{"passed":{"dns":[{"id":"dangling_mx_record","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unregistered MX Domains","value":"[none]"}],"actual":[{"property":"Unregistered MX Domains","value":"[none]"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"email_sec","title":"No unregistered MX records detected","description":"No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The address specified as the mailbox in the MX record for this domain is unregistered, allowing an attacker to register that domain and gain control of this domain's mailbox.","riskDetails":"A mail exchange or MX record is a DNS record that indicates the address of the mail server that should receive mail for a domain. If ownership of that domain lapses, attackers may be able to gain control of the specified domain, and thereby gain control of its mailbox.","recommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. 
If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover.","knownExploitedVulnCount":0,"checkID":"dangling_mx_record","category":"dns","controlCheckID":"IM.DS.PM.PA","passTitle":"No unregistered MX records detected","passDescription":"No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.","passGroupDescription":"No applicable sites had unregistered domains in their MX records.","failTitle":"MX record with unregistered domain detected","failDescription":"This domain contains DNS MX records that point to an expired or unregistered domain. A bad actor could register the domain and receive mail on behalf of the target organization.","remediation":"Review the DNS records and remove all expired and unregistered MX records.","issue":"This domain contains DNS MX records that point to an expired or unregistered domain. A bad actor could register the domain and receive mail on behalf of the target organization.","recommendation":"Review the DNS records and remove all expired and unregistered MX records.","defaultSeverity":4,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"The address specified as the mailbox in the MX record for this domain is unregistered, allowing an attacker to register that domain and gain control of this domain's mailbox.","RiskDetails":"A mail exchange or MX record is a DNS record that indicates the address of the mail server that should receive mail for a domain. If ownership of that domain lapses, attackers may be able to gain control of the specified domain, and thereby gain control of its mailbox.","RecommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. 
Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover."},{"id":"domain_expired","pass":true,"meta":"2026-04-17T10:32:18.000Z","vendorOnly":false,"expected":[{"property":"Domain > Expired","value":"[has not expired]"}],"actual":[{"property":"Domain > Expired","value":"2026-04-17T10:32:18.000Z"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain has not expired","description":"Domain has not expired.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","riskDetails":"This domain is expired. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","recommendedRemediation":"The domain should be renewed as soon as possible with the registrar. 
Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date.","knownExploitedVulnCount":0,"checkID":"domain_expired","category":"domain","controlCheckID":"IM.DS.DO.UQ","passTitle":"Domain has not expired","passDescription":"Domain has not expired.","passGroupDescription":"No domains have expired.","failTitle":"Domain expired","failDescription":"The domain has expired, meaning anyone can purchase this domain. You should renew your domain registration immediately.","remediation":"Renew domain registration.","issue":"Some domains have expired. This means anyone with a credit card can go to a domain name registrar and buy them, resulting in loss of control.","recommendation":"If the identified domain is important, register it at a domain name registrar. For important domains, we recommend setting up auto-renewal to prevent domain expiration. This can be done at the domain’s registrar.","defaultSeverity":4,"categoryTotalCost":10,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","RiskDetails":"This domain is expired. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","RecommendedRemediation":"The domain should be renewed as soon as possible with the registrar. 
Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date."},{"id":"domain_expiry","pass":true,"meta":"2026-04-17T10:32:18.000Z","vendorOnly":false,"expected":[{"property":"Domain > Expires On","value":"[does not expire in next 30 days]"}],"actual":[{"property":"Domain > Expires On","value":"2026-04-17T10:32:18.000Z"}],"severity":3,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain does not expire soon","description":"Domain does not expire within 30 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","riskDetails":"This domain is going to expire soon. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","recommendedRemediation":"The domain should be renewed as soon as possible with the registrar. 
Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date.","knownExploitedVulnCount":0,"checkID":"domain_expiry","category":"domain","controlCheckID":"IM.DS.DO.PA","passTitle":"Domain does not expire soon","passDescription":"Domain does not expire within 30 days.","passGroupDescription":"No domains detected to expire within 30 days.","failTitle":"Domain expires soon","failDescription":"The domain expires soon, and anyone may be able to purchase  it when it expires. You should renew your domain registration ASAP.","remediation":"Renew domain registration.","issue":"We've identified domains which are set to expire soon. When a domain expires, it may become available for purchase for anyone with a credit card on popular domain name registrars.","recommendation":"Renew the identified domains registration as soon as possible. For important domains, we recommend setting up auto-renewal to prevent domain expiration. This can be done at the domain’s registrar.","defaultSeverity":3,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","RiskDetails":"This domain is going to expire soon. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. 
In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","RecommendedRemediation":"The domain should be renewed as soon as possible with the registrar. Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date."},{"id":"domain_not_resolvable","pass":true,"meta":"inactive: not set","vendorOnly":false,"expected":[{"property":"Domain > Not Resolvable","value":"inactive: not set"}],"actual":[{"property":"Domain > Not Resolvable","value":"inactive: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain not flagged as inactive","description":"Domain is not flagged as inactive.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of Inactive indicates that a domain does not have name servers associated with it.","riskDetails":"Domains that are marked as inactive do not resolve on the internet. Services relying on them will be unavailable until the status is removed.","recommendedRemediation":"Name servers should be associated with the inactive domain(s). 
The specific process for doing this depends on your DNS service, but nameserver (NS) records must be created in the domain that point to the IP addresses of your name servers.","knownExploitedVulnCount":0,"checkID":"domain_not_resolvable","category":"domain","controlCheckID":"IM.DS.DO.VG","passTitle":"Domain not flagged as inactive","passDescription":"Domain is not flagged as inactive.","passGroupDescription":"No domains are flagged as inactive.","failTitle":"Domain flagged as inactive","failDescription":"Domain is flagged as inactive, meaning it does not resolve to an address via name servers.","remediation":"Ensure domain is not flagged as inactive.","issue":"Some domains have been flagged as inactive because they do not have name servers associated with them. This means the domain name will not resolve on the Internet and potential visitors will not be able to connect.","recommendation":"Associate name servers with the domain to ensure they resolve on the Internet. This will also remove the inactive status of the domain.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of Inactive indicates that a domain does not have name servers associated with it.","RiskDetails":"Domains that are marked as inactive do not resolve on the internet. Services relying on them will be unavailable until the status is removed.","RecommendedRemediation":"Name servers should be associated with the inactive domain(s). 
The specific process for doing this depends on your DNS service, but nameserver (NS) records must be created in the domain that point to the IP addresses of your name servers."},{"id":"domain_pending_deletion","pass":true,"meta":"pendingDelete: not set","vendorOnly":false,"expected":[{"property":"Domain > Pending Deletion","value":"pendingDelete: not set"}],"actual":[{"property":"Domain > Pending Deletion","value":"pendingDelete: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain not pending deletion","description":"Domain is not pending deletion with the registrar.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingDelete (if not combined with redemptionPeriod or pendingRestore) means that the redemption period for the domain has expired and the domain will become available for public purchase within 5 business days.","riskDetails":"Domains that are marked as pendingDelete will be removed from the registry and put back on the market within a few days. If this happens, the domain can be quickly purchased by a malicious actor and used to route traffic to fraudulent sources.","recommendedRemediation":"To keep this domain name, the registrar must be contacted as soon as possible to see what options are available. 
If the domain goes back on the market it should be registered again quickly.","knownExploitedVulnCount":0,"checkID":"domain_pending_deletion","category":"domain","controlCheckID":"IM.DS.DO.DQ","passTitle":"Domain not pending deletion","passDescription":"Domain is not pending deletion with the registrar.","passGroupDescription":"No domains are pending deletion with the registrar.","failTitle":"Domain pending deletion","failDescription":"Domain pending deletion with the registrar.","remediation":"Ensure domain is not pending deletion.","issue":"The impacted domains are pending deletion at their domain name registrar. This means the domain can no longer be stored, renewed, or recovered and will become available for registration in five calendar days.","recommendation":"When domains are deleted, they become registrable to anyone on the Internet. We recommend registering them as soon as possible after deletion.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingDelete (if not combined with redemptionPeriod or pendingRestore) means that the redemption period for the domain has expired and the domain will become available for public purchase within 5 business days.","RiskDetails":"Domains that are marked as pendingDelete will be removed from the registry and put back on the market within a few days. If this happens, the domain can be quickly purchased by a malicious actor and used to route traffic to fraudulent sources.","RecommendedRemediation":"To keep this domain name, the registrar must be contacted as soon as possible to see what options are available. 
If the domain goes back on the market it should be registered again quickly."},{"id":"domain_pending_restoration","pass":true,"meta":"pendingRestore: not set","vendorOnly":false,"expected":[{"property":"Domain > Pending Restoration","value":"pendingRestore: not set"}],"actual":[{"property":"Domain > Pending Restoration","value":"pendingRestore: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain not pending restoration","description":"Domain is not pending restoration with the registrar.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingRestore means that the domain owner requested the domain be restored during the 30 day redemption period. Usually this status indicates that the registry is waiting for documentation from the registrar to approve the restoration. This status should only last for a few days and then be removed once the registry approves the provided documentation.","riskDetails":"Domains that are marked as pendingRestore may have an issue if this status exists for more than a few days during an intentional domain restoration. 
If the documentation necessary to restore the domain is not properly submitted within this timeframe, the domain may revert back to the redemptionPeriod status, meaning that when the redemption period expires the domain will be back on the public market.","recommendedRemediation":"If the pendingRestore status lasts more than a few days, the registrar should be contacted to find out what needs to be done to complete the restoration approval.","knownExploitedVulnCount":0,"checkID":"domain_pending_restoration","category":"domain","controlCheckID":"IM.DS.DO.KA","passTitle":"Domain not pending restoration","passDescription":"Domain is not pending restoration with the registrar.","passGroupDescription":"No domains are pending restoration with the registrar.","failTitle":"Domain pending restoration","failDescription":"Domain is pending restoration while the domain owner provides requested documentation.","remediation":"Ensure domain is not pending restoration.","issue":"These domains are pending restoration while the domain owner provides requested documentation. They are not yet active across the internet (for newly registered domains) or changes to the name server settings haven't taken effect.","recommendation":"The status of these domains will likely propagate across the Internet in the next 72 hours. If it takes longer than this, the domain owner will need to check with their domain name registrar and make sure DNS information is correct.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingRestore means that the domain owner requested the domain be restored during the 30 day redemption period. 
Usually this status indicates that the registry is waiting for documentation from the registrar to approve the restoration. This status should only last for a few days and then be removed once the registry approves the provided documentation.","RiskDetails":"Domains that are marked as pendingRestore may have an issue if this status exists for more than a few days during an intentional domain restoration. If the documentation necessary to restore the domain is not properly submitted within this timeframe, the domain may revert back to the redemptionPeriod status, meaning that when the redemption period expires the domain will be back on the public market.","RecommendedRemediation":"If the pendingRestore status lasts more than a few days, the registrar should be contacted to find out what needs to be done to complete the restoration approval."},{"id":"domain_registrar_transfer_protection","pass":true,"meta":"clientTransferProhibited:enabled","vendorOnly":false,"expected":[{"property":"Domain > Registrar Transfer Protection","value":"clientTransferProhibited or serverTransferProhibited: set"}],"actual":[{"property":"Domain > Registrar Transfer Protection","value":"clientTransferProhibited:enabled"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain registrar or registry transfer protection enabled","description":"Domain is protected from unsolicited transfer requests.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain transfer protection is a DNS setting that prevents the transfer of a domain until the lock has been removed. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","riskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and transfering ownership of the domain. 
","recommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverTransferProhibited\" or \"clientTransferProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration.","knownExploitedVulnCount":0,"checkID":"domain_registrar_transfer_protection","category":"domain","controlCheckID":"IM.DS.DO.ZW","passTitle":"Domain registrar or registry transfer protection enabled","passDescription":"Domain is protected from unsolicited transfer requests.","passGroupDescription":"No domains detected as being susceptible to unsolicited transfer requests.","failTitle":"Domain registrar or registry transfer protection enabled","failDescription":"Domain is not protected from unsolicited transfer requests with the registrar or registry. The domain should have clientTransferProhibited or serverTransferProhibited set.","remediation":"Set clientTransferProhibited or serverTransferProhibited with the registrar/registry.","issue":"Impacted domains are not protected from unsolicited transfer requests. This means an attacker may be able to convince the registrar/registry them to transfer the domain to another registrar, gaining control of the domain.","recommendation":"Set ClientTransferProhibited or ServerTransferProhibited to true. This prevents the domain from being transferred. Note: this may be something that the support team at the domain name registrar has to do.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain transfer protection is a DNS setting that prevents the transfer of a domain until the lock has been removed. 
It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","RiskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and transfering ownership of the domain. ","RecommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverTransferProhibited\" or \"clientTransferProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration."},{"id":"domain_registrar_dns_resolution_hold","pass":true,"meta":"clientHold: not set","vendorOnly":false,"expected":[{"property":"Domain > Registrar DNS Resolution Hold","value":"clientHold: not set"}],"actual":[{"property":"Domain > Registrar DNS Resolution Hold","value":"clientHold: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain free of registrar DNS resolution hold","description":"Domain is not under a DNS resolution hold with the registrar.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of clientHold indicates that the registrar has put a hold on the domain, preventing it from becoming active. This is an uncommon status that is usually only encountered during legal disputes, non-payment, or when the domain is subject to deletion.","riskDetails":"Domains in the clientHold status are not active and will not resolve on the internet. Services relying on these domains will be inaccessible during this time. 
Furthermore, if not part of a planned domain deletion, this status indicates that there are likely business problems with the registrar that should be addressed.","recommendedRemediation":"To activate this domain, the registrar must be contacted to determine what the problem is and what actions must be taken to remove the hold.","knownExploitedVulnCount":0,"checkID":"domain_registrar_dns_resolution_hold","category":"domain","controlCheckID":"IM.DS.DO.NQ","passTitle":"Domain free of registrar DNS resolution hold","passDescription":"Domain is not under a DNS resolution hold with the registrar.","passGroupDescription":"No domains are under a DNS resolution hold with the registrar.","failTitle":"Domain under Registrar DNS resolution hold","failDescription":"Domain is under a DNS resolution hold with the registrar pending issues that must be resolved.","remediation":"Ensure domain is not under a DNS resolution hold with the registrar.","issue":"Impacted domains have an issue related to a legal dispute, non-payment, or are subject to deletion. While unresolved, these domains will not be active in the DNS.","recommendation":"The domain name owner will need to talk to their domain name registrar for more information and remediation advice.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of clientHold indicates that the registrar has put a hold on the domain, preventing it from becoming active. This is an uncommon status that is usually only encountered during legal disputes, non-payment, or when the domain is subject to deletion.","RiskDetails":"Domains in the clientHold status are not active and will not resolve on the internet. 
Services relying on these domains will be inaccessible during this time. Furthermore, if not part of a planned domain deletion, this status indicates that there are likely business problems with the registrar that should be addressed.","RecommendedRemediation":"To activate this domain, the registrar must be contacted to determine what the problem is and what actions must be taken to remove the hold."},{"id":"domain_registry_dns_resolution_hold","pass":true,"meta":"serverHold: not set","vendorOnly":false,"expected":[{"property":"Domain > Registry DNS Resolution Hold","value":"serverHold: not set"}],"actual":[{"property":"Domain > Registry DNS Resolution Hold","value":"serverHold: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain free of registry DNS resolution hold","description":"Domain is not under a DNS resolution hold with the registry itself.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverHold means that the registry is preventing the domain from becoming active. This status is used when there is a problem with the domain information that must be resolved before approval.","riskDetails":"Domains in the serverHold status are not active and will not resolve on the internet. Services relying on these domains will be inaccessible during this time.","recommendedRemediation":"One possible issue that can cause this status is if the incorrect name server information has been provided to the registrar. 
However, the registrar must be contacted to determine what the problem is and what information is necessary to remove the code from the domain and activate it.","knownExploitedVulnCount":0,"checkID":"domain_registry_dns_resolution_hold","category":"domain","controlCheckID":"IM.DS.DO.TG","passTitle":"Domain free of registry DNS resolution hold","passDescription":"Domain is not under a DNS resolution hold with the registry itself.","passGroupDescription":"No domains are under a DNS resolution hold with the registry itself.","failTitle":"Domain under Registry DNS resolution hold","failDescription":"Domain is under a DNS resolution hold with the registry pending issues that must be resolved.","remediation":"Ensure domain is not under a DNS resolution hold with the registry.","issue":"Impacted domains have issues that needs to be resolved. While unresolved, these domains will not be active in the DNS.","recommendation":"The domain name owner will need to talk to their registry for more information and remediation advice.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverHold means that the registry is preventing the domain from becoming active. This status is used when there is a problem with the domain information that must be resolved before approval.","RiskDetails":"Domains in the serverHold status are not active and will not resolve on the internet. Services relying on these domains will be inaccessible during this time.","RecommendedRemediation":"One possible issue that can cause this status is if the incorrect name server information has been provided to the registrar. 
However, the registrar must be contacted to determine what the problem is and what information is necessary to remove the code from the domain and activate it."},{"id":"domain_prohibited_from_renewal_at_registry","pass":true,"meta":"serverRenewProhibited: not set","vendorOnly":false,"expected":[{"property":"Domain > Prohibited from Renewal at Registry","value":"serverRenewProhibited: not set"}],"actual":[{"property":"Domain > Prohibited from Renewal at Registry","value":"serverRenewProhibited: not set"}],"severity":1,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain renewal not prohibited by registry","description":"Domain is not prohibited from renewal at the registry itself.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverRenewProhibited indicates that the registry operator will not allow your domain’s registrar to renew the domain. This is an uncommon status that is usually only utilized during legal disputes or when the domain is subject to deletion.","riskDetails":"Domains in the serverRenewProhibited status will not be eligible for renewal by the current domain owner. This means that at the end of the active period, the domain will enter the deletion process and be put back on the market.","recommendedRemediation":"This status often indicates a problem with the domain that needs to be addressed with the registrar. To renew this domain, the registrar must request that the registry remove this code from the domain. 
This process may take some time to complete.","knownExploitedVulnCount":0,"checkID":"domain_prohibited_from_renewal_at_registry","category":"domain","controlCheckID":"IM.DS.DO.RA","passTitle":"Domain renewal not prohibited by registry","passDescription":"Domain is not prohibited from renewal at the registry itself.","passGroupDescription":"No domains are prohibited from renewal at the registry itself.","failTitle":"Domain renewal prohibited by registry","failDescription":"Domain is prohibited from renewal at the registry itself. Often, this status indicates an issue with your domain that needs to be addressed promptly. You should contact your registrar to request more information and resolve the issue.","remediation":"Ensure serverRenewProhibited is not set with the registry.","issue":"Impacted domains can't be renewed due to a problem with the registry itself. This often indicates an issue with a domain that needs to be addressed as soon as possible.","recommendation":"The domain name owner will need to contact their domain name registrar and request more information and resolve the issue(s) relating to the identified domains.","defaultSeverity":1,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverRenewProhibited indicates that the registry operator will not allow your domain’s registrar to renew the domain. This is an uncommon status that is usually only utilized during legal disputes or when the domain is subject to deletion.","RiskDetails":"Domains in the serverRenewProhibited status will not be eligible for renewal by the current domain owner. 
This means that at the end of the active period, the domain will enter the deletion process and be put back on the market.","RecommendedRemediation":"This status often indicates a problem with the domain that needs to be addressed with the registrar. To renew this domain, the registrar must request that the registry remove this code from the domain. This process may take some time to complete."}],"email_sec_v2":[{"id":"spf_enabled","pass":true,"meta":"v=spf1 ip6:fd0d:d741:e183::/48 -all","vendorOnly":false,"expected":[{"property":"DNS > SPF","value":"v=spf1..."}],"actual":[{"property":"DNS > SPF","value":"v=spf1 ip6:fd0d:d741:e183::/48 -all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF enabled","description":"Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"When enabled, SPF (Sender Policy Framework) prevents fraudulent emails from being sent by unauthorized domains or IP addresses, which helps to stop spoofing and phishing attacks.","riskDetails":"Emails from unauthorized domains or IP addresses can be sent to employees or customers. These emails could contain malicious links, attachments, or fake domains that can trick employees into providing sensitive information or downloading malware.","recommendedRemediation":"To remediate this risk, add SPF authentication on all email-enabled domains. 
This can be done by creating a DNS TXT record that specifies which IP addresses are authorized to send emails from that domain.","knownExploitedVulnCount":0,"checkID":"spf_enabled","category":"email","controlCheckID":"IM.ES.EA.PA","passTitle":"SPF enabled","passDescription":"Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) enabled. This prevents spammers from sending messages with forged addresses.","failTitle":"SPF not enabled","failDescription":"Sender Policy Framework (SPF) record is not present. This may allow spammers to send messages with forged addresses using this domain. The DNS record for the domain should be modified to include an SPF record.","remediation":"Add SPF record.","issue":"Impacted domains do not have a Sender Policy Framework (SPF) record. This allows spammers to send messages with forged addresses using the domain, which greatly improves phishing and other social engineering-based attacks.","recommendation":"To implement SPF, the domain owner will need to add a DNS TXT record that lists the IP addresses authorized to send emails on behalf of their domain. Each domain can have a maximum of one SPF record, defined as a TXT or SPF record type.","defaultSeverity":4,"categoryTotalCost":9,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"When enabled, SPF (Sender Policy Framework) prevents fraudulent emails from being sent by unauthorized domains or IP addresses, which helps to stop spoofing and phishing attacks.","RiskDetails":"Emails from unauthorized domains or IP addresses can be sent to employees or customers. 
These emails could contain malicious links, attachments, or fake domains that can trick employees into providing sensitive information or downloading malware.","RecommendedRemediation":"To remediate this risk, add SPF authentication on all email-enabled domains. This can be done by creating a DNS TXT record that specifies which IP addresses are authorized to send emails from that domain."},{"id":"spf_filter_check","pass":true,"meta":"contains -all","vendorOnly":false,"expected":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"actual":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"Strict SPF filtering - not using +all","description":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. The +all mechanism is an instruction in an SPF record that tells mail recipients that any server can send mail on behalf of the sending domain, which opens this domain up to impersonation via email.","riskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. While the +all mechanism is a valid directive, it is overly permissive and does not prevent attackers from impersonating a domain. The + mechanism indicates that mail sent from this source should \"pass\" the SPF check done by the recipient. 
The \"all\" mechanism applies the \"pass\" rule to all domains and IPs, meaning that anyone, including attackers, can send email on behalf of this domain.","recommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain. Any other sender should receive a \"fail\" response from the SPF check and thus block content from unauthorized domains. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"+all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems. If the domain is used to send mail and no IP addresses or domains specified yet, those should be added before the \"-all\" mechanism.","knownExploitedVulnCount":0,"checkID":"spf_filter_check","category":"email","controlCheckID":"IM.ES.EA.ZW","passTitle":"Strict SPF filtering - not using +all","passDescription":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","passGroupDescription":"All applicable sites have a strict Sender Policy Framework (SPF) record.","failTitle":"SPF policy uses +all","failDescription":"Sender Policy Framework (SPF) record is too permissive as to which domains are allowed to send email on the domain's behalf. This record should not contain a +all mechanism, as this allows all hosts to send email posing as this domain.","remediation":"Use '-all' in SPF record.","issue":"We've identified domains with Sender Policy Framework (SPF) records that are too permissive (+all). This could result in fraudulent email being sent on the domain's behalf.","recommendation":"Change the SPF records associated with these domains and remove the +all mechanism. 
We recommend using '-all' in your SPF records.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. The +all mechanism is an instruction in an SPF record that tells mail recipients that any server can send mail on behalf of the sending domain, which opens this domain up to impersonation via email.","RiskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. While the +all mechanism is a valid directive, it is overly permissive and does not prevent attackers from impersonating a domain. The + mechanism indicates that mail sent from this source should \"pass\" the SPF check done by the recipient. The \"all\" mechanism applies the \"pass\" rule to all domains and IPs, meaning that anyone, including attackers, can send email on behalf of this domain.","RecommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain. Any other sender should receive a \"fail\" response from the SPF check and thus block content from unauthorized domains. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"+all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems. 
If the domain is used to send mail and no IP addresses or domains specified yet, those should be added before the \"-all\" mechanism."},{"id":"spf_syntax_check","pass":true,"meta":"passes simple syntax check","vendorOnly":false,"expected":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"actual":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"severity":3,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF syntax correct","description":"Sender Policy Framework (SPF) record passes basic syntax checks.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","riskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","recommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. 
Update the record if changes are made to your email infrastructure.","knownExploitedVulnCount":0,"checkID":"spf_syntax_check","category":"email","controlCheckID":"IM.ES.EA.UQ","passTitle":"SPF syntax correct","passDescription":"Sender Policy Framework (SPF) record passes basic syntax checks.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) records that pass a basic syntax check.","failTitle":"SPF syntax error","failDescription":"Sender Policy Framework (SPF) record fails a basic syntax check. Records with syntax errors result in the protection mechanisms associated with SPF not being enforced. To be properly protected the SPF record syntax errors should be corrected.","remediation":"Fix SPF record syntax.","issue":"Impacted domains have a Sender Policy Framework (SPF) record that has failed a basic syntax check.  Records with syntax errors result in the protection mechanisms associated with SPF not being enforced.","recommendation":"To be properly protected the SPF record syntax errors should be corrected. SPF records always start with the v= element. This indicates the SPF version that is used. One or more terms will follow the version indicator. These define the rules for which hosts are allowed to send mail from the domain, or provide additional information for processing the SPF record.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. 
An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","RiskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","RecommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. Update the record if changes are made to your email infrastructure."},{"id":"spf_ptr_mechanism","pass":true,"meta":"SPF record does not contain a ptr mechanism","vendorOnly":false,"expected":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"actual":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"severity":2,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF ptr mechanism not used","description":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. 
The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","riskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","recommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain.","knownExploitedVulnCount":0,"checkID":"spf_ptr_mechanism","category":"email","controlCheckID":"IM.ES.EA.VG","passTitle":"SPF ptr mechanism not used","passDescription":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","passGroupDescription":"All applicable sites that have an SPF record do not include the ptr mechanism.","failTitle":"SPF ptr mechanism used","failDescription":"Sender Policy Framework (SPF) record contains the ptr mechanism. This mechanism is intended to be used temporarily to check that a domain resolves to itself via a known IP address. 
This should not be used permanently as it puts unnecessary burden on DNS servers and some mail checkers may drop the SPF record if this mechanism is found.","remediation":"Remove ptr mechanism from SPF record.","issue":"The impacted domains have Sender Policy Framework (SPF) records that contain the 'ptr' mechanism. This mechanism is intended to be used temporarily to check that a domain resolves itself via a known IP address. This should not be used permanently as it puts unnecessary burden on DNS servers and some mail servers may drop the SPF record.","recommendation":"The domain owner should remove the ‘ptr’ from all SPF records to ensure that mail servers do not drop the SPF records associated with the domain.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","RiskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","RecommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. 
This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain."}],"ip_domain_reputation":[{"id":"botnet_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 30 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_active","category":"malware","controlCheckID":"IM.IP.MA.KA","passTitle":"No reports of botnet activity in the last 30 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 30 days.","failTitle":"Suspected of botnet activity","failDescription":"This IP/domain has been reported as a source of botnet activity in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 30 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_active","category":"malware","controlCheckID":"IM.IP.MA.VG","passTitle":"No reports of brute force login attempts in the last 30 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","failTitle":"Suspected of brute force login attempt","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 30 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 30 days","description":"This IP/domain has been reported for distributing malware in the last 30 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_active","category":"malware","controlCheckID":"IM.IP.MA.KW","passTitle":"No reports of malware distribution in the last 30 days","passDescription":"This IP/domain has been reported for distributing malware in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 30 days.","failTitle":"Suspected of distributing malware","failDescription":"This IP/domain has been reported for distributing malware in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 30 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_active","category":"malware","controlCheckID":"IM.IP.MA.XG","passTitle":"No reports of unsolicited scanning in the last 30 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 30 days.","failTitle":"Suspected of unsolicited scanning","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 30 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 30 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"phishing_site_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 30 days","description":"This IP/domain has not been reported as a phishing site in the last 30 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_active","category":"malware","controlCheckID":"IM.IP.MA.EA","passTitle":"No reports of phishing activity in the last 30 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 30 days.","failTitle":"Suspected phishing site","failDescription":"This IP/domain has been reported as a phishing site in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 30 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"botnet_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 90 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_inactive","category":"malware","controlCheckID":"IM.IP.MA.TG","passTitle":"No reports of botnet activity in the last 90 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 90 days.","failTitle":"Suspected of botnet activity in last 90 days","failDescription":"This IP/domain appeared on a list of IPs and domains known as sources of botnet activity in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. 
That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 90 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_inactive","category":"malware","controlCheckID":"IM.IP.MA.DQ","passTitle":"No reports of brute force login attempts in the last 90 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","failTitle":"Suspected of brute force login attempt in the last 90 days","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 90 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 90 days","description":"This IP/domain has been reported for distributing malware in the last 90 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_inactive","category":"malware","controlCheckID":"IM.IP.MA.QG","passTitle":"No reports of malware distribution in the last 90 days","passDescription":"This IP/domain has been reported for distributing malware in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 90 days.","failTitle":"Suspected of distributing malware in last 90 days","failDescription":"This IP/domain has been reported for distributing malware in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 90 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_inactive","category":"malware","controlCheckID":"IM.IP.MA.AA","passTitle":"No reports of unsolicited scanning in the last 90 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 90 days.","failTitle":"Suspected of unsolicited scanning in last 90 days","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 90 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 90 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"phishing_site_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 90 days","description":"This IP/domain has not been reported as a phishing site in the last 90 days.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_inactive","category":"malware","controlCheckID":"IM.IP.MA.LG","passTitle":"No reports of phishing activity in the last 90 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 90 days.","failTitle":"Suspected phishing site in last 90 days","failDescription":"This IP/domain has been reported as a phishing site in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 90 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. 
Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. If the host is behaving as expected, contact the blocklist owner to have the host removed."}],"network_sec_v2":[{"id":"open_port","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"actual":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"severity":3,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"No ports are open","description":"No open ports were detected.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0}]},"failed":{"email_sec_v2":[{"id":"dmarc_enabled","pass":false,"meta":"invalid record: DMARC record must begin with v=DMARC1: v=spf1 ip6:fd0d:d741:e183::/48 -all","vendorOnly":false,"expected":[{"property":"DNS > DMARC","value":"v=DMARC1; p=reject; ..."}],"actual":[{"property":"DNS > DMARC","value":"invalid record: DMARC record must begin with v=DMARC1: v=spf1 ip6:fd0d:d741:e183::/48 -all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"DMARC policy not found","description":"DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":"2023-03-04T08:58:53.432169Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. 
It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","riskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","recommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. 
The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy.","knownExploitedVulnCount":0,"checkID":"dmarc_enabled","category":"email","controlCheckID":"IM.ES.EA.DQ","passTitle":"DMARC policy exists","passDescription":"DMARC protects against fraudulent emails being sent from a domain.","passGroupDescription":"All applicable sites have a DMARC policy deployed.","failTitle":"DMARC policy not found","failDescription":"DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","remediation":"Add DMARC record.","issue":"We didn't find a DMARC policy associated with some domains. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise (BEC) attacks, phishing emails, email scams and other email threats.","recommendation":"The domain owner needs to add a DMARC policy to these domains. This will provide a mechanism to authenticate the domain in the From header based on their SPF and DKIM records.","defaultSeverity":4,"categoryTotalCost":7,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. 
If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","RiskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","RecommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy."}],"dns":[{"id":"dnssec_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNSSEC enabled","value":"true"}],"actual":[{"property":"DNSSEC enabled","value":"false"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"network_sec","title":"DNSSEC not enabled","description":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. 
DNSSEC should be configured for this domain.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":"2023-03-04T08:58:53.432169Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","riskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","recommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play.","knownExploitedVulnCount":0,"checkID":"dnssec_enabled","category":"dns","controlCheckID":"IM.DS.DA.PA","passTitle":"DNSSEC enabled","passDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity.","passGroupDescription":"All applicable sites have DNSSEC enabled.","failTitle":"DNSSEC not enabled","failDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. 
DNSSEC should be configured for this domain.","remediation":"Configure DNSSEC for domain.","issue":"We've detected that DNSSEC is missing from some domains. DNSSEC provides DNS resolvers origin authentication of DNS data, authenticated denial of existence and data integrity but not availability or confidentiality.","recommendation":"The domain owner should turn on DNSSEC for all domains. This can generally be done at their domain name registrar.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.2"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","RiskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","RecommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. 
The specifics of each step vary depending on the platforms and vendors in play."},{"id":"domain_registrar_deletion_protection","pass":false,"meta":"clientDeleteProhibited:not enabled, serverDeleteProhibited:not enabled","vendorOnly":false,"expected":[{"property":"Domain > Registrar Deletion Protection","value":"clientDeleteProhibited or serverDeleteProhibited: set"}],"actual":[{"property":"Domain > Registrar Deletion Protection","value":"clientDeleteProhibited:not enabled, serverDeleteProhibited:not enabled"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain registrar or registry deletion protection not enabled","description":"Domain is not protected from unsolicited deletion requests with the registrar or registry. The domain should have clientDeleteProhibited or serverDeleteProhibited set.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":"2023-03-04T08:58:53.432169Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain deletion protection is a DNS setting that prevents ownership of the domain from being deleted until the owner has disabled this setting. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","riskDetails":"Attackers may attempt to hijack domains or disrupt their availability by impersonating the domain's owner and deleting domain data. ","recommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverDeleteProhibited\" or \"clientDeleteProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. 
You should have an option to enable this setting and save the configuration.","knownExploitedVulnCount":0,"checkID":"domain_registrar_deletion_protection","category":"domain","controlCheckID":"IM.DS.DO.XG","passTitle":"Domain registrar or registry deletion protection enabled","passDescription":"Domain is protected from unsolicited deletion requests with the registrar or registry.","passGroupDescription":"No domains detected as being susceptible to unsolicited deletion requests.","failTitle":"Domain registrar or registry deletion protection not enabled","failDescription":"Domain is not protected from unsolicited deletion requests with the registrar or registry. The domain should have clientDeleteProhibited or serverDeleteProhibited set.","remediation":"Set clientDeleteProhibited or serverDeleteProhibited with the registrar/registry.","issue":"Impacted domains are not protected from unsolicited deletion requests. This means the domain could be deleted by a third-party via social engineering.","recommendation":"Contact the domain name registrar and enact status restriction clientDeleteProhibited which prevents the unauthorized deletion of the domain.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain deletion protection is a DNS setting that prevents ownership of the domain from being deleted until the owner has disabled this setting. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","RiskDetails":"Attackers may attempt to hijack domains or disrupt their availability by impersonating the domain's owner and deleting domain data. ","RecommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. 
It should have a Domain Status of \"serverDeleteProhibited\" or \"clientDeleteProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration."},{"id":"domain_registrar_update_protection","pass":false,"meta":"clientUpdateProhibited:not enabled, serverUpdateProhibited:not enabled","vendorOnly":false,"expected":[{"property":"Domain > Registrar Update Protection","value":"clientUpdateProhibited: set or serverUpdateProhibited: set"}],"actual":[{"property":"Domain > Registrar Update Protection","value":"clientUpdateProhibited:not enabled, serverUpdateProhibited:not enabled"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain registrar or registry update protection not enabled","description":"Domain is not protected from unsolicited update requests with the registrar or registry. The domain should have clientUpdateProhibited or serverUpdateProhibited set.","checkedAt":"2026-03-05T03:34:21.368592Z","dateDetected":"2023-03-04T08:58:53.432169Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain update protection is a DNS setting that prevents updates to the ownership of the domain until the owner has disabled this setting. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership through social engineering. ","riskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and modifying domain ownership data. ","recommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverUpdateProhibited\" or \"clientUpdateProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. 
You should have an option to enable this setting and save the configuration.","knownExploitedVulnCount":0,"checkID":"domain_registrar_update_protection","category":"domain","controlCheckID":"IM.DS.DO.AA","passTitle":"Domain registrar or registry update protection enabled","passDescription":"Domain is protected from unsolicited update requests with the registrar or registry.","passGroupDescription":"No domains detected as being susceptible to unsolicited update requests.","failTitle":"Domain registrar or registry update protection not enabled","failDescription":"Domain is not protected from unsolicited update requests with the registrar or registry. The domain should have clientUpdateProhibited or serverUpdateProhibited set.","remediation":"Set clientUpdateProhibited or serverUpdateProhibited with the registrar/registry.","issue":"Some domains aren’t protected from unsolicited update requests. This means the domain’s DNS records could be changed by a third-party via social engineering.","recommendation":"Ask the domain name registrar to enact status restriction clientUpdateProhibited which prevents unauthorized updates to the domain.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain update protection is a DNS setting that prevents updates to the ownership of the domain until the owner has disabled this setting. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership through social engineering. ","RiskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and modifying domain ownership data. ","RecommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. 
It should have a Domain Status of \"serverUpdateProhibited\" or \"clientUpdateProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration."}]},"cstarScore":846,"publicScore":500,"vendorName":"cndm.com","name":"cndm.com","display_name":"cndm.com","vendorId":6187231862784000,"business":{},"address":{},"ceo":{},"primaryHostname":"cndm.com"}