.

Dangerous HTTP Methods Enabled (2)

RISK: Methods like PUT, DELETE, TRACE can be exploited to modify or delete content, or expose sensitive information.
blog.example-customer-10.com Port 80
Enabled: PUT, DELETE
blog.example-customer-10.com Port 443
Enabled: PUT, DELETE
ACTION: Disable unnecessary HTTP methods (PUT, DELETE, TRACE, PATCH) in the web server configuration. Only allow GET, POST, HEAD and, if needed, OPTIONS. NOTE: This is easily overlooked and mixed up with the Cross-Origin Resource Sharing (CORS) response header settings such as "Access-Control-Allow-Methods: GET,POST", which govern browser cross-origin requests rather than the methods the server itself accepts.

Insecure Cookie Configurations (1)

RISK: Missing security flags expose cookies to XSS attacks, session hijacking, and CSRF vulnerabilities.
www.example-customer-19.com Port 80 1 cookie affected
• SiteVisionLTM: No Secure flag, No SameSite attribute
ACTION: Update cookie settings to include: Secure flag (sent over HTTPS only), HttpOnly flag (blocks script access to the cookie, limiting theft via XSS), SameSite=Strict or Lax (limits CSRF).

Missing Security Headers (8)

blog.example-customer-10.com Port 80
Missing: X-Frame-Options, X-Content-Type-Options
blog.example-customer-10.com Port 443
Missing: X-Frame-Options, X-Content-Type-Options, HSTS
www.example-customer-12.com Port 80
Missing: X-Frame-Options, X-Content-Type-Options
www.example-customer-12.com Port 443
Missing: X-Frame-Options, X-Content-Type-Options, HSTS
www.example-customer-16.com Port 80
Missing: X-Frame-Options, X-Content-Type-Options
www.example-customer-16.com Port 443
Missing: X-Frame-Options, X-Content-Type-Options, HSTS
www.example-customer-19.com Port 80
Missing: X-Frame-Options, X-Content-Type-Options
www.example-customer-19.com Port 443
Missing: X-Frame-Options, X-Content-Type-Options, HSTS
ACTION: Add security headers in web server config: X-Frame-Options, X-Content-Type-Options, HSTS, CSP.

Compliance Issues (1)

www.example-customer-12.com
GDPR + CLOUD Act jurisdictional conflict - EU data subject to US government access without adequate safeguards
ACTION: Review data processing activities and implement required privacy controls. Consult legal team.

Outdated Web Servers (2)

www.example-customer-16.com
Apache 2.4.52 → Update to 2.4.65+
www.example-customer-16.com
Apache 2.4.52 → Update to 2.4.65+
ACTION: Update web servers to latest stable versions to patch known vulnerabilities.
Assigned To:
Development Team, Security Team
Deadline:
2026-06-25

Additional Passive Evidence Recommendations

18 Evidence Items
What this means: These are passive evidence and triage findings from security.txt, public metadata files, client libraries, payment/checkout hints, login/admin surface clues, cache/privacy headers, CSP quality, confirmed CDN/WAF edge evidence, weak CDN/static references and certificate name exposure. They are useful for hardening and review, but should be verified before being treated as confirmed vulnerabilities.

High review priority (4)

www.example-customer-16.com HTTP 80 CSP quality
Content Security Policy quality is weak or missing (MISSING, 0/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: No enforced CSP was observed
www.example-customer-16.com HTTPS 443 CSP quality
Content Security Policy quality is weak or missing (MISSING, 0/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: No enforced CSP was observed
www.example-customer-19.com HTTP 80 CSP quality
Content Security Policy quality is weak or missing (MISSING, 0/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: No enforced CSP was observed
www.example-customer-19.com HTTPS 443 CSP quality
Content Security Policy quality is weak or missing (MISSING, 0/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: No enforced CSP was observed

Normal review priority (11)

blog.example-customer-10.com HTTPS 443 CSP quality
Content Security Policy quality is weak or missing (WEAK, 52/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: Missing default-src; Missing script-src; Missing object-src; Missing base-uri; Missing frame-ancestors; +1 more
www.example-customer-12.com HTTP 80 Public metadata exposure
security.txt exists but has no Expires field
Recommended action: Review public metadata files such as robots.txt, sitemap.xml, manifest.json, assetlinks.json and app association files. Keep useful public metadata, but avoid exposing admin, staging, backup or internal paths unnecessarily.
www.example-customer-12.com HTTP 80 CSP quality
Content Security Policy quality is weak or missing (WEAK, 51/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: Missing frame-ancestors; Missing form-action; Allows 'unsafe-inline'; Allows 'unsafe-eval'
www.example-customer-12.com HTTPS 443 Public metadata exposure
security.txt exists but has no Expires field
Recommended action: Review public metadata files such as robots.txt, sitemap.xml, manifest.json, assetlinks.json and app association files. Keep useful public metadata, but avoid exposing admin, staging, backup or internal paths unnecessarily.
www.example-customer-12.com HTTPS 443 CSP quality
Content Security Policy quality is weak or missing (WEAK, 51/100).
Recommended action: Define a practical CSP with default-src, script-src, object-src, base-uri, frame-ancestors and form-action. Avoid unsafe-inline/unsafe-eval where possible and use nonces or hashes for trusted inline code.
Evidence: Missing frame-ancestors; Missing form-action; Allows 'unsafe-inline'; Allows 'unsafe-eval'
www.example-customer-16.com HTTP 80 Public metadata exposure
robots.txt exposes admin/staging/private-looking path hints
Recommended action: Review public metadata files such as robots.txt, sitemap.xml, manifest.json, assetlinks.json and app association files. Keep useful public metadata, but avoid exposing admin, staging, backup or internal paths unnecessarily.
www.example-customer-16.com HTTP 80 robots.txt path hint
robots.txt references sensitive-looking path: /wp-admin/
Recommended action: Review whether this path should be publicly discoverable. robots.txt is public and should not be used to hide sensitive areas.
Evidence: /wp-admin/
www.example-customer-16.com HTTP 80 Login/admin surface
Login, admin, SSO, OAuth/SAML or password-reset surface hints were detected.
Recommended action: Verify that authentication surfaces are expected, protected by MFA/rate limiting where appropriate, and not unintentionally exposed through public links, robots.txt or sitemap data.
Evidence: robots.txt path hint: /wp-admin/
www.example-customer-16.com HTTPS 443 Public metadata exposure
robots.txt exposes admin/staging/private-looking path hints
Recommended action: Review public metadata files such as robots.txt, sitemap.xml, manifest.json, assetlinks.json and app association files. Keep useful public metadata, but avoid exposing admin, staging, backup or internal paths unnecessarily.
www.example-customer-16.com HTTPS 443 robots.txt path hint
robots.txt references sensitive-looking path: /wp-admin/
Recommended action: Review whether this path should be publicly discoverable. robots.txt is public and should not be used to hide sensitive areas.
Evidence: /wp-admin/
www.example-customer-16.com HTTPS 443 Login/admin surface
Login, admin, SSO, OAuth/SAML or password-reset surface hints were detected.
Recommended action: Verify that authentication surfaces are expected, protected by MFA/rate limiting where appropriate, and not unintentionally exposed through public links, robots.txt or sitemap data.
Evidence: robots.txt path hint: /wp-admin/

Informational / verify context (3)

blog.example-customer-10.com HTTPS 443 Responsible disclosure
security.txt was not found in the checked public locations.
Recommended action: Consider publishing /.well-known/security.txt with Contact, Expires, Policy and Encryption fields so researchers and users know where to report security issues.
Evidence: /.well-known/security.txt, /security.txt
www.example-customer-16.com HTTP 80 Responsible disclosure
security.txt was not found in the checked public locations.
Recommended action: Consider publishing /.well-known/security.txt with Contact, Expires, Policy and Encryption fields so researchers and users know where to report security issues.
Evidence: /.well-known/security.txt, /security.txt
www.example-customer-16.com HTTPS 443 Responsible disclosure
security.txt was not found in the checked public locations.
Recommended action: Consider publishing /.well-known/security.txt with Contact, Expires, Policy and Encryption fields so researchers and users know where to report security issues.
Evidence: /.well-known/security.txt, /security.txt

Summary & Next Review

Action Summary

  • Critical: 2 items - Fix within 24 hours
  • High: 1 item - Fix within 1 week
  • Medium: 13 items - Fix within 1 month
  • Advanced evidence: 18 review items - Verify during normal hardening review

Scheduled Reviews

Daily Check:
Monitor critical CVE patches
Weekly Review:
Monday, June 1
Full Re-scan:
June 25, 2026

⚠️ Important: Limitations of Automated Scanning

A perfect security score (100) does not mean your systems are fully protected. This automated scan detects common vulnerabilities but cannot identify all security risks. Results may contain false positives or miss certain vulnerabilities. Always verify findings manually and implement additional security measures.

⚡ Action Required: Treat this report as a starting point, not a complete security assessment. Engage security professionals for comprehensive penetration testing and security audits.

Emerging / Zero-Day Exposure Review

Important: this is not a claim that Scantide found an unknown zero-day. A true zero-day may not have a CVE or stable signature yet. This section highlights exposed products, management surfaces and uncertainty signals that become important when new vendor advisories or fast-moving attacks appear.

Exposure score
65/100
Level
REVIEW
High-value products
2
Admin surfaces
2
What this means: No zero-day was confirmed. The scan did find exposed technologies or surfaces that should be watched closely when new advisories are released.

Recommended action: Confirm patch levels, reduce exposed admin surfaces and subscribe to vendor advisories for the detected products.
Detected focus products:
WordPress F5 / BIG-IP
Evidence examples:
  • blog.example-customer-10.com: exposed or detected WordPress
  • www.example-customer-19.com: exposed or detected F5 / BIG-IP
  • 2 login/admin surface signal(s) detected in web evidence

Beyond This Scan: Critical Security Areas Not Covered

This automated scanner focuses on visible internet-facing evidence: infrastructure vulnerabilities, exposed services, certificates, headers, DNS/email signals, third-party web evidence and configuration issues. It is valuable for prioritization, but it is not a complete security audit. Many important risks require authenticated testing, internal visibility, code review, staff process review or specialist tools.

How to use this section: treat it as the management checklist for what the scan cannot fully prove. The scan may show symptoms, but these areas need people, process and deeper testing to confirm control maturity.

Identity & access

Review MFA, admin accounts, service accounts, password resets, stale users and privileged access. Public scans cannot see whether the right people have the right access.

Process & ownership

Every exposed system, supplier, DNS record and mail sender should have an owner, business reason and review date. Unknown ownership is a real risk even when the technology looks clean.

Application logic

Business-logic flaws, authorization bypasses, payment manipulation and workflow abuse usually require authenticated manual testing and cannot be proven by passive scanning alone.

Supplier dependency

Hosting, mail, analytics, CDN, CRM and support tools can create privacy, availability and legal exposure. Review contracts, data location, subprocessors and exit plans.

Internal network visibility

This report mainly shows what is visible from the internet. Use Scantide Auditor on local networks to find internal devices, forgotten servers, exposed services, weak banners, certificate issues and unmanaged assets that external scanning cannot see.

User browsing awareness

Use Scantide Observe for everyday browsing awareness. It helps users see website risk signals, privacy/tracking behavior, certificate trust, third-party services and compliance clues while they browse, turning security awareness into something visible and practical.

Application Layer Attacks

  • SQL Injection: Validate and sanitize all database inputs. Use parameterized queries/prepared statements.
  • Cross-Site Scripting (XSS): Sanitize user inputs and encode outputs. Implement Content Security Policy.
  • Input Validation: Validate all form inputs server-side. Never trust client-side validation alone.
  • Authentication Flaws: Implement MFA, secure password policies, and proper session management.

Infrastructure Attacks

  • DDoS Protection: Implement rate limiting, CDN with DDoS protection, and traffic filtering.
  • Brute Force Prevention: Add account lockout policies, CAPTCHA, and login attempt monitoring.
  • Path Traversal: Validate file paths, use chroot jails, and restrict directory access in web server config.
  • Server Misconfiguration: Disable directory listing, remove default pages, and restrict file permissions.

Advanced & Emerging Threats

  • 0-Day Vulnerabilities: These are unknown vulnerabilities that automated scanners cannot detect. Maintain a defense-in-depth strategy so that no single control is the only barrier.
  • Supply Chain Attacks: Audit third-party dependencies, use Software Composition Analysis (SCA) tools.
  • API Security: Implement proper authentication, rate limiting, and input validation for all APIs.
  • Social Engineering: Train staff on phishing, pretexting, and other manipulation tactics.

Data & Business Logic

  • Data Encryption: Encrypt sensitive data at rest and in transit. Use strong encryption algorithms (AES-256).
  • Access Control: Implement principle of least privilege. Review permissions regularly.
  • Business Logic Flaws: Test for race conditions, price manipulation, and workflow bypasses.
  • Backup Security: Encrypt backups, test restoration procedures, and store off-site securely.

Malware & Virus Protection

  • Endpoint Protection: Deploy enterprise-grade antivirus/anti-malware on all devices (servers, workstations, mobile). Consumer AV is insufficient for business.
  • Real-Time Scanning: Enable continuous monitoring and automatic updates. Malware signatures become outdated within hours.
  • Email Security: Implement email filtering and sandboxing. 94% of malware is delivered via email attachments or links.
  • Web Filtering: Block access to known malicious domains and prevent drive-by downloads from compromised websites.
  • EDR/XDR Solutions: Go beyond traditional AV with Endpoint/Extended Detection and Response for behavioral analysis and threat hunting.
  • Regular Scans: Schedule full system scans weekly. Don't rely solely on real-time protection.
⚠️ CRITICAL:

Antivirus is NOT optional. Even with perfect network security, one infected USB drive, malicious email attachment, or compromised website can introduce malware. Modern threats include trojans, keyloggers, spyware, cryptominers, and fileless malware that traditional scanners miss.

Asset Management & Rogue Infrastructure

  • Server Inventory: Maintain complete asset inventory of all servers (physical, virtual, cloud). Include IP addresses, purposes, owners, and last patched dates.
  • Forgotten Servers: Regularly scan your network for unknown or forgotten servers. These become prime targets - unpatched, unmonitored, and exploitable.
  • Shadow IT Detection: Identify unauthorized servers, cloud services, or applications deployed without IT approval. They bypass security controls.
  • Decommissioning Process: Properly shut down and remove old servers. Forgotten dev/test servers often remain accessible with default credentials.
  • Certificate Tracking: Monitor all SSL certificates across infrastructure. Expired certs on forgotten servers expose vulnerabilities.
  • Network Mapping: Quarterly network scans to discover all active devices. Compare against known asset inventory.
⚡ COMMON SCENARIO:

A developer spins up a test server and forgets about it after the project ends. The server runs outdated software with default passwords. Attackers find it and use it as an entry point to the internal network. This happens more often than you think.

Domain Monitoring & Brand Protection

  • Domain Portfolio Management: Track ALL domains your organization owns across all TLDs. Include expiration dates, registrars, and DNS providers.
  • Typosquatting Detection: Monitor for domains similar to yours (e.g., company-name.com vs companyname.com, c0mpany.com). Attackers use these for phishing.
  • TLD Variations: Register critical variations (.com, .net, .org, .co, country-specific) to prevent domain squatting and brand abuse.
  • Lookalike Domains: Watch for domains using similar words, different TLDs, or internationalized characters that visually mimic your brand.
  • Phishing Monitoring: Use services to detect phishing sites impersonating your brand. Report and take down quickly.
  • Auto-Renewal: Enable auto-renewal on all critical domains. Expired domains can be bought by cybercriminals or competitors.
  • DNS Security: Enable DNSSEC, registry lock, and two-factor authentication on domain registrar accounts.
🎯 REAL THREAT:

Attackers register domains like "yourcompany-secure.com" or "yourcompany-login.com" for phishing campaigns. Your customers receive emails from these lookalike domains and enter credentials. Monitor tools: DomainTools, DNSTwist, or manual searches.

Network Devices & Peripherals

  • Device Inventory: Document ALL network-connected devices: printers, scanners, IP cameras, HVAC controllers, door access systems, smart TVs, VoIP phones.
  • Firmware Updates: Regularly update firmware on routers, switches, access points, and peripherals. These often contain critical security patches.
  • Default Credentials: NEVER leave default usernames/passwords (admin/admin, admin/password). Change immediately on deployment.
  • Printer Security: Printers store documents, have web interfaces, and can be entry points. Update firmware, disable unnecessary services, use authentication.
  • IoT Devices: Security cameras, smart thermostats, and other IoT devices are frequent attack targets. Segment them from main network.
  • Network Segmentation: Place peripherals on separate VLANs isolated from critical business systems. Limit communication to necessary ports only.
  • Access Control: Restrict administrative access to network devices. Use strong passwords and disable remote management if not needed.
  • Monitoring & Logging: Enable logging on routers/switches. Monitor for unusual traffic patterns or unauthorized configuration changes.
🖨️ FORGOTTEN ATTACK VECTOR:

Network printers running outdated firmware are often exploited to access internal networks. One casino was breached through a connected fish tank thermometer. Old routers with unpatched vulnerabilities provide persistent backdoor access. These "insignificant" devices are prime targets because they're rarely monitored or updated.

Recommended Security Actions

1. Deploy Antivirus/EDR

Install enterprise endpoint protection on all devices. Consider EDR solutions like CrowdStrike, Microsoft Defender for Endpoint, or SentinelOne.

2. Implement DNS Filtering

Use secure DNS services: Quad9 (203.0.113.36), Cloudflare for Families (203.0.113.37), Cisco Umbrella, or CleanBrowsing to block malicious domains.

3. Manual Penetration Testing

Use professional penetration testing after major changes and on a regular risk-based schedule.

4. Code Security Review

Conduct static and dynamic application security testing (SAST/DAST).

5. Security Monitoring

Implement SIEM, IDS/IPS, and continuous security monitoring.

6. Incident Response Plan

Develop and regularly test your incident response and disaster recovery plans.

7. Security Training

Provide regular security awareness training for all employees.

8. Compliance Audits

Regular audits for GDPR, PCI-DSS, HIPAA, NIS2 or other applicable standards. Review vendors too: where they store/process data, who their subprocessors are, and whether "EU hosted" also means EU-controlled and contractually protected.

9. Scan Local Networks with Scantide Auditor

Run Scantide Auditor inside trusted networks to discover internal systems, printers, appliances, forgotten services, certificate problems, open ports and local exposure that an internet-facing scan cannot reach.

10. Use Scantide Observe for Browsing Awareness

Deploy Scantide Observe for general browsing so users can see website trust, privacy and third-party risk signals in context. This supports security awareness without relying only on annual training.

11. Monitor Emerging Threats

Track vendor advisories, CISA KEV-style known exploitation signals and fast-moving security news for exposed products. This is especially important for VPNs, gateways, CMS/admin portals, file-transfer tools and internet-facing management systems.

Scantide Follow-through: From Report to Daily Security Practice

This report gives a strong external view, but good security also needs internal visibility and user awareness. Use the wider Scantide toolset to cover what this scan cannot fully see by itself.

Scantide Auditor for local networks

Use Scantide Auditor from inside the network to identify unmanaged devices, exposed local services, open ports, certificate problems, printer/appliance exposure, old banners and systems that may never appear in an external internet scan.

Scantide Observe for user awareness

Use Scantide Observe during normal browsing to show users understandable website risk signals: HTTPS and certificate trust, security headers, trackers, third-party scripts, jurisdiction clues and privacy/compliance indicators. This makes awareness continuous instead of theoretical.

DNS Filtering Services for Malware & Phishing Protection:

DNS filtering blocks access to malicious domains before connections are made. Configure these at your router, firewall, or individual devices:

Quad9 FREE

203.0.113.36 - Blocks malware and phishing, privacy-focused, no logs

Cloudflare for Families FREE

203.0.113.37 - Blocks malware, with an optional adult-content filtering level

CleanBrowsing FREE

203.0.113.38 - Multiple filtering levels available

Cisco Umbrella PAID

Enterprise-grade with reporting and policy controls

OpenDNS Home FREE

203.0.113.39 - Customizable content filtering

NextDNS FREEMIUM

Customizable blocklists with analytics and logging

Implementation: Configure these DNS servers in your router/firewall for network-wide protection, or set them on individual devices. Many services offer deployment guides for various platforms.

Always Verify Results:

Automated scanners can produce false positives or miss vulnerabilities due to network conditions, security controls, or scanner limitations. Manually verify critical findings before taking action. When in doubt, consult with cybersecurity professionals.

🛡️ Ransomware Protection & Business Continuity

No security scan can prevent ransomware. Your survival depends on preparation.

⚠️ CRITICAL REALITY CHECK: Ransomware attacks are not "if" but "when." Even with perfect security scores, attackers find ways in through phishing, compromised credentials, or zero-day exploits. The only guaranteed defense is having tested, immutable backups and a solid recovery plan.

Immutable Backups

Your last line of defense. Without these, ransomware wins.

  • Immutable storage: Use write-once-read-many (WORM) or object lock features that prevent deletion or encryption for 30-90 days
  • Air-gapped backups: Keep offline copies disconnected from network that ransomware cannot reach
  • 3-2-1 Rule: 3 copies, 2 different media types, 1 off-site
  • Test monthly: Verify backup integrity and practice restoration procedures
  • Version retention: Keep multiple backup versions (14-30 days) in case ransomware sits dormant
🔴 WITHOUT IMMUTABLE BACKUPS:

Ransomware encrypts or deletes your backups before encrypting production systems. You have no recovery option except paying ransom (which often fails anyway).

Recovery Plans & Keys

Backups are useless without the ability to restore them.

  • Document everything: Step-by-step restoration procedures for each system. Don't rely on memory during crisis
  • Encryption key management: Store backup encryption keys in secure, separate location (password manager, HSM, or physical safe)
  • Access credentials: Maintain offline copies of all system passwords, API keys, and access credentials needed for restore
  • Recovery priorities: Define which systems to restore first (RTO/RPO for each service)
  • Quarterly testing: Practice full restore procedures. Time them. Find gaps before disaster strikes
🔶 COMMON FAILURE:

Organizations discover their backup encryption keys were stored on encrypted servers, or documentation was outdated. Result: Backups exist but are inaccessible.

Business Continuity

Keep business running during and after an attack.

  • Incident response plan: Pre-defined steps for detection, containment, eradication, and recovery
  • Communication plan: Who to notify (leadership, customers, authorities), when, and how
  • Alternative operations: Manual processes or backup systems to maintain critical services
  • Legal & insurance: Cyber insurance policy, legal counsel contacts, regulatory reporting requirements
  • Vendor contacts: List of security vendors, forensics teams, and crisis management firms
💡 BUSINESS IMPACT:

Average ransomware downtime: 21 days. Average cost including ransom, lost revenue, and recovery: $4.54M. Good planning reduces both dramatically.

Essential Ransomware Readiness Checklist

⏰ Don't wait until you're facing a ransom demand to prepare.
Test your backups and recovery plans TODAY.