Security guides & remediation
Learn how to fix security findings and reduce your attack surface. All articles are based on real vulnerabilities SurfaceScan finds during automated scans.
Vulnerabilities
Cloud Storage Bucket Exposure: S3, GCS, and Azure Blob Misconfigurations
[critical] Misconfigured cloud storage buckets expose sensitive data to the internet. Learn how to detect publicly readable S3, GCS, and Azure Blob Storage containers and lock them down.
Exposed API Endpoints: How Unsecured APIs Become Your Biggest Attack Vector
[high] Exposed API endpoints without authentication or rate limiting are a top attack vector. Learn how to discover, audit, and secure your APIs before attackers do.
CORS Misconfiguration: How Overly Permissive Cross-Origin Policies Expose Your Users
[medium] CORS misconfigurations let malicious websites read responses from your APIs using a logged-in user's credentials. Learn how to detect insecure CORS headers and configure them correctly.
HTTP Security Headers: What They Are and How to Add Them
[medium] HTTP security headers like HSTS, CSP, X-Frame-Options, and X-Content-Type-Options protect your site from protocol downgrade, XSS, clickjacking, and MIME sniffing. Learn how to add them on Nginx and Apache.
Nginx Security Hardening Checklist: A Practical Configuration Guide
[medium] Harden your Nginx web server with this practical checklist. Covers version hiding, security headers, TLS configuration, rate limiting, and a complete example config.
Understanding Vulnerability Severity Levels: CVSS Scores Explained
[info] CVSS scores classify vulnerabilities as Critical, High, Medium, or Low. Learn what each level means, how to prioritise remediation, and recommended remediation SLAs per severity.
Network Security
Exposed Database Ports: A Critical Security Finding You Must Fix Now
[critical] Database ports like MySQL 3306, PostgreSQL 5432, MongoDB 27017, and Redis 6379 exposed to the internet are a critical risk. Learn how to detect and secure them.
RDP Security: Why Exposed RDP is the #1 Ransomware Entry Point
[critical] RDP on port 3389 exposed to the internet is the most common ransomware entry point. Learn why you must never expose RDP directly and what secure alternatives exist.
SMB Port 445 Security: WannaCry, EternalBlue, and Why It Must Never Be Exposed
[critical] SMB port 445 exposed to the internet is a critical security risk, exploited by WannaCry via EternalBlue. Learn how to check for exposure, close it, and disable SMBv1.
Telnet Exposure (Port 23): An Unencrypted Protocol That Should Not Exist on Your Network
[critical] Telnet transmits everything in plain text, including passwords. If port 23 is open on your network, it is a critical finding. Learn how to find and eliminate it.
How to Secure SSH Access: Keys, Fail2ban, and Network Restrictions
[high] SSH is a top target for attackers. Learn how to secure SSH with key-based authentication, fail2ban, firewall rules, and bastion hosts to prevent brute-force attacks.
SNMP Exposure: Why Public Community Strings Are a Critical Network Risk
[high] SNMP exposed to the internet with default community strings lets attackers map your network with a read-only string such as public, and reconfigure devices with a writable one such as private. Learn how to detect and lock down SNMP services.
What Shodan Reveals About Your Infrastructure -- and What Attackers See
[info] Shodan continuously scans the internet and indexes the devices and services it can reach. Learn what it exposes about your organisation, how attackers use it, and how to reduce your footprint.
Open Ports: Which Ones Are Dangerous and How to Close Them
[medium] Not all open ports are a problem, but some should never be exposed to the internet. Learn which ports are dangerous, why, and how to close them safely.
DNS
DNS Zone Transfer Vulnerability (AXFR): How Attackers Download Your Entire DNS
[high] An unrestricted DNS zone transfer lets anyone download every record in your zone. Learn how to test for AXFR exposure and restrict transfers on your name servers.
Subdomain Takeover: How Attackers Hijack Your Subdomains
[high] Subdomain takeover happens when a DNS record points to a deprovisioned service that an attacker can register for themselves. Learn how to detect dangling CNAMEs, prevent takeover, and protect your domains.
DNS Orphan Records: Find and Clean Up Abandoned DNS Entries
[medium] Orphan DNS records are subdomains pointing to servers or services that no longer exist. Learn how to find them, why they are a security risk, and how to clean them up safely.
Reverse DNS (PTR Records): Why Missing rDNS Hurts Email Deliverability and Security
[low] Missing or mismatched reverse DNS (PTR) records cause email rejection and weaken security auditing. Learn how to check and configure rDNS for your mail servers.
DNS TXT Records Explained: Why Security Depends on Them
[info] DNS TXT records carry SPF, DKIM, DMARC, and domain verification data. Learn what they are, how to inspect them, and the common mistakes that create security gaps.
Email Security
Email Spoofing Prevention: The Complete SPF, DKIM, and DMARC Guide
[high] Prevent email spoofing with SPF, DKIM, and DMARC working together. Step-by-step implementation guide for IT admins to protect their domain from impersonation.
MX Record Security: Misconfigured Mail Routing and Its Risks
[medium] Misconfigured MX records can route your email to the wrong server or let attackers intercept it. Learn how to check, fix, and secure your mail routing.
BIMI: Display Your Brand Logo in Email Inboxes and Prove Domain Authenticity
[info] BIMI lets your brand logo appear next to your emails in supporting inboxes. Learn how to set up BIMI, the DMARC enforcement prerequisite, and whether a Verified Mark Certificate (VMC) is needed.
DMARC Aggregate Reports: How to Read Them and What They Reveal
[info] DMARC aggregate reports show who sends email as your domain and whether it passes authentication. Learn how to read RUA reports and act on the data inside them.
How to Set Up DKIM for Your Domain
[high] DKIM adds a cryptographic signature to outgoing email so receiving servers can verify it was sent by your domain and not altered in transit. Step-by-step setup guide for common email providers.
SPF Records: What They Are and How to Fix Them
[high] SPF tells receiving mail servers which servers are allowed to send email for your domain. Learn softfail (~all) vs hardfail (-all) and fix common SPF mistakes.
DMARC Policy: From None to Quarantine to Reject
[medium] DMARC ties SPF and DKIM together. Learn the three policy levels (none, quarantine, reject) and how to implement DMARC safely without breaking email.
TLS / Certificates
TLS Certificate Chain Issues: Incomplete Chains, Wrong Intermediates, and How to Fix Them
[high] Incomplete TLS certificate chains cause trust errors in clients that do not fetch missing intermediates (command-line tools, mobile apps, and some browsers) while other browsers silently succeed. Learn how to diagnose chain problems and fix them on Nginx and Apache.
HSTS Preloading: Eliminate HTTP Completely and Prevent Downgrade Attacks
[medium] HSTS preloading tells browsers to always use HTTPS, even on the first visit. Learn how to configure HSTS, submit to the preload list, and avoid common pitfalls.
Weak TLS Cipher Suites: How to Fix and Harden Your HTTPS
[medium] Weak TLS cipher suites like RC4 and 3DES leave your HTTPS connections vulnerable. Learn how to identify weak ciphers and configure strong ones on Nginx and Apache.
Wildcard TLS Certificates: Convenience vs Security Trade-offs
[medium] Wildcard certificates cover every subdomain at one level, but a single compromised private key then affects all of those hosts. Learn when to use them, when to avoid them, and how to manage them safely.
Certificate Transparency Monitoring: Detect Rogue Certificates and Subdomain Leaks
[low] Certificate Transparency logs record every publicly trusted TLS certificate issued for your domain. Learn how attackers use them for recon and how you can monitor them for security.
DANE and TLSA Records: Pinning TLS Certificates in DNS for Stronger Email Security
[low] DANE publishes TLSA records in DNSSEC-signed DNS so a sending mail server can verify exactly which certificate or key your server must present, defeating mis-issued certificates and STARTTLS downgrade attacks. Learn how DANE works, why it requires DNSSEC, and when to deploy it.
TLS Certificate Expired: How to Fix and Prevent
[critical] An expired TLS certificate causes browser security warnings and breaks clients that validate certificates. Learn how to renew it quickly with Let's Encrypt or a commercial CA, and prevent it from happening again.
Compliance
What is Attack Surface Management? A Complete Introduction
[info] Attack surface management (ASM) helps organisations discover, monitor, and secure all internet-facing assets. Learn the ASM lifecycle and why continuous monitoring matters.
ISO 27001 Vulnerability Scanning Requirements: What Auditors Expect
[info] Learn which ISO 27001 controls require vulnerability scanning, what evidence auditors want to see, and how to build a compliant vulnerability management process.
NIS2 Compliance: Vulnerability Management and Attack Surface Monitoring
[info] The NIS2 directive requires organisations to manage cybersecurity risks, including vulnerability scanning. Learn who it applies to, what it requires, and how to comply.
SOC 2 and Continuous Monitoring: What Auditors Expect for External Security
[info] SOC 2 requires continuous monitoring and evidence of security controls. Learn which Trust Services Criteria map to external scanning and what auditors look for.