northwind.com June 2026 · Real client, anonymized

Security Mirror

Outside-In Security Assessment

A real assessment, shown in full. We removed the company name and its hostnames. Nothing else. That is the discretion you would get too.

Critical Priority

One critical exposure, an actively-exploited software vulnerability running on your public edge, is open to anyone scanning today and needs a verified fix this week. Beneath it, five exploitable security gaps (open DNS records, unencrypted mail ports, and exposed source maps) sit on a two-week clock, and one customer-visible service error (broken certificates) is on a same-week patch. All visible to any underwriter, enterprise buyer, or investor who looks.

1 Critical  ·  5 High  ·  26 Attention  ·  6 Healthy  ·  2 Maturity

40 distinct findings  ·  574 checks across 24 internet-facing assets  ·  1 critical + 1 customer-visible item on a this-week fix

Tighter than industry default · methodology
Raw scanner severity: 7 Critical  ·  6 High  ·  19 Attention
After exploitability check: 1 Critical  ·  5 High  ·  26 Attention

Most outside-in scanners inherit the inflation of CVSS scoring: a finding with a high CVSS gets flagged Critical regardless of whether anyone has a working exploit. We require a verified working exploit path (CISA KEV listing, public exploit, or high EPSS) AND a severe outcome class for any Critical or High. Six of the seven raw "criticals" were unweaponized CVEs or non-compromise-class findings and dropped to their honest tier; one survived, with a verified exploit path AND a severe outcome, and stays Critical. Every raw finding is still in the report below, rated honestly. Less noise, more signal.

Critical
Exposed AND a working exploit path AND severe outcome (system compromise, data breach, identity hijack).
Fix this week
High
Exposed AND a working exploit path AND moderate outcome (recon, credential theft, partial access).
Fix within 2 weeks
Attention
No exploit path, hardening gap, latent risk, or broken-but-not-exploited service. (Customer-visible breakage gets a one-week override.)
Fix within 1 month
Healthy
Control verified working. We checked and it passed.
No action
Maturity
Engineering quality or maintenance item. Not a security risk.
Backlog
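The tier rules above are simple enough to write down as code. The block below is an added worked example, not the scanner's own implementation: the tier names, the exposed-AND-exploit-path-AND-outcome conditions, the deadlines and the customer-visible override are taken from the definitions above, while the field names, the sample findings and the EPSS cut-off of 0.5 are assumptions made for this example.

```python
"""Exploitability-weighted triage, as an added worked example of the tiering
rules stated above (not the scanner's own code). Field names, the sample
findings and the EPSS cut-off are assumptions made for this example."""
from collections import Counter
from dataclasses import dataclass

EPSS_HIGH = 0.5  # assumed cut-off; the report only says "high EPSS"


@dataclass
class Finding:
    name: str
    cvss: float                      # raw scanner score, used only for the raw label
    exposed: bool = True             # reachable from the public internet
    in_cisa_kev: bool = False
    public_exploit: bool = False
    epss: float = 0.0
    outcome: str = "none"            # "severe" | "moderate" | "none"
    customer_visible: bool = False   # e.g. a browser certificate warning
    control_verified: bool = False   # a check that passed
    maintenance_only: bool = False   # engineering quality, not a security risk


def raw_severity(f: Finding) -> str:
    """What a CVSS-driven scanner reports before any exploitability check."""
    if f.cvss >= 9.0:
        return "Critical"
    if f.cvss >= 7.0:
        return "High"
    return "Attention"


def has_exploit_path(f: Finding) -> bool:
    """Any one of the report's three evidence sources counts as a working path."""
    return f.in_cisa_kev or f.public_exploit or f.epss >= EPSS_HIGH


def tier(f: Finding) -> str:
    """The report's tier: exposure AND exploit path AND outcome class."""
    if f.control_verified:
        return "Healthy"
    if f.maintenance_only:
        return "Maturity"
    if f.exposed and has_exploit_path(f):
        if f.outcome == "severe":
            return "Critical"
        if f.outcome == "moderate":
            return "High"
    return "Attention"


DEADLINES = {"Critical": "this week", "High": "2 weeks", "Attention": "1 month",
             "Healthy": "no action", "Maturity": "backlog"}


def deadline(f: Finding) -> str:
    """Deadline follows the tier, except the customer-visible override."""
    t = tier(f)
    if t == "Attention" and f.customer_visible:
        return "this week"   # override: severity stays Attention, deadline moves up
    return DEADLINES[t]


def summarize(findings):
    """Raw-vs-weighted counts, the comparison the methodology box shows."""
    return {"raw": Counter(raw_severity(f) for f in findings),
            "weighted": Counter(tier(f) for f in findings)}


# Constructed sample findings modelled on the report's categories.
SAMPLE = [
    Finding("edge server: CISA KEV-listed CVE", cvss=9.8, in_cisa_kev=True, outcome="severe"),
    Finding("server library CVE, no public exploit", cvss=9.1, epss=0.02, outcome="severe"),
    # the transfer request itself is the working path for a zone-transfer finding
    Finding("unauthenticated DNS zone transfer", cvss=5.3, public_exploit=True, outcome="moderate"),
    Finding("certificate name mismatch on blog", cvss=0.0, customer_visible=True),
    Finding("storage bucket verified private", cvss=0.0, control_verified=True),
    Finding("deprecated Moment.js", cvss=0.0, maintenance_only=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{raw_severity(f):9} -> {tier(f):9} {deadline(f):9} {f.name}")
    print(summarize(SAMPLE))
```

The second sample finding is the case the methodology box describes: a CVSS 9.1 CVE that a raw scanner labels Critical drops to Attention because nothing on the exploit-path side is true, while the KEV-listed one keeps its tier.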

Where you stand

Four questions every outside reviewer asks about you. Each category reflects its single worst finding, never an average.

Break-In Risk
Could an attacker get into our systems?
High
Unencrypted legacy mail ports are open to the internet, and three subdomains show visitors a customer-visible browser security warning today. No public database or unauthenticated admin path was found.
0 Critical  ·  2 High  ·  16 Attention  ·  3 Healthy
Known Vulnerabilities
Are we running software with known flaws?
Critical
Your public edge runs a version with an actively-exploited, CISA KEV-listed vulnerability (the Critical finding). Also present: an outdated front-end library and moderate server-software issues, none actively exploited.
1 Critical  ·  2 High  ·  2 Attention  ·  0 Healthy
Data Exposure
Is our data or infrastructure map leaking?
High
Parts of your front-end source code and internal addresses are downloadable through exposed source maps (the High finding), and DNS hands out a full inventory of every system you run. Cloud storage is verified private.
0 Critical  ·  1 High  ·  1 Attention  ·  1 Healthy
Impersonation Risk
Could someone convincingly pretend to be us?
Attention
Email identity enforcement is active and working. Secondary controls, DNSSEC and MTA-STS, are unsigned and can be tightened across several zones.
0 Critical  ·  0 High  ·  7 Attention  ·  2 Healthy

Your internet-facing perimeter

24 assets checked. Each shows its single worst active finding; the 16 with one are listed here.

Asset  ·  Owner  ·  Status  ·  Worst finding
api.northwind.com  ·  Network Ops  ·  Critical  ·  Runs software with a publicly known, exploited flaw (CISA KEV)
app.northwind.com  ·  Network Ops  ·  Critical  ·  Runs software with a publicly known, exploited flaw (CISA KEV)
connect.northwind.com  ·  Network Ops  ·  Critical  ·  Runs software with a publicly known, exploited flaw (CISA KEV)
portal.northwind.com  ·  Network Ops  ·  Critical  ·  Runs software with a publicly known, exploited flaw (CISA KEV)
gateway.northwind.com  ·  Network Ops  ·  Critical  ·  Runs software with a publicly known, exploited flaw (CISA KEV)
www.northwind.com  ·  Engineering  ·  High  ·  Source maps expose front-end code and internal addresses
northwind.com  ·  DNS Admin  ·  High  ·  Anyone can download a full map of your systems
email.northwind.com  ·  DNS Admin  ·  High  ·  Exposed on the public DNS map
isend.northwind.com  ·  Network Ops  ·  High  ·  Unencrypted mail port open to the internet
mail.northwind.com  ·  Network Ops  ·  High  ·  Unencrypted mail port open to the internet
archive.northwind.com  ·  DNS Admin  ·  Attention  ·  DNS answers are not cryptographically signed
blog.northwind.com  ·  DNS Admin  ·  Attention  ·  DNS answers are not cryptographically signed
careers.northwind.com  ·  DevOps  ·  Attention  ·  Customer-visible TLS warning, fix this week
docs.northwind.com  ·  DevOps  ·  Attention  ·  Missing browser-protection headers
object-store · cloud  ·  Cloud Admin  ·  Healthy  ·  Storage bucket verified private ✓
northwind · code repo  ·  Engineering  ·  Healthy  ·  Source repositories verified private ✓

Priority findings

The items to act on first: one critical exposure (Critical · this week), the exploitable security gaps (High · 2 weeks: open DNS, unencrypted mail, exposed source maps), and one customer-visible service error (Attention severity but on a fix-this-week override).

This week · critical exposure
Your edge server runs an actively-exploited vulnerability
Critical · this week  ·  V1, Verified
The version banner on your public edge server matches a vulnerability on CISA's Known Exploited Vulnerabilities list; a working exploit is public and attackers are using it in the wild right now. This is the rare CVE that earns a Critical: exposed, weaponized, and tied to a system-compromise outcome.
www.northwind.com  ·  Server version matches a CISA KEV-listed CVE
The fix
Patch the edge server to the current release this week. If a patch window isn't immediately available, place the affected service behind your WAF with a virtual-patch rule as an interim control.
Owner: Infrastructure · ~2 hours Fix this week · critical
This week · customer-visible
Three subdomains show visitors a "not secure" warning
Attention · this week  ·  V1, Verified
The TLS certificates for three subdomains are invalid: either the certificate doesn't cover the subdomain, or the TLS handshake fails entirely. Severity is Attention because no exploit is involved; the override puts it on a this-week deadline because customers see the warning today.
blog.northwind.com  ·  Certificate SAN omits subdomain, name-mismatch
email.northwind.com  ·  TLS handshake failed before completion
docs.northwind.com  ·  Non-compliant TLS negotiation response
The fix
Reissue valid TLS certificates covering all three subdomains, and correct the protocol configuration error on docs so each completes a clean HTTPS handshake.
Owner: DevOps · ~1–2 hours Fix this week · customer-visible
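The three outcomes above (clean handshake, certificate that omits the subdomain, handshake that never completes) are what a verification pass after the fix should distinguish. The block below is an added example, not the scanner's code or the report's: the hostname matcher follows the usual RFC 6125 rules for dNSName entries (exact match, or a wildcard that is the whole leftmost label and stands for exactly one label), the sample certificates are constructed, and the live helper is only for hosts you operate.

```python
"""Does the served certificate actually cover the hostname? Added example,
not part of the original report; sample certificates below are constructed."""
import socket
import ssl


def san_dns_names(peercert: dict) -> list:
    """Pull dNSName entries from the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName match: exact, or a wildcard that is the whole
    leftmost label and covers exactly one label (so *.example.com covers
    blog.example.com but not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False   # partial or non-leftmost wildcards are not accepted
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False   # no "*.com", and one wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def certificate_covers(peercert: dict, host: str) -> bool:
    return any(name_matches(name, host) for name in san_dns_names(peercert))


def classify(host: str, peercert=None, handshake_error=None) -> str:
    """Map one observation onto the three outcomes the report distinguishes."""
    if handshake_error is not None or not peercert:
        return "TLS handshake failed before completion"
    if not certificate_covers(peercert, host):
        return "Certificate SAN omits subdomain, name-mismatch"
    return "Clean HTTPS handshake"


def observe_live(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to a host you operate and classify the result. Hostname
    checking is turned off only so the certificate can be inspected with the
    matcher above; chain validation stays at the default."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(host, peercert=tls.getpeercert())
    except (ssl.SSLError, OSError) as exc:
        return classify(host, handshake_error=exc)


# Constructed samples: a certificate issued for the apex and www only (the
# shape the blog finding describes) and a wildcard certificate.
APEX_ONLY_CERT = {"subjectAltName": (("DNS", "northwind.com"), ("DNS", "www.northwind.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.northwind.com"), ("DNS", "northwind.com"))}

if __name__ == "__main__":
    for host, cert in [("blog.northwind.com", APEX_ONLY_CERT),
                       ("www.northwind.com", APEX_ONLY_CERT),
                       ("careers.northwind.com", WILDCARD_CERT)]:
        print(host, "->", classify(host, peercert=cert))
    print("email.northwind.com ->", classify("email.northwind.com", handshake_error=OSError("reset")))
```

After reissuing, `observe_live("blog.northwind.com")` should return the clean-handshake string for each of the three hosts; a wildcard certificate covers them in one issuance, but note that it does not cover the apex name itself, which still needs its own SAN entry.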
Within 2 weeks · exploitable security gaps
Anyone can download a full map of your systems
High · 2 weeks  ·  V1, Verified
Your DNS servers respond to unauthenticated zone-transfer (AXFR) requests with a complete list of every subdomain and service you operate. This took the scanner three seconds. An outside reviewer reads it as a ready-made blueprint and a red flag that basic controls are absent.
northwind.com  ·  Unauthenticated AXFR returned the full zone
email.northwind.com  ·  Same misconfiguration confirmed
jobs.northwind.com  ·  Same misconfiguration confirmed
The fix
Restrict AXFR/IXFR zone transfers on your authoritative nameservers to authorized secondary nameservers only. One setting, applied to three zones.
Owner: DNS Admin · ~30 minutes Fix within 2 weeks
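What "one setting" looks like on a BIND 9 authoritative server, as an added example that is not part of the report and assumes BIND 9.16 or later (older releases spell `type primary` as `type master`); the secondary addresses and the zone file path are placeholders, and the TSIG secret must be generated with `tsig-keygen` and shared with the secondaries:

```conf
// Weak: any client that asks receives the whole zone.
zone "northwind.com" {
    type primary;
    file "zones/db.northwind.com";
    allow-transfer { any; };
};

// Fixed: transfers only to the named secondaries, authenticated with TSIG.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };   // placeholder addresses

zone "northwind.com" {
    type primary;
    file "zones/db.northwind.com";
    // require both a listed source address and a valid TSIG signature
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

The same `allow-transfer` line goes into the `email` and `jobs` zone stanzas. An `allow-transfer { none; };` in the global `options` block turns the safe default on for any zone that forgets to set it, and the report's own check (an AXFR request from an unlisted address) should then return a transfer failure on all three zones.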
Legacy mail ports are open to the internet without encryption
High · 2 weeks  ·  V1, Verified
Ports 110 and 143, old email protocols, accept public TCP connections without encryption. Anyone signing in sends credentials across the internet in plain text, and exposed login ports invite automated credential-harvesting.
www.northwind.com  ·  Port 110 accepted public TCP connection
support.northwind.com  ·  Port 143 accepted public TCP connection
The fix
Block ports 110 and 143 at the perimeter firewall. If mail access is required, allow only the encrypted equivalents, ports 993 and 995, on the dedicated mail server only.
Owner: Network Operations · ~1 hour Fix within 2 weeks
Parts of your source code are downloadable from the browser
High · 2 weeks  ·  V1, Verified
Your front-end ships its source maps to the public. Anyone can reconstruct parts of your application code and read the internal URLs, API paths, and service names baked into it. An outside reviewer reads it as a blueprint of how you are built.
www.northwind.com  ·  Source maps served publicly with internal addresses
The fix
Stop publishing source maps to production, or restrict them to authenticated internal use only. One build-config change.
Owner: Frontend · ~30 minutes Fix within 2 weeks
The remaining Attention items (missing browser headers, DNS signing, email tightening, and an outdated library) are on a one-month track in the full fix plan below.

Full fix plan

Grouped by when to act. Severity drives the deadline (Critical = this week, High = 2 weeks, Attention = 1 month). Customer-visible service breakage gets a one-week override even at Attention severity.

This week, critical · 1 critical exposure · 1 action
Patch the actively-exploited edge-server CVE
Update to the current release; if no patch window, virtual-patch behind the WAF as an interim control.
Owner: Infrastructure  ·  Known Vulnerabilities
This week
This week, customer-visible · 3 customer-visible service errors · 1 action
Fix broken TLS certificates
Reissue valid TLS for blog and email; correct the protocol error on docs. Customers see the warning today.
Owner: DevOps  ·  Break-In Risk
This week
Within 2 weeks · exploitable security gaps · 3 actions
Restrict DNS zone transfers
Limit AXFR/IXFR to authorized secondary nameservers only.
Owner: DNS Admin  ·  Data Exposure
2 weeks
Close unencrypted legacy mail ports
Block ports 110/143 at the firewall; keep only encrypted 993/995 on the mail server.
Owner: Network Operations  ·  Break-In Risk
2 weeks
Stop publishing source maps to production
Disable source-map output in the production build, or gate it behind authentication.
Owner: Frontend  ·  Data Exposure
2 weeks
Within 1 month · 24 hardening items · 8 actions
Add browser-protection headers
CSP, HSTS, X-Content-Type-Options across www, jobs, staging (3 items).
Owner: Frontend  ·  Break-In Risk
1 month
Switch on the web application firewall
Enable the WAF on the CDN or edge account you already pay for.
Owner: Security Admin  ·  Break-In Risk
1 month
Suppress server version banner · review open ports
Mask the version string on docs; close any non-standard ports not in use.
Owner: DevOps  ·  Break-In Risk
1 month
Upgrade jQuery to 3.7.1+
Current 3.5.1 carries known weaknesses.
Owner: Frontend  ·  Known Vulnerabilities
1 month
Update Apache web server
Current release; disable unused modules. Moderate CVEs only, none actively exploited.
Owner: Infrastructure  ·  Known Vulnerabilities
1 month
Enable DNSSEC
Sign your DNS zones at the registrar.
Owner: DNS Admin  ·  Impersonation Risk
1 month
Tighten email records
Set SPF to hard fail (-all); publish MTA-STS and TLS-RPT records (3 items).
Owner: IT / DNS  ·  Impersonation Risk
1 month
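The "Tighten email records" item is three DNS TXT records, and whether they are in place can be checked from the answers alone. The block below is an added example, not the scanner's code: it reads the qualifier on SPF's `all` mechanism and looks for the MTA-STS and TLS-RPT records. The two record sets are constructed to mirror the report (SPF ending in `~all`, no MTA-STS, no TLS-RPT) and its fixed state; of the finding codes, only SPF_SOFTFAIL appears in the report, the other two are names chosen here, and the live lookup assumes the dnspython package.

```python
"""Audit SPF, MTA-STS and TLS-RPT records from DNS TXT answers. Added
example, not the scanner's code; record sets below are constructed."""

# Constructed TXT answers keyed by owner name, the shape a resolver returns.
WEAK_RECORDS = {
    "northwind.com": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 ~all"],
}
FIXED_RECORDS = {
    "northwind.com": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 -all"],
    "_mta-sts.northwind.com": ["v=STSv1; id=20260601T000000Z"],
    "_smtp._tls.northwind.com": ["v=TLSRPTv1; rua=mailto:tlsrpt@northwind.com"],
}


def spf_all_qualifier(txt_records):
    """Qualifier on the SPF 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass. None if there is not exactly one v=spf1 record
    (none, or several, both break SPF evaluation). A record with no 'all'
    term evaluates as neutral, so '?' is returned for it; redirect=
    modifiers are not followed here."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    for term in spf[0].split()[1:]:
        if "=" in term:
            continue   # modifier (redirect=, exp=), not a mechanism
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qual
    return "?"


def audit_email_records(domain, lookup):
    """lookup(name) -> list of TXT strings. Returns (code, detail) pairs; an
    empty list means all three items are in place. The MTA-STS check is
    DNS-only: the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt
    must also be served for the control to take effect."""
    issues = []
    qual = spf_all_qualifier(lookup(domain))
    if qual is None:
        issues.append(("SPF_MISSING", "no single valid v=spf1 record"))
    elif qual != "-":
        issues.append(("SPF_SOFTFAIL",
                       f"SPF ends in {qual}all; use -all so unlisted senders are rejected"))
    if not any(r.startswith("v=STSv1") for r in lookup(f"_mta-sts.{domain}")):
        issues.append(("MTA_STS_MISSING", f"no v=STSv1 record at _mta-sts.{domain}"))
    if not any(r.startswith("v=TLSRPTv1") for r in lookup(f"_smtp._tls.{domain}")):
        issues.append(("TLS_RPT_MISSING", f"no v=TLSRPTv1 record at _smtp._tls.{domain}"))
    return issues


def live_lookup(name):
    """Resolver-backed lookup for your own domains (needs the dnspython package)."""
    import dns.resolver   # third-party; only imported for live use
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []
    return [b"".join(r.strings).decode() for r in answer]


if __name__ == "__main__":
    print(audit_email_records("northwind.com", lambda n: WEAK_RECORDS.get(n, [])))
    print(audit_email_records("northwind.com", lambda n: FIXED_RECORDS.get(n, [])))
```

Running the audit with `live_lookup` against your own zone after the change should return an empty list; the soft-fail finding disappears the moment the `~all` becomes `-all`, but the MTA-STS item also needs the policy file published over HTTPS, which this DNS-only check does not verify.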
Backlog · 2 maturity notes · no security deadline
Replace deprecated Moment.js
Maintenance item, not a security risk.
Owner: Frontend
Backlog
Trim large JavaScript bundles
Page-speed and SEO improvement, not a security one.
Owner: Frontend
Backlog
Want these closed, not just listed? Our remediation team pairs with your engineers to implement and verify the High items, fixed scope, fixed price.

Technical appendix

Scan completed June 2026  ·  574 checks · 24 assets · 40 produced signal  ·  engine v2.4  ·  completed in 4.6s

For your CTO or technical reviewer. Every finding above traces directly to scanner evidence below.

Scope. Unauthenticated outside-in interactions with public-facing systems only. No credentials, no internal access. Active checks (port connections, TLS handshakes, DNS zone-transfer requests, cloud-storage access attempts) against public endpoints only.

Confidence. V1: scanner directly exercised it. V2: strong external signature. V3: absence of expected signal (undetected ≠ absent).

Asset  ·  Check  ·  Signal / Evidence  ·  Confidence
www.northwind.com  ·  SOURCEMAP_EXPOSED  ·  Public source maps reveal front-end code and internal addresses  ·  V1
www.northwind.com  ·  CVE_KEV_EXPLOITED  ·  Server version matches a CISA KEV-listed CVE with a public exploit  ·  V1
northwind.com  ·  DNS_ZONE_TRANSFER  ·  Unauthenticated AXFR returned the full zone  ·  V1
www, support, blog  ·  OPEN_MAIL_PORT  ·  Ports 110 and 143 accepted public TCP connections  ·  V1
blog.northwind.com  ·  BROKEN_TLS  ·  Certificate SAN omits subdomain; name-mismatch on handshake  ·  V1
email.northwind.com  ·  BROKEN_TLS  ·  TLS handshake failed before completion  ·  V1

all 16 checks

Asset  ·  Check  ·  Signal / Evidence  ·  Confidence
docs.northwind.com  ·  BROKEN_TLS  ·  Non-compliant TLS negotiation response  ·  V1
email, jobs subdomains  ·  DNS_ZONE_TRANSFER  ·  Same misconfiguration on two further zones  ·  V1
www.northwind.com  ·  MISSING_CSP  ·  No Content-Security-Policy header observed  ·  V1
docs.northwind.com  ·  BANNER_LEAK  ·  Server response returns version string in cleartext  ·  V1
support.northwind.com  ·  OUTDATED_JQUERY  ·  Script files reference jQuery 3.5.1  ·  V1
northwind.com  ·  SPF_SOFTFAIL  ·  SPF uses ~all; DMARC separately enforced  ·  V1
northwind.com  ·  DNSSEC_DISABLED  ·  No DNSSEC signature records on the zone  ·  V1
object-store · cloud  ·  SECURE_STORAGE  ·  Unauthenticated access returns HTTP 403, verified locked  ·  V1
Apache host  ·  SOFTWARE_VULN_CVE  ·  Version banner matched to moderate CVEs; none CISA KEV-listed  ·  V2
Edge / all domains  ·  WAF_SIGNAL_ABSENT  ·  Probe completed with no WAF block; absence of signal, not proof of absence  ·  V3
Two findings cannot be fully confirmed from outside (WAF check, CVE version-banner match). A 30-minute walkthrough with your team confirms or clears them, complimentary.
What this scan can't tell you

The outside view has a limit.

This report covers everything visible from the public internet. But the risks that tend to cause the most damage are inside, in your cloud configuration, your access controls, your employees' habits. Those require authorized access. Here's what we couldn't see:

Are your employees' credentials for sale right now?

Dark-web credential exposure (leaked passwords, active breach data) requires dedicated threat-intelligence feeds. Not visible from the outside.

Who has admin access to your systems, and should they?

Access-control reviews need internal access. Overprivileged accounts and former employees with still-active credentials are invisible from outside.

Is your cloud configuration really what your team thinks it is?

We confirmed your storage bucket is locked from the outside. What we cannot see, misconfigured IAM roles, over-permissive security groups, and missing logging, all requires an authorized cloud-configuration review.

What vulnerabilities exist inside your applications?

Authenticated scanning surfaces logic flaws, injection vulnerabilities, and broken access controls that are invisible to anyone without a login.

An authorized inside-out assessment typically surfaces 2–3× more findings than the outside view alone. But the outside-in view is what your underwriter, customer, or acquirer sees first. That's where to start.

Get your report →
Real assessment · client anonymized

This is the shape of your report.

Yours in 24 hours. A full outside-in assessment of your own company, prioritized and exactly this thorough.

Get your Security Mirror · $495 →

Delivered in 24 hours  ·  No internal access required  ·  No surprises.

SECURITY MIRROR  ·  INTUITIONAI.CO  ·  CONFIDENTIAL