Below are real excerpts from the same reporting engine we use on every engagement — not a mockup drawn up for the website. It's the output of assessment software we built in-house, so what you see here is what lands in your inbox: severity-ranked findings, compliance citations, a prioritized fix list, and clean data exports. Company name, hosts, and addresses are fictional; report structure and depth are not.
1 targetvpn.alderwood-mfg.example (203.0.113.10:443)collapsed above 15 matches per our clustering rule — full list in the JSON/CSV/SARIF export.
Port 3389 accepts connections from any source on the internet. RDP is a frequent target for credential-stuffing and ransomware-precursor activity.
The presented certificate expired before the assessment date, which breaks encrypted-transport trust and typically also breaks automated mail-client warnings for end users.
Responses omit HSTS and CSP headers, leaving visitors more exposed to protocol-downgrade and injection-style attacks than necessary.
Strict-Transport-Security and a scoped Content-Security-Policy at the web server or load balancer.TLS 1.0 and 1.1 remain enabled alongside 1.2/1.3. Both are deprecated and disallowed under current PCI DSS guidance.
Full reports also include a cover page, engagement scope and methodology, a complete compliance-coverage appendix, remediation-script attachments where applicable, and open-source tool attribution — trimmed here to keep this page a reasonable length.
We didn't stitch this together by pasting raw scanner output into a Word template. Every engagement runs through assessment platforms we built and maintain in-house, purpose-built to turn scan data into the report above.
Every finding is auto-tagged against PCI DSS 4.0 and CIS Controls v8 at scan time — not added after the fact by hand — so your report doubles as evidence for an audit conversation.
Detected service versions are checked against a locally-synced copy of the full NVD CVE/CPE dataset — millions of records, matched precisely by version range, with no live lookups during a scan that could leak your environment to a third party.
Findings are automatically ranked by severity and how many targets they affect, and near-duplicate CVE matches on the same asset are collapsed into one card — so a 4,000-finding scan reads like a punch list, not a phone book.
Beyond the PDF, every engagement exports to JSON, CSV, and SARIF — so findings can flow straight into a ticketing system or a CI pipeline instead of getting manually re-typed.
Request an assessment and we'll scope it with you before anything runs.