Skip to main content
EFROS

Resource · Sample Security Score report

What the free Security Score actually delivers.

Most "free scans" are sales funnels with a TLS check bolted on. Ours isn't. You get an executive summary, every finding documented with the underlying evidence, and a remediation list ranked by what to fix first. Here is the actual report we send back, anonymized.

Step 1

Enter your domain

One field. No password. No login. The scan starts inside your browser and queries only public data sources.

Step 2

Receive the report

A composed report lands in your inbox: executive summary, findings by severity, evidence, and the recommended next step per finding.

Step 3

Decide

Fix in-house, hand to your existing IT vendor, or book a 30-minute call to map findings to a service tier. No sales pressure either way.

What the scan actually checks.

Every check is a passive query against public records — DNS, certificate transparency logs, mail-authentication TXT records, HTTP response headers, published reputation feeds. We never log into anything you own and we never run intrusive tests.

DNS & domain hygiene

  • DNSSEC enabled
  • WHOIS / registrar lock
  • Authoritative nameserver health
  • Suspicious lookalike domains in our typosquat watchlist

Email authentication

  • SPF (presence, syntax, ~all/-all hardness)
  • DKIM (signing on the primary mail vendor)
  • DMARC (policy, alignment, percent rollout, reporting URIs)
  • BIMI + MTA-STS + TLS-RPT support

Web TLS / certificate hygiene

  • Certificate validity, chain, OCSP / stapling
  • Supported TLS versions (TLS 1.2 + 1.3 only)
  • Cipher suite hardness
  • HSTS + preload status

HTTP security headers

  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Frame-Options / frame-ancestors
  • Referrer-Policy, Permissions-Policy, X-Content-Type-Options

Cookie posture

  • Secure flag
  • HttpOnly flag
  • SameSite attribute
  • Cross-site request behaviour

Surface enumeration

  • Subdomain discovery (passive sources only)
  • Certificate-transparency cross-reference
  • Open ports on canonical hosts
  • Common admin endpoints exposed to the public internet

Reputation

  • Domain on public threat intelligence blocklists
  • IP-range reputation
  • Known phishing campaigns referencing the domain
  • Open-source breach corpora hits

Sample findings from a real scan.

These four findings are representative — anonymized from a real mid-market engagement. Every finding in the live report includes the underlying evidence (DNS record, header value, certificate fingerprint) so your team can verify.

CRITICAL

DMARC policy is `p=none`

Your domain advertises DMARC monitoring but does not reject failures. External attackers can spoof your domain in phishing attacks against your customers and partners. Recommended next action: move to `p=quarantine` after a 30-day reporting window, then to `p=reject`.

HIGH

Web TLS allows TLS 1.0 / 1.1

Legacy TLS versions are deprecated and break PCI-DSS / SOC 2 evidence. Recommended next action: update server / CDN configuration to TLS 1.2 minimum, ideally TLS 1.3. PCI-DSS requires this; most cyber-insurance questionnaires now ask for it.

MEDIUM

Missing Content-Security-Policy header

Your primary domain serves no CSP header. This means in-page script-injection attacks have no browser-level mitigation. Recommended next action: add a `Content-Security-Policy` header in report-only mode, observe for two weeks, then enforce.

LOW

Subdomain enumeration found 14 candidates

Public certificate transparency logs reveal 14 hostnames under your domain. None are flagged as actively vulnerable in this scan, but a quarterly review of which subdomains are still in service is recommended.

What the scan does NOT do.

  • No password required. No login required. No agent installed.
  • No internal network access. No inbound connections to your environment.
  • No active or intrusive testing. No exploitation of any vulnerability.
  • No persistent tracking. We do not enroll the scanned domain in any drip campaign.
  • Read-only external public-data checks only.
Scan my domain

Free · 60 seconds · Read-only public DNS, mail, and TLS data. We never touch your network.

Related work

Free Security Scan

Run the actual scan on your domain. 60 seconds, no signup, graded report.

Open

DMARC Rollout Guide

When the scan flags email auth gaps — the step-by-step rollout to p=reject.

Open

Microsoft 365 Checklist

Tenant hardening list addressing the identity and email findings most scans surface.

Open

Full Cybersecurity Assessment

When the free scan surfaces enough red to warrant a real engagement.

Open

MDR — 24/7 SOC

External posture is only half the story — what monitoring covers everything else.

Open

Book the Free Assessment

Talk to a senior engineer about what the scan found and what to fix first.

Open

Related EFROS resources

From sample report to your security program

Free Security Scan

Run a passive scan against your own domain in 60 seconds.

Open

EFROS Security service catalog

Managed services that operationalize findings from the report.

Open

MDR — detection layer

24/7 SOC for organizations whose scan reveals coverage gaps.

Open

vCISO — strategic ownership

Named operator who owns remediation of scan findings.

Open

Cyber insurance prep

Use scan findings as the renewal evidence pack.

Open

Discuss your scan

Book a 20-minute call to walk through findings together.

Open
MCP · agent ready