External security
assessment sample
1. Scope & methodology
Every assessment starts by agreeing what is in scope and confirming written authorisation for it. For this sample, the scope is the organisation's public-facing footprint only.
In-scope resources
| Resource | What was examined |
|---|---|
| Primary domain | musterfirma-example.ch, DNS records, mail configuration |
| Subdomains | Public subdomains discovered via passive enumeration |
| Web server | HTTP(S) responses, security headers, TLS configuration |
| Mail service | SPF, DKIM and DMARC policy records |
| Exposed services | Internet-reachable ports and service banners |
| Public data | Breach databases, code repositories, indexed documents |
Approach
The assessment follows a standard external-reconnaissance sequence, each step feeding the next:
- Reconnaissance, map the public footprint: domains, subdomains, IP ranges, published contacts.
- Service identification, determine which services are internet-reachable and their versions from banners.
- Configuration review, check DNS, TLS and email-authentication records against current best practice.
- Exposure analysis, look for forgotten hosts, leaked data and unnecessary attack surface.
- Reporting, rate each finding by severity and translate it into a concrete, prioritised action.
All steps here are passive and non-intrusive: only publicly observable information is used. No exploitation, no password guessing and no load is placed on any system.
2. Executive summary
The external footprint of Musterfirma AG was assessed on the domain musterfirma-example.ch and its public services. Overall posture is reasonable but improvable: the website and certificates are well maintained, while email protection and one legacy subdomain need attention. None of the findings indicates an active compromise, they are doors that should be closed before someone tries them.
3. Findings summary
| Area | What it means for the business | Result |
|---|---|---|
| DNS configuration | Whether your domain records can be abused or leak internal details | OK · 1 note |
| TLS / certificates | Whether connections to your site are properly encrypted | OK |
| Email security | Whether criminals can send email that looks like it comes from you | Action needed |
| Exposed services | What ports and services are reachable from the internet | 2 findings |
| Subdomains | Forgotten systems still online under your name | 1 finding |
| Public data footprint | Company data visible in breaches, code repos or documents | Minor |
4. Findings in detail
Domain can be spoofed, DMARC not enforced
p=none and DKIM is not configured for the main mail stream. In practice: anyone can send email that appears to come from @musterfirma-example.ch, and receiving servers are told to deliver it anyway.p=quarantine and finally p=reject after a 2–4 week monitoring period. Effort: ~2 hours plus monitoring. No user impact when staged correctly.Remote management interface reachable from the internet
Forgotten legacy subdomain still online
alt.musterfirma-example.ch serves an old website copy on outdated server software, with a TLS certificate that expired five months ago.Staff email addresses in old data breaches
DNS record reveals internal hostname scheme
5. Prioritised action plan
| # | Action | Fixes | Effort | Urgency |
|---|---|---|---|---|
| 1 | Enable DKIM, stage DMARC to enforcement | F-01 | ~2 h + monitoring | This month |
| 2 | Restrict firewall management to VPN, add MFA, update firmware | F-02 | ~2 h | This month |
| 3 | Decommission legacy subdomain | F-03 | ~1 h | This quarter |
| 4 | Password rotation check + MFA verification for breached accounts | F-04 | ~1 h | This quarter |
| 5 | Clean up revealing DNS record | F-05 | Minutes | Convenient |
6. Boundaries & authorisation
The assessment uses passive and non-intrusive techniques only: public DNS and certificate data, standard service identification, and open breach databases. No exploitation, no password guessing, no load is placed on any system. Checks are only ever performed with the domain owner's written authorisation, and this report is delivered confidentially to the owner alone.