Example Report | SurfaceMapper

Example Report

See a real SurfaceMapper report (redacted).

Download Sample PDF

SurfaceMapper report — executive snapshot showing KPI tiles, exposure composition donut chart, findings by severity chart, and mitigating controls table

Report Structure

Executive summary and headline risk score
External asset inventory (domains, IPs, ports, web endpoints)
Risk-scored findings with evidence and remediation
Screenshots of exposed admin interfaces
Email security posture (SPF, DMARC, DKIM)
CVE correlation and IP reputation results
Exposure drift tracking against prior scan
Risk matrix and scoring rationale appendix

Risk Summary Snapshot

23

Domains

18

IPs

12

Live hosts

31

Open ports

10

Web endpoints

3

Breached emails

2

Email security issues

9

Key findings

Example Findings

Severity	Finding	Why it matters	Recommended action
High	Risky network service publicly reachable	A database or management service (e.g. Redis, RDP) accepts connections from the internet, enabling direct brute force and exploitation attempts.	Restrict access by source IP. Place behind a VPN or bastion. Disable if not required.
High	IP address listed on Spamhaus XBL	The Exploits Block List indicates the IP was observed sending botnet or exploit traffic — a strong indicator of host compromise.	Treat the host as potentially compromised. Investigate, remediate, and request delisting via check.spamhaus.org.
High	Known CVE correlated to service fingerprint	A publicly documented, CVSS-scored vulnerability matches a service version visible from the internet. Tooled exploits likely exist.	Apply vendor patch. Restrict internet access to the service where patching is not immediately possible.
Medium	Admin interface publicly reachable	A management panel is exposed to internet scanning and brute-force attempts without network-level access controls.	Place behind VPN or SSO. Enforce MFA and IP allowlisting.
Medium	Email spoofing protections absent or misconfigured	Weak SPF and unenforced DMARC allow any host to send email impersonating your domain — the primary enabler of BEC and phishing attacks.	Publish a strict SPF record, set DMARC to p=reject, and configure DKIM signing.
Low	TLS certificate expiring within 30 days	An expiring certificate risks service outages and browser trust warnings if not renewed in time.	Renew the certificate and consider automated renewal via Let's Encrypt or your CA's ACME endpoint.
Low	Sensitive file accessible at well-known path	A .env file or .git/ directory is publicly readable, potentially exposing credentials, API keys, or source code.	Remove the file from the web root, audit for credential exposure, and rotate any secrets that may have been disclosed.