Demo report — Findings and data below are fictional. They illustrate what a real VeilScan report contains.
Scan complete

Security report — acmecorp.com

Scanned 3 June 2026 · 50-node pipeline · Duration: 1h 47m · Subdomains discovered: 23
This scan found 2 critical issues that need immediate attention, including a verified attack path — a chain of real vulnerabilities an attacker could follow from the public internet to a damaging outcome. 3 high severity issues should also be addressed within 7 days.
Business risk score: 7.2/10 (↑ High risk)

Critical: 2 · Fix within 24h
High: 3 · Fix within 7 days
Medium: 2 · Fix within 30 days
Low: 1 · Review in cycle
Total: 8 across all severities
Attack path — verified chain

Step 1 · Critical · SQL Injection · api.acmecorp.com
Step 2 · Critical · Exposed .env file · app.acmecorp.com
Step 3 · High · Admin panel access · admin.acmecorp.com
What this means

An attacker exploits the SQL injection on the user search endpoint to dump the users table, including the admin account's email address, password hash and session token. The exposed .env file on the app subdomain independently yields the admin panel password in plaintext, so no hash cracking is needed. With those credentials the attacker logs into the admin panel as a legitimate administrator; no further control stands between a valid password and full control over customer data and application configuration.

Business consequence: the full customer database is exposed and unauthorised admin access is confirmed. Under GDPR this is a personal data breach: Article 33 notification to the supervisory authority is required within 72 hours of becoming aware of it, and Article 83 administrative fines are in scope.

Actionable findings
8 issues to review
SQL Injection — User Search Endpoint
api.acmecorp.com/users/search
Critical · ✓ Confirmed exploit · web_vulnerability
BIS 9.1

The q parameter on the user search endpoint is injectable; error-based and boolean-blind extraction were both confirmed. The endpoint requires no authentication, so an anonymous attacker can dump the full users table, including email addresses, password hashes and session tokens.

Reproduction
curl -s -i -G "https://api.acmecorp.com/users/search" --data-urlencode "q=' OR '1'='1'--"
HTTP/2 200
Content-Type: application/json

{"users":[{"id":1,"email":"admin@acmecorp.com","role":"admin","created_at":"2024-01-12"},{"id":2,"email":"ceo@acmecorp.com","role":"owner"...
Remediation
Use parameterised queries or prepared statements for every database operation; that is the fix. Input validation and a WAF rule blocking common SQLi patterns are defence in depth only and must not be relied on. Because password hashes and session tokens were extractable, rotate all database credentials, invalidate every active session and force a password reset for affected users. Review access logs for prior exploitation, in particular requests to /users/search with quotes or SQL keywords in q.
ISO 27001 A.14.2.5 · GDPR Art. 32 · PCI DSS 6.3.3 · SOC 2 CC6.1
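The root cause of this finding and its fix side by side, as an added example that is not acmecorp's code or part of the VeilScan report: a search handler that splices q into the SQL text, next to the parameterised version the remediation calls for. It uses Python with an in-memory SQLite users table holding constructed sample rows (the real stack is unknown), and runs the report's own payload against both handlers.

```python
"""Vulnerable vs parameterised user search (added example, not acmecorp's code).

The SQLite table and its rows are constructed sample data standing in for the
production 'users' table described in the finding.
"""
import sqlite3

# The payload from the reproduction step above.
PAYLOAD = "' OR '1'='1'--"


def make_db():
    """Build the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT, "
        "password_hash TEXT, session_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, role, password_hash, session_token) VALUES (?, ?, ?, ?)",
        [
            ("admin@acmecorp.com", "admin", "$2b$12$hash1", "sess-admin"),
            ("ceo@acmecorp.com", "owner", "$2b$12$hash2", "sess-ceo"),
            ("alice@acmecorp.com", "user", "$2b$12$hash3", "sess-alice"),
        ],
    )
    return conn


def search_vulnerable(conn, q):
    """The pattern behind the finding: q is concatenated into the SQL text.

    With PAYLOAD the statement becomes
      ... WHERE email LIKE '%' OR '1'='1'--%'
    The OR makes the predicate unconditionally true and -- comments out the
    trailing quote, so every row comes back whatever q was meant to be.
    """
    sql = "SELECT id, email, role FROM users WHERE email LIKE '%" + q + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, q):
    """Same query with a bound parameter: q is data, never SQL, so the
    payload is searched for literally and matches nothing."""
    sql = "SELECT id, email, role FROM users WHERE email LIKE ?"
    return conn.execute(sql, ("%" + q + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", search_vulnerable(db, PAYLOAD))  # all three rows
    print("fixed, payload     :", search_fixed(db, PAYLOAD))       # []
    print("fixed, 'admin'     :", search_fixed(db, "admin"))       # the admin row only
```

The parameterised version still lets a caller pass LIKE wildcards (% and _) in q; that is a search feature rather than injection, but escape them if exact matching matters.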
Exposed .env file with live credentials
app.acmecorp.com/.env
Critical · ✓ Confirmed exploit · sensitive_file
BIS 9.4

The application's .env file is publicly accessible with no authentication. It contains live Stripe secret keys, a database connection string with credentials, and an admin panel password. Any unauthenticated visitor can retrieve this file.

Reproduction
curl -s -i "https://app.acmecorp.com/.env"
HTTP/2 200
Content-Type: text/plain

APP_ENV=production
STRIPE_SECRET_KEY=sk_live_4xKqR...
DATABASE_URL=postgres://admin:P@ssw0rd123@db.acmecorp.com/prod
ADMIN_PASSWORD=Acme2024!
REDIS_URL=redis://cache.acmecorp.com:6379
Remediation
Block access to dotfiles at the web server level immediately (nginx: location ~ /\. { deny all; } covers .env together with .git, .htpasswd and similar; location ~ /\.env { deny all; } is the minimum). That is a stop-gap: the .env file should not sit inside the document root at all, and production secrets belong in the platform's secret store or injected environment, not in a file the web server can serve. Rotate every exposed credential: the Stripe live key, the database password and the admin password. Audit access logs for earlier requests to /.env to determine whether the file was already retrieved, then re-run the reproduction command; with the deny rule in place it should return 403.
ISO 27001 A.12.6.1 · GDPR Art. 32 · PCI DSS 6.4.1 · Cyber Essentials: Secure Config
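How a scanner should confirm this finding rather than trust an HTTP 200, as an added example that is not VeilScan's code: many sites answer 200 with an HTML page for any path (single-page-app fallback routes), so the body has to parse as dotenv KEY=VALUE lines and contain values that look like live secrets before it counts as an exposure. The sample body is the fictional response above, copied in as constructed test input; the secret heuristics (key names, known key prefixes, connection strings carrying a password) are this example's own.

```python
"""Validate a suspected /.env exposure from the HTTP response (added example, not VeilScan's code).

A 200 status alone proves nothing: catch-all routes return 200 for any path.
This parses the body as dotenv KEY=VALUE lines and flags values that look like
live secrets. The heuristics are this example's own.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the fictional response body from the reproduction above.
SAMPLE_ENV_BODY = """APP_ENV=production
STRIPE_SECRET_KEY=sk_live_4xKqR...
DATABASE_URL=postgres://admin:P@ssw0rd123@db.acmecorp.com/prod
ADMIN_PASSWORD=Acme2024!
REDIS_URL=redis://cache.acmecorp.com:6379
"""
# Constructed sample: what a single-page-app fallback route returns for /.env.
SAMPLE_SPA_BODY = "<!doctype html><html><head><title>Acme</title></head><body></body></html>"

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# Prefixes of well-known credential formats (Stripe live/test keys, AWS access key IDs).
KNOWN_PREFIXES = ("sk_live_", "sk_test_", "AKIA")


def parse_env(body):
    """Parse dotenv text into a dict; comments, blank and malformed lines are skipped."""
    env = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # strip matching quotes
        env[key] = value
    return env


def url_has_credentials(value):
    """True for scheme://user:password@host style connection strings."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return bool(parts.scheme) and parts.password is not None


def redact(value):
    """Keep a short prefix so the report is useful without repeating the secret."""
    return value[:6] + "..." if len(value) > 6 else "..."


def classify_env_response(status, content_type, body):
    """Decide whether (status, content_type, body) for GET /.env is a real exposure.

    Returns {"exposed": bool, "reason": str, "secrets": [(key, redacted_value), ...]}.
    """
    result = {"exposed": False, "reason": "", "secrets": []}
    if status != 200:
        result["reason"] = f"HTTP {status}: file not served"
        return result
    if "html" in content_type.lower() or body.lstrip().lower().startswith(("<!doctype", "<html")):
        result["reason"] = "HTML body: catch-all or SPA fallback, not the file"
        return result
    env = parse_env(body)
    if not env:
        result["reason"] = "no KEY=VALUE lines parsed"
        return result
    for key, value in env.items():
        if not value:
            continue
        if SECRET_NAME.search(key) or value.startswith(KNOWN_PREFIXES) or url_has_credentials(value):
            result["secrets"].append((key, redact(value)))
    result["exposed"] = bool(result["secrets"])
    result["reason"] = (
        f"{len(env)} variables parsed, {len(result['secrets'])} hold live-looking secrets"
        if result["exposed"] else f"{len(env)} variables parsed, none look like secrets"
    )
    return result


if __name__ == "__main__":
    print(classify_env_response(200, "text/plain", SAMPLE_ENV_BODY))
    print(classify_env_response(200, "text/html; charset=utf-8", SAMPLE_SPA_BODY))
    print(classify_env_response(404, "text/plain", ""))
```

REDIS_URL is deliberately not flagged: it carries no password and its name is not secret-like, which is the difference between "a config file is reachable" and "live credentials are exposed".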
TLS 1.0 still enabled
api.acmecorp.com:443
High · ✓ Confirmed misconfiguration · ssl
BIS 6.2

TLS 1.0 is still enabled on the API server. RFC 8996 (2021) formally deprecated TLS 1.0 and 1.1: TLS 1.0's CBC cipher suites are exposed to attacks such as BEAST, and its handshake still depends on MD5 and SHA-1. An attacker on the network path can push a client that also still accepts TLS 1.0 down to it and then work on the weaker session to read or tamper with traffic. Clients that already refuse TLS 1.0 are unaffected; the exposure is to legacy clients and integrations the server operator does not control.

Reproduction
openssl s_client -connect api.acmecorp.com:443 -tls1 </dev/null
CONNECTED(00000003)
Protocol  : TLSv1
Cipher    : AES128-SHA
Server certificate: *.acmecorp.com
Verify return code: 0 (ok)
Remediation
Disable TLS 1.0 and 1.1 in the web server configuration and allow only TLS 1.2 and 1.3. For nginx: ssl_protocols TLSv1.2 TLSv1.3; then reload and re-run the reproduction command, which should now fail with a protocol-version handshake alert. (An OpenSSL 3 client refuses -tls1 itself at its default security level and prints "no protocols available"; test from an older build or add -cipher 'DEFAULT:@SECLEVEL=0'.) Check that any load balancer or CDN in front of the API, not only the origin, applies the same minimum version.
ISO 27001 A.18.1.3 · PCI DSS 4.2.1 · Cyber Essentials: Secure Config
Missing DMARC record
acmecorp.com
Medium · Validated · email
BIS 4.3

No DMARC record is published for acmecorp.com. DMARC is what tells receiving mail servers how to treat messages that fail SPF and DKIM alignment with the visible From: domain; without it a receiver has no policy to apply, and mail spoofing @acmecorp.com addresses is usually delivered. This enables phishing that impersonates your brand to customers, suppliers and employees, and you receive no reports about who is sending as your domain.

Reproduction
dig TXT _dmarc.acmecorp.com +short
(no record returned)
Remediation
Publish a DMARC TXT record at _dmarc.acmecorp.com. Start in monitoring mode: v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com. Collect aggregate reports for a few weeks, make sure every legitimate sender (mail platform, CRM, ticketing, marketing tools) passes SPF or DKIM with an aligned domain, then tighten to p=quarantine and finally p=reject. Set an explicit sp= policy so subdomains are covered too. DMARC builds on SPF and DKIM; if those are not in place for acmecorp.com, set them up first.
ISO 27001 A.13.2.3 · GDPR Art. 32 · Cyber Essentials: Email
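What a receiver does with the _dmarc answer, and how to grade each stage of the rollout above, as an added example that is not VeilScan's code: the input is the list of TXT strings dig returns (an empty list is the "no record returned" case), and the grading follows the record discovery and tag rules of RFC 7489. Every record here is a constructed test input for the report's fictional domain.

```python
"""Grade a domain's DMARC record the way a receiver reads it (added example, not VeilScan's code).

Input is the list of TXT strings returned for _dmarc.<domain>, i.e. what the
dig command above prints; an empty list is the 'no record returned' case.
Record discovery and tag syntax follow RFC 7489. All records are constructed.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict, or return None if the record
    is not well-formed DMARC (v=DMARC1, a p= tag, known policy names)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    if tags.get("sp", "none").lower() not in VALID_POLICIES:
        return None
    return tags


def evaluate_dmarc(txt_records):
    """Return (grade, detail) for the TXT answer at _dmarc.<domain>.

    grade is one of:
      missing   - no DMARC record: receivers apply no policy to failing mail
      invalid   - unparseable, or more than one record: receivers ignore it
      monitor   - p=none: reports flow, spoofed mail is still delivered
      partial   - enforcement with gaps: pct<100 or subdomains left at none
      enforcing - quarantine or reject applied to all failing mail
    """
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return ("missing", "no DMARC record; publish p=none with a rua= address first")
    if len(candidates) > 1:
        return ("invalid", "more than one DMARC record; receivers discard them all")
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return ("invalid", "record does not parse as DMARC; receivers ignore it")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return ("invalid", "pct= is not a number")
    if not 0 <= pct <= 100:
        return ("invalid", "pct= must be between 0 and 100")
    policy = tags["p"].lower()
    subpolicy = tags.get("sp", policy).lower()
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports reach you")
    if policy == "none":
        return ("monitor", "; ".join(["p=none only collects reports, spoofed mail is delivered"] + notes))
    gaps = []
    if pct < 100:
        gaps.append(f"pct={pct}: only {pct}% of failing mail gets {policy}")
    if subpolicy == "none":
        gaps.append("sp=none leaves subdomains unprotected")
    if gaps:
        return ("partial", "; ".join(gaps + notes))
    return ("enforcing", "; ".join([f"p={policy} applies to all failing mail"] + notes))


# Constructed answers for the report's fictional domain at each rollout stage.
CONSTRUCTED_ANSWERS = {
    "acmecorp.com (as scanned)": [],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com"],
    "rolling out": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@acmecorp.com"],
    "target": ["v=DMARC1; p=reject; rua=mailto:dmarc@acmecorp.com"],
    "duplicate records": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for label, answer in CONSTRUCTED_ANSWERS.items():
        grade, detail = evaluate_dmarc(answer)
        print(f"{label:28} {grade:10} {detail}")
```

The duplicate-records case is worth remembering during the rollout: adding a second TXT record at _dmarc instead of editing the first one silently drops the domain back to no policy.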
4 further findings (2 High · 1 Medium · 1 Low) are not shown in this demo, bringing the totals to 2 Critical, 3 High, 2 Medium and 1 Low. The full report PDF includes all findings with proof, remediation steps and CVSS scores.
Compliance framework mapping
ISO 27001 · GDPR · SOC 2 · PCI DSS · Cyber Essentials

ISO 27001 Annex A (2013 control numbering; the 2022 edition renumbers these controls): A.12.6.1 · A.14.2.5 · A.18.1.3 · A.13.2.3
GDPR: Art. 32 · Art. 33 · Art. 83
SOC 2 Type II: CC6.1 · CC7.1 · CC8.1
PCI DSS v4.0: 4.2.1 · 6.3.3 · 6.4.1
Cyber Essentials: Patch Management · Secure Config · Access Control

Each finding is mapped automatically. The full PDF report includes a compliance evidence pack suitable for direct submission to auditors.

Scan your domain — first report in under two hours

Free plan includes one domain and one lifetime scan. No credit card required. Paid plans add continuous monitoring, attack paths, and PDF reports.

No credit card required · Setup in 2 minutes · Data stays in London (eu-west-2)