MVP boundary: the demo scanner should run passive checks only, show evidence, and avoid implying compromise, legal compliance, or authorization to scan domains the user does not control.
CyberShield Checklist
A build checklist for the first useful scanner demo.
Use this as the implementation scope for CyberShield before adding accounts, billing, scheduling, Slack alerts, or consultant dashboards.
Checklist
Ship these before anything else
Input (Domain form): Validate domain format, block URL paths, explain authorization, and offer seeded demo domains.
DNS (Lookup layer): Resolve A/AAAA, MX, TXT, CAA, DMARC, SPF, and basic CNAME evidence with raw result display.
Website (HTTP and HTTPS): Check HTTPS availability, redirect behavior, TLS certificate dates, and response headers.
Headers (Browser protections): Check HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and secure cookies.
Mail auth: Check SPF existence, multiple SPF records, permissive mechanisms, DMARC existence, DMARC policy, MX records, MTA-STS, and TLS-RPT.
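An added worked example (not CyberShield's own code) of the SPF and DMARC part of the mail-auth checks above, returning findings that carry a severity and the raw record as evidence; the TXT records are constructed samples and the lookup callback stands in for real DNS resolution.

```python
import re

# Constructed sample TXT records keyed by DNS name; stands in for a real TXT lookup.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all", "v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

def check_spf(records):
    """Return (severity, title, evidence) findings for a domain's TXT records."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "No SPF record published", "no TXT record beginning v=spf1")]
    findings = []
    if len(spf) > 1:  # RFC 7208 allows exactly one SPF record; more is a permerror
        findings.append(("high", "Multiple SPF records", " | ".join(spf)))
    for rec in spf:
        # The last 'all' mechanism sets the default result; its qualifier decides strictness.
        alls = [t for t in rec.split()[1:] if re.fullmatch(r"[+~?-]?all", t, re.I)]
        if not alls:
            findings.append(("medium", "SPF lacks an 'all' mechanism", rec))
        elif alls[-1].lower() in ("all", "+all"):
            findings.append(("high", "SPF '+all' authorizes any sender", rec))
        elif alls[-1].lower() == "?all":
            findings.append(("medium", "SPF '?all' is neutral, not enforced", rec))
    return findings

def check_dmarc(records):
    """Return (severity, title, evidence) findings for the _dmarc TXT records."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "No DMARC record published", "no TXT record beginning v=DMARC1")]
    rec = dmarc[0]
    # Parse "tag=value; tag=value" into a dict; tags without '=' are skipped.
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (p.partition("=") for p in rec.split(";")) if v}
    policy = tags.get("p")
    if policy is None:
        return [("high", "DMARC record has no p= tag", rec)]
    if policy == "none":
        return [("medium", "DMARC policy p=none only monitors", rec)]
    return [("info", f"DMARC policy p={policy} enforced", rec)]

def audit_mail(domain, lookup_txt=lambda name: SAMPLE_TXT.get(name, [])):
    """Combine SPF and DMARC checks; lookup_txt maps a DNS name to its TXT strings."""
    return check_spf(lookup_txt(domain)) + check_dmarc(lookup_txt("_dmarc." + domain))
```

Each finding keeps the verbatim record so the report's raw-proof field can show why a score was deducted.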
Scoring (Weighted score): Calculate HTTPS/TLS, security headers, email security, DNS hygiene, and monitoring scores with clear explanations.
Findings (Issue cards): Each finding needs severity, business impact, technical evidence, recommendation, status, and raw proof.
Report (Export or preview): Generate an executive summary, score breakdown, top risks, technical appendix, and disclaimer.
States (Empty and failed scans): Handle invalid domain, DNS failure, HTTPS timeout, partial results, demo mode, and unavailable checks.
Do Not Build Yet
Keep scope from ballooning
Useful for SaaS MVP, not required for the first demo report.
Needs persistent domains, alerts, and history first.
Add after finding templates are accurate and safely caveated.
Only after scan value and report quality are obvious.
Definition of done: one fake domain and one authorized real domain can produce a readable score, findings, and report without manual editing.