Filtering using indicators
The dashboard view provides actionable insights by highlighting issues and opportunities related to Discovery, Hygiene, and Attack surface reduction. The same indicators are available in the Heatmap and Worldmap views. When you select a Thing (for example, an application), a passport view opens and displays a summary of the indicators.
In both views, you can select specific entries to filter indicators by business unit or area of focus.
You can also click on an individual indicator to open the Things view, where you’ll see a detailed list of related items such as applications, domains, devices or IP addresses, certificates, and cookies.
Discovery indicators
| Indicator | Description |
|---|---|
| External API | Application where an external API was discovered that is outside the organization. |
| Forbidden | Responsive application that always returns a 403 error. |
| Internal API | Application where an internal API was discovered that is internal to the organization. |
| Live application | Reachable application with status "online," "SSO," or "unauthorized." Other statuses can be considered as live applications. Also includes responsive applications on FQDNs with "Forbidden" or "Not found" status are also considered as live applications. |
| Not found | Responsive HTTP or HTTPS address (FQDN or IP) that always returns a 404 error. No available pages were found. |
| Parked Domain Applications | Responsive application hosted on a domain that is parked or for sale. |
| Redirecting | Responsive HTTP/HTTPS address (FQDN or IP) that redirects to another web application. |
| Refused | No connection could be made because the target machine actively refused it. |
| SSO | Application protected by a Single Sign-On (SSO) portal. Redirects to the SSO solution and cannot be accessed directly. |
| Third party | Application identified as belonging to a known software vendor, such as SaaS platforms or on-premise products. Veracode EASM covers a large number of solutions that could be CRMs, security equipment portals or file transfer solutions. |
| Unauthorized | Responsive application that always returns a 401 error, with no available way to authenticate. An application returning 401 error followed by realm authentication system is not considered unauthorised but rather an online application having a login form. This status is assigned to applications returning a 401 error without any ways to authenticate. |
Hygiene indicators
| Indicator | Description |
|---|---|
| Clear login form | Reference: CWE-319: Cleartext Transmission of Sensitive Information. Applications that transmit data over unencrypted connections are vulnerable to interception. Disclosing user data in this way can make incidents difficult to investigate due to obscured audit trails. Personally identifiable information (PII) can also be used for phishing attacks. |
| Cookie consent issue | The application issues cookies without requiring the user to accept them. Since May 2011, EU regulations require that users can refuse cookies that may affect their privacy. In the UK, this is reflected in the Privacy and Electronic Communications Regulations, commonly known as the Cookie Law. |
| Compromised applications | Using an application that has been part of a data breach poses risks such as unauthorized access, data theft, and identity fraud. This can lead to financial loss, exposure of sensitive data, and long-term damage to personal or organizational reputation. |
| CSP heading misconfiguration | Reference: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). The Content-Security-Policy header modifies how browsers render pages and protects against injections, including cross-site scripting (XSS). Incorrect settings can break website functionality. For example, blocking inline JavaScript will break any pages that rely on it. |
| Dangling DNS | Reference: CWE-16: Configuration Weakness in DNS Records. Dangling DNS occurs when DNS records point to non-existent or expired domains. Attackers can take over these domains and use them for phishing, malware distribution, or data collection. Regular DNS audits reduce this risk. |
| Deprecated SSL Cipher Category | Deprecated SSL ciphers are vulnerable to advanced cryptographic attacks that can decrypt or alter sensitive data. This undermines the confidentiality and integrity of communications and can allow attackers to access or manipulate information. |
| Deprecated SSL Protocol | Using deprecated SSL protocols exposes applications to attacks such as man-in-the-middle. Weak encryption makes it easier for attackers to decrypt sensitive data, compromising confidentiality and integrity. |
| Exposed database | Port scanning revealed a database access port exposed to the internet (MSQL, PostgreSQL, MS SQL). Exposing database ports increases the risk of unauthorized access and data breaches. |
| Exposed file-sharing server | Port scanning revealed a file-sharing service exposed to the internet (for example, FTP, SMB). Such exposure can allow attackers to steal or manipulate files. |
| Exposed remote access service | Port scanning revealed a remote access service exposed to the internet (for example, SSH, RDP). Attackers can exploit exposed services to gain unauthorized access to systems. |
| HREF misconfiguration | Invalid HREF references create broken links, reducing website credibility and harming user experience. They can also negatively affect SEO rankings and navigation, causing users to leave the site. |
| HSTS Header Misconfiguration | HTTP Strict Transport Security (HSTS) is a security policy that tells browsers to use HTTPS for all connections to a domain. Configuring HSTS helps prevent attacks such as SSL stripping, where an attacker forces a client to use unencrypted HTTP. Without HSTS, the client might not know the session is supposed to be encrypted. HSTS also protects against attacks that exploit mixed HTTP/HTTPS usage by manipulating redirection or unsecured pages. In environments without an HTTP server, an attacker on the same network could simulate one and trick users into opening a malicious URL through social engineering. |
| HTTP responsive IP | Web applications should not respond to client requests with an IP-based URL |
| Invalid certificate | Reference: CWE-295: Improper Certificate Validation. Invalid certificates expose user data to interception by third parties and enable man-in-the-middle attacks. Users may also abandon the application due to security warnings, leading to loss of trust, reduced adoption, and reputational damage for the organization. |
| Malicious Clone | Maliciously cloned applications often use spoofed, copycat, or typosquatting domains to trick users into visiting a malicious copy of a legitimate application. Users may unknowingly download malware from such clones, also known as “drive-by downloads”. |
| Missing CSP headers | Reference: CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). The Content-Security-Policy header modifies how browsers render pages and protects against cross-site injections, including XSS. Incorrect values can break website functionality. For example, blocking inline JavaScript will disrupt any page that depends on it. |
| Missing HSTS Header | HTTP Strict Transport Security (HSTS) enforces HTTPS for all connections to a domain. Configuring HSTS prevents attacks such as SSL stripping, where an attacker forces a client to use unencrypted HTTP. It also protects against mixed HTTP/HTTPS usage that attackers can exploit through manipulated redirects or unsecured pages. Without HSTS, attackers in the same network could simulate an HTTP server and trick users into opening malicious URLs via social engineering. |
| Missing Referrer Policy Header | The Referrer-Policy header prevents cross-domain referrer leakage by controlling whether the origin URL is sent with requests. Without it, sensitive information in URLs can leak to external sites, reducing user privacy and exposing the application to data disclosure risks. |
| Missing X-Content Type Options Header | The X-Content-Type-Options header prevents browsers from MIME-sniffing a response body and interpreting it as a different content type. Without this header, older browsers such as Internet Explorer and Chrome may misinterpret responses, creating security risks. |
| Missing X-Frame Options Header | The X-Frame-Options header indicates whether a browser should allow a page to load in a frame, iframe, embed, or object. Without this header, sites are vulnerable to clickjacking attacks, where malicious sites embed the page to trick users into unintended actions. |
| Old components | Reference: OWASP A06:2021 – Vulnerable and Outdated Components. Outdated software components often contain publicly disclosed vulnerabilities. All components should be updated to their latest secure versions. |
| Privacy policy issue | Not having a privacy policy on a web application can lead to legal or regulatory noncompliance and potential fines. It also undermines user trust, since customers may worry about how their personal data is collected, used, and protected. |
| Referred Policy Header Misconfiguration | The Referrer-Policy header prevents cross-domain referrer leakage. Misconfigurations can allow URLs and sensitive information to leak to external sites, harming user privacy and site security. |
| Suspicious subdomain | Reference: CWE-16: Configuration and CWE-200: Information Exposure. Development or test environments should not be accessible to the public without authentication. Exposed subdomains can leak sensitive data or provide entry points for attackers. |
| Web server default page | Reference: CWE-200: Information Exposure. Many web and application servers ship with default welcome or information pages. These pages often reveal software type and version, which attackers can use to target known vulnerabilities. They may also expose details about the platform and hardware. |
| X-Content Type Options Header Misconfiguration | The X-Content-Type-Options header must be set correctly to prevent MIME-sniffing. Misconfiguration allows browsers to interpret content incorrectly, creating security risks similar to missing the header entirely. |
| X-Frame Options Header Misconfiguration | The X-Frame-Options header controls whether browsers can display a page in a frame, iframe, embed, or object. Misconfiguration can allow clickjacking attacks or inconsistent behavior across browsers when multiple headers are present. |
Attack surface reduction indicators
| Indicator | Description |
|---|---|
| Fix | Live application with an obvious hygiene misconfiguration to be fixed. Live applications where the recommended action is Protect or Remove are not listed here |
| Onboard | Live application not having any obvious hygiene misconfiguration to fix and not assigned to any security programs |
| Protect | Suspicious applications should have limited access (VPN, IP whitelist) |
| Remove | HTTP Responsive IP, web server default page or unexpected opened ports should be removed from exposure |
Certificate indicators
| Indicator | Description |
|---|---|
| Certificate weak key | The service was found to have used an SSL certificate chain that had been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service. Note that all SSL certificate chains signed with SHA-1 that expire after January 1st, 2017, are considered vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm. |
| Deprecated Signature Algorithm | Certificate signature algorithms such as MD2, MD4, MD5, or SHA1 are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service. |
| Expired | An expired SSL certificate can cause multiple problems such as a user's browser having no way to validate the server, meaning it cannot definitively determine if the website presenting the certificate is legitimate. This may result in a browser error declaring the connection as not secure and may effectively block the website on modern browsers. A site using HTTP Strict Transport Security (HSTS) will not allow the option to load the page despite this error due to it forcing secure connections. |
| Expiring (30 days) | An SSL certificate expiring within 30 days can cause problems similar to an expired certificate. A user's browser has no way to validate the server, meaning it cannot definitively determine if the website presenting the certificate is legitimate. This may result in a browser error declaring the connection as not secure. This can effectively block the website on modern browsers. A site using HTTP Strict Transport Security (HSTS) will not allow the option to load the page despite this error due to it forcing secure connections. |
| Revoked | A revoked digital certificate on an application indicates that it is no longer trusted due to identified security issues or compromises. This can result in access disruptions for users, potential vulnerabilities to unauthorised access or data interception, and damage to the application's credibility and reputation due to perceived security weaknesses. |
| Self-signed Certificate | An application or host was found to rely upon a self-signed certificate to secure communications. The application or host did not have an SSL certificate that was signed by a trusted certification authority. If the clients connecting to this service do not have an explicit trust for this certificate or certification authority, they will receive an SSL error. If users become accustomed to accepting SSL errors, it is more likely that an attacker performing a Man-in-the-Middle attack will go unnoticed. |
Domain indicators
| Indicator | Description |
|---|---|
| DNSSEC not implemented | A domain not using DNSSEC (Domain Name System Security Extensions) is vulnerable to various types of cyberattacks, such as DNS spoofing or cache poisoning, where attackers can redirect traffic to malicious websites without the users' knowledge. This can result in significant security risks, including data breaches, phishing attacks, and the interception of sensitive information. |
| Email Authentication Gap | The domain has a Mail Exchange (MX) record configured, allowing it to send and receive emails. However, the absence of DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) protocols creates a significant vulnerability. Without these authentication mechanisms, malicious actors can spoof emails that appear to originate from the domain, potentially leading to phishing attacks, fraudulent activities, or damage to the domain's reputation. This misconfiguration weakens email security and trust, making it easier for attackers to exploit the domain for impersonation purposes. |
| Email Disclosure | Publicly-available email addresses associated with a domain are vulnerable to spam, phishing attacks, and email spoofing, which can lead to security breaches and compromised personal information. These addresses can also be harvested by malicious actors for targeted attacks, increasing the risk of social engineering exploits and business email compromise scams. |
| Expired | An expired domain can be hijacked by malicious actors, leading to unauthorised control over associated services and email accounts. This can result in data breaches, phishing attacks, and the loss of business reputation and customer trust. |
| Expiring (30 days) | A domain that is near expiration risks being acquired by malicious actors who could use it for phishing attacks, distributing malware, or impersonating legitimate services. Additionally, the expiration could lead to disruption of services, loss of website visibility, and potential legal issues if critical business operations depend on the domain. |
| Insufficient SPF data | An incorrectly configured SPF (Sender Policy Framework) record for a domain can lead to legitimate emails being marked as spam or rejected, causing communication disruptions. Moreover, it weakens the domain's defence against email spoofing and phishing attacks, allowing malicious actors to send fraudulent emails that appear to originate from the trusted domain. |
| New Domain | The domain has been registered within the last 90 days. |
| Parked Domain | Domain found as parked by registrar. It’s not usable on the internet, as it’s considered as registered. Sometimes, it’s for sale. |
| Pending Deletion | A domain that is pending deletion faces risks such as loss of control and ownership, which can lead to service disruptions and loss of website functionality. Additionally, once deleted, the domain becomes available for registration by others, potentially enabling cyber squatters to exploit the previous domain's reputation or mislead its users. |
| Pending Renew | A domain registration in a pending state risks being vulnerable to hijacking or unauthorised changes before it is fully secured. This could lead to loss of control over the domain, disruption of services, and potential exploitation by malicious actors for phishing or malware distribution, impacting both business operations and reputation negatively. |
| Transfer Protection not enabled | The lack of domain transfer protections, such as domain locking or transfer authorisation codes, increases the risk of unauthorised domain transfers, where cybercriminals can hijack the domain. This can lead to loss of control over the domain, service disruptions, and potential misuse of the domain for malicious activities, damaging the brand's reputation and security. |
Network indicators
| Indicator | Description |
|---|---|
| Blacklisted IP | Public IP addresses appearing on a blacklist can lead to blocked communications, preventing access to essential services like email and websites. This can disrupt business operations, damage reputation, and necessitate time-consuming and costly remediation efforts to restore normal functionality. |
| IP Location | An IP address associated with a x-risk region may indicate increased likelihood of malicious activities originating from that location, such as cyberattacks, malware distribution, or phishing campaigns. Organisations may face higher risks of unauthorised access attempts, data breaches, and compromised network security when dealing with traffic from such regions, necessitating heightened vigilance and robust security measures to mitigate potential threats effectively. |