{"passed":{"encryption":[{"id":"ssl_cert_revoked","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"SSL > Revoked","value":"false"}],"actual":[{"property":"SSL > Revoked","value":"false"}],"severity":5,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Certificate not found on our revoked certificate list","description":"The site's certificate chain was checked against our list of revoked certificates.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. Certificates may be revoked before their expiration date for several reasons, including a compromised private key or decommissioned domain.","riskDetails":"A revoked certificate is invalid and does not provide proper SSL/TLS protection. Revoked certificates are also untrusted in most browsers, rendering the site inaccessible. One of the main reasons a certificate would be revoked is that the private encryption key has been compromised. This means a malicious actor would be able to impersonate the recipient with the private key and decrypt the data.","recommendedRemediation":"Revoked certificates should be immediately replaced by new, valid certificates from a trusted authority. This will ensure the continuity of encrypted communications between affected servers and their clients. 
Certificates should be regularly audited to ensure no revoked certificates are in use.","knownExploitedVulnCount":0,"checkID":"ssl_cert_revoked","category":"ssl","controlCheckID":"IM.EN.TC.UQ","passTitle":"Certificate not found on our revoked certificate list","passDescription":"The site's certificate chain was checked against our list of revoked certificates.","passGroupDescription":"No sites were found to be using revoked certificates.","failTitle":"Revoked certificate in use","failDescription":"The TLS certificate chain presented by the web server contains a revoked certificate.","remediation":"Install a new certificate.","issue":"SSL certificates have been revoked prior to their scheduled expiration date. This means the certificate is no longer trusted and visitors may not be able to connect to the website.","recommendation":"Install a new SSL certificate on all impacted domains to prevent errors being shown to the end-user. This ensures communications remain secure between the server and visitors.","defaultSeverity":5,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. Certificates may be revoked before their expiration date for several reasons, including a compromised private key or decommissioned domain.","RiskDetails":"A revoked certificate is invalid and does not provide proper SSL/TLS protection. 
Revoked certificates are also untrusted in most browsers, rendering the site inaccessible. One of the main reasons a certificate would be revoked is that the private encryption key has been compromised. This means a malicious actor would be able to impersonate the recipient with the private key and decrypt the data.","RecommendedRemediation":"Revoked certificates should be immediately replaced by new, valid certificates from a trusted authority. This will ensure the continuity of encrypted communications between affected servers and their clients. Certificates should be regularly audited to ensure no revoked certificates are in use."},{"id":"ssl_enabled","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"SSL","value":"true"}],"actual":[{"property":"SSL","value":"true"}],"severity":5,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL available","description":"SSL is supported for this site.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:80","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary.","riskDetails":"Without SSL, all communications between systems are sent in plain text. This plain text can then be intercepted by a third party in what is called a man-in-the-middle (MITM) attack. 
These attacks target and harvest credentials and other sensitive information, which can in turn be used for further malicious activity. Improperly configured SSL/TLS and certificates that are out of date or encrypted with weak algorithms do not provide the necessary protection to prevent MITM attacks, and will make the site unreachable in most browsers.","recommendedRemediation":"Valid SSL/TLS certificates with strong encryption algorithms should be obtained from a trusted authority and properly installed and configured on all internet facing systems. Every system must have its name on the certificate to prevent mismatch errors in the browser. HTTPS should be made mandatory, with the necessary redirects and enforcement in place to ensure no plain text connections are possible. Processes should be established to ensure certificates are renewed before they expire.","knownExploitedVulnCount":0,"checkID":"ssl_enabled","category":"ssl","controlCheckID":"IM.EN.DT.PA","passTitle":"SSL available","passDescription":"SSL is supported for this site.","passGroupDescription":"SSL is supported on all sites.","failTitle":"SSL not available","failDescription":"SSL is the standard encryption method for browsing websites. Enabling SSL requires installing an SSL certificate on the site.","remediation":"Install SSL certificates.","issue":"We've detected websites that lack a valid SSL certificate. Without SSL, website visitors and customers are at higher risk of having their data stolen through man-in-the-middle and other cyber attacks.","recommendation":"Install valid SSL certificates on affected domains. 
Websites without valid SSL certificates are shown as 'non-secure' in modern browsers and will rank worse in Google and other search engines.","defaultSeverity":5,"categoryTotalCost":29,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary.","RiskDetails":"Without SSL, all communications between systems are sent in plain text. This plain text can then be intercepted by a third party in what is called a man-in-the-middle (MITM) attack. These attacks target and harvest credentials and other sensitive information, which can in turn be used for further malicious activity. Improperly configured SSL/TLS and certificates that are out of date or encrypted with weak algorithms do not provide the necessary protection to prevent MITM attacks, and will make the site unreachable in most browsers.","RecommendedRemediation":"Valid SSL/TLS certificates with strong encryption algorithms should be obtained from a trusted authority and properly installed and configured on all internet facing systems. Every system must have its name on the certificate to prevent mismatch errors in the browser. HTTPS should be made mandatory, with the necessary redirects and enforcement in place to ensure no plain text connections are possible. 
Processes should be established to ensure certificates are renewed before they expire."},{"id":"http_available","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"HTTP Accessible","value":"false"}],"actual":[{"property":"HTTP Accessible","value":"false"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"HTTP requests are redirected to HTTPS","description":"All HTTP requests are redirected to HTTPS.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:80","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The HTTP Still Available check is used to measure whether a server is allowing users to connect to it via HTTP rather than HTTPS. Connecting to a website via HTTPS is more secure as it involves a SSL/TLS-based connection, which encrypts data in transit. Many web browsers will try the HTTP version of a website first before trying the HTTPS version. If you have a proper redirect response on your HTTP port then you will pass this check. You should combine this with proper HSTS settings to ensure browsers always attempt a HTTPS-based connection from the beginning.","riskDetails":"Encrypting data using SSL/TLS prevents any attackers who intercept the data from reading it. If any part of the connection transmits data using HTTP, even if it later uses HTTPS, the data transmitted over HTTP is susceptible to man-in-the-middle attacks. For example, a user might attempt to visit your website and embed their username and password in the URL parameters or the request headers as part of the request. Even if that data is then redirected to an HTTPS connection, it was still transmitted via HTTP.","recommendedRemediation":"All HTTP connections should be redirected to HTTPS connections instead. The method for doing this differs by technology. For some websites, the .htaccess file can be modified to reroute requests to HTTPS. 
For Microsoft IIS, the URL Rewrite module for IIS will allow you to redirect HTTP requests to HTTPS. HTTPS redirects should always be paired with HTTP Strict Transport Security (HSTS). HSTS will ensure no HTTP connections are allowed.","knownExploitedVulnCount":0,"checkID":"http_available","category":"ssl","controlCheckID":"IM.EN.DT.ZW","passTitle":"HTTP requests are redirected to HTTPS","passDescription":"All HTTP requests are redirected to HTTPS.","passGroupDescription":"All HTTP requests are redirected to HTTPS.","failTitle":"HTTP does not redirect to HTTPS","failDescription":"The domain is still accessible over HTTP. All HTTP requests should be redirected to HTTPS.","remediation":"Redirect HTTP requests to HTTPS.","issue":"Websites are still accessible over HTTP. All HTTP requests should be redirected to HTTPS to ensure encrypted communications between the website and its visitors.","recommendation":"Redirect users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects. This ensures all communications are encrypted, preventing certain man-in-the-middle attacks.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The HTTP Still Available check is used to measure whether a server is allowing users to connect to it via HTTP rather than HTTPS. Connecting to a website via HTTPS is more secure as it involves a SSL/TLS-based connection, which encrypts data in transit. Many web browsers will try the HTTP version of a website first before trying the HTTPS version. If you have a proper redirect response on your HTTP port then you will pass this check. 
You should combine this with proper HSTS settings to ensure browsers always attempt a HTTPS-based connection from the beginning.","RiskDetails":"Encrypting data using SSL/TLS prevents any attackers who intercept the data from reading it. If any part of the connection transmits data using HTTP, even if it later uses HTTPS, the data transmitted over HTTP is susceptible to man-in-the-middle attacks. For example, a user might attempt to visit your website and embed their username and password in the URL parameters or the request headers as part of the request. Even if that data is then redirected to an HTTPS connection, it was still transmitted via HTTP.","RecommendedRemediation":"All HTTP connections should be redirected to HTTPS connections instead. The method for doing this differs by technology. For some websites, the .htaccess file can be modified to reroute requests to HTTPS. For Microsoft IIS, the URL Rewrite module for IIS will allow you to redirect HTTP requests to HTTPS. HTTPS redirects should always be paired with HTTP Strict Transport Security (HSTS). HSTS will ensure no HTTP connections are allowed."},{"id":"ssl_host_match","pass":true,"meta":"ttec.com matches ttec.com, www.ttec.com matches www.ttec.com","vendorOnly":false,"expected":[{"property":"SSL > Host Match","value":"[hostname matches SSL certificate]"}],"actual":[{"property":"SSL > Host Match","value":"ttec.com matches ttec.com, www.ttec.com matches www.ttec.com"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Hostname matches SSL certificate","description":"The site's hostname matches the SSL certificate.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. 
They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate should include the preferred hostname(s) for the system that is being protected, so that the certificate can be verified to the address being accessed by the client.","riskDetails":"When a certificate does not match the hostname the client is trying to access, it produces an error in the browser. This is because each certificate must specify the addresses for which it is valid. In addition to sites being rendered inaccessible to most browsers, mismatched certificates open the door for man-in-the-middle (MITM) attacks, as name confusion reduces the trustworthiness of all systems involved.","recommendedRemediation":"A new certificate should be requested from a trusted authority with the correct hostname(s) listed on it. This will prevent browser errors and reduce certificate complexity across the organization. All existing certificates should be audited to ensure that each one has the proper hostnames. Changes to hostnames or aliases should include steps to update certificates with the new names.","knownExploitedVulnCount":0,"checkID":"ssl_host_match","category":"ssl","controlCheckID":"IM.EN.TC.PA","passTitle":"Hostname matches SSL certificate","passDescription":"The site's hostname matches the SSL certificate.","passGroupDescription":"All hostnames match their corresponding SSL certificates.","failTitle":"Hostname does not match SSL certificate","failDescription":"The site's hostname does not match the SSL certificate. The domain name should be added to the certificate, either as a Subject Alternative Name or as the Common Name.","remediation":"Set certificate Subject Alternative Name or Common Name correctly.","issue":"The hostname does not match the SSL certificate on the identified websites. 
This will result in modern browsers throwing an error and in some cases, refusing to connect to the website. This can also be a signal of an in-progress cyber attack.","recommendation":"Add the hostname to the SSL certificate, as a Subject Alternative Name or as Common Name, to ensure the website remains secure and does not expose errors to visitors through their browser.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate should include the preferred hostname(s) for the system that is being protected, so that the certificate can be verified to the address being accessed by the client.","RiskDetails":"When a certificate does not match the hostname the client is trying to access, it produces an error in the browser. This is because each certificate must specify the addresses for which it is valid. In addition to sites being rendered inaccessible to most browsers, mismatched certificates open the door for man-in-the-middle (MITM) attacks, as name confusion reduces the trustworthiness of all systems involved.","RecommendedRemediation":"A new certificate should be requested from a trusted authority with the correct hostname(s) listed on it. This will prevent browser errors and reduce certificate complexity across the organization. All existing certificates should be audited to ensure that each one has the proper hostnames. 
Changes to hostnames or aliases should include steps to update certificates with the new names."},{"id":"ssl_expired","pass":true,"meta":"2026-06-12 11:17:41 UTC","vendorOnly":false,"expected":[{"property":"SSL > Expired","value":"[has not expired]"}],"actual":[{"property":"SSL > Expired","value":"2026-06-12 11:17:41 UTC"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL has not expired","description":"SSL certificate has not expired.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","riskDetails":"Expired SSL/TLS certificates can no longer provide encrypted channels for data, increasing the risk of a man-in-the-middle attack. Furthermore, most browsers will not allow access to sites with expired certificates, rendering them unavailable to most users.","recommendedRemediation":"Expired certificates must be replaced with valid certificates from a trusted authority. Once a valid certificate has been installed on the system, SSL/TLS functionality will be restored. Validity periods are limited to 398 days. 
In order to maintain continuity, processes should be established to renew certificates within that time frame before they expire.","knownExploitedVulnCount":0,"checkID":"ssl_expired","category":"ssl","controlCheckID":"IM.EN.DT.DQ","passTitle":"SSL has not expired","passDescription":"SSL certificate has not expired.","passGroupDescription":"No SSL certificates have expired.","failTitle":"SSL expired","failDescription":"SSL certificate has expired. The certificate will need to be renewed for connections to your domain to be trusted.","remediation":"Renew expired SSL certificates.","issue":"Websites have expired SSL certificates. SSL certificates facilitate the encryption of data in transit. When an SSL certificate expires, modern web browsers will issue a security warning that often results in visitors leaving the website.","recommendation":"Renew expired SSL certificates to ensure that the connections to the domain are secure and trusted by modern browsers. This keeps your customers secure and ensures visitors don't bounce from your site.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. 
Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","RiskDetails":"Expired SSL/TLS certificates can no longer provide encrypted channels for data, increasing the risk of a man-in-the-middle attack. Furthermore, most browsers will not allow access to sites with expired certificates, rendering them unavailable to most users.","RecommendedRemediation":"Expired certificates must be replaced with valid certificates from a trusted authority. Once a valid certificate has been installed on the system, SSL/TLS functionality will be restored. Validity periods are limited to 398 days. In order to maintain continuity, processes should be established to renew certificates within that time frame before they expire."},{"id":"ssl_trusted_v2","pass":true,"meta":"Trusted SSL certificate","vendorOnly":false,"expected":[{"property":"SSL > Trusted","value":"true"}],"actual":[{"property":"SSL > Trusted","value":"true"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Trusted SSL certificate","description":"The certificate presented by this domain was issued by a trusted certificate authority.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"ssl_trusted","summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Most certificates are issued from trusted authorities that are already allowed in most browsers. 
However, in certain circumstances, certificates can also be self-signed or issued by an untrusted authority.","riskDetails":"Untrusted certificates will cause an error in most browsers, preventing them from accessing the site. This is to ensure that only trustworthy certificates are accepted. Untrusted certificates could come from anywhere, and do not necessarily provide any guarantee of security. In some cases, untrusted certificates may be used internally in combination with the installation of client side certificates, but internet facing services should almost always use certificates from trusted third party authorities to provide a smooth end user experience.","recommendedRemediation":"Untrusted certificates should be replaced by valid certificates issued by trusted authorities. The untrusted certificate cannot be renewed. A new request must be generated by the affected system and submitted to the trusted authority. Intentional use of self-signed or untrusted certificates should be done with care to ensure both the accessibility and security of affected systems.","knownExploitedVulnCount":0,"checkID":"ssl_trusted_v2","category":"ssl","controlCheckID":"IM.EN.TC.ZW","passTitle":"Trusted SSL certificate","passDescription":"The certificate presented by this domain was issued by a trusted certificate authority.","passGroupDescription":"All responses contained a certificate issued by a trusted certificate authority.","failTitle":"Untrusted SSL certificate","failDescription":"The certificate presented by this domain was not issued by a trusted certificate authority and therefore cannot be verified by browsers.","remediation":"Configure the server to use a trusted SSL certificate.","issue":"Server responses contain an untrusted SSL certificate. 
When the certificate is not trusted, web browsers will issue a security warning that often results in visitors leaving the website.","recommendation":"We recommend that you configure your server to use a trusted SSL certificate.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Most certificates are issued from trusted authorities that are already allowed in most browsers. However, in certain circumstances, certificates can also be self-signed or issued by an untrusted authority.","RiskDetails":"Untrusted certificates will cause an error in most browsers, preventing them from accessing the site. This is to ensure that only trustworthy certificates are accepted. Untrusted certificates could come from anywhere, and do not necessarily provide any guarantee of security. In some cases, untrusted certificates may be used internally in combination with the installation of client side certificates, but internet facing services should almost always use certificates from trusted third party authorities to provide a smooth end user experience.","RecommendedRemediation":"Untrusted certificates should be replaced by valid certificates issued by trusted authorities. The untrusted certificate cannot be renewed. A new request must be generated by the affected system and submitted to the trusted authority. 
Intentional use of self-signed or untrusted certificates should be done with care to ensure both the accessibility and security of affected systems."},{"id":"ssl_version","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"SSL > Insecure Protocol Versions","value":"[none found]"}],"actual":[{"property":"SSL > Insecure Protocol Versions","value":"[none found]"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"No insecure SSL/TLS versions available","description":"No insecure SSL/TLS versions are available for this site.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. There are multiple versions of SSL and TLS that can be used. Although each version supersedes the last, many times the older protocols remain enabled for legacy support.","riskDetails":"All versions of SSL, and TLS versions below 1.2, are insecure. There are known vulnerabilities for these versions that can allow malicious actors to bypass encryption and access the data. Therefore, these versions of SSL and TLS are susceptible to man-in-the-middle (MITM) attacks, where a third party intercepts data between the client and server.","recommendedRemediation":"Only TLS 1.2 or higher should be allowed. 
All older versions should be disabled on the server to prevent malicious actors from trying to connect to these vulnerable protocols.","knownExploitedVulnCount":0,"checkID":"ssl_version","category":"ssl","controlCheckID":"IM.EN.SE.UQ","passTitle":"No insecure SSL/TLS versions available","passDescription":"No insecure SSL/TLS versions are available for this site.","passGroupDescription":"No insecure SSL/TLS versions are available for any site.","failTitle":"Insecure SSL/TLS versions available","failDescription":"Any version of the SSL protocol, and TLS prior to version 1.2, are now considered insecure. The server should disable support for these old protocols.","remediation":"Disable support for the SSL protocol and TLS prior to version 1.2.","issue":"Impacted websites are using an insecure SSL/TLS version. Any version of the SSL protocol, and TLS protocol prior to version 1.2 are now insecure. Websites should not use these protocols.","recommendation":"Disable support of the SSL protocol and TLS protocol prior to version 1.2. Doing so will ensure the integrity of communications between the website and its visitors.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. There are multiple versions of SSL and TLS that can be used. Although each version supersedes the last, many times the older protocols remain enabled for legacy support.","RiskDetails":"All versions of SSL, and TLS versions below 1.2, are insecure. 
There are known vulnerabilities for these versions that can allow malicious actors to bypass encryption and access the data. Therefore, these versions of SSL and TLS are susceptible to man-in-the-middle (MITM) attacks, where a third party intercepts data between the client and server.","RecommendedRemediation":"Only TLS 1.2 or higher should be allowed. All older versions should be disabled on the server to prevent malicious actors from trying to connect to these vulnerable protocols."},{"id":"ssl_chain_present","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"SSL > Chain","value":"[certificate chain present in server response]"}],"actual":[{"property":"SSL > Chain","value":"present"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL certificate chain present in server response","description":"A complete SSL certificate chain was presented by the server for this domain.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates belong to a “certificate chain” that provides validity at different levels. The Root certificate validates the issuer of the certificate, ensuring it actually came from that authority. There may also be intermediate certificates, depending on the structure and hierarchy of the issuer. 
Intermediate certificates provide an extra layer of security for the issuer to ensure the root keys are not compromised.","riskDetails":"Every certificate in the chain must be valid for the end certificate to be valid. Even if the end certificate is valid in itself, a missing root or intermediate certificate in the chain will invalidate the entire set. This is because the chain functions as a whole, with the validity of the end certificate being guaranteed by the validity of the issuer. Most browsers will encounter error messages when accessing websites with missing certificate chains, making them inaccessible to most users.","recommendedRemediation":"Servers should be configured to return the entire certificate chain. This problem often occurs when intermediate certificates need to be installed on the server in addition to the end certificate. This prevents gaps between the end certificate and the root authority. Ensure all necessary certificates in the chain are available on the system. Once they are, browsers will be able to access the system as normal. Certificates should be monitored or audited to ensure there are no chain gaps that could interrupt service.","knownExploitedVulnCount":0,"checkID":"ssl_chain_present","category":"ssl","controlCheckID":"IM.EN.TC.XG","passTitle":"SSL certificate chain present in server response","passDescription":"A complete SSL certificate chain was presented by the server for this domain.","passGroupDescription":"All server responses contained a complete SSL certificate chain.","failTitle":"SSL certificate chain missing from server response","failDescription":"There is an invalid or missing intermediate certificate. This can cause some browsers to break the padlock. An intermediate/chain certificate may need to be installed to link it to a trusted root certificate.","remediation":"Configure the server to include the certificate chain in the responses.","issue":"Server responses do not include the full certificate chain. 
When the certificate chain is missing, web browsers will issue a security warning that often results in visitors leaving the website.","recommendation":"We recommend that you configure your server to return the full SSL certificate chain.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates belong to a “certificate chain” that provides validity at different levels. The Root certificate validates the issuer of the certificate, ensuring it actually came from that authority. There may also be intermediate certificates, depending on the structure and hierarchy of the issuer. Intermediate certificates provide an extra layer of security for the issuer to ensure the root keys are not compromised.","RiskDetails":"Every certificate in the chain must be valid for the end certificate to be valid. Even if the end certificate is valid in itself, a missing root or intermediate certificate in the chain will invalidate the entire set. This is because the chain functions as a whole, with the validity of the end certificate being guaranteed by the validity of the issuer. Most browsers will encounter error messages when accessing websites with missing certificate chains, making them inaccessible to most users.","RecommendedRemediation":"Servers should be configured to return the entire certificate chain. 
This problem often occurs when intermediate certificates need to be installed on the server in addition to the end certificate. This prevents gaps between the end certificate and the root authority. Ensure all necessary certificates in the chain are available on the system. Once they are, browsers will be able to access the system as normal. Certificates should be monitored or audited to ensure there are no chain gaps that could interrupt service."},{"id":"ssl_expiry_chain","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"SSL > Chain","value":"[does not expire within 20 days]"}],"actual":[{"property":"SSL > Chain","value":"[none found]"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL chain certificates do not expire within 20 days","description":"SSL intermediate and root certificates do not expire within 20 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates belong to a “certificate chain” that provides validity at different levels. The Root certificate validates the issuer of the certificate, ensuring it actually came from that authority. There may also be intermediate certificates, depending on the structure and hierarchy of the issuer. Intermediate certificates provide an extra layer of security for the issuer to ensure the root keys are not compromised.","riskDetails":"A certificate in the chain will become invalid if its validity period expires. 
Every certificate in the chain must be valid for the end certificate to be valid. Even if the end certificate is valid in itself, an invalid root or intermediate certificate in the chain will invalidate the entire set. This is because the chain functions as a whole, with the validity of the end certificate being guaranteed by the validity of the issuer. Most browsers will not open websites with invalid certificate chains, making them inaccessible to most users.","recommendedRemediation":"Certificates with links in the chain that are about to expire must be reissued from a valid authority and replaced on the server. Certificate status should be monitored or regularly reviewed to ensure the validity status of the certificate chain.","knownExploitedVulnCount":0,"checkID":"ssl_expiry_chain","category":"ssl","controlCheckID":"IM.EN.DT.VG","passTitle":"SSL chain certificates do not expire within 20 days","passDescription":"SSL intermediate and root certificates do not expire within 20 days.","passGroupDescription":"All certificates in the SSL chain do not expire within 20 days.","failTitle":"SSL chain certificate expires within 20 days","failDescription":"An intermediate or root certificate expires within 20 days. When certificates expire they become invalid, and will no longer be able to run secure transactions.","remediation":"Renew SSL certificates.","issue":"Impacted domains have SSL intermediate or root certificates which are set to expire within 20 days. When certificates expire they become invalid, and will no longer be able to run secure transactions.","recommendation":"We recommend that you renew impacted SSL certificates prior to their expiry to avoid unencrypted communications. 
This helps keep your customers safe by ensuring adequate encryption.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates belong to a “certificate chain” that provides validity at different levels. The Root certificate validates the issuer of the certificate, ensuring it actually came from that authority. There may also be intermediate certificates, depending on the structure and hierarchy of the issuer. Intermediate certificates provide an extra layer of security for the issuer to ensure the root keys are not compromised.","RiskDetails":"A certificate in the chain will become invalid if its validity period expires. Every certificate in the chain must be valid for the end certificate to be valid. Even if the end certificate is valid in itself, an invalid root or intermediate certificate in the chain will invalidate the entire set. This is because the chain functions as a whole, with the validity of the end certificate being guaranteed by the validity of the issuer. Most browsers will not open websites with invalid certificate chains, making them inaccessible to most users.","RecommendedRemediation":"Certificates with links in the chain that are about to expire must be reissued from a valid authority and replaced on the server. 
Certificate status should be monitored or regularly reviewed to ensure the validity status of the certificate chain."},{"id":"ssl_expiry_long","pass":true,"meta":"90","vendorOnly":false,"expected":[{"property":"SSL > Expires","value":"[expiration period shorter than 398 days]"}],"actual":[{"property":"SSL > Expires","value":"90"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL expiration period shorter than 398 days","description":"The SSL certificate presented by the server has an expiration period shorter than 398 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","riskDetails":"As of September 1 2020, the maximum supported validity duration for SSL/TLS certificates was reduced to 398 days. Certificates with durations greater than this are considered invalid by many browsers and will not allow communication with sites that have them. Furthermore, shorter renewal periods offer the best chance to continuously use the latest and most secure encryption. 
Certificates with very long validity durations may become susceptible to attack if vulnerabilities are eventually found in the algorithm.","recommendedRemediation":"Certificates with validity durations longer than 398 days should be replaced with valid certificates within the 398 day limit. All new and renewed certificates should follow this limit as well, with a process expectation of roughly a yearly cycle for all certificates.","knownExploitedVulnCount":0,"checkID":"ssl_expiry_long","category":"ssl","controlCheckID":"IM.EN.DT.AA","passTitle":"SSL expiration period shorter than 398 days","passDescription":"The SSL certificate presented by the server has an expiration period shorter than 398 days.","passGroupDescription":"All SSL certificates expiration periods are shorter than 398 days.","failTitle":"SSL expiration period longer than 398 days","failDescription":"Certificates issued on or after September 1, 2020 must not have a validity period greater than 398 days. The certificate will need to be reissued with a maximum validity of 397 days.","remediation":"Re-issue SSL certificates.","issue":"Impacted domains have SSL certificates which have expiration periods longer than 398 days. Browsers enforce a maximum certificate expiration of 398 days.","recommendation":"We recommend that you re-issue impacted SSL certificates.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. 
SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","RiskDetails":"As of September 1 2020, the maximum supported validity duration for SSL/TLS certificates was reduced to 398 days. Certificates with durations greater than this are considered invalid by many browsers and will not allow communication with sites that have them. Furthermore, shorter renewal periods offer the best chance to continuously use the latest and most secure encryption. Certificates with very long validity durations may become susceptible to attack if vulnerabilities are eventually found in the algorithm.","RecommendedRemediation":"Certificates with validity durations longer than 398 days should be replaced with valid certificates within the 398 day limit. All new and renewed certificates should follow this limit as well, with a process expectation of roughly a yearly cycle for all certificates."},{"id":"ssl_expires_soon","pass":true,"meta":"2026-06-12 11:17:41 UTC","vendorOnly":false,"expected":[{"property":"SSL > Expires","value":"[has more than 20% of its valid period remaining]"}],"actual":[{"property":"SSL > Expires","value":"2026-06-12 11:17:41 UTC"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL has more than 20% of its valid period remaining","description":"SSL certificate does not expire in less than 20% of its total valid period.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. 
These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","riskDetails":"Allowing certificates to expire can affect both security and functionality. An invalid certificate cannot provide proper protection against man-in-the-middle (MITM) attacks, undermining the point of SSL/TLS entirely. Furthermore, most browsers will not allow users to go to sites with expired certificates. If a certificate expires on an important service or system it may render it virtually unreachable until the certificate is renewed.","recommendedRemediation":"A process should be in place to track certificate expiry across all systems and renew them before they expire. Renewed certificates should have a strong encryption algorithm and specify the name of the system they are for. Certificates should be valid for no longer than 398 days, as many browsers will no longer accept validity durations beyond this limit.","knownExploitedVulnCount":0,"checkID":"ssl_expires_soon","category":"ssl","controlCheckID":"IM.EN.DT.XH","passTitle":"SSL has more than 20% of its valid period remaining","passDescription":"SSL certificate does not expire in less than 20% of its total valid period.","passGroupDescription":"No SSL certificates expire in less than 20% of their total valid period.","failTitle":"SSL expires in less than 20% of its total valid period","failDescription":"SSL certificate has less than 20% of its total valid period remaining. The certificate will need to be renewed to avoid expiry.","remediation":"Renew SSL certificates.","issue":"Impacted domains have SSL certificates which have less than 20% of their total valid period remaining. 
When certificates expire they become invalid, and will no longer be able to run secure transactions.","recommendation":"We recommend that you renew impacted SSL certificates prior to their expiry to avoid unencrypted communications. This helps keep your customers safe by ensuring adequate encryption.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","RiskDetails":"Allowing certificates to expire can affect both security and functionality. An invalid certificate cannot provide proper protection against man-in-the-middle (MITM) attacks, undermining the point of SSL/TLS entirely. Furthermore, most browsers will not allow users to go to sites with expired certificates. If a certificate expires on an important service or system it may render it virtually unreachable until the certificate is renewed.","RecommendedRemediation":"A process should be in place to track certificate expiry across all systems and renew them before they expire. Renewed certificates should have a strong encryption algorithm and specify the name of the system they are for. 
Certificates should be valid for no longer than 398 days, as many browsers will no longer accept validity durations beyond this limit."},{"id":"ssl_strength","pass":true,"meta":"SHA256-RSA","vendorOnly":false,"expected":[{"property":"SSL > Algorithm","value":"[at least 'sha256']"}],"actual":[{"property":"SSL > Algorithm","value":"SHA256-RSA"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Strong SSL algorithm","description":"Industry standard SHA-256 encryption in use.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate utilizes an encryption algorithm to scramble the encrypted data and make it unreadable. These algorithms are designed to be extremely difficult to reverse engineer, giving the best protection. Better algorithms are incorporated as they come about and certificates are constantly adapting to more secure standards.","riskDetails":"Although encryption algorithms are designed to be difficult to break, they are occasionally broken. When an algorithm has been successfully reverse engineered, it is no longer considered secure, as third parties may be able to access the encrypted data with an imposter key. Even when an algorithm hasn’t been breached, new algorithms may provide increased protection and are thus preferable over maintaining older algorithms. Most browsers have a changing list of approved encryption algorithms. 
If an algorithm is not approved, the browser will not be able to access that site.","recommendedRemediation":"Certificates with weak SSL algorithms should be replaced with new valid certificates from a trusted authority. When requesting the certificate, you will be able to specify stronger encryption algorithms from the issuer. Because algorithms are always changing, it is important to consistently renew certificates about every year and always use the most secure algorithm available at the time of renewal.","knownExploitedVulnCount":0,"checkID":"ssl_strength","category":"ssl","controlCheckID":"IM.EN.SE.PA","passTitle":"Strong SSL algorithm","passDescription":"Industry standard SHA-256 encryption in use.","passGroupDescription":"Industry standard encryption in use.","failTitle":"Weak SSL algorithm","failDescription":"Industry standard SHA-256 encryption is not in use. The SSL certificate should be migrated to a SHA-256 certificate.","remediation":"Upgrade to at least SHA-256 encryption for SSL certificates.","issue":"The impacted domains are using a weak SSL-cipher. It’s important to only use strong ciphers on websites to ensure secure communications with visitors. Otherwise, attackers may be able to decrypt SSL traffic between the server and visitors.","recommendation":"Migrate to an SSL certificate that uses the industry standard, SHA-256 encryption. SHA-256 provides stronger encryption and has replaced SHA-1 as the de facto standard for encryption on the web.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. 
They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate utilizes an encryption algorithm to scramble the encrypted data and make it unreadable. These algorithms are designed to be extremely difficult to reverse engineer, giving the best protection. Better algorithms are incorporated as they come about and certificates are constantly adapting to more secure standards.","RiskDetails":"Although encryption algorithms are designed to be difficult to break, they are occasionally broken. When an algorithm has been successfully reverse engineered, it is no longer considered secure, as third parties may be able to access the encrypted data with an imposter key. Even when an algorithm hasn’t been breached, new algorithms may provide increased protection and are thus preferable over maintaining older algorithms. Most browsers have a changing list of approved encryption algorithms. If an algorithm is not approved, the browser will not be able to access that site.","RecommendedRemediation":"Certificates with weak SSL algorithms should be replaced with new valid certificates from a trusted authority. When requesting the certificate, you will be able to specify stronger encryption algorithms from the issuer. 
Because algorithms are always changing, it is important to consistently renew certificates about every year and always use the most secure algorithm available at the time of renewal."},{"id":"http_strict_transport_security_include_subdomains","pass":true,"meta":"max-age=31622400; includeSubDomains; preload","vendorOnly":false,"expected":[{"property":"Headers > strict-transport-security","value":"max-age=[anything]; includeSubDomains; ..."}],"actual":[{"property":"Headers > strict-transport-security","value":"max-age=31622400; includeSubDomains; preload"}],"severity":2,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"HSTS header contains includeSubDomains","description":"The HTTP Strict Transport Security (HSTS) header contains the includeSubDomains directive.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times. The IncludeSubDomains directive enforces HSTS across subdomains as well.","riskDetails":"If the IncludeSubDomains directive is not specified, subdomains will not be forced to HTTPS. This means the root domain will be secured, but resources located in subdomains will be able to establish unencrypted HTTP connections. 
This can open the door for unexpected and unseen circumstances where a client passes sensitive information in plain text, leaving it vulnerable to man-in-the-middle (MITM) attacks.","recommendedRemediation":"Update the Strict-Transport-Security header on the system to contain the IncludeSubDomains parameter. Web services may need to be restarted for the change to take effect. Processes should be established to monitor or audit the status of HSTS on all internet-facing systems to ensure HSTS is present and properly configured.","knownExploitedVulnCount":0,"checkID":"http_strict_transport_security_include_subdomains","category":"ssl","controlCheckID":"IM.EN.ET.UQ","passTitle":"HSTS header contains includeSubDomains","passDescription":"The HTTP Strict Transport Security (HSTS) header contains the includeSubDomains directive.","passGroupDescription":"All sites have the includeSubDomains directive set in their HSTS header.","failTitle":"HSTS header does not contain includeSubDomains","failDescription":"The HTTP Strict Transport Security (HSTS) header does not contain the includeSubDomains directive. This directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.","remediation":"Set the includeSubdomains directive in the Strict-Transport-Security header.","issue":"The HTTP Strict Transport Security (HSTS) header on identified websites does not contain the includeSubDomains directive. Without this directive, the browser won’t enforce the HSTS policy over subdomains.","recommendation":"Include the includeSubDomains directive. 
This ensures the HSTS policy is applied to the website and all subdomains, preventing them from accepting connections through HTTP.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times. The IncludeSubDomains directive enforces HSTS across subdomains as well.","RiskDetails":"If the IncludeSubDomains directive is not specified, subdomains will not be forced to HTTPS. This means the root domain will be secured, but resources located in subdomains will be able to establish unencrypted HTTP connections. This can open the door for unexpected and unseen circumstances where a client passes sensitive information in plain text, leaving it vulnerable to man-in-the-middle (MITM) attacks.","RecommendedRemediation":"Update the Strict-Transport-Security header on the system to contain the IncludeSubDomains parameter. Web services may need to be restarted for the change to take effect. 
Processes should be established to monitor or audit the status of HSTS on all internet-facing systems to ensure HSTS is present and properly configured."},{"id":"ssl_certificate_length","pass":true,"meta":"2048-bit RSA","vendorOnly":false,"expected":[{"property":"SSL > Public Certificate Key Length","value":"[RSA >= 2048 or ECDSA >= 224]"}],"actual":[{"property":"SSL > Public Certificate Key Length","value":"2048-bit RSA"}],"severity":2,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Strong public certificate key length","description":"The site's public certificate provides at least 112 bits of security strength.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"ssl_certificate_length_provisional","summary":"The key length in an SSL certificate is a critical factor in determining the strength of the encryption used to secure communications between a user's browser and a website. Keys that are too short are not long enough to provide adequate security.","riskDetails":"A weak key length, such as 1024 bits or shorter, is vulnerable to brute-force attacks, where attackers use computational power to try every possible key until they find the correct one. Advances in computing power have made it possible to break shorter keys within a feasible amount of time.","recommendedRemediation":"If a certificate is found to have a weak public key length, it should be reissued with a stronger key. 
This involves generating a new key pair with a recommended key length (2048 bits or higher for RSA) and obtaining a new certificate from a trusted Certificate Authority.","knownExploitedVulnCount":0,"checkID":"ssl_certificate_length","category":"ssl","controlCheckID":"IM.EN.SE.ZW","passTitle":"Strong public certificate key length","passDescription":"The site's public certificate provides at least 112 bits of security strength.","passGroupDescription":"All public certificates provide at least 112 bits of security strength.","failTitle":"Weak public certificate key length","failDescription":"Public key algorithms and key sizes offering less than 112 bits of security strength are no longer considered secure. Public RSA keys should be at least 2048-bit and ECDSA keys should be at least 224-bit.","remediation":"Ensure public RSA keys are at least 2048-bit, and ECDSA keys are at least 224-bit.","issue":"The impacted domains are using weak public certificates, making them more vulnerable to man-in-the-middle attacks.","recommendation":"Migrate to an RSA certificate of at least 2048 bits or an ECDSA certificate of at least 224 bits.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The key length in an SSL certificate is a critical factor in determining the strength of the encryption used to secure communications between a user's browser and a website. Keys that are too short are not long enough to provide adequate security.","RiskDetails":"A weak key length, such as 1024 bits or shorter, is vulnerable to brute-force attacks, where attackers use computational power to try every possible key until they find the correct one. 
Advances in computing power have made it possible to break shorter keys within a feasible amount of time.","RecommendedRemediation":"If a certificate is found to have a weak public key length, it should be reissued with a stronger key. This involves generating a new key pair with a recommended key length (2048 bits or higher for RSA) and obtaining a new certificate from a trusted Certificate Authority."},{"id":"ssl_weak_cipher","pass":true,"meta":"TLSv1.2: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","vendorOnly":false,"expected":[{"property":"SSL > Supported Cipher Suite","value":"[secure ciphers only]"}],"actual":[{"property":"SSL > Supported Cipher Suite","value":"TLSv1.2: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}],"severity":1,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"No weak cipher suites supported in TLS 1.2","description":"TLS connections to the site do not support any weak cipher suites.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Transport Layer Security (TLS) 1.2 supports several strong cipher suites, but also includes some that are considered obsolete or weak. Weak encryption algorithms in TLS 1.2 include NULL, RC2, RC4, DES, IDEA, and TDES/3DES, and cipher suites using these algorithms should not be used.","riskDetails":"Supporting weak cipher suites in TLS 1.2 means that attackers can attempt to force the usage of these cipher suites, even when secure ciphers are also available. Exploiting weak cipher suites can be used by hackers to eavesdrop on communications, intercept data, and launch adversary-in-the-middle attacks.","recommendedRemediation":"TLS 1.3 no longer includes the weak cipher suites available in 1.2. Upgrading to 1.3 will resolve the issue. 
Within 1.2, compare the list of cipher suites in use to the list at ciphersuite.info/cs to identify which are insecure.","knownExploitedVulnCount":0,"checkID":"ssl_weak_cipher","category":"ssl","controlCheckID":"IM.EN.SE.KA","passTitle":"No weak cipher suites supported in TLS 1.2","passDescription":"TLS connections to the site do not support any weak cipher suites.","passGroupDescription":"TLS connections to all sites do not support any weak cipher suites.","failTitle":"Weak cipher suites supported in TLS 1.2","failDescription":"Weak cipher suites can potentially be broken by a well resourced attacker, and should not be supported by the server unless very old devices or browsers must be supported.","remediation":"Ensure the server only supports secure cipher suites.","issue":"The impacted domains support weak cipher suites in TLS 1.2.","recommendation":"Ensure only secure ciphers are supported by the server.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Transport Layer Security (TLS) 1.2 supports several strong cipher suites, but also includes some that are considered obsolete or weak. Weak encryption algorithms in TLS 1.2 include NULL, RC2, RC4, DES, IDEA, and TDES/3DES, and cipher suites using these algorithms should not be used.","RiskDetails":"Supporting weak cipher suites in TLS 1.2 means that attackers can attempt to force the usage of these cipher suites, even when secure ciphers are also available. Exploiting weak cipher suites can be used by hackers to eavesdrop on communications, intercept data, and launch adversary-in-the-middle attacks.","RecommendedRemediation":"TLS 1.3 no longer includes the weak cipher suites available in 1.2. Upgrading to 1.3 will resolve the issue. 
Within 1.2, compare the list of cipher suites in use to the list at ciphersuite.info/cs to identify which are insecure."}],"dns":[{"id":"dangling_mx_record","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unregistered MX Domains","value":"[none]"}],"actual":[{"property":"Unregistered MX Domains","value":"[none]"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"email_sec","title":"No unregistered MX records detected","description":"No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The address specified as the mailbox in the MX record for this domain is unregistered, allowing an attacker to register that domain and gain control of this domain's mailbox.","riskDetails":"A mail exchange or MX record is a DNS record that indicates the address of the mail server that should receive mail for a domain. If ownership of that domain lapses, attackers may be able to gain control of the specified domain, and thereby gain control of its mailbox.","recommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. 
If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover.","knownExploitedVulnCount":0,"checkID":"dangling_mx_record","category":"dns","controlCheckID":"IM.DS.PM.PA","passTitle":"No unregistered MX records detected","passDescription":"No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.","passGroupDescription":"No applicable sites had unregistered domains in their MX records.","failTitle":"MX record with unregistered domain detected","failDescription":"This domain contains DNS MX records that point to an expired or unregistered domain. A bad actor could register the domain and receive mail on behalf of the target organization.","remediation":"Review the DNS records and remove all expired and unregistered MX records.","issue":"This domain contains DNS MX records that point to an expired or unregistered domain. A bad actor could register the domain and receive mail on behalf of the target organization.","recommendation":"Review the DNS records and remove all expired and unregistered MX records.","defaultSeverity":4,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"The address specified as the mailbox in the MX record for this domain is unregistered, allowing an attacker to register that domain and gain control of this domain's mailbox.","RiskDetails":"A mail exchange or MX record is a DNS record that indicates the address of the mail server that should receive mail for a domain. If ownership of that domain lapses, attackers may be able to gain control of the specified domain, and thereby gain control of its mailbox.","RecommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. 
Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover."},{"id":"domain_expired","pass":true,"meta":"2026-11-24T05:00:00.000Z","vendorOnly":false,"expected":[{"property":"Domain > Expired","value":"[has not expired]"}],"actual":[{"property":"Domain > Expired","value":"2026-11-24T05:00:00.000Z"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain has not expired","description":"Domain has not expired.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","riskDetails":"This domain is expired. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","recommendedRemediation":"The domain should be renewed as soon as possible with the registrar. 
Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date.","knownExploitedVulnCount":0,"checkID":"domain_expired","category":"domain","controlCheckID":"IM.DS.DO.UQ","passTitle":"Domain has not expired","passDescription":"Domain has not expired.","passGroupDescription":"No domains have expired.","failTitle":"Domain expired","failDescription":"The domain has expired, meaning anyone can purchase this domain. You should renew your domain registration immediately.","remediation":"Renew domain registration.","issue":"Some domains have expired. This means anyone with a credit card can go to a domain name registrar and buy them, resulting in loss of control.","recommendation":"If the identified domain is important, register it at a domain name registrar. For important domains, we recommend setting up auto-renewal to prevent domain expiration. This can be done at the domain’s registrar.","defaultSeverity":4,"categoryTotalCost":10,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","RiskDetails":"This domain is expired. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","RecommendedRemediation":"The domain should be renewed as soon as possible with the registrar. 
Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date."},{"id":"subdomain_takeover","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Subdomain Takeover","value":"[not vulnerable]"}],"actual":[{"property":"Subdomain Takeover","value":"[not vulnerable]"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"No subdomain takeover vulnerability detected","description":"No dangling DNS records that could lead to subdomain takeover were detected.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"When subdomains use CNAMEs in their DNS records to point to third party services, the third party addresses can become abandoned and available for registration by attackers. If an attacker registers that third party address and the subdomain continues to point to it, the attacker now controls the content of the subdomain.","riskDetails":"If an attacker registers the address used in the subdomain's CNAME, the attacker can use the subdomain for a number of attack methods. They may be able to control content on the page and use it as a phishing page. If other domains or applications route traffic through this page, they could collect any data (including credentials) sent to it. If other sites load script content from this subdomain, the attacker could inject malicious content.","recommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. 
If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover.","knownExploitedVulnCount":0,"checkID":"subdomain_takeover","category":"domain","controlCheckID":"IM.DS.DA.UQ","passTitle":"No subdomain takeover vulnerability detected","passDescription":"No dangling DNS records that could lead to subdomain takeover were detected.","passGroupDescription":"No applicable sites show vulnerability to subdomain takeover.","failTitle":"Subdomain takeover vulnerability detected","failDescription":"This domain contains a DNS record that points to an unclaimed or decommissioned service. A bad actor could register the service and control the content distributed on the domain.","remediation":"Review the page and remove any dangling DNS records.","issue":"This domain contains a DNS record that points to an unclaimed or decommissioned service. A bad actor could register the service and control the content distributed on the domain.","recommendation":"Review the page and remove any dangling DNS records.","defaultSeverity":4,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"When subdomains use CNAMEs in their DNS records to point to third party services, the third party addresses can become abandoned and available for registration by attackers. If an attacker registers that third party address and the subdomain continues to point to it, the attacker now controls the content of the subdomain.","RiskDetails":"If an attacker registers the address used in the subdomain's CNAME, the attacker can use the subdomain for a number of attack methods. They may be able to control content on the page and use it as a phishing page. If other domains or applications route traffic through this page, they could collect any data (including credentials) sent to it. 
If other sites load script content from this subdomain, the attacker could inject malicious content.","RecommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover."},{"id":"domain_expiry","pass":true,"meta":"2026-11-24T05:00:00.000Z","vendorOnly":false,"expected":[{"property":"Domain > Expires On","value":"[does not expire in next 30 days]"}],"actual":[{"property":"Domain > Expires On","value":"2026-11-24T05:00:00.000Z"}],"severity":3,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain does not expire soon","description":"Domain does not expire within 30 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","riskDetails":"This domain is going to expire soon. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","recommendedRemediation":"The domain should be renewed as soon as possible with the registrar. 
Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date.","knownExploitedVulnCount":0,"checkID":"domain_expiry","category":"domain","controlCheckID":"IM.DS.DO.PA","passTitle":"Domain does not expire soon","passDescription":"Domain does not expire within 30 days.","passGroupDescription":"No domains detected to expire within 30 days.","failTitle":"Domain expires soon","failDescription":"The domain expires soon, and anyone may be able to purchase it when it expires. You should renew your domain registration ASAP.","remediation":"Renew domain registration.","issue":"We've identified domains which are set to expire soon. When a domain expires, it may become available for purchase for anyone with a credit card on popular domain name registrars.","recommendation":"Renew the identified domains' registration as soon as possible. For important domains, we recommend setting up auto-renewal to prevent domain expiration. This can be done at the domain’s registrar.","defaultSeverity":3,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domains must be renewed within specified intervals to maintain ownership of the name. The minimum interval is 1 year and the maximum interval is 10 years. If a domain is not renewed within the appropriate interval, the domain name becomes “expired.” There is a 30 day grace period where the domain owner can still renew the expired domain name. After that, the domain can be purchased by a third party.","RiskDetails":"This domain is going to expire soon. An expired domain is no longer functional. Any services relying on the expired domain will become unavailable. 
In addition to the loss of functionality, expired domains can be snapped up quickly by third parties and used to drive traffic to malicious and fraudulent websites.","RecommendedRemediation":"The domain should be renewed as soon as possible with the registrar. Domains can be configured with auto-renewal to ensure that they are renewed before the expiration date."},{"id":"domain_not_resolvable","pass":true,"meta":"inactive: not set","vendorOnly":false,"expected":[{"property":"Domain > Not Resolvable","value":"inactive: not set"}],"actual":[{"property":"Domain > Not Resolvable","value":"inactive: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain not flagged as inactive","description":"Domain is not flagged as inactive.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of Inactive indicates that a domain does not have name servers associated with it.","riskDetails":"Domains that are marked as inactive do not resolve on the internet. Services relying on them will be unavailable until the status is removed.","recommendedRemediation":"Name servers should be associated with the inactive domain(s). 
The specific process for doing this depends on your DNS service, but nameserver (NS) records must be created in the domain that point to the IP addresses of your name servers.","knownExploitedVulnCount":0,"checkID":"domain_not_resolvable","category":"domain","controlCheckID":"IM.DS.DO.VG","passTitle":"Domain not flagged as inactive","passDescription":"Domain is not flagged as inactive.","passGroupDescription":"No domains are flagged as inactive.","failTitle":"Domain flagged as inactive","failDescription":"Domain is flagged as inactive, meaning it does not resolve to an address via name servers.","remediation":"Ensure domain is not flagged as inactive.","issue":"Some domains have been flagged as inactive because they do not have name servers associated with them. This means the domain name will not resolve on the Internet and potential visitors will not be able to connect.","recommendation":"Associate name servers with the domain to ensure they resolve on the Internet. This will also remove the inactive status of the domain.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of Inactive indicates that a domain does not have name servers associated with it.","RiskDetails":"Domains that are marked as inactive do not resolve on the internet. Services relying on them will be unavailable until the status is removed.","RecommendedRemediation":"Name servers should be associated with the inactive domain(s). 
The specific process for doing this depends on your DNS service, but nameserver (NS) records must be created in the domain that point to the IP addresses of your name servers."},{"id":"domain_pending_deletion","pass":true,"meta":"pendingDelete: not set","vendorOnly":false,"expected":[{"property":"Domain > Pending Deletion","value":"pendingDelete: not set"}],"actual":[{"property":"Domain > Pending Deletion","value":"pendingDelete: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain not pending deletion","description":"Domain is not pending deletion with the registrar.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingDelete (if not combined with redemptionPeriod or pendingRestore) means that the redemption period for the domain has expired and the domain will become available for public purchase within 5 business days.","riskDetails":"Domains that are marked as pendingDelete will be removed from the registry and put back on the market within a few days. If this happens, the domain can be quickly purchased by a malicious actor and used to route traffic to fraudulent sources.","recommendedRemediation":"To keep this domain name, the registrar must be contacted as soon as possible to see what options are available. 
If the domain goes back on the market it should be registered again quickly.","knownExploitedVulnCount":0,"checkID":"domain_pending_deletion","category":"domain","controlCheckID":"IM.DS.DO.DQ","passTitle":"Domain not pending deletion","passDescription":"Domain is not pending deletion with the registrar.","passGroupDescription":"No domains are pending deletion with the registrar.","failTitle":"Domain pending deletion","failDescription":"Domain pending deletion with the registrar.","remediation":"Ensure domain is not pending deletion.","issue":"The impacted domains are pending deletion at their domain name registrar. This means the domain can no longer be stored, renewed, or recovered and will become available for registration in five calendar days.","recommendation":"When domains are deleted, they become registrable to anyone on the Internet. We recommend registering them as soon as possible after deletion.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingDelete (if not combined with redemptionPeriod or pendingRestore) means that the redemption period for the domain has expired and the domain will become available for public purchase within 5 business days.","RiskDetails":"Domains that are marked as pendingDelete will be removed from the registry and put back on the market within a few days. If this happens, the domain can be quickly purchased by a malicious actor and used to route traffic to fraudulent sources.","RecommendedRemediation":"To keep this domain name, the registrar must be contacted as soon as possible to see what options are available. 
If the domain goes back on the market it should be registered again quickly."},{"id":"domain_pending_restoration","pass":true,"meta":"pendingRestore: not set","vendorOnly":false,"expected":[{"property":"Domain > Pending Restoration","value":"pendingRestore: not set"}],"actual":[{"property":"Domain > Pending Restoration","value":"pendingRestore: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain not pending restoration","description":"Domain is not pending restoration with the registrar.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingRestore means that the domain owner requested the domain be restored during the 30 day redemption period. Usually this status indicates that the registry is waiting for documentation from the registrar to approve the restoration. This status should only last for a few days and then be removed once the registry approves the provided documentation.","riskDetails":"Domains that are marked as pendingRestore may have an issue if this status exists for more than a few days during an intentional domain restoration. 
If the documentation necessary to restore the domain is not properly submitted within this timeframe, the domain may revert back to the redemptionPeriod status, meaning that when the redemption period expires the domain will be back on the public market.","recommendedRemediation":"If the pendingRestore status lasts more than a few days, the registrar should be contacted to find out what needs to be done to complete the restoration approval.","knownExploitedVulnCount":0,"checkID":"domain_pending_restoration","category":"domain","controlCheckID":"IM.DS.DO.KA","passTitle":"Domain not pending restoration","passDescription":"Domain is not pending restoration with the registrar.","passGroupDescription":"No domains are pending restoration with the registrar.","failTitle":"Domain pending restoration","failDescription":"Domain is pending restoration while the domain owner provides requested documentation.","remediation":"Ensure domain is not pending restoration.","issue":"These domains are pending restoration while the domain owner provides requested documentation. They are not yet active across the internet (for newly registered domains) or changes to the name server settings haven't taken effect.","recommendation":"The status of these domains will likely propagate across the Internet in the next 72 hours. If it takes longer than this, the domain owner will need to check with their domain name registrar and make sure DNS information is correct.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of pendingRestore means that the domain owner requested the domain be restored during the 30 day redemption period. 
Usually this status indicates that the registry is waiting for documentation from the registrar to approve the restoration. This status should only last for a few days and then be removed once the registry approves the provided documentation.","RiskDetails":"Domains that are marked as pendingRestore may have an issue if this status exists for more than a few days during an intentional domain restoration. If the documentation necessary to restore the domain is not properly submitted within this timeframe, the domain may revert back to the redemptionPeriod status, meaning that when the redemption period expires the domain will be back on the public market.","RecommendedRemediation":"If the pendingRestore status lasts more than a few days, the registrar should be contacted to find out what needs to be done to complete the restoration approval."},{"id":"domain_registrar_transfer_protection","pass":true,"meta":"clientTransferProhibited:enabled","vendorOnly":false,"expected":[{"property":"Domain > Registrar Transfer Protection","value":"clientTransferProhibited or serverTransferProhibited: set"}],"actual":[{"property":"Domain > Registrar Transfer Protection","value":"clientTransferProhibited:enabled"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain registrar or registry transfer protection enabled","description":"Domain is protected from unsolicited transfer requests.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain transfer protection is a DNS setting that prevents the transfer of a domain until the lock has been removed. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","riskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and transfering ownership of the domain. 
","recommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverTransferProhibited\" or \"clientTransferProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration.","knownExploitedVulnCount":0,"checkID":"domain_registrar_transfer_protection","category":"domain","controlCheckID":"IM.DS.DO.ZW","passTitle":"Domain registrar or registry transfer protection enabled","passDescription":"Domain is protected from unsolicited transfer requests.","passGroupDescription":"No domains detected as being susceptible to unsolicited transfer requests.","failTitle":"Domain registrar or registry transfer protection enabled","failDescription":"Domain is not protected from unsolicited transfer requests with the registrar or registry. The domain should have clientTransferProhibited or serverTransferProhibited set.","remediation":"Set clientTransferProhibited or serverTransferProhibited with the registrar/registry.","issue":"Impacted domains are not protected from unsolicited transfer requests. This means an attacker may be able to convince the registrar/registry them to transfer the domain to another registrar, gaining control of the domain.","recommendation":"Set ClientTransferProhibited or ServerTransferProhibited to true. This prevents the domain from being transferred. Note: this may be something that the support team at the domain name registrar has to do.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain transfer protection is a DNS setting that prevents the transfer of a domain until the lock has been removed. 
It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","RiskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and transferring ownership of the domain. ","RecommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverTransferProhibited\" or \"clientTransferProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration."},{"id":"domain_registrar_dns_resolution_hold","pass":true,"meta":"clientHold: not set","vendorOnly":false,"expected":[{"property":"Domain > Registrar DNS Resolution Hold","value":"clientHold: not set"}],"actual":[{"property":"Domain > Registrar DNS Resolution Hold","value":"clientHold: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain free of registrar DNS resolution hold","description":"Domain is not under a DNS resolution hold with the registrar.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of clientHold indicates that the registrar has put a hold on the domain, preventing it from becoming active. This is an uncommon status that is usually only encountered during legal disputes, non-payment, or when the domain is subject to deletion.","riskDetails":"Domains in the clientHold status are not active and will not resolve on the internet. Services relying on these domains will be inaccessible during this time. 
Furthermore, if not part of a planned domain deletion, this status indicates that there are likely business problems with the registrar that should be addressed.","recommendedRemediation":"To activate this domain, the registrar must be contacted to determine what the problem is and what actions must be taken to remove the hold.","knownExploitedVulnCount":0,"checkID":"domain_registrar_dns_resolution_hold","category":"domain","controlCheckID":"IM.DS.DO.NQ","passTitle":"Domain free of registrar DNS resolution hold","passDescription":"Domain is not under a DNS resolution hold with the registrar.","passGroupDescription":"No domains are under a DNS resolution hold with the registrar.","failTitle":"Domain under Registrar DNS resolution hold","failDescription":"Domain is under a DNS resolution hold with the registrar pending issues that must be resolved.","remediation":"Ensure domain is not under a DNS resolution hold with the registrar.","issue":"Impacted domains have an issue related to a legal dispute, non-payment, or are subject to deletion. While unresolved, these domains will not be active in the DNS.","recommendation":"The domain name owner will need to talk to their domain name registrar for more information and remediation advice.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of clientHold indicates that the registrar has put a hold on the domain, preventing it from becoming active. This is an uncommon status that is usually only encountered during legal disputes, non-payment, or when the domain is subject to deletion.","RiskDetails":"Domains in the clientHold status are not active and will not resolve on the internet. 
Services relying on these domains will be inaccessible during this time. Furthermore, if not part of a planned domain deletion, this status indicates that there are likely business problems with the registrar that should be addressed.","RecommendedRemediation":"To activate this domain, the registrar must be contacted to determine what the problem is and what actions must be taken to remove the hold."},{"id":"domain_registry_dns_resolution_hold","pass":true,"meta":"serverHold: not set","vendorOnly":false,"expected":[{"property":"Domain > Registry DNS Resolution Hold","value":"serverHold: not set"}],"actual":[{"property":"Domain > Registry DNS Resolution Hold","value":"serverHold: not set"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain free of registry DNS resolution hold","description":"Domain is not under a DNS resolution hold with the registry itself.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverHold means that the registry is preventing the domain from becoming active. This status is used when there is a problem with the domain information that must be resolved before approval.","riskDetails":"Domains in the serverHold status are not active and will not resolve on the internet. Services relying on these domains will be inaccessible during this time.","recommendedRemediation":"One possible issue that can cause this status is if the incorrect name server information has been provided to the registrar. 
However, the registrar must be contacted to determine what the problem is and what information is necessary to remove the code from the domain and activate it.","knownExploitedVulnCount":0,"checkID":"domain_registry_dns_resolution_hold","category":"domain","controlCheckID":"IM.DS.DO.TG","passTitle":"Domain free of registry DNS resolution hold","passDescription":"Domain is not under a DNS resolution hold with the registry itself.","passGroupDescription":"No domains are under a DNS resolution hold with the registry itself.","failTitle":"Domain under Registry DNS resolution hold","failDescription":"Domain is under a DNS resolution hold with the registry pending issues that must be resolved.","remediation":"Ensure domain is not under a DNS resolution hold with the registry.","issue":"Impacted domains have issues that need to be resolved. While unresolved, these domains will not be active in the DNS.","recommendation":"The domain name owner will need to talk to their registry for more information and remediation advice.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverHold means that the registry is preventing the domain from becoming active. This status is used when there is a problem with the domain information that must be resolved before approval.","RiskDetails":"Domains in the serverHold status are not active and will not resolve on the internet. Services relying on these domains will be inaccessible during this time.","RecommendedRemediation":"One possible issue that can cause this status is if the incorrect name server information has been provided to the registrar. 
However, the registrar must be contacted to determine what the problem is and what information is necessary to remove the code from the domain and activate it."},{"id":"domain_prohibited_from_renewal_at_registry","pass":true,"meta":"serverRenewProhibited: not set","vendorOnly":false,"expected":[{"property":"Domain > Prohibited from Renewal at Registry","value":"serverRenewProhibited: not set"}],"actual":[{"property":"Domain > Prohibited from Renewal at Registry","value":"serverRenewProhibited: not set"}],"severity":1,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain renewal not prohibited by registry","description":"Domain is not prohibited from renewal at the registry itself.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverRenewProhibited indicates that the registry operator will not allow your domain’s registrar to renew the domain. This is an uncommon status that is usually only utilized during legal disputes or when the domain is subject to deletion.","riskDetails":"Domains in the serverRenewProhibited status will not be eligible for renewal by the current domain owner. This means that at the end of the active period, the domain will enter the deletion process and be put back on the market.","recommendedRemediation":"This status often indicates a problem with the domain that needs to be addressed with the registrar. To renew this domain, the registrar must request that the registry remove this code from the domain. 
This process may take some time to complete.","knownExploitedVulnCount":0,"checkID":"domain_prohibited_from_renewal_at_registry","category":"domain","controlCheckID":"IM.DS.DO.RA","passTitle":"Domain renewal not prohibited by registry","passDescription":"Domain is not prohibited from renewal at the registry itself.","passGroupDescription":"No domains are prohibited from renewal at the registry itself.","failTitle":"Domain renewal prohibited by registry","failDescription":"Domain is prohibited from renewal at the registry itself. Often, this status indicates an issue with your domain that needs to be addressed promptly. You should contact your registrar to request more information and resolve the issue.","remediation":"Ensure serverRenewProhibited is not set with the registry.","issue":"Impacted domains can't be renewed due to a problem with the registry itself. This often indicates an issue with a domain that needs to be addressed as soon as possible.","recommendation":"The domain name owner will need to contact their domain name registrar and request more information and resolve the issue(s) relating to the identified domains.","defaultSeverity":1,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Registered domains can have domain name status codes (EPP codes) that describe certain attributes of the domain. The domain status code of serverRenewProhibited indicates that the registry operator will not allow your domain’s registrar to renew the domain. This is an uncommon status that is usually only utilized during legal disputes or when the domain is subject to deletion.","RiskDetails":"Domains in the serverRenewProhibited status will not be eligible for renewal by the current domain owner. 
This means that at the end of the active period, the domain will enter the deletion process and be put back on the market.","RecommendedRemediation":"This status often indicates a problem with the domain that needs to be addressed with the registrar. To renew this domain, the registrar must request that the registry remove this code from the domain. This process may take some time to complete."}],"email_sec_v2":[{"id":"dmarc_policy_none","pass":true,"meta":"v=DMARC1;p=reject;rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:dmarcaggregate@ttec.com,mailto:zhbfi4h2@ag.dmarcian.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:zhbfi4h2@fr.dmarcian.com;ri=3600;fo=1;","vendorOnly":false,"expected":[{"property":"DNS > DMARC","value":"v=DMARC1; p=reject; ..."}],"actual":[{"property":"DNS > DMARC","value":"v=DMARC1;p=reject;rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:dmarcaggregate@ttec.com,mailto:zhbfi4h2@ag.dmarcian.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:zhbfi4h2@fr.dmarcian.com;ri=3600;fo=1;"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"DMARC policy is not p=none","description":"DMARC reject policy provides the most effective protection against fraudulent emails being sent from a domain.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. 
If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","riskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain. However, if DMARC is configured to use p=none, it means that the fraudulent messages are still delivered to their recipients and therefore no protection is actually in place.","recommendedRemediation":"The p= value in DMARC provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, p=quarantine can be used temporarily to monitor DMARC behavior and ensure false positives are not being quarantined. Once this monitoring is complete, the p= value should be set to reject. This helps prevent fraudulent email from reaching end users.","knownExploitedVulnCount":0,"checkID":"dmarc_policy_none","category":"email","controlCheckID":"IM.ES.EA.KA","passTitle":"DMARC policy is not p=none","passDescription":"DMARC reject policy provides the most effective protection against fraudulent emails being sent from a domain.","passGroupDescription":"All applicable sites have a DMARC reject policy enforced. This provides the most effective protection against fraudulent emails being sent from a domain.","failTitle":"DMARC policy is p=none","failDescription":"DMARC policy is p=none. This provides no protection against fraudulent emails. The DMARC policy should be migrated to p=quarantine, and eventually p=reject.","remediation":"Set DMARC policy to p=quarantine, and then p=reject.","issue":"We've detected domains that have their DMARC policy set to p=none. 
This provides no protection against fraudulent emails as it indicates that no specific action should be taken regarding the delivery of fraudulent messages.","recommendation":"The DMARC policy should be set to p=quarantine and email deliverability should be monitored for unintended consequences, such as legitimate email being sent to spam. Once the domain owner is sure nothing is wrong, they should change to p=reject.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","RiskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain. However, if DMARC is configured to use p=none, it means that the fraudulent messages are still delivered to their recipients and therefore no protection is actually in place.","RecommendedRemediation":"The p= value in DMARC provides instructions on what to do with an email that fails DMARC alignment. 
The p= value should ultimately be set to reject for best security; however, p=quarantine can be used temporarily to monitor DMARC behavior and ensure false positives are not being quarantined. Once this monitoring is complete, the p= value should be set to reject. This helps prevent fraudulent email from reaching end users."},{"id":"dmarc_enabled","pass":true,"meta":"v=DMARC1;p=reject;rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:dmarcaggregate@ttec.com,mailto:zhbfi4h2@ag.dmarcian.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:zhbfi4h2@fr.dmarcian.com;ri=3600;fo=1;","vendorOnly":false,"expected":[{"property":"DNS > DMARC","value":"v=DMARC1; p=reject; ..."}],"actual":[{"property":"DNS > DMARC","value":"v=DMARC1;p=reject;rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:dmarcaggregate@ttec.com,mailto:zhbfi4h2@ag.dmarcian.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:zhbfi4h2@fr.dmarcian.com;ri=3600;fo=1;"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"DMARC policy exists","description":"DMARC protects against fraudulent emails being sent from a domain.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","riskDetails":"One of the most common phishing techniques is called email spoofing. 
Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","recommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy.","knownExploitedVulnCount":0,"checkID":"dmarc_enabled","category":"email","controlCheckID":"IM.ES.EA.DQ","passTitle":"DMARC policy exists","passDescription":"DMARC protects against fraudulent emails being sent from a domain.","passGroupDescription":"All applicable sites have a DMARC policy deployed.","failTitle":"DMARC policy not found","failDescription":"DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","remediation":"Add DMARC record.","issue":"We didn't find a DMARC policy associated with some domains. 
The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise (BEC) attacks, phishing emails, email scams and other email threats.","recommendation":"The domain owner needs to add a DMARC policy to these domains. This will provide a mechanism to authenticate the domain in the From header based on their SPF and DKIM records.","defaultSeverity":4,"categoryTotalCost":7,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","RiskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","RecommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. 
Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy."},{"id":"spf_filter_check","pass":true,"meta":"contains -all","vendorOnly":false,"expected":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"actual":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"Strict SPF filtering - not using +all","description":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. The +all mechanism is an instruction in an SPF record that tells mail recipients that any server can send mail on behalf of the sending domain, which opens this domain up to impersonation via email.","riskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. 
SPF records are one of the foundational tools for preventing those attacks. While the +all mechanism is a valid directive, it is overly permissive and does not prevent attackers from impersonating a domain. The + mechanism indicates that mail sent from this source should \"pass\" the SPF check done by the recipient. The \"all\" mechanism applies the \"pass\" rule to all domains and IPs, meaning that anyone, including attackers, can send email on behalf of this domain.","recommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain. Any other sender should receive a \"fail\" response from the SPF check and thus block content from unauthorized domains. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"+all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems. If the domain is used to send mail and no IP addresses or domains are specified yet, those should be added before the \"-all\" mechanism.","knownExploitedVulnCount":0,"checkID":"spf_filter_check","category":"email","controlCheckID":"IM.ES.EA.ZW","passTitle":"Strict SPF filtering - not using +all","passDescription":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","passGroupDescription":"All applicable sites have a strict Sender Policy Framework (SPF) record.","failTitle":"SPF policy uses +all","failDescription":"Sender Policy Framework (SPF) record is too permissive as to which domains are allowed to send email on the domain's behalf. This record should not contain a +all mechanism, as this allows all hosts to send email posing as this domain.","remediation":"Use '-all' in SPF record.","issue":"We've identified domains with Sender Policy Framework (SPF) records that are too permissive (+all). 
This could result in fraudulent email being sent on the domain's behalf.","recommendation":"Change the SPF records associated with these domains and remove the +all mechanism. We recommend using '-all' in your SPF records.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. The +all mechanism is an instruction in an SPF record that tells mail recipients that any server can send mail on behalf of the sending domain, which opens this domain up to impersonation via email.","RiskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. While the +all mechanism is a valid directive, it is overly permissive and does not prevent attackers from impersonating a domain. The + mechanism indicates that mail sent from this source should \"pass\" the SPF check done by the recipient. The \"all\" mechanism applies the \"pass\" rule to all domains and IPs, meaning that anyone, including attackers, can send email on behalf of this domain.","RecommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain. Any other sender should receive a \"fail\" response from the SPF check and thus block content from unauthorized domains. Through your DNS provider you should be able to find and update the SPF record for the domain. 
The \"+all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems. If the domain is used to send mail and no IP addresses or domains are specified yet, those should be added before the \"-all\" mechanism."},{"id":"spf_syntax_check","pass":true,"meta":"passes simple syntax check","vendorOnly":false,"expected":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"actual":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"severity":3,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF syntax correct","description":"Sender Policy Framework (SPF) record passes basic syntax checks.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","riskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","recommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. 
Update the record if changes are made to your email infrastructure.","knownExploitedVulnCount":0,"checkID":"spf_syntax_check","category":"email","controlCheckID":"IM.ES.EA.UQ","passTitle":"SPF syntax correct","passDescription":"Sender Policy Framework (SPF) record passes basic syntax checks.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) records that pass a basic syntax check.","failTitle":"SPF syntax error","failDescription":"Sender Policy Framework (SPF) record fails a basic syntax check. Records with syntax errors result in the protection mechanisms associated with SPF not being enforced. To be properly protected the SPF record syntax errors should be corrected.","remediation":"Fix SPF record syntax.","issue":"Impacted domains have a Sender Policy Framework (SPF) record that has failed a basic syntax check.  Records with syntax errors result in the protection mechanisms associated with SPF not being enforced.","recommendation":"To be properly protected the SPF record syntax errors should be corrected. SPF records always start with the v= element. This indicates the SPF version that is used. One or more terms will follow the version indicator. These define the rules for which hosts are allowed to send mail from the domain, or provide additional information for processing the SPF record.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. 
An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","RiskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","RecommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. Update the record if changes are made to your email infrastructure."},{"id":"dmarc_policy_percent","pass":true,"meta":"v=DMARC1;p=reject;rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:dmarcaggregate@ttec.com,mailto:zhbfi4h2@ag.dmarcian.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:zhbfi4h2@fr.dmarcian.com;ri=3600;fo=1;","vendorOnly":false,"expected":[{"property":"DNS > DMARC","value":"v=DMARC1; p=reject; pct=100..."}],"actual":[{"property":"DNS > DMARC","value":"v=DMARC1;p=reject;rua=mailto:dmarc_rua@emaildefense.proofpoint.com,mailto:dmarcaggregate@ttec.com,mailto:zhbfi4h2@ag.dmarcian.com;ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com,mailto:zhbfi4h2@fr.dmarcian.com;ri=3600;fo=1;"}],"severity":2,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"DMARC policy percentage is default","description":"DMARC policy percentage is set to default 100%, ensuring all mail is covered by the 
policy.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether. DMARC has a parameter called “pct=” that can specify what percentage of emails should be controlled by the DMARC failure actions. This means that if pct=25, only ¼ of the email that fails DMARC alignment will be subject to quarantine or rejection.","riskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain. When the pct= parameter is set to less than 100%, some amount of fraudulent email is passing through the system, increasing the likelihood of phishing attempts with spoofed From: addresses reaching end users.","recommendedRemediation":"The pct= parameter of DMARC should be set to 100. This is done by ensuring “pct=100” is present in the _DMARC TXT record in the relevant DNS domain. The only reason to use a partial pct= value is for a staged rollout of DMARC, so as to minimally disrupt mail flow in the case of an overly strict policy. 
In production, only a pct=100 value provides the protection against fraudulent email that DMARC is designed to offer.","knownExploitedVulnCount":0,"checkID":"dmarc_policy_percent","category":"email","controlCheckID":"IM.ES.EA.NQ","passTitle":"DMARC policy percentage is default","passDescription":"DMARC policy percentage is set to default 100%, ensuring all mail is covered by the policy.","passGroupDescription":"All applicable sites have a DMARC policy percentage set to the default 100%. This ensures all mail is covered by the policy.","failTitle":"DMARC policy percentage is less than 100%","failDescription":"DMARC policy percentage is less than 100%. The pct tag should be removed or set to 100 to ensure the policy is applied to all mail.","remediation":"Set DMARC policy percentage to 100%.","issue":"We've detected DMARC policies which have their percentage set to less than 100%. This means that the DMARC policy will not apply to all emails.","recommendation":"The pct tag should be removed or set to 100 to ensure the policy is applied to all email.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether. 
DMARC has a parameter called “pct=” that can specify what percentage of emails should be controlled by the DMARC failure actions. This means that if pct=25, only ¼ of the email that fails DMARC alignment will be subject to quarantine or rejection.","RiskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain. When the pct= parameter is set to less than 100%, some amount of fraudulent email is passing through the system, increasing the likelihood of phishing attempts with spoofed From: addresses reaching end users.","RecommendedRemediation":"The pct= parameter of DMARC should be set to 100. This is done by ensuring “pct=100” is present in the _DMARC TXT record in the relevant DNS domain. The only reason to use a partial pct= value is for a staged rollout of DMARC, so as to minimally disrupt mail flow in the case of an overly strict policy. 
In production, only a pct=100 value provides the protection against fraudulent email that DMARC is designed to offer."},{"id":"spf_ptr_mechanism","pass":true,"meta":"SPF record does not contain a ptr mechanism","vendorOnly":false,"expected":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"actual":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"severity":2,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF ptr mechanism not used","description":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","riskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","recommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. 
In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain.","knownExploitedVulnCount":0,"checkID":"spf_ptr_mechanism","category":"email","controlCheckID":"IM.ES.EA.VG","passTitle":"SPF ptr mechanism not used","passDescription":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","passGroupDescription":"All applicable sites that have an SPF record do not include the ptr mechanism.","failTitle":"SPF ptr mechanism used","failDescription":"Sender Policy Framework (SPF) record contains the ptr mechanism. This mechanism is intended to be used temporarily to check that a domain resolves to itself via a known IP address. This should not be used permanently as it puts unnecessary burden on DNS servers and some mail checkers may drop the SPF record if this mechanism is found.","remediation":"Remove ptr mechanism from SPF record.","issue":"The impacted domains have Sender Policy Framework (SPF) records that contain the 'ptr' mechanism. This mechanism is intended to be used temporarily to check that a domain resolves itself via a known IP address. This should not be used permanently as it puts unnecessary burden on DNS servers and some mail servers may drop the SPF record.","recommendation":"The domain owner should remove the ‘ptr’ from all SPF records to ensure that mail servers do not drop the SPF records associated with the domain.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. 
The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","RiskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","RecommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain."}],"ip_domain_reputation":[{"id":"suspected_malware_provider","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Malware","value":"false"}],"actual":[{"property":"Google Safe Browsing > Malware","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not a suspected malware provider","description":"This website does not appear to contain malicious code.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing malware. 
Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for suspected malware distribution when other users report suspicious activity making use of the domain. In the case of malware pages, this indicates that either an attacker or insider are making use of the domain to distribute malware to other users. ","recommendedRemediation":"","knownExploitedVulnCount":0,"checkID":"suspected_malware_provider","category":"malware","controlCheckID":"IM.IP.MA.UQ","passTitle":"Not a suspected malware provider","passDescription":"This website does not appear to contain malicious code.","passGroupDescription":"No websites appear to contain malicious code.","failTitle":"Suspected malware provider","failDescription":"This website may contain malicious code. The website should be checked and any malicious code removed.","remediation":"Check sites and remove malicious code.","issue":"Websites may contain malicious code (malware). Malware is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware.","recommendation":"The owner of the identified domains needs to check the website for malicious code. If any malicious code is found, it needs to be removed as soon as possible.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing malware. 
Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for suspected malware distribution when other users report suspicious activity making use of the domain. In the case of malware pages, this indicates that either an attacker or insider are making use of the domain to distribute malware to other users. ","RecommendedRemediation":""},{"id":"botnet_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 30 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_active","category":"malware","controlCheckID":"IM.IP.MA.KA","passTitle":"No reports of botnet activity in the last 30 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 30 days.","failTitle":"Suspected of botnet activity","failDescription":"This IP/domain has been reported as a source of botnet activity in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 30 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_active","category":"malware","controlCheckID":"IM.IP.MA.VG","passTitle":"No reports of brute force login attempts in the last 30 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","failTitle":"Suspected of brute force login attempt","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 30 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 30 days","description":"This IP/domain has been reported for distributing malware in the last 30 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_active","category":"malware","controlCheckID":"IM.IP.MA.KW","passTitle":"No reports of malware distribution in the last 30 days","passDescription":"This IP/domain has been reported for distributing malware in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 30 days.","failTitle":"Suspected of distributing malware","failDescription":"This IP/domain has been reported for distributing malware in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 30 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_active","category":"malware","controlCheckID":"IM.IP.MA.XG","passTitle":"No reports of unsolicited scanning in the last 30 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 30 days.","failTitle":"Suspected of unsolicited scanning","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 30 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 30 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"suspected_unwanted_software","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Unwanted Software","value":"false"}],"actual":[{"property":"Google Safe Browsing > Unwanted Software","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not suspected of unwanted software","description":"This website does not appear to be attempting to install unwanted software.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing unwanted software. Unwanted software is less malicious than malware but takes advantage of the end user's compute resources to launch unwanted advertisements and other nuisances. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for being suspected of unwanted software when other users report suspicious activity making use of the domain. In the case of unwanted software pages, this indicates that either an attacker or insider are making use of the domain to distribute such software to other users. 
","recommendedRemediation":"","knownExploitedVulnCount":0,"checkID":"suspected_unwanted_software","category":"malware","controlCheckID":"IM.IP.MA.ZW","passTitle":"Not suspected of unwanted software","passDescription":"This website does not appear to be attempting to install unwanted software.","passGroupDescription":"No websites appear to attempt to install unwanted software.","failTitle":"Suspected of unwanted software","failDescription":"This website may be attempting to install unwanted software. The website should be checked and any offending code removed.","remediation":"Check sites and remove unwanted software.","issue":"Websites may be attempting to install unwanted software on the end-users computer. This is often referred to as grayware, unwanted applications or files that are not classified as malware.","recommendation":"The owner of the identified domains needs to check for any unwanted software and remove any offending code as required.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing unwanted software. Unwanted software is less malicious than malware but takes advantage of the end user's compute resources to launch unwanted advertisements and other nuisances. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for being suspected of unwanted software when other users report suspicious activity making use of the domain. In the case of unwanted software pages, this indicates that either an attacker or insider are making use of the domain to distribute such software to other users. 
","RecommendedRemediation":""},{"id":"suspected_phishing_page","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Phishing","value":"false"}],"actual":[{"property":"Google Safe Browsing > Phishing","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not a suspected phishing page","description":"This site does not appear to be a forgery or imitation of another website.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of being used for phishing. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for suspected phishing when other users report suspicious activity making use of the domain. In the case of phishing pages, this indicates that either an attacker or insider are making use of the domain to send emails that other users have marked as phishing attempts.","recommendedRemediation":"Access to the domain and its mail records should be reviewed to understand whether it has been compromised and used in phishing campaigns. If the site is not maintained, decommissioning it or its mail records may be the easiest way to prevent future abuse. 
If the site has been identified for phishing in error, the classification should be appealed with Google.","knownExploitedVulnCount":0,"checkID":"suspected_phishing_page","category":"malware","controlCheckID":"IM.IP.MA.PA","passTitle":"Not a suspected phishing page","passDescription":"This site does not appear to be a forgery or imitation of another website.","passGroupDescription":"No sites are suspected of forgery or imitating other websites.","failTitle":"Suspected phishing page","failDescription":"This site may be a forgery or imitation of another website. The site should be checked, and remediated if it is a phishing site.","remediation":"Check sites and remove phishing code.","issue":"Websites have been identified as potential phishing pages, which may be attempting to steal users' personal information or credit card details.","recommendation":"The owner of the identified domains needs to check the website for forgery or signs of imitation. If any issues are found, they will need to be remediated as soon as possible to mitigate this risk.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of being used for phishing. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for suspected phishing when other users report suspicious activity making use of the domain. In the case of phishing pages, this indicates that either an attacker or insider are making use of the domain to send emails that other users have marked as phishing attempts.","RecommendedRemediation":"Access to the domain and its mail records should be reviewed to understand whether it has been compromised and used in phishing campaigns. 
If the site is not maintained, decommissioning it or its mail records may be the easiest way to prevent future abuse. If the site has been identified for phishing in error, the classification should be appealed with Google."},{"id":"phishing_site_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 30 days","description":"This IP/domain has not been reported as a phishing site in the last 30 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_active","category":"malware","controlCheckID":"IM.IP.MA.EA","passTitle":"No reports of phishing activity in the last 30 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 30 days.","failTitle":"Suspected phishing site","failDescription":"This IP/domain has been reported as a phishing site in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 30 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"botnet_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 90 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_inactive","category":"malware","controlCheckID":"IM.IP.MA.TG","passTitle":"No reports of botnet activity in the last 90 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 90 days.","failTitle":"Suspected of botnet activity in last 90 days","failDescription":"This IP/domain appeared on a list of IPs and domains known as sources of botnet activity in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. 
That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 90 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_inactive","category":"malware","controlCheckID":"IM.IP.MA.DQ","passTitle":"No reports of brute force login attempts in the last 90 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","failTitle":"Suspected of brute force login attempt in the last 90 days","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 90 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 90 days","description":"This IP/domain has been reported for distributing malware in the last 90 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_inactive","category":"malware","controlCheckID":"IM.IP.MA.QG","passTitle":"No reports of malware distribution in the last 90 days","passDescription":"This IP/domain has been reported for distributing malware in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 90 days.","failTitle":"Suspected of distributing malware in last 90 days","failDescription":"This IP/domain has been reported for distributing malware in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 90 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_inactive","category":"malware","controlCheckID":"IM.IP.MA.AA","passTitle":"No reports of unsolicited scanning in the last 90 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 90 days.","failTitle":"Suspected of unsolicited scanning in last 90 days","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 90 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 90 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"phishing_site_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 90 days","description":"This IP/domain has not been reported as a phishing site in the last 90 days.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_inactive","category":"malware","controlCheckID":"IM.IP.MA.LG","passTitle":"No reports of phishing activity in the last 90 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 90 days.","failTitle":"Suspected phishing site in last 90 days","failDescription":"This IP/domain has been reported as a phishing site in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 90 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. 
Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. If the host is behaving as expected, contact the blocklist owner to have the host removed."}],"network_sec_v2":[{"id":"open_port","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"actual":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"severity":3,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"No ports are open","description":"No open ports were detected.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0}],"patch_management":[{"id":"verified_vuln:CVE-2014-0160","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2014-0160","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2014-0160","value":"[not vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2014-0160 (Heartbleed)","description":"A bug in OpenSSL's implementation of the TLS heartbeat extension allows access to portions of memory on the targeted host e.g. 
cryptographic keys and passwords.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":1,"isVerifiedVuln":true},{"id":"verified_vuln:CVE-2014-3566","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2014-3566","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2014-3566","value":"[not vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2014-3566 (POODLE)","description":"The server does not support SSLv3, and is not vulnerable to the POODLE attack.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0,"isVerifiedVuln":true},{"id":"verified_vuln:CVE-2015-0204","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2015-0204","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2015-0204","value":"[not vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2015-0204 (FREAK)","description":"The server does not offer RSA_EXPORT cipher suites, so clients are not vulnerable to the FREAK attack.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0,"isVerifiedVuln":true},{"id":"verified_vuln:CVE-2015-4000","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2015-4000","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2015-4000","value":"[not 
vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2015-4000 (Logjam)","description":"The server is using strong Diffie-Hellman parameters and is not vulnerable to the Logjam attack.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0,"isVerifiedVuln":true}],"website_sec_v2":[{"id":"server_information_header","pass":true,"meta":"Pantheon, nginx","vendorOnly":false,"expected":[{"property":"Headers > server","value":"[does not contain version number]"}],"actual":[{"property":"Headers > server","value":"Pantheon, nginx"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"Server information header not exposed","description":"Ensuring the server information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","ttec.com:80","www.ttec.com:443","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The Server header is specifically used to describe the type and version of web server software, e.g. Server: Apache/2.4.1 (Unix).","riskDetails":"Some technologies populate the Server header by default. If the Server header is exposed, the risk of an attack on the system is increased. The exposed information specifies the type and version of software currently running. 
This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","recommendedRemediation":"The Server header should be removed, blanked out or minimized. The method for doing so differs based on technology. In IIS, a URL rewrite rule can be used to replace the server header with a blank string. In Apache, however, the Server header cannot be blanked out, but can be configured to display only “Apache” by setting “ServerTokens Prod” in the Apache config file. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"server_information_header","category":"discovery","controlCheckID":"IM.WS.MI.VG","passTitle":"Server information header not exposed","passDescription":"Ensuring the server information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites are exposing unnecessary server header information.","failTitle":"Server information header exposed","failDescription":"Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.","remediation":"Remove 'server' header.","issue":"The web server information of the impacted websites is exposed. Exposing information about the server version increases the ability of attackers to exploit known vulnerabilities.","recommendation":"Configure these websites to prevent version information from being revealed by removing the 'Server' header. 
This reduces the chance of attackers successfully exploiting known vulnerabilities.","defaultSeverity":3,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The Server header is specifically used to describe the type and version of web server software, e.g. Server: Apache/2.4.1 (Unix).","RiskDetails":"Some technologies populate the Server header by default. If the Server header is exposed, the risk of an attack on the system is increased. The exposed information specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","RecommendedRemediation":"The Server header should be removed, blanked out or minimized. The method for doing so differs based on technology. In IIS, a URL rewrite rule can be used to replace the server header with a blank string. In Apache, however, the Server header cannot be blanked out, but can be configured to display only “Apache” by setting “ServerTokens Prod” in the Apache config file. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"x_powered_by_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-powered-by","value":"[not set]"}],"actual":[{"property":"Headers > x-powered-by","value":"[not set]"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"X-Powered-By header not exposed","description":"Information about specific technology used on the server is obscured.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","ttec.com:80","www.ttec.com:443","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The X-Powered-By header is specifically used to describe technologies in use on the server, such as the type and version of web server software or PHP.","riskDetails":"Some technologies populate the X-Powered-By header by default. If the X-Powered-By header is exposed, the risk of an attack on the server is increased. The exposed information often specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","recommendedRemediation":"The X-Powered-By header should be removed. The specific process for this varies by technology. 
PHP versions can often be found in the X-Powered-By field. This can be disabled by switching “expose_php” to OFF in php.ini. In Microsoft IIS, the header can be removed under HTTP Response Headers in the GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"x_powered_by_header","category":"discovery","controlCheckID":"IM.WS.MI.PA","passTitle":"X-Powered-By header not exposed","passDescription":"Information about specific technology used on the server is obscured.","passGroupDescription":"No sites are exposing the X-Powered-By header.","failTitle":"X-Powered-By header exposed","failDescription":"The X-Powered-By header reveals information about specific technology used on the server. This information can be used to exploit vulnerabilities. The server configuration should be changed to remove this header.","remediation":"Remove X-Powered-By header.","issue":"We've found websites that have their X-Powered-By header exposed. This header reveals information about the specific technology used to run the website which could be used to find known vulnerabilities that can be exploited.","recommendation":"The website needs to stop exposing the X-Powered-By header. This reduces the risk that an attacker will be able to find an exploitable vulnerability in the software running the website.","defaultSeverity":3,"categoryTotalCost":4,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. 
These headers are configured on the server, and depending on the platform, may contain default values for these fields. The X-Powered-By header is specifically used to describe technologies in use on the server, such as the type and version of web server software or PHP.","RiskDetails":"Some technologies populate the X-Powered-By header by default. If the X-Powered-By header is exposed, the risk of an attack on the server is increased. The exposed information often specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","RecommendedRemediation":"The X-Powered-By header should be removed. The specific process for this varies by technology. PHP versions can often be found in the X-Powered-By field. This can be disabled by switching “expose_php” to OFF in php.ini. In Microsoft IIS, the header can be removed under HTTP Response Headers in the GUI. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"content_security_policy_header_insecure_active_v2","pass":true,"meta":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com https://www.linkedin.com 
https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; 
frame-ancestors 'self'","vendorOnly":false,"expected":[{"property":"Headers > content-security-policy","value":"[no insecure active sources]"}],"actual":[{"property":"Headers > content-security-policy","value":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com https://www.linkedin.com 
https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; 
frame-ancestors 'self'"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"CSP implemented without insecure active sources","description":"The Content Security Policy does not allow any insecure active sources.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"content_security_policy_header_insecure_active","summary":"The Content Security Policy (CSP) for this site allows \"style\" and \"script-src\" content types to be loaded from origins without HTTPS.","riskDetails":"Content Security Policies are a set of directives to protect the integrity of content being loaded on a website in order to stop cross site scripting attacks. If executable content like the script and style types are loaded from non-HTTPS sources, however, an adversary in the middle could intercept and modify that content.","recommendedRemediation":"Update the CSP to require an HTTPS origin for style and script-src content.","knownExploitedVulnCount":0,"checkID":"content_security_policy_header_insecure_active_v2","category":"xss","controlCheckID":"IM.WS.CJ.XG","passTitle":"CSP implemented without insecure active sources","passDescription":"The Content Security Policy does not allow any insecure active sources.","passGroupDescription":"All websites have a Content Security Policy that does not allow any insecure active sources.","failTitle":"CSP allows insecure active sources","failDescription":"The Content Security Policy on this site allows insecure active content.","remediation":"Configure the Content Security Policy to disallow HTTP as a source for active content.","issue":"Impacted domains do not have a Content Security Policy implemented securely and are allowing insecure active content.","recommendation":"The Content Security Policy for this website should only allow secure sources for active 
content.","defaultSeverity":3,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The Content Security Policy (CSP) for this site allows \"style\" and \"script-src\" content types to be loaded from origins without HTTPS.","RiskDetails":"Content Security Policies are a set of directives to protect the integrity of content being loaded on a website in order to stop cross site scripting attacks. If executable content like the script and style types are loaded from non-HTTPS sources, however, an adversary in the middle could intercept and modify that content.","RecommendedRemediation":"Update the CSP to require an HTTPS origin for style and script-src content."},{"id":"content_security_policy_header_unsafe_v2","pass":true,"meta":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com 
https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com https://www.linkedin.com https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms 
https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'","vendorOnly":false,"expected":[{"property":"Headers > content-security-policy","value":"[implemented safely]"}],"actual":[{"property":"Headers > content-security-policy","value":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net 
hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com https://www.linkedin.com https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com 
https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"CSP implemented without broad sources","description":"A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"content_security_policy_header_unsafe","summary":"A Content-Security-Policy (CSP) header defines directives for what resources can be used by the site as a measure to prevent cross site scripting attacks. 
The implementation of the CSP for this site uses a directive that potentially allows unsafe content.","riskDetails":"The CSP is implemented but meets one of these criteria that potentially allow unwanted scripts to be executed: including \"unsafe-inline\" without the use of a nonce or hash to ensure the script being executed is approved; overly broad sources such as \"https:\" inside \"object-src\" or \"script-src\"; or not restricting the sources for \"object-src\" or \"script-src.\" These unsafe conditions could allow an attacker to execute a cross site scripting attack by launching scripts from one of those locations.","recommendedRemediation":"To remediate the unsafe conditions in the CSP, identify which of the conditions in the risk details applies. If possible, remove unsafe-inline scripts, or add a hash or nonce to validate its integrity. Review the \"object-src\" and \"script-src\" directives and include specific trusted origins.","knownExploitedVulnCount":0,"checkID":"content_security_policy_header_unsafe_v2","category":"xss","controlCheckID":"IM.WS.CJ.ZW","passTitle":"CSP implemented without broad sources","passDescription":"A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.","passGroupDescription":"All websites have a Content Security Policy implemented.","failTitle":"CSP implemented unsafely","failDescription":"The Content Security Policy may not restrict sources appropriately, or may contain 'unsafe-inline' without the use of a nonce or hash. This increases the risk of XSS attacks.","remediation":"Use a nonce or hash with 'unsafe-inline' and restrict any excessively broad or missing sources.","issue":"Impacted domains do not have a Content Security Policy implemented safely. 
This increases the risk of XSS attacks.","recommendation":"The Content Security Policy for this website should use a nonce or hash with 'unsafe-inline' and restrict appropriate sources.","defaultSeverity":3,"categoryTotalCost":4,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"A Content-Security-Policy (CSP) header defines directives for what resources can be used by the site as a measure to prevent cross site scripting attacks. The implementation of the CSP for this site uses a directive that potentially allows unsafe content.","RiskDetails":"The CSP is implemented but meets one of these criteria that potentially allow unwanted scripts to be executed: including \"unsafe-inline\" without the use of a nonce or hash to ensure the script being executed is approved; overly broad sources such as \"https:\" inside \"object-src\" or \"script-src\"; or not restricting the sources for \"object-src\" or \"script-src.\" These unsafe conditions could allow an attacker to execute a cross site scripting attack by launching scripts from one of those locations.","RecommendedRemediation":"To remediate the unsafe conditions in the CSP, identify which of the conditions in the risk details applies. If possible, remove unsafe-inline scripts, or add a hash or nonce to validate its integrity. 
Review the \"object-src\" and \"script-src\" directives and include specific trusted origins."},{"id":"referrer_policy_header_v2","pass":true,"meta":"strict-origin-when-cross-origin","vendorOnly":false,"expected":[{"property":"Headers > referrer-policy","value":"[not unsafe-url]"}],"actual":[{"property":"Headers > referrer-policy","value":"strict-origin-when-cross-origin"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"Referrer policy is not unsafe-url","description":"The website's Referrer Policy is not configured to allow unsafe information to be sent in the referrer header.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","ttec.com:80","www.ttec.com:443","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":"referrer_policy_header","summary":"The Referrer header controls how much information is sent to another site owner when the website links to that site. Providing sufficiently sanitized information to other websites can be done safely, but the \"unsafe\" referrer policy allows excessive information to be passed that may affect the privacy and security of users of your site.","riskDetails":"W3.org writes: \"The policy’s name doesn’t lie; it is unsafe. This policy will leak origins and paths from TLS-protected resources to insecure origins. 
Carefully consider the impact of setting such a policy for potentially sensitive documents.\" The risk is that links to http origins will still include the full URL, potentially leaking data included in the URL to an insecure origin.","recommendedRemediation":"Remove the \"unsafe-url\" directive from the Referrer header.","knownExploitedVulnCount":0,"checkID":"referrer_policy_header_v2","category":"discovery","controlCheckID":"IM.WS.MI.ZW","passTitle":"Referrer policy is not unsafe-url","passDescription":"The website's Referrer Policy is not configured to allow unsafe information to be sent in the referrer header.","passGroupDescription":"No websites have an unsafe Referrer Policy.","failTitle":"Referrer Policy is unsafe-url","failDescription":"The full URL (stripped of parameters) is sent in the referrer header when performing same-origin or cross-origin requests. This can expose sensitive information.","remediation":"Set Referrer-Policy to a value other than unsafe-url.","issue":"Impacted domains send the full URL (stripped of parameters) in the referrer header when performing same-origin or cross-origin requests.","recommendation":"The website needs to set the Referrer Policy to a value other than unsafe-url. This will prevent potentially sensitive information from being sent in the referrer header.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The Referrer header controls how much information is sent to another site owner when the website links to that site. Providing sufficiently sanitized information to other websites can be done safely, but the \"unsafe\" referrer policy allows excessive information to be passed that may affect the privacy and security of users of your site.","RiskDetails":"W3.org writes: \"The policy’s name doesn’t lie; it is unsafe. 
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.\" The risk is that links to http origins will still include the full URL, potentially leaking data included in the URL to an insecure origin.","RecommendedRemediation":"Remove the \"unsafe-url\" directive from the Referrer header."},{"id":"asp_net_version_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-aspnet-version","value":"[not set]"}],"actual":[{"property":"Headers > x-aspnet-version","value":"[not set]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"ASP.NET version header not exposing specific ASP.NET version","description":"Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","ttec.com:80","www.ttec.com:443","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","riskDetails":"An exposed ASP.NET version drastically narrows the attack vector for the server and allows malicious actors to immediately begin probing specific ASP.NET and IIS vulnerabilities for that version. 
Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","recommendedRemediation":"The entire X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Just clearing the value of the header is not enough. Even the presence of the X-AspNet-Version header reveals that some version of ASP.NET and likely IIS is running on the server. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"asp_net_version_header","category":"discovery","controlCheckID":"IM.WS.MI.AA","passTitle":"ASP.NET version header not exposing specific ASP.NET version","passDescription":"Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites detected to expose specific ASP.NET versions in headers.","failTitle":"Specific ASP.NET version exposed via header","failDescription":"Exposing a specific ASP.NET version in the ASP.NET version header makes it easier for attackers to exploit certain vulnerabilities. The website configuration should be changed to remove this header completely.","remediation":"Remove x-aspnet-version header.","issue":"The impacted websites are exposing the specific ASP.NET version they use in the ASP.NET version header. This makes it far easier for attackers to exploit certain vulnerabilities.","recommendation":"Configure the identified websites so they don’t expose the X-AspNet-Version header. 
This minimizes the risk of an attacker finding an exploit in the website.","defaultSeverity":2,"categoryTotalCost":3,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","RiskDetails":"An exposed ASP.NET version drastically narrows the attack vector for the server and allows malicious actors to immediately begin probing specific ASP.NET and IIS vulnerabilities for that version. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","RecommendedRemediation":"The entire X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Just clearing the value of the header is not enough. Even the presence of the X-AspNet-Version header reveals that some version of ASP.NET and likely IIS is running on the server. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"asp_net_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-aspnet-version present","value":"[not present]"}],"actual":[{"property":"Headers > x-aspnet-version present","value":"[not present]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"ASP.NET version header not exposed","description":"Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","ttec.com:80","www.ttec.com:443","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","riskDetails":"Even if it is not populated, the presence of the X-AspNet-Version header reveals that IIS is running on the system. This drastically narrows the attack vector for the server and allows malicious actors to begin probing known IIS vulnerabilities immediately. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","recommendedRemediation":"The X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"asp_net_header","category":"discovery","controlCheckID":"IM.WS.MI.XG","passTitle":"ASP.NET version header not exposed","passDescription":"Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites detected to expose ASP.NET headers.","failTitle":"Use of ASP.NET exposed via header","failDescription":"Exposing the ASP.NET version header indicates that the site is built with ASP.NET, which makes it easier for attackers to exploit certain vulnerabilities. The website configuration should be changed to remove this header.","remediation":"Remove x-aspnet-version header.","issue":"We've found websites that expose the ASP.NET version header which indicates that the site is built with ASP.NET. This makes it easier for attackers to exploit certain vulnerabilities.","recommendation":"Configure the identified websites so they don’t expose the X-AspNet-Version header. This minimizes the risk of an attacker finding an exploit in the website.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","RiskDetails":"Even if it is not populated, the presence of the X-AspNet-Version header reveals that IIS is running on the system. 
This drastically narrows the attack vector for the server and allows malicious actors to begin probing known IIS vulnerabilities immediately. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","RecommendedRemediation":"The X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"content_security_policy_header_insecure_passive_v2","pass":true,"meta":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com 
https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com https://www.linkedin.com https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' 
https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'","vendorOnly":false,"expected":[{"property":"Headers > content-security-policy","value":"[no insecure passive sources]"}],"actual":[{"property":"Headers > content-security-policy","value":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com 
https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com https://www.linkedin.com https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' 
https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"CSP implemented without insecure passive sources","description":"The Content Security Policy does not allow any insecure passive (img/media) sources.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"content_security_policy_header_insecure_passive","summary":"The Content Security Policy (CSP) for this site allows non-executable content types like images and text/html to be loaded from origins without HTTPS.","riskDetails":"Content Security Policies are a set of directives to protect the integrity of content being loaded on a website in order to stop cross site scripting attacks. If content is loaded from non-HTTPS sources, however, an adversary in the middle could intercept and modify that content. 
For passive content like text/html, the adversary may be able to modify the page display but not execute a script.","recommendedRemediation":"Update the CSP to require an HTTPS origin for all content.","knownExploitedVulnCount":0,"checkID":"content_security_policy_header_insecure_passive_v2","category":"xss","controlCheckID":"IM.WS.CJ.AA","passTitle":"CSP implemented without insecure passive sources","passDescription":"The Content Security Policy does not allow any insecure passive (img/media) sources.","passGroupDescription":"All websites have a Content Security Policy that does not allow any insecure passive (img/media) sources.","failTitle":"CSP allows insecure passive sources","failDescription":"The Content Security Policy on this site allows insecure passive content.","remediation":"Configure the Content Security Policy to disallow HTTP as a source for passive content.","issue":"Impacted domains do not have a Content Security Policy implemented securely and are allowing insecure passive content.","recommendation":"The Content Security Policy for this website should only allow secure sources for passive content.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The Content Security Policy (CSP) for this site allows non-executable content types like images and text/html to be loaded from origins without HTTPS.","RiskDetails":"Content Security Policies are a set of directives to protect the integrity of content being loaded on a website in order to stop cross site scripting attacks. If content is loaded from non-HTTPS sources, however, an adversary in the middle could intercept and modify that content. 
For passive content like text/html, the adversary may be able to modify the page display but not execute a script.","RecommendedRemediation":"Update the CSP to require an HTTPS origin for all content."},{"id":"content_security_policy_header_unsafe_eval_v2","pass":true,"meta":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com 
https://ade.googlesyndication.com https://www.linkedin.com https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 
'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'","vendorOnly":false,"expected":[{"property":"Headers > content-security-policy","value":"[no unsafe-eval]"}],"actual":[{"property":"Headers > content-security-policy","value":"default-src 'self' https://*.wistia.com https://*.wistia.net; child-src 'self'; connect-src 'self' https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://*.litix.io https://*.wistia.com https://*.wistia.net https://*.algolia.net aorta.clickagy.com hemsync.clickagy.com https://www2.ttec.com https://pagead2.googlesyndication.com https://www.googleadservices.com https://px.ads.linkedin.com https://js.zi-scripts.com https://ws.zoominfo.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://fbo-b.flippingbook.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://*.doubleclick.net https://pi.pardot.com https://www.google.com https://google.com https://www.facebook.com https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/; font-src 'self' data: https://fonts.gstatic.com https://*.wistia.com https://*.wistia.net https://cdnjs.cloudflare.com; frame-src 'self' https://www.googletagmanager.com https://*.doubleclick.net https://js.driftt.com https://widget.drift.com https://fast.wistia.com https://fast.wistia.net hemsync.clickagy.com https://insight.adsrvr.org https://www2.ttec.com https://online.flippingbook.com https://match.adsrvr.org https://listen.qualtrics.com; img-src 'self' data: https://www.ttec.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://googletagmanager.com https://ssl.gstatic.com https://www.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com https://*.doubleclick.net https://www.google.com https://google.com https://*.wistia.com https://*.wistia.net https://cdn.cookielaw.org https://px.ads.linkedin.com https://ade.googlesyndication.com 
https://www.linkedin.com https://fonts.gstatic.com https://online.flippingbook.com https://d17lvj5xn8sco6.cloudfront.net https://pagead2.googlesyndication.com https://www.googleadservices.com https://connect.facebook.net https://www.facebook.com https://*.clarity.ms https://c.bing.com; media-src 'self' blob: data: https://*.wistia.com https://*.wistia.net; object-src 'none'; script-src 'self' cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; script-src-elem 'self' https://googletagmanager.com https://www.googletagmanager.com https://tagmanager.google.com https://*.googletagmanager.com https://www.googleadservices.com https://*.doubleclick.net https://www.google.com https://js.driftt.com https://widget.drift.com https://*.wistia.com https://*.wistia.net https://src.litix.io https://js.zi-scripts.com https://tags.clickagy.com https://www2.ttec.com https://snap.licdn.com/ https://www.gstatic.com https://ws-assets.zoominfo.com https://pagead2.googlesyndication.com https://js.adsrvr.org/ https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://online.flippingbook.com https://d33i2vgywgme2s.cloudfront.net https://js.sentry-cdn.com https://pi.pardot.com https://googleads.g.doubleclick.net https://connect.facebook.net https://*.clarity.ms https://c.bing.com https://*.sentry-cdn.com/ cdn.jsdelivr.net cdnjs.cloudflare.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com 'nonce-<nonce_value>'; style-src 'self' 'unsafe-inline' https://googletagmanager.com https://tagmanager.google.com https://fonts.googleapis.com https://fast.wistia.com https://privacyportal.onetrust.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.googletagmanager.com cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com mdbootstrap.com use.fontawesome.com; worker-src 'self' blob:; base-uri 'self'; 
form-action 'self'; frame-ancestors 'self'"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"CSP implemented without unsafe-eval","description":"A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"content_security_policy_header_unsafe_eval","summary":"Including unsafe-eval in the CSP allows the use of eval() and similar functions like setTimeout() or setInterval() when they are used with string arguments. This essentially bypasses some of the protections offered by CSP, making the application more vulnerable to XSS attacks.","riskDetails":"Allowing unsafe-eval increases the risk of an attacker being able to execute arbitrary code on the page, particularly if they can inject or manipulate the code passed to eval().","recommendedRemediation":"Remove the unsafe-eval directive from your CSP. Refactor your code to eliminate the need for eval() and similar methods. 
Replace eval() with safer alternatives, such as JSON parsing methods, or refactor the code to avoid the need for dynamic code execution.","knownExploitedVulnCount":0,"checkID":"content_security_policy_header_unsafe_eval_v2","category":"xss","controlCheckID":"IM.WS.CJ.VG","passTitle":"CSP implemented without unsafe-eval","passDescription":"A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.","passGroupDescription":"All websites have a Content Security Policy implemented without unsafe-eval","failTitle":"CSP contains unsafe-eval","failDescription":"The Content Security Policy is implemented with unsafe-eval, reducing protection against XSS attacks.","remediation":"Configure the Content Security Policy without unsafe-eval.","issue":"Impacted domains allow unsafe-eval in their Content Security Policy, reducing protection against XSS attacks.","recommendation":"The Content Security Policy for this website should not allow unsafe-eval.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Including unsafe-eval in the CSP allows the use of eval() and similar functions like setTimeout() or setInterval() when they are used with string arguments. This essentially bypasses some of the protections offered by CSP, making the application more vulnerable to XSS attacks.","RiskDetails":"Allowing unsafe-eval increases the risk of an attacker being able to execute arbitrary code on the page, particularly if they can inject or manipulate the code passed to eval().","RecommendedRemediation":"Remove the unsafe-eval directive from your CSP. Refactor your code to eliminate the need for eval() and similar methods. 
Replace eval() with safer alternatives, such as JSON parsing methods, or refactor the code to avoid the need for dynamic code execution."},{"id":"x_content_type_options_header_v2","pass":true,"meta":"nosniff","vendorOnly":false,"expected":[{"property":"Headers > x-content-type-options","value":"nosniff"}],"actual":[{"property":"Headers > x-content-type-options","value":"nosniff"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"X-Content-Type-Options is not nosniff","description":"Browsers are prevented from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header. This helps mitigate MIME confusion attacks.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":"x_content_type_options_header","summary":"The X-Content-Type-Options header is not set to \"nosniff,\" an option that prevents MIME type sniffing. This header ensures that the content types defined in the Content-Type header are used and not changed.","riskDetails":"Multipurpose Internet Mail Extension (MIME) content types are subject to content sniffing attacks, in which the attacker turns non-executable MIME types into executable MIME types. Without this option, an attacker may attempt cross-site scripting by uploading a non-executable content type (like an image) that contains script content that would be executed when another user accesses the file. The \"nosniff\" option ensures that content is only treated as an image and not script.","recommendedRemediation":"In the file that configures your server headers, add the header X-Content-Type-Options: nosniff. 
You should also ensure that the Content-Type is set correctly for the content you are expecting to serve, and test that the site renders as desired after the change.","knownExploitedVulnCount":0,"checkID":"x_content_type_options_header_v2","category":"xss","controlCheckID":"IM.WS.MI.UQ","passTitle":"X-Content-Type-Options is not nosniff","passDescription":"Browsers are prevented from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header. This helps mitigate MIME confusion attacks.","passGroupDescription":"All sites have set X-Content-Type-Options to nosniff","failTitle":"X-Content-Type-Options is not nosniff","failDescription":"Browsers may interpret files as a different MIME type than what is specified in the Content-Type HTTP header. This can lead to MIME confusion attacks.","remediation":"Set X-Content-Type-Options to nosniff","issue":"Impacted domains are not preventing MIME sniffing by setting the X-Content-Type-Options header to nosniff. This can lead to MIME confusion attacks.","recommendation":"The website needs to set the X-Content-Type-Options header to nosniff. This will prevent browsers from interpreting files as a different MIME type than what is specified in the Content-Type HTTP Header.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The X-Content-Type-Options header is not set to \"nosniff,\" an option that prevents MIME type sniffing. This header ensures that the content types defined in the Content-Type header are used and not changed.","RiskDetails":"Multipurpose Internet Mail Extension (MIME) content types are subject to content sniffing attacks, in which the attacker turns non-executable MIME types into executable MIME types. 
Without this option, an attacker may attempt cross-site scripting by uploading a non-executable content type (like an image) that contains script content that would be executed when another user accesses the file. The \"nosniff\" option ensures that content is only treated as an image and not script.","RecommendedRemediation":"In the file that configures your server headers, add the header X-Content-Type-Options: nosniff. You should also ensure that the Content-Type is set correctly for the content you are expecting to serve, and test that the site renders as desired after the change."},{"id":"unmaintained_page","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unmaintained Page","value":"[not detected]"}],"actual":[{"property":"Unmaintained Page","value":"[not detected]"}],"severity":1,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"No unmaintained page detected","description":"The page appears to be maintained.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["ttec.com:443","ttec.com:80","www.ttec.com:443","www.ttec.com:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The response from the page indicates that it is a default server page or otherwise not configured and maintained for use.","riskDetails":"Unmaintained assets increase the size of the attack surface and are more likely not to be continuously monitored and updated. These additional points on the attack surface give attackers more potential areas to target.","recommendedRemediation":"Sites that are not used should be decommissioned to reduce the attack surface. 
If the domain is hosting pages that are in use on some other URL and the index of the domain is not intended for the public, access should be removed.","knownExploitedVulnCount":0,"checkID":"unmaintained_page","category":"discovery","controlCheckID":"IM.WS.MI.DQ","passTitle":"No unmaintained page detected","passDescription":"The page appears to be maintained.","passGroupDescription":"All applicable sites appear to be maintained.","failTitle":"Unmaintained page detected","failDescription":"This domain appears to be unmaintained based on indicators like page content or status code. Unmaintained pages expand the attack surface for malicious actors.","remediation":"Review the page and decommission it if it is not active or maintained.","issue":"This domain appears to be unmaintained based on indicators like page content or status code. Unmaintained pages expand the attack surface for malicious actors.","recommendation":"Review the page and decommission it if it is not active or maintained.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The response from the page indicates that it is a default server page or otherwise not configured and maintained for use.","RiskDetails":"Unmaintained assets increase the size of the attack surface and are more likely not to be continuously monitored and updated. These additional points on the attack surface give attackers more potential areas to target.","RecommendedRemediation":"Sites that are not used should be decommissioned to reduce the attack surface. 
If the domain is hosting pages that are in use on some other URL and the index of the domain is not intended for the public, access should be removed."}],"data_leakage":[{"id":"open_cloud_storage","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Open Cloud Storage","value":"[not detected]"}],"actual":[{"property":"Open Cloud Storage","value":"[not detected]"}],"severity":1,"cloudscanCategory":"data_leakage","prevCloudscanCategory":"website_sec","title":"No open cloud storage service detected","description":"No cloud storage service configured to allow anonymous file listing was detected.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The index page of this domain is a cloud storage bucket that allows file listing. This configuration is a common cause of data leaks and can be avoided even for content intended to be shared publicly.","riskDetails":"Cloud storage configured to be listable at the bucket index provides unnecessary levels of reconnaissance to attackers and potentially exposes files that are meant to be confidential. The risk depends on what files are stored in the bucket but could lead to exposures of internal documents and PII.","recommendedRemediation":"If the bucket is hosting public content, the contents should be audited to ensure all files are intended to be public. Any private files should be moved to a separate bucket used only for private content. 
For public content, the bucket should be configured to disallow anonymous users to list the bucket contents, and only view resources when requested by the full path.","knownExploitedVulnCount":0,"checkID":"open_cloud_storage","category":"domain","controlCheckID":"IM.DL.FS.ZW","passTitle":"No open cloud storage service detected","passDescription":"No cloud storage service configured to allow anonymous file listing was detected.","passGroupDescription":"No applicable sites are cloud storage services configured to allow anonymous access.","failTitle":"Open cloud storage service detected","failDescription":"This domain contains a cloud storage service that allows anonymous access to its file listing. It may also allow anonymous access to its files.","remediation":"Review the cloud storage configuration and remove anonymous access where possible.","issue":"This domain contains a cloud storage service that allows anonymous access to its file listing. It may also allow anonymous access to its files.","recommendation":"Review the cloud storage configuration and remove anonymous access where possible.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"The index page of this domain is a cloud storage bucket that allows file listing. This configuration is a common cause of data leaks and can be avoided even for content intended to be shared publicly.","RiskDetails":"Cloud storage configured to be listable at the bucket index provides unnecessary levels of reconnaissance to attackers and potentially exposes files that are meant to be confidential. The risk depends on what files are stored in the bucket but could lead to exposures of internal documents and PII.","RecommendedRemediation":"If the bucket is hosting public content, the contents should be audited to ensure all files are intended to be public. 
Any private files should be moved to a separate bucket used only for private content. For public content, the bucket should be configured to disallow anonymous users to list the bucket contents, and only view resources when requested by the full path."},{"id":"listable_dirs","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Domain Index","value":"[not a listable directory]"}],"actual":[{"property":"Domain Index","value":"[not a listable directory]"}],"severity":1,"cloudscanCategory":"data_leakage","prevCloudscanCategory":"website_sec","title":"Domain index is not a listable directory","description":"The domain index is not a listable directory.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":null,"sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The page content from the domain's index indicates it is a web directory that provides direct access to the listing of hosted files.","riskDetails":"File hosting and sharing on the web is typically done through some kind of interface other than a raw web directory. The presence of an unstyled web directory may indicate that these files are not intended for public access. If any files are uploaded to this directory that are intended to be private, they would be immediately exposed to public access.","recommendedRemediation":"Review the file listing to ensure that all publicly accessible files have non-sensitive content. 
If the files are intended to be accessed through a website with styling, remove anonymous access to list the web directory and only allow access to the files via the full URL.","knownExploitedVulnCount":0,"checkID":"listable_dirs","category":"discovery","controlCheckID":"IM.DL.FS.UQ","passTitle":"Domain index is not a listable directory","passDescription":"The domain index is not a listable directory.","passGroupDescription":"No applicable sites have a listable directory as their index.","failTitle":"Domain index is a listable directory","failDescription":"The domain index was detected as a listable directory. This can allow attackers to find files that were assumed to be private.","remediation":"Disable directory browsing in your server configuration.","issue":"The domain index was detected as a listable directory. This can allow attackers to find files that were assumed to be private.","recommendation":"Disable directory browsing in the configuration of the identified servers.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The page content from the domain's index indicates it is a web directory that provides direct access to the listing of hosted files.","RiskDetails":"File hosting and sharing on the web is typically done through some kind of interface other than a raw web directory. The presence of an unstyled web directory may indicate that these files are not intended for public access. If any files are uploaded to this directory that are intended to be private, they would be immediately exposed to public access.","RecommendedRemediation":"Review the file listing to ensure that all publicly accessible files have non-sensitive content. 
If the files are intended to be accessed through a website with styling, remove anonymous access to list the web directory and only allow access to the files via the full URL."}]},"failed":{"data_leakage":[{"id":"infostealer_malware_detected_provisional","pass":false,"meta":"ma****on@ttec.com had their credentials leaked by Infostealer Malware for the website ht****ty.ttec.co****so.saml2 with the machine address 49.146.183.89 on date 11 Feb 2026 21:17 UTC","valueMetadata":{"resolvesAfter":"2026-05-12T21:17:12Z"},"vendorOnly":false,"expected":[{"property":"Infostealer malware detected","value":"[none found]"}],"actual":[{"property":"Infostealer malware detected","value":"ma****on@ttec.com had their credentials leaked by Infostealer Malware for the website ht****ty.ttec.co****so.saml2 with the machine address 49.146.183.89 on date 11 Feb 2026 21:17 UTC"}],"severity":5,"cloudscanCategory":"data_leakage","prevCloudscanCategory":"","title":"Infostealer malware detected (Provisional)","description":"Infostealer malware has been detected on systems associated with this organization, indicating a potential data breach.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2026-03-13T05:36:33.857185Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Active infostealer malware detected, indicating a high risk of data leakage.","riskDetails":"A recent scan has identified an infostealer malware infection linked to this organisation's domain. This type of malware actively works to steal sensitive information from infected computers. This detection is considered a confirmed indicator of compromise and requires immediate attention to mitigate the risk of a significant data breach.","recommendedRemediation":"Isolate any compromised systems from the network to prevent the infostealer malware from spreading. 
A thorough forensic analysis should be conducted to identify the infostealer malware variant, its point of entry, and the extent of data exfiltration. Following the investigation, all affected passwords must be reset, and security measures enhanced to prevent reinfection. To resolve this risk in the UpGuard platform as an UpGuard customer, create a risk waiver that explains the mitigation steps taken or why the risk no longer applies. If you're responding to a remediation request, send a message back to the requester describing the steps taken or why the risk no longer exists.","knownExploitedVulnCount":0,"checkID":"infostealer_malware_detected_provisional","category":"malware","controlCheckID":"","passTitle":"No infostealer malware detected","passDescription":"Our scans have not found any evidence of infostealer malware infections associated with this organisation's domain.","passGroupDescription":"","failTitle":"Infostealer malware detected (Provisional)","failDescription":"Infostealer malware has been detected on systems associated with this organization, indicating a potential data breach.","remediation":"Investigate and remediate the source of the infostealer malware infection. Ensure all affected systems are cleaned and secured.","issue":"An infostealer malware infection has been detected on a machine associated with the organization. This poses a significant threat as infostealers are designed to capture and exfiltrate sensitive data, such as login credentials, financial details, and personal information. 
The presence of such malware is a strong indicator of a security compromise that could lead to widespread data loss and unauthorized access.","recommendation":"","defaultSeverity":5,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"Active infostealer malware detected, indicating a high risk of data leakage.","RiskDetails":"A recent scan has identified an infostealer malware infection linked to this organisation's domain. This type of malware actively works to steal sensitive information from infected computers. This detection is considered a confirmed indicator of compromise and requires immediate attention to mitigate the risk of a significant data breach.","RecommendedRemediation":"Isolate any compromised systems from the network to prevent the infostealer malware from spreading. A thorough forensic analysis should be conducted to identify the infostealer malware variant, its point of entry, and the extent of data exfiltration. Following the investigation, all affected passwords must be reset, and security measures enhanced to prevent reinfection. To resolve this risk in the UpGuard platform as an UpGuard customer, create a risk waiver that explains the mitigation steps taken or why the risk no longer applies. 
If you're responding to a remediation request, send a message back to the requester describing the steps taken or why the risk no longer exists."}],"encryption":[{"id":"http_strict_transport_security","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > strict-transport-security","value":"[header set]"}],"actual":[{"property":"Headers > strict-transport-security","value":"[not set]"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"HTTP Strict Transport Security (HSTS) not enforced","description":"Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks. The server should be configured to support HSTS.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2023-02-15T11:49:37.180799Z","sources":["ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times.","riskDetails":"Without HSTS, servers are still allowed to establish unencrypted connections on the HTTP protocol. This can open the door for unexpected and unseen circumstances where a client passes sensitive information in plain text. HTTP to HTTPS redirects can still pass sensitive information, such as credentials in the URL, in plain text. This opens a window for a man-in-the-middle (MITM) attack. 
Old links that were overlooked might still specify HTTP. Users might create their own browser bookmarks using HTTP. As long as HTTP connections are possible, the risk of data interception is present.","recommendedRemediation":"Enable HSTS on the server. This is done by including the Strict-Transport-Security header on the system. The “includeSubDomains” directive should be specified to ensure all subdomains on the system use HTTPS. Submit your domain to Google’s HSTS preload service. This preload list is included in most browsers and will automatically make all connections to the domain use an encrypted channel.","knownExploitedVulnCount":0,"checkID":"http_strict_transport_security","category":"ssl","controlCheckID":"IM.EN.ET.PA","passTitle":"HTTP Strict Transport Security (HSTS) enforced","passDescription":"With HSTS enforced, people browsing this site are less susceptible to man-in-the-middle attacks.","passGroupDescription":"No sites detected as having missing HSTS settings.","failTitle":"HTTP Strict Transport Security (HSTS) not enforced","failDescription":"Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks. The server should be configured to support HSTS.","remediation":"Set the Strict-Transport-Security header.","issue":"Websites are not enforcing HTTP Strict Transport Security (HSTS). Without enforcing HSTS, visitors are susceptible to certain man-in-the-middle attacks.","recommendation":"Configure the website to enforce HSTS by setting up the Strict-Transport-Security header, which ensures browsers will only communicate over HTTPS.","defaultSeverity":3,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. 
They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times.","RiskDetails":"Without HSTS, servers are still allowed to establish unencrypted connections on the HTTP protocol. This can open the door for unexpected and unseen circumstances where a client passes sensitive information in plain text. HTTP to HTTPS redirects can still pass sensitive information, such as credentials in the URL, in plain text. This opens a window for a man-in-the-middle (MITM) attack. Old links that were overlooked might still specify HTTP. Users might create their own browser bookmarks using HTTP. As long as HTTP connections are possible, the risk of data interception is present.","RecommendedRemediation":"Enable HSTS on the server. This is done by including the Strict-Transport-Security header on the system. The “includeSubDomains” directive should be specified to ensure all subdomains on the system use HTTPS. Submit your domain to Google’s HSTS preload service. 
This preload list is included in most browsers and will automatically make all connections to the domain use an encrypted channel."},{"id":"http_strict_transport_security_preload_list","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"HSTS Preload List","value":"[entry found]"}],"actual":[{"property":"HSTS Preload List","value":"[no entry found]"}],"severity":2,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Domain was not found on the HSTS preload list","description":"The domain was not found on the HSTS preload list. Users who visit the website for the first time will be vulnerable to MITM attacks. The requirements for inclusion on the preload list are specified by hstspreload.org.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2020-02-20T15:18:07.455515Z","sources":["www.ttec.com:443"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times. Google hosts an HSTS preload list that is used in most browsers. Domains on this list will automatically establish encrypted connections from the browser, giving them the best protection.","riskDetails":"If a domain is not on the preload list, browsers may still attempt to make unencrypted HTTP connections to systems in that domain. 
This can create a situation where credentials or other sensitive information is passed in plain text before being sent to HTTPS, for example if it is part of the initial connection URL. Because the HSTS preload list is already incorporated into most browsers, it provides a seamless way to ensure only HTTPS connections are used.","recommendedRemediation":"Add the domain to the preload list by following the steps at https://hstspreload.org. There are several prerequisites to approval, including the need for a valid certificate, an HTTP to HTTPS redirect and that all subdomains are served over HTTPS as well. Your HSTS header must also be properly configured, containing both the IncludeSubDomains and Preload directives.","knownExploitedVulnCount":0,"checkID":"http_strict_transport_security_preload_list","category":"ssl","controlCheckID":"IM.EN.ET.ZW","passTitle":"Domain is included on the HSTS preload list","passDescription":"Being included on the preload list gives the highest level of protection against MITM attacks for users of all major browsers.","passGroupDescription":"All domains are included on the HSTS preload list.","failTitle":"Domain was not found on the HSTS preload list","failDescription":"The domain was not found on the HSTS preload list. Users who visit the website for the first time will be vulnerable to MITM attacks. The requirements for inclusion on the preload list are specified by hstspreload.org.","remediation":"Follow the instructions given by hstspreload.org.","issue":"Impacted domains are not included on the HSTS preload list. New visitors are vulnerable to man-in-the-middle attacks as they will try to connect to the website through HTTP.","recommendation":"Follow the instructions set out on https://hstspreload.org. 
This ensures major browsers like Chrome, Firefox, Opera, Safari, IE11, and Edge always connect over HTTPS, mitigating man-in-the-middle risk.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times. Google hosts an HSTS preload list that is used in most browsers. Domains on this list will automatically establish encrypted connections from the browser, giving them the best protection.","RiskDetails":"If a domain is not on the preload list, browsers may still attempt to make unencrypted HTTP connections to systems in that domain. This can create a situation where credentials or other sensitive information is passed in plain text before being sent to HTTPS, for example if it is part of the initial connection URL. Because the HSTS preload list is already incorporated into most browsers, it provides a seamless way to ensure only HTTPS connections are used.","RecommendedRemediation":"Add the domain to the preload list by following the steps at https://hstspreload.org. There are several prerequisites to approval, including the need for a valid certificate, an HTTP to HTTPS redirect and that all subdomains are served over HTTPS as well. 
Your HSTS header must also be properly configured, containing both the IncludeSubDomains and Preload directives."}],"dns":[{"id":"dnssec_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNSSEC enabled","value":"true"}],"actual":[{"property":"DNSSEC enabled","value":"false"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"network_sec","title":"DNSSEC not enabled","description":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2018-10-23T08:06:09.848Z","sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","riskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","recommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. 
The specifics of each step vary depending on the platforms and vendors in play.","knownExploitedVulnCount":0,"checkID":"dnssec_enabled","category":"dns","controlCheckID":"IM.DS.DA.PA","passTitle":"DNSSEC enabled","passDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity.","passGroupDescription":"All applicable sites have DNSSEC enabled.","failTitle":"DNSSEC not enabled","failDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","remediation":"Configure DNSSEC for domain.","issue":"We've detected that DNSSEC is missing from some domains. DNSSEC provides DNS resolvers origin authentication of DNS data, authenticated denial of existence and data integrity but not availability or confidentiality.","recommendation":"The domain owner should turn on DNSSEC for all domains. This can generally be done at their domain name registrar.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.2"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","RiskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. 
This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","RecommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play."},{"id":"domain_registrar_deletion_protection","pass":false,"meta":"clientDeleteProhibited:not enabled, serverDeleteProhibited:not enabled","vendorOnly":false,"expected":[{"property":"Domain > Registrar Deletion Protection","value":"clientDeleteProhibited or serverDeleteProhibited: set"}],"actual":[{"property":"Domain > Registrar Deletion Protection","value":"clientDeleteProhibited:not enabled, serverDeleteProhibited:not enabled"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain registrar or registry deletion protection not enabled","description":"Domain is not protected from unsolicited deletion requests with the registrar or registry. The domain should have clientDeleteProhibited or serverDeleteProhibited set.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2018-10-23T08:06:09.848Z","sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain deletion protection is a DNS setting that prevents ownership of the domain from being deleted until the owner has disabled this setting. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","riskDetails":"Attackers may attempt to hijack domains or disrupt their availability by impersonating the domain's owner and deleting domain data. ","recommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. 
It should have a Domain Status of \"serverDeleteProhibited\" or \"clientDeleteProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration.","knownExploitedVulnCount":0,"checkID":"domain_registrar_deletion_protection","category":"domain","controlCheckID":"IM.DS.DO.XG","passTitle":"Domain registrar or registry deletion protection enabled","passDescription":"Domain is protected from unsolicited deletion requests with the registrar or registry.","passGroupDescription":"No domains detected as being susceptible to unsolicited deletion requests.","failTitle":"Domain registrar or registry deletion protection not enabled","failDescription":"Domain is not protected from unsolicited deletion requests with the registrar or registry. The domain should have clientDeleteProhibited or serverDeleteProhibited set.","remediation":"Set clientDeleteProhibited or serverDeleteProhibited with the registrar/registry.","issue":"Impacted domains are not protected from unsolicited deletion requests. This means the domain could be deleted by a third-party via social engineering.","recommendation":"Contact the domain name registrar and enact status restriction clientDeleteProhibited which prevents the unauthorized deletion of the domain.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain deletion protection is a DNS setting that prevents ownership of the domain from being deleted until the owner has disabled this setting. 
It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership.","RiskDetails":"Attackers may attempt to hijack domains or disrupt their availability by impersonating the domain's owner and deleting domain data. ","RecommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverDeleteProhibited\" or \"clientDeleteProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration."},{"id":"domain_registrar_update_protection","pass":false,"meta":"clientUpdateProhibited:not enabled, serverUpdateProhibited:not enabled","vendorOnly":false,"expected":[{"property":"Domain > Registrar Update Protection","value":"clientUpdateProhibited: set or serverUpdateProhibited: set"}],"actual":[{"property":"Domain > Registrar Update Protection","value":"clientUpdateProhibited:not enabled, serverUpdateProhibited:not enabled"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"Domain registrar or registry update protection not enabled","description":"Domain is not protected from unsolicited update requests with the registrar or registry. The domain should have clientUpdateProhibited or serverUpdateProhibited set.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2018-10-23T08:06:09.848Z","sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain update protection is a DNS setting that prevents updates to the ownership of the domain until the owner has disabled this setting. It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership through social engineering. 
","riskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and modifying domain ownership data. ","recommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverUpdateProhibited\" or \"clientUpdateProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration.","knownExploitedVulnCount":0,"checkID":"domain_registrar_update_protection","category":"domain","controlCheckID":"IM.DS.DO.AA","passTitle":"Domain registrar or registry update protection enabled","passDescription":"Domain is protected from unsolicited update requests with the registrar or registry.","passGroupDescription":"No domains detected as being susceptible to unsolicited update requests.","failTitle":"Domain registrar or registry update protection not enabled","failDescription":"Domain is not protected from unsolicited update requests with the registrar or registry. The domain should have clientUpdateProhibited or serverUpdateProhibited set.","remediation":"Set clientUpdateProhibited or serverUpdateProhibited with the registrar/registry.","issue":"Some domains aren’t protected from unsolicited update requests. This means the domain’s DNS records could be changed by a third-party via social engineering.","recommendation":"Ask the domain name registrar to enact status restriction clientUpdateProhibited which prevents unauthorized updates to the domain.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain update protection is a DNS setting that prevents updates to the ownership of the domain until the owner has disabled this setting. 
It is a DNS security mechanism intended to make it harder for an attacker to make unauthorized modifications to domain ownership through social engineering. ","RiskDetails":"Attackers may attempt to hijack domains by impersonating the domain's owner and modifying domain ownership data. ","RecommendedRemediation":"Look up the whois information for the domain either using the CLI or an online tool. It should have a Domain Status of \"serverUpdateProhibited\" or \"clientUpdateProhibited.\" Log into your domain registrar's site. Navigate to the settings for this domain. You should have an option to enable this setting and save the configuration."},{"id":"caa_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"CAA","value":"[set]"}],"actual":[{"property":"CAA","value":"[not set]"}],"severity":1,"cloudscanCategory":"dns","prevCloudscanCategory":"website_sec","title":"CAA not enabled","description":"The domain does not contain a valid Certification Authority Authorization (CAA) record. A CAA record indicates which Certificate Authorities (CAs) are authorized to issue certificates for a domain.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2022-11-24T23:43:40.373153Z","sources":["ttec.com","www.ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Certificate Authority Authorization (CAA) is a security mechanism that allows domain owners to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. The CAA policy is enforced through DNS (Domain Name System) records, providing an extra layer of security against unauthorized certificate issuance.","riskDetails":"When a Certificate Authority receives a certificate request for a domain, it is required to check the domain's CAA records before issuing the certificate. 
Without a CAA, it is possible to have certificates issued for a domain by an unapproved certificate authority.","recommendedRemediation":"CAA is implemented as a DNS resource record (type CAA). Domain owners add CAA records to their DNS zone file, specifying which CAs are allowed to issue certificates for that domain. To allow Let's Encrypt to issue certificates, the record would look like: example.com.  IN  CAA  0 issue \"letsencrypt.org\".","knownExploitedVulnCount":0,"checkID":"caa_enabled","category":"ssl","controlCheckID":"IM.DS.CA.PA","passTitle":"CAA enabled","passDescription":"The domain contains a valid Certification Authority Authorization (CAA) record. A CAA record indicates which Certificate Authorities (CAs) are authorized to issue certificates for a domain.","passGroupDescription":"All applicable sites contain a valid Certification Authority Authorization (CAA) record. A CAA record indicates which Certificate Authorities (CAs) are authorized to issue certificates for a domain.","failTitle":"CAA not enabled","failDescription":"The domain does not contain a valid Certification Authority Authorization (CAA) record. 
A CAA record indicates which Certificate Authorities (CAs) are authorized to issue certificates for a domain.","remediation":"Where possible, specify the Certificate Authorities that are authorized to issue certificates for this domain in a CAA DNS record.","issue":"The domain does not contain a valid CAA record.","recommendation":"Where possible, specify the Certificate Authorities that are authorized to issue certificates for this domain in a CAA DNS record.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Certificate Authority Authorization (CAA) is a security mechanism that allows domain owners to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. The CAA policy is enforced through DNS (Domain Name System) records, providing an extra layer of security against unauthorized certificate issuance.","RiskDetails":"When a Certificate Authority receives a certificate request for a domain, it is required to check the domain's CAA records before issuing the certificate. Without a CAA, it is possible to have certificates issued for a domain by an unapproved certificate authority.","RecommendedRemediation":"CAA is implemented as a DNS resource record (type CAA). Domain owners add CAA records to their DNS zone file, specifying which CAs are allowed to issue certificates for that domain. To allow Let's Encrypt to issue certificates, the record would look like: example.com.  
IN  CAA  0 issue \"letsencrypt.org\"."}],"operational_risk":[{"id":"ai_detected","pass":false,"meta":"Figma (https://figma.com)","vendorOnly":false,"expected":[{"property":"Artificial Intelligence (AI) system usage","value":"[none found]"}],"actual":[{"property":"Artificial Intelligence (AI) system usage","value":"Figma (https://figma.com)"}],"severity":1,"cloudscanCategory":"operational_risk","prevCloudscanCategory":"","title":"Artificial Intelligence (AI) system usage detected","description":"The use of AI systems can pose risks if not managed appropriately.","checkedAt":"2026-04-02T22:30:16.2454Z","dateDetected":"2026-03-25T05:42:55.201484Z","sources":["ttec.com"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Usage of AI systems can pose data security vulnerabilities, show unpredictable behaviours and have biases in outputs if not managed appropriately.","riskDetails":"Determine the potential risk to your organization by checking the extent of AI system usage and any security controls that are in place.","recommendedRemediation":"Ensure appropriate security controls and AI system usage standards are in place by requesting the vendor complete the UpGuard AI-Risk Essentials questionnaire.","knownExploitedVulnCount":0,"checkID":"ai_detected","category":"tracking","controlCheckID":"","passTitle":"","passDescription":"","passGroupDescription":"","failTitle":"Artificial Intelligence (AI) system usage detected","failDescription":"The use of AI systems can pose risks if not managed appropriately.","remediation":"","issue":"","recommendation":"","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"Usage of AI systems can pose data security vulnerabilities, show unpredictable behaviours and have biases in outputs if not managed appropriately.","RiskDetails":"Determine the potential risk to your organization by 
checking the extent of AI system usage and any security controls that are in place.","RecommendedRemediation":"Ensure appropriate security controls and AI system usage standards are in place by requesting the vendor complete the UpGuard AI-Risk Essentials questionnaire."}]},"cstarScore":827,"publicScore":811,"vendorName":"TTEC","name":"TTEC","display_name":"TTEC","vendorId":4715309617905664,"business":{"employees":65000,"revenue":2444000000},"address":{"city":"Greenwood Village","state":"CO","country":"United States","countryCode":"US"},"ceo":{"name":"Kenneth D. Tuchman","imgUrl":"https://media.glassdoor.com/people/sqll/5944/teletech-kenneth-d-tuchman.png","approvalRating":79},"primaryHostname":"ttec.com"}