VefaSec

VS-PRF-2026-0519-security-assessment.pdf


VefaSec sample report

What exactly does the customer receive?

This sample lets you review the delivery format before payment. Live reports use the same structure for risk level, validated findings, evidence, remediation guidance and the first 30-day action plan.

01 · Risk summary
Critical/high/medium/low distribution and the overall security score are visible at a glance.

02 · Evidence-led finding
Each finding includes impact, evidence, CVSS, affected area and recommended action.

03 · Priority plan
Items are grouped into the first 48 hours, 14 days and 30 days.

04 · Panel delivery
The report link stays in the client panel with time-limited access; email is used only for notification.

VefaSec Security Command

CONFIDENTIAL - CUSTOMER COPY

Website Security Assessment Report

Professional assessment

No critical issue was found. Email security, browser-side protections and session hardening should be improved in the short term.

Prepared for: Example Site Inc.
Assessed website: example-site.com
Prepared by: VefaSec Security Command
Delivery date: May 19, 2026
Report code: VS-PRF-2026-0519
Access window: 30 days

Overall security score: 82 / 100 (Improvement needed)


Executive summary

No immediately exploitable critical issue was identified on the sample target. Still, short-term risks were found around brand impersonation, browser-side protection and session hardening.

What the customer receives

Executive summary: business-friendly risk picture, impact and priority order for non-technical decision makers.
Technical finding register: affected area, CVSS, evidence, impact and actionable remediation guidance for each finding.
Closure tracking: reviewed, action planned and closed states tracked from the client panel.

Severity  Count  Handling
Critical  0      No immediate closure item
High      2      Close within 7-14 days
Medium    4      Track as planned improvements
Low       3      Hardening and hygiene items

Scope and authorization

Primary scope: web application, redirects, TLS, HTTP security headers, DNS and email records
Authorized work: assessment is performed only on targets with verified ownership
Risky checks: the Professional package includes limited attack simulation with explicit customer approval
Out of scope: third-party services, unapproved subdomains and social engineering are excluded

Methodology

  1. Passive discovery and safe automated scanning
  2. Manual validation of outputs from 30+ tools
  3. Prioritization aligned with OWASP WSTG, OWASP ASVS and CVSS 4.0
  4. False-positive cleanup and impact-focused interpretation
  5. Panel-based report delivery and action tracking

Revision history

Version  Change                   Date
1.0      Initial delivery         May 19, 2026
1.1      Customer notes attached  Pending

Prioritized risk register

ID     Finding                                           Severity  CVSS  Owner                      Due      Status
VS-01  Content-Security-Policy is not enforced           High      8.1   Frontend / infrastructure  7 days   Action required
VS-02  DMARC policy remains in monitoring mode           High      7.4   DNS / mail                 14 days  Planned
VS-03  HSTS duration is low for enterprise hardening     Medium    5.9   Infrastructure             30 days  Under review
VS-04  Session cookie lacks explicit SameSite hardening  Medium    5.3   Backend                    30 days  Action required

Table of contents

1  Executive summary                      03
2  Scope and authorization                06
3  Prioritized risk register              09
4  Validated findings                     12
5  Evidence appendix and delivery notes   28

CONFIDENTIAL - CUSTOMER COPY

This sample masks real customer names, IPs, tokens, user data and sensitive system output. Live reports use the same format and are delivered with time-limited client panel access.


VS-01 · CVSS 8.1

Finding detail: Content-Security-Policy is not enforced

Affected area: Main website
Owner area: Frontend / infrastructure
Status: Action required
Due: 7 days

CVSS v4.0 vector

AV:N/AC:L/AT:N/PR:N/UI:R/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Impact

Without an enforced CSP the browser places no restriction on where scripts, frames and plugins may load from, so an XSS bug or a compromised third-party script runs with full page privileges. CSP is a defense-in-depth layer: it limits the blast radius of an injection rather than fixing the injection itself.

Evidence

No CSP header was observed. Script sources, frame behavior and object-src policy are not constrained.

Recommended action

Deploy the policy first as Content-Security-Policy-Report-Only with a reporting endpoint, fix the violations it surfaces, then switch the same policy to Content-Security-Policy with script-src (nonce- or hash-based rather than 'unsafe-inline'), object-src 'none' and frame-ancestors set.

Masked response sample

HTTP/2 200
server: masked
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
content-security-policy: <not present>
set-cookie: session=<masked>; Secure; HttpOnly
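The script below is an added example for this page, not VefaSec tooling. It reproduces the three header checks behind VS-01, VS-03 and VS-04 against the masked response above and builds the header set that the two-stage rollout (Report-Only, then enforced) aims at. The one-year HSTS threshold, the csp-report endpoint URL, the nonce placeholder and the SameSite=Lax choice are assumptions and do not come from the report.

```python
"""Header audit for findings VS-01, VS-03 and VS-04.

Added example for this page; it is not VefaSec tooling. SAMPLE_RESPONSE is
the masked response shown in the finding. The one-year HSTS threshold, the
report endpoint URL, the nonce placeholder and SameSite=Lax are assumptions.
"""
import re

# Constructed input: the masked response sample from this page. The report
# writes "<not present>" for an absent header, so that value counts as absent.
SAMPLE_RESPONSE = """HTTP/2 200
server: masked
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
content-security-policy: <not present>
set-cookie: session=<masked>; Secure; HttpOnly
"""

HSTS_MIN_AGE = 31536000  # one year; assumed threshold for a "low" HSTS duration


def parse_headers(raw: str) -> dict:
    """Map lowercase header name -> list of values (Set-Cookie may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        value = value.strip()
        if value == "<not present>":           # masked-report placeholder
            continue
        headers.setdefault(name.strip().lower(), []).append(value)
    return headers


def cookie_attrs(cookie: str) -> dict:
    """'name=value; Secure; SameSite=Lax' -> {'secure': '', 'samesite': 'Lax'}."""
    attrs = {}
    for part in cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return attrs


def audit(raw: str) -> list:
    """Return (finding id, message) pairs for the checks this report uses."""
    headers = parse_headers(raw)
    findings = []

    # VS-01: a Report-Only policy gives telemetry, not protection.
    csp = headers.get("content-security-policy")
    if not csp:
        if headers.get("content-security-policy-report-only"):
            findings.append(("VS-01", "CSP is Report-Only; nothing is enforced"))
        else:
            findings.append(("VS-01", "Content-Security-Policy header missing"))
    else:
        policy = csp[0]
        # script-src and object-src fall back to default-src; frame-ancestors does not.
        fallback = {"script-src": "default-src", "object-src": "default-src"}
        for directive in ("script-src", "object-src", "frame-ancestors"):
            fb = fallback.get(directive)
            if directive not in policy and not (fb and fb in policy):
                findings.append(("VS-01", f"CSP does not constrain {directive}"))
        if "'unsafe-inline'" in policy and "'nonce-" not in policy and "'sha256-" not in policy:
            findings.append(("VS-01", "policy allows 'unsafe-inline' without a nonce or hash"))

    # VS-03: HSTS max-age below one year (the sample's 2592000 s is 30 days).
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append(("VS-03", "Strict-Transport-Security header missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts[0])
        age = int(match.group(1)) if match else 0
        if age < HSTS_MIN_AGE:
            findings.append(("VS-03", f"HSTS max-age={age} is below {HSTS_MIN_AGE}"))

    # VS-04: every cookie set here needs Secure, HttpOnly and an explicit SameSite.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie_attrs(cookie)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(("VS-04", f"cookie {name!r} lacks {', '.join(missing)}"))
    return findings


def recommended_headers(stage: str) -> list:
    """Header set for the two rollout stages: 'report-only', then 'enforce'.
    Endpoint URL, nonce placeholder and SameSite=Lax are assumptions."""
    policy = ("default-src 'self'; script-src 'self' 'nonce-<per-request>'; "
              "object-src 'none'; frame-ancestors 'none'; base-uri 'self'; "
              "report-to csp-endpoint")
    csp_name = ("Content-Security-Policy-Report-Only" if stage == "report-only"
                else "Content-Security-Policy")
    return [
        'Reporting-Endpoints: csp-endpoint="https://example-site.com/csp-report"',
        f"{csp_name}: {policy}",
        f"Strict-Transport-Security: max-age={HSTS_MIN_AGE}; includeSubDomains",
        "Set-Cookie: session=<masked>; Secure; HttpOnly; SameSite=Lax; Path=/",
    ]
```

Running audit() on the masked sample yields VS-01, VS-03 and VS-04; on the enforced header set it yields nothing, and on the Report-Only set it still flags VS-01, which is the point of the second stage in the action plan.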

Evidence chain

01 · Observation: tool output and manual checks are merged under the same finding.
02 · Validation: false positives are removed; exploit risk and business impact are separated.
03 · Action: remediation step, owner area and closure window are made explicit.

Evidence appendix and delivery notes

First 30 days action plan

0-48 hours

Start CSP Report-Only, review DMARC reports and prepare low-risk header hardening.

3-14 days

Enforce CSP, move DMARC into staged enforcement and test session cookie behavior.

15-30 days

Raise the HSTS max-age (the observed 30-day value is well under the one-year floor), close the remaining medium and low findings and archive closure evidence in the panel.
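The "staged enforcement" step for VS-02 is easy to get wrong by jumping straight to p=reject. The helper below is an added example, not VefaSec tooling: it parses a DMARC TXT record, names its enforcement state, and walks it up a ladder (p=none, then p=quarantine with pct=25, then full quarantine, then p=reject), refusing to leave monitoring until an rua= address exists so the reports mentioned in the 0-48 hour step can actually be reviewed. The sample record, the domain and mailbox, and the ladder itself are assumptions rather than values from the report.

```python
"""DMARC staging helper for finding VS-02.

Added example for this page, not VefaSec tooling. The record below is
constructed (domain and mailbox are placeholders), and the ladder
p=none -> p=quarantine pct=25 -> p=quarantine -> p=reject is an assumed
rollout, not a sequence the report prescribes.
"""
from __future__ import annotations

# Constructed example of the state VS-02 describes: valid record, reports
# collected, but p=none so receivers take no action on failures.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-site.com; adkim=r; aspf=r"


def parse_dmarc(txt: str) -> dict:
    """'tag=value; tag=value' -> {tag: value}, tags lowercased."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip().lower()] = val.strip()
    return tags


def classify(rec: dict) -> str:
    """Enforcement state: monitoring, partial, quarantine, reject or invalid."""
    if rec.get("v") != "DMARC1" or rec.get("p") not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = int(rec.get("pct", "100"))        # pct defaults to 100 per the spec
    if rec["p"] == "none":
        return "monitoring"
    if rec["p"] == "quarantine":
        return "partial" if pct < 100 else "quarantine"
    return "reject"


def next_stage(rec: dict) -> dict | None:
    """One step up the ladder, or None when already at reject.
    Leaving monitoring requires rua=, otherwise nobody sees what gets quarantined."""
    state = classify(rec)
    if state == "invalid":
        raise ValueError("not a usable DMARC record")
    if state == "reject":
        return None
    new = dict(rec)
    if state == "monitoring":
        if "rua" not in rec:
            raise ValueError("add rua= and review reports before enforcing")
        new["p"], new["pct"] = "quarantine", "25"
    elif state == "partial":
        new["pct"] = "100"
    else:                                   # full quarantine -> reject
        new["p"] = "reject"
        new.pop("pct", None)
    return new


def to_txt(rec: dict) -> str:
    """Serialise back to the TXT form published in DNS."""
    return "; ".join(f"{k}={v}" for k, v in rec.items())


def rollout_plan(txt: str) -> list[str]:
    """Records to publish, in order, from the current one up to p=reject."""
    rec = parse_dmarc(txt)
    plan = []
    while (rec := next_stage(rec)) is not None:
        plan.append(to_txt(rec))
    return plan
```

Each entry in rollout_plan() is a record to publish and leave in place until the aggregate reports show only expected sources failing; the 14-day window in the register covers the first step, not the whole ladder.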

Delivery and access notes

  • The report link is shown inside the Reports area of the client panel.
  • Email notification only announces that the report is ready; the sensitive link stays in the panel.
  • Access lasts for the 7- or 30-day window selected in the admin panel.
  • The customer can track findings as reviewed, action taken or closed.
