ShieldGaps Report – Your Attack Surface in Black and White
External security scan of a domain, clearly prepared for management, data protection and IT.
Overview
You know what happens inside your systems. But do you also know what attackers see from the outside? Forgotten subdomains, outdated CMS installations, exposed panels and third-party service provider systems expand your attack surface every day, usually without anyone documenting it. The ShieldGaps Report makes this attack surface visible for the first time: one-time, passive and legally compliant. We fully scan a domain of your choice, match every finding live against more than 40,000 known vulnerabilities, and deliver a reliable report that translates technical findings into clear business language. No intrusion, no load on your systems, no risk to ongoing operations.
What's included
- Complete attack surface analysis of all externally visible assets: domains, subdomains, services, certificates and panels, collected passively.
- CMS security scan for WordPress, TYPO3, Contao and other systems: plugins, themes, versions, configuration and known vulnerabilities.
- GDPR review of third-party trackers, consent handling and a visitor risk score, making data protection measurable.
- Management summary on a single page: your risk in business language, ready for the leadership team.
- DPO perspective with reference to Article 32 GDPR and the accountability principle.
- Technical appendix with reproducible details, concrete fixes and prioritisation by criticality.
- Export as PDF and SBOM for people as well as for audits and CRA evidence.
- Results consultation to put the findings into context and identify your quick wins.
Who it's for
For managing directors and decision-makers who need to know and document their cyber risk reliably, and for IT and data protection officers who need concrete, actionable findings. Particularly relevant for organisations affected by NIS2, the Cyber Resilience Act or supply chain requirements that must provide verifiable evidence of the state of their external security.
Secure and legally compliant
The scan is non-invasive: no exploits, no load, no intrusion. Operations and data storage are located exclusively in Germany, and the methodology complies with EU and German law, including Section 202a of the German Criminal Code (StGB). Active testing is carried out only with your written authorisation. Results are shared confidentially and exclusively with you.
What we need from you
One domain and your authorisation. Results the same day, instead of after weeks of project work.
Optionally extendable: On request, we close the identified gaps with clearly packaged fix bundles and confirm success with an included re-scan. For ongoing security, we build a continuous attack surface monitoring service from the one-time report.