This is an anonymized, illustrative sample report. It shows how we translate technical findings into business risks.
| Domain reviewed | example-ltd.com |
| Review date | March 15, 2025 |
| Overall rating | Medium — action recommended |
| Findings | 2 Critical · 3 High · 4 Medium |
Business risk: Without DMARC, an attacker can send forged emails using your company name. Fake invoices, email fraud, CEO fraud — all with your domain as sender.
Recommendation: Add a DMARC record with p=none (monitoring), then gradually increase to p=quarantine. Your IT partner or hosting provider can implement this in minutes.
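To confirm which stage of this rollout a domain is actually at, the TXT records published at `_dmarc.<domain>` can be classified as in the following added example (not part of the original report). The function names, status labels and sample records, including the report mailbox, are constructed for illustration.

```python
# Added example: classify the TXT records found at _dmarc.<domain> against the
# staged rollout recommended above (p=none, then p=quarantine).

def parse_dmarc(txt):
    """Return a tag dict for a DMARC record, or None if txt is not one."""
    tags, order = {}, []
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        tags[key.strip().lower()] = value.strip()
        order.append(key.strip().lower())
    # RFC 7489: the record must start with v=DMARC1.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def assess(txt_records):
    """Map a list of TXT strings to a rollout status label (labels are hypothetical)."""
    records = [t for t in map(parse_dmarc, txt_records) if t]
    if not records:
        return "missing"                # no DMARC policy published
    if len(records) > 1:
        return "invalid"                # receivers skip DMARC if several exist
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        # Monitoring only helps if aggregate reports are sent somewhere.
        return "monitoring" if tags.get("rua") else "monitoring-no-reports"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    return policy if pct == 100 else policy + "-partial"

if __name__ == "__main__":
    # Constructed sample records for the report's placeholder domain.
    samples = [
        ["v=spf1 -all"],
        ["v=DMARC1; p=none"],
        ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example-ltd.com"],
        ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example-ltd.com"],
    ]
    for s in samples:
        print(assess(s), "<-", s)
```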
Business risk: A publicly reachable .env file may contain database credentials, API keys or mail credentials. This is an entry point for complete system takeover.
Recommendation: Remove the file from the webroot immediately. Add an .htaccess or nginx rule to block all dotfiles. Retest included.
Business risk: Missing CSP and X-Frame-Options headers make your site vulnerable to clickjacking and XSS. Browsers place less trust in your website.
Recommendation: Add a CSP header and X-Frame-Options: DENY via server configuration. Your web developer can implement this.
Positive: Your website correctly redirects HTTP to HTTPS. The SSL certificate is valid and cipher suites are modern. Customers see the lock icon — an important trust signal.