Defensive-use boundary: scan only domains the user owns or is authorized to assess. Start with passive DNS, TLS, and HTTP header checks, avoid intrusive testing, rate limit requests, and label every finding as configuration evidence rather than proof of compromise.
CyberShield Blueprint
Small business domain security scanner MVP.
CyberShield lets a business add a domain, run safe posture checks, receive a score, understand findings in plain language, and export a professional report.
MVP Goal
A clear score and the next fix
The first version should prove the workflow before adding billing, teams, scheduled scans, or AI explanations.
Core flow
Sign up, add domain, verify ownership, run scan, review score, open findings, download PDF report.
Dashboard pages
Overview, Domains, Scan Results, Findings, Reports, Recommendations, Settings, Team Members, Billing.
Demo-safe mode
Use fake domains like acme-demo.com, bluepeak-demo.io, and novamed-demo.net with seeded scan results for portfolio screenshots.
MVP Cut
Separate demo MVP from SaaS MVP
Demo MVP
No account required
Enter one authorized domain or choose seeded demo data, run passive checks, show score, show findings, and export a sample report.
SaaS MVP
Accounts and history
Add users, organizations, domain verification, scan history, finding status, saved reports, and team settings after the scoring model feels credible.
Do not build yet
Keep the first release narrow
Delay billing, white-label reports, Slack alerts, AI remediation, consultant dashboards, and compliance mapping until the core report is strong.
Checks
What the scanner should inspect first
Website
HTTPS and browser protections
HTTPS enabled, HTTP to HTTPS redirect, valid TLS certificate, expiration date, HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, secure cookies, mixed-content risk.
Domain spoofing resistance
SPF exists, SPF is not too permissive, one SPF record, DMARC exists, DMARC policy state, DKIM selector checks, MX records, MTA-STS, TLS-RPT, BIMI readiness, DNSSEC signal.
DNS
Hygiene and ownership clues
Exposed TXT records, suspicious old records, dangling CNAME candidates, missing CAA, wildcard DNS usage, stale verification records, and unexpected third-party includes.
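The checks above are passive: one TXT lookup for the apex, one for _dmarc.<domain>, one HTTPS GET, and then evaluation. The module below is an added example of that evaluation stage, not CyberShield's own code. It parses SPF (single record, permissive "all" qualifier, lookup-term count), DMARC (policy state, reporting address) and the browser protection headers, and returns configuration evidence per check. Nothing in it touches the network: the sample TXT records and response headers at the bottom are constructed for acme-demo.com, and the check keys and CheckResult shape are assumptions, not the project's schema.

```python
"""Passive posture checks for the CyberShield MVP (added example, not project code).

Each function works on data that one DNS TXT lookup or one HTTPS GET already returned,
so nothing here touches the network; the sample inputs at the bottom are constructed.
Check keys and the CheckResult shape are assumptions.
"""
import re
from dataclasses import dataclass

HSTS_MIN_AGE = 31536000  # one year, the value the finding library recommends


@dataclass
class CheckResult:
    check_key: str  # stable id, e.g. "email.dmarc_present"
    category: str   # scoring category: "email" or "headers" here
    status: str     # "pass", "warn" or "fail"
    evidence: str   # configuration evidence, never a claim of compromise


def check_spf(txt_records):
    """SPF checks over the TXT records of the apex domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [CheckResult("email.spf_present", "email", "fail", "no v=spf1 record")]
    results = [CheckResult("email.spf_present", "email", "pass", spf[0])]
    # RFC 7208: more than one SPF record is a permerror, so validation breaks.
    single = "pass" if len(spf) == 1 else "fail"
    results.append(CheckResult("email.spf_single_record", "email", single, f"{len(spf)} SPF record(s)"))
    terms = spf[0].split()[1:]
    # "+all", bare "all" or "?all" lets any host pass or be neutral for the domain.
    permissive = any(t.lower() in ("+all", "all", "?all") for t in terms)
    # Terms that cost a DNS lookup are capped at 10 by RFC 7208; nested includes are
    # not expanded here, so this is a lower bound used only as a sprawl signal.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", t.lower()))
    status = "fail" if permissive else ("warn" if lookups > 10 else "pass")
    results.append(CheckResult("email.spf_not_permissive", "email", status,
                               f"permissive={permissive}, lookup terms={lookups}"))
    return results


def check_dmarc(dmarc_txt_records):
    """DMARC checks over the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [CheckResult("email.dmarc_present", "email", "fail", "no _dmarc TXT record")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    results = [CheckResult("email.dmarc_present", "email", "pass", dmarc[0])]
    enforced = "pass" if policy in ("quarantine", "reject") else "warn"
    results.append(CheckResult("email.dmarc_enforced", "email", enforced, f"p={policy or 'missing'}"))
    # Without rua= nobody receives aggregate reports, so p=none teaches the team nothing.
    results.append(CheckResult("email.dmarc_reporting", "email", "pass" if "rua" in tags else "warn",
                               f"rua={tags.get('rua', 'absent')}"))
    return results


def check_headers(response_headers):
    """Header presence checks over one HTTPS response (names are case-insensitive)."""
    h = {k.lower(): v for k, v in response_headers.items()}
    results = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        results.append(CheckResult("headers.hsts", "headers", "fail", "Strict-Transport-Security absent"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        status = "pass" if m and int(m.group(1)) >= HSTS_MIN_AGE else "warn"
        results.append(CheckResult("headers.hsts", "headers", status, f"Strict-Transport-Security: {hsts}"))
    csp = h.get("content-security-policy", "")
    results.append(CheckResult("headers.csp", "headers", "pass" if csp else "fail",
                               f"Content-Security-Policy: {csp or 'absent'}"))
    # Clickjacking protection counts whether it comes from X-Frame-Options or CSP frame-ancestors.
    framed = "x-frame-options" in h or "frame-ancestors" in csp.lower()
    results.append(CheckResult("headers.frame_protection", "headers", "pass" if framed else "fail",
                               f"X-Frame-Options: {h.get('x-frame-options', 'absent')}"))
    for header, key in (("x-content-type-options", "headers.nosniff"),
                        ("referrer-policy", "headers.referrer_policy"),
                        ("permissions-policy", "headers.permissions_policy")):
        results.append(CheckResult(key, "headers", "pass" if header in h else "fail",
                                   f"{header}: {h.get(header, 'absent')}"))
    return results


# Constructed sample data for the demo-safe domain acme-demo.com (not a real zone).
SAMPLE_TXT = ["v=spf1 include:_spf.mailprovider-demo.test ip4:203.0.113.10 ~all",
              "some-site-verification=constructed-placeholder"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff"}


def run_demo():
    """Run all checks on the constructed sample and map check_key -> status."""
    results = check_spf(SAMPLE_TXT) + check_dmarc(SAMPLE_DMARC) + check_headers(SAMPLE_HEADERS)
    return {r.check_key: r.status for r in results}
```

Two design choices worth keeping in the real worker: "warn" is a distinct state (HSTS present but short max-age, DMARC present but p=none) so the score can give partial credit, and every evidence string quotes the observed configuration rather than asserting an outcome.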
Scoring
Simple enough for business owners
Transport protection, certificate validity, expiration, and redirect posture.
HSTS, CSP, clickjacking, MIME sniffing, referrer, permissions, and cookie posture.
SPF, DKIM, DMARC, MX, enforcement, and spoofing resistance.
CAA, DNSSEC signal, dangling records, wildcard risk, and stale records.
MTA-STS, TLS-RPT, BIMI readiness, scheduled scans, and alert readiness.
Example: Overall score 72/100, risk level Medium, main issues: missing DMARC enforcement, no Content Security Policy, and missing HSTS.
Finding Library
Reusable findings for the first release
High
Missing DMARC
Your domain does not have a DMARC record. This makes it easier for attackers to send fake emails that appear to come from your domain.
Fix: add a DMARC TXT record and start with monitoring mode: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
Medium
Weak DMARC policy
DMARC is configured but set to monitoring only. Move gradually from p=none to p=quarantine, then p=reject after legitimate senders are understood.
Medium
Missing HSTS
Your website does not tell browsers to always use HTTPS. Add Strict-Transport-Security: max-age=31536000; includeSubDomains after testing subdomains.
Medium
Missing CSP
A missing Content Security Policy can increase the impact of cross-site scripting. Start in report-only or narrow scope and test before enforcement.
Low / Medium
Missing frame protection
The site may be embedded inside another page. Add X-Frame-Options: DENY or CSP frame-ancestors 'none' where compatible.
High
Multiple SPF records
More than one SPF record can break SPF validation. Merge all SPF mechanisms into a single TXT record.
Critical
Expired TLS certificate
The certificate is expired or not yet valid. Visitors may see browser warnings and automated integrations may fail. Renew or replace the certificate.
Medium
Missing MX records
No mail exchanger records were found. If the domain sends or receives mail, confirm the mail provider setup and DNS zone.
Medium
Missing CAA record
The domain does not restrict which certificate authorities can issue certificates. Add CAA records that match the organization's certificate provider.
Medium
SPF too permissive
The SPF record uses broad mechanisms or too many includes. Review authorized senders and remove stale or unnecessary mail services.
Low / Medium
Missing MTA-STS
The domain has no visible MTA-STS policy. Consider MTA-STS after mail routing is stable to improve mail transport security.
Low / Medium
Missing TLS-RPT
The domain is not collecting TLS reporting data for mail delivery issues. Add TLS-RPT when the team can monitor reports.
Medium
Dangling CNAME candidate
A CNAME points to a service that may no longer be configured. Verify ownership in the third-party platform or remove the stale record.
Low
Wildcard DNS detected
Wildcard DNS can make asset inventory harder. Confirm it is intentional and documented before treating unknown hostnames as valid services.
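The Scoring section lists five categories and a target output of "72/100, Medium, main issues ..."; the Finding Library maps each failed check to plain-language text. The module below is an added example, not CyberShield's own code, that ties the two together: it averages pass/warn/fail credit per category, weights the categories, maps the score to a risk level, and emits findings ordered by severity. The weights, risk bands and check_key names are assumptions chosen so that the blueprint's 72/100 example reproduces from the constructed scan_checks at the bottom; the finding texts are condensed from the library above.

```python
"""Scoring and finding generation for the CyberShield MVP (added example, not project code).

Input is the per-check status the checks stage writes to scan_checks. The five categories
follow the Scoring section; weights, risk bands and check_key names are assumptions chosen
so the blueprint's 72/100 example reproduces. Finding texts are condensed from the library.
"""
from dataclasses import dataclass

CATEGORY_WEIGHTS = {  # assumed split, sums to 100
    "transport": 25,  # HTTPS, certificate validity and expiry, redirect posture
    "headers": 20,    # HSTS, CSP, clickjacking, MIME sniffing, referrer, permissions, cookies
    "email": 30,      # SPF, DKIM, DMARC, MX, enforcement, spoofing resistance
    "dns": 15,        # CAA, DNSSEC signal, dangling records, wildcard risk, stale records
    "readiness": 10,  # MTA-STS, TLS-RPT, BIMI readiness, scheduled scans, alert readiness
}
STATUS_CREDIT = {"pass": 1.0, "warn": 0.5, "fail": 0.0}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low / Medium": 3, "Low": 4}
RISK_BANDS = ((90, "Low"), (70, "Medium"), (50, "High"), (0, "Critical"))  # assumed thresholds

@dataclass
class Check:
    check_key: str
    category: str
    status: str  # "pass", "warn" or "fail"

@dataclass
class Finding:
    title: str
    severity: str
    category: str
    description: str
    recommendation: str
    status: str = "open"  # finding status column in the findings table

# check_key -> (title, severity, description, recommendation); raised when the check is not "pass".
FINDING_TEMPLATES = {
    "email.dmarc_present": ("Missing DMARC", "High", "Your domain does not have a DMARC record.",
        "Add a DMARC TXT record in monitoring mode: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"),
    "email.dmarc_enforced": ("Weak DMARC policy", "Medium", "DMARC is set to monitoring only.",
        "Move gradually from p=none to p=quarantine, then p=reject, once legitimate senders are understood."),
    "headers.hsts": ("Missing HSTS", "Medium", "Your website does not tell browsers to always use HTTPS.",
        "Add Strict-Transport-Security: max-age=31536000; includeSubDomains after testing subdomains."),
    "headers.csp": ("Missing CSP", "Medium", "A missing Content Security Policy can increase the impact of XSS.",
        "Start in report-only or narrow scope and test before enforcement."),
    "dns.caa": ("Missing CAA record", "Medium", "Any certificate authority may issue certificates for the domain.",
        "Add CAA records that match the organization's certificate provider."),
    "readiness.mta_sts": ("Missing MTA-STS", "Low / Medium", "The domain has no visible MTA-STS policy.",
        "Consider MTA-STS after mail routing is stable."),
}

def category_scores(checks):
    """Mean status credit per category; categories with no checks are absent."""
    grouped = {}
    for c in checks:
        grouped.setdefault(c.category, []).append(STATUS_CREDIT[c.status])
    return {cat: sum(v) / len(v) for cat, v in grouped.items()}

def overall_score(checks):
    """Weighted 0-100 score, renormalised over the categories actually checked so an
    MVP that runs no readiness checks yet is not penalised for them."""
    per_cat = category_scores(checks)
    total = sum(CATEGORY_WEIGHTS[c] for c in per_cat)
    return round(100 * sum(per_cat[c] * CATEGORY_WEIGHTS[c] for c in per_cat) / total) if total else 0

def risk_level(score):
    """Assumed bands; the blueprint's 72/100 example lands in Medium."""
    return next(level for floor, level in RISK_BANDS if score >= floor)

def generate_findings(checks):
    """One finding per non-passing check that has a template, most severe first."""
    findings = []
    for c in checks:
        if c.status != "pass" and c.check_key in FINDING_TEMPLATES:
            title, severity, description, recommendation = FINDING_TEMPLATES[c.check_key]
            findings.append(Finding(title, severity, c.category, description, recommendation))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: input order kept within a tier
    return findings

def _checks(category, **statuses):
    """Build constructed Check rows: _checks("dns", caa="fail") -> [Check("dns.caa", "dns", "fail")]."""
    return [Check(f"{category}.{name}", category, status) for name, status in statuses.items()]

# Constructed scan_checks for the demo-safe domain acme-demo.com.
SAMPLE_CHECKS = (
    _checks("transport", https="pass", https_redirect="pass", cert_valid="pass")
    + _checks("email", spf_present="pass", spf_single_record="pass", spf_not_permissive="pass",
              dmarc_present="pass", dmarc_enforced="warn", dmarc_reporting="pass")
    + _checks("headers", hsts="fail", csp="fail", frame_protection="pass",
              nosniff="pass", referrer_policy="pass", permissions_policy="fail")
    + _checks("dns", caa="fail", dnssec="warn", dangling_cname="pass", wildcard="pass")
    + _checks("readiness", mta_sts="fail", tls_rpt="fail")
)

def summarize(checks):
    """What the Overview page shows: score, risk level and the top three findings."""
    score = overall_score(checks)
    return {"score": score, "risk": risk_level(score),
            "main_issues": [f.title for f in generate_findings(checks)[:3]]}
```

Renormalising over the categories present matters for the demo MVP: a scan that runs only the passive website and email checks should not lose 25 points for readiness checks that do not exist yet. Weights and bands are the part to tune against real scans once the findings read as credible.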
Architecture
Build it as a serious SaaS, but ship the smallest proof first
Frontend
Next.js, TypeScript, Tailwind, shadcn/ui, accessible dashboard tables, PDF report preview, and clear finding states.
Backend
FastAPI or Django REST Framework with PostgreSQL, Redis, Celery workers, and S3-compatible report storage.
Worker flow
Create scan record, enqueue job, run DNS/HTTP/TLS/email checks, write scan checks, generate findings, calculate score, mark scan complete.
Reports
Generate executive and technical PDF sections with summary, score, key risks, fix roadmap, raw evidence, and disclaimer.
Data Model
Tables for the MVP
Identity
users, organizations, organization_members.
Domains
domains with organization_id, domain_name, verification_status, verification_token, created_at, updated_at.
Scans
scans with domain_id, scan_type, status, overall_score, started_at, completed_at, created_at.
Evidence
scan_checks with check_key, check_name, category, status, severity, score_impact, raw_result.
Findings
findings with title, severity, category, description, business_impact, recommendation, status.
Reports
reports and notifications for generated PDFs, alerts, unread messages, and scan events.
API
Endpoints that match the user journey
Auth
POST /api/auth/register, /login, /logout, /forgot-password.
Organizations
GET /api/organizations, POST /api/organizations, GET/PATCH /api/organizations/:id.
Domains
GET /api/domains, POST /api/domains, GET/DELETE /api/domains/:id, POST /api/domains/:id/verify.
Scans and reports
POST /api/domains/:id/scans, GET /api/domains/:id/scans, GET /api/scans/:id, GET /api/scans/:id/findings, POST /api/scans/:id/report.
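The data model stores a verification_token per domain and the API exposes POST /api/domains/:id/verify; the defensive-use boundary at the top of the page depends on that step gating POST /api/domains/:id/scans. The module below is an added example of one way to implement the pair with a DNS TXT challenge; it is not CyberShield's own code. The _cybershield-verify record label, the token format, the resolver interface and the authorize_scan gate are assumptions, and a constructed resolver stands in for DNS so the module runs offline against the three demo-safe domains.

```python
"""Domain ownership verification for POST /api/domains/:id/verify (added example, not project code).

The data model stores a verification_token per domain and the API exposes a verify endpoint;
this is one way to implement that with a DNS TXT challenge. The record-name prefix, token
format and resolver interface are assumptions. A constructed resolver stands in for DNS so
the module runs offline.
"""
import hmac
import secrets

VERIFY_PREFIX = "_cybershield-verify"  # assumed challenge label: _cybershield-verify.<domain>
DOMAIN_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def new_verification_token():
    """Unpredictable token stored in domains.verification_token and shown to the user to publish."""
    return "cybershield-verify=" + secrets.token_urlsafe(32)


def normalize_domain(name):
    """Lower-case, drop the trailing dot, and reject anything that is not a plain hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253 or set(name) - DOMAIN_CHARS or any(not l or len(l) > 63 for l in labels):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def verification_record_name(domain):
    """Where the user must publish the token, e.g. _cybershield-verify.acme-demo.com."""
    return f"{VERIFY_PREFIX}.{normalize_domain(domain)}"


def verify_domain(domain, expected_token, resolve_txt):
    """True only if a TXT record at the challenge name equals the token stored for this domain row.
    resolve_txt(name) -> list[str] is injected so the logic is testable offline; in production it
    is a DNS client, rate limited per organization and with a short per-request timeout."""
    try:
        name = verification_record_name(domain)
    except ValueError:
        return False
    # Only this domain's challenge name and this row's token are consulted, so a token published
    # for one domain cannot verify another; compare_digest keeps the comparison constant-time.
    return any(hmac.compare_digest(record.strip().encode(), expected_token.encode())
               for record in resolve_txt(name))


def authorize_scan(verification_status):
    """Gate for POST /api/domains/:id/scans outside demo-safe mode: only verified domains are
    scanned, which is how the defensive-use boundary at the top of the blueprint is enforced."""
    if verification_status != "verified":
        raise PermissionError("domain ownership has not been verified")
    return True


def make_fake_resolver(zone):
    """Constructed stand-in for a DNS client: zone maps record name -> list of TXT strings."""
    return lambda name: zone.get(name.lower(), [])


def demo():
    """Constructed zone data for the demo-safe domains; returns verification outcomes."""
    token = new_verification_token()
    zone = {
        "_cybershield-verify.acme-demo.com": [token],  # token published correctly
        "_cybershield-verify.bluepeak-demo.io": ["cybershield-verify=stale-or-mistyped-value"],
        # novamed-demo.net has published nothing yet
    }
    resolve = make_fake_resolver(zone)
    return {
        "acme-demo.com": verify_domain("ACME-Demo.com.", token, resolve),  # case and trailing dot tolerated
        "bluepeak-demo.io": verify_domain("bluepeak-demo.io", token, resolve),
        "novamed-demo.net": verify_domain("novamed-demo.net", token, resolve),
    }
```

The verify handler would call verify_domain with the token from the domains row, set verification_status to "verified" on success, and the scans handler would call authorize_scan before enqueueing a job; demo-safe mode bypasses the gate only for the seeded demo domains.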
Roadmap
Phased growth without overbuilding
Build-first recommendation: start with unauthenticated demo scanning plus seeded reports, then add accounts and persistent scan history once the scoring and findings feel trustworthy.