Skip to content

How Black Cat SSPM maps to NIST CSF 2.0

NIST Cybersecurity Framework 2.0 - voluntary guidance for managing cybersecurity risk

GV — Govern

Establish and monitor the organization's cybersecurity risk management strategy

ID — Identify

Understand the organization's current cybersecurity risks

PR — Protect

Use safeguards to prevent or reduce cybersecurity risk

DE — Detect

Find and analyze possible cybersecurity attacks and compromises

RS — Respond

Take action regarding a detected cybersecurity incident

RC — Recover

Restore assets and operations affected by a cybersecurity incident

GV.RR — Roles, Responsibilities, and Authorities

Cybersecurity roles, responsibilities, and authorities are established

  • Recent Sensitive Change (google_ads)
  • Alert Source Unowned (incidentio)
  • App No Description (slack)
  • Archive Channel Unrestricted (slack)
  • Default Channels Excessive (slack)
  • Display Name Not Validated (slack)
  • Everyone Notify General (slack)
  • Inactive Channel (slack)
  • Message Edit Unrestricted (slack)
  • New User Notification Disabled (slack)
  • Notify Channel Unrestricted (slack)
  • Public Channel Retention Limited (slack)
  • Remove Private Channel Unrestricted (slack)
  • Remove Public Channel Unrestricted (slack)
  • Slackbot Responses Unrestricted (slack)
  • User Groups Unrestricted (slack)
  • Workflow Creation Unrestricted (slack)
  • Channel Without Moderation (teams)
  • Large Team Without Moderation (teams)
  • Meeting Recording Disabled (teams)
  • Message Edit Delete Unrestricted (teams)
  • Team Without Description (teams)
  • Policy Set Empty (terraform_cloud)
  • Policy Set Not Global (terraform_cloud)
  • Policy Set Overridable (terraform_cloud)
  • Sentinel Policy Advisory Only (terraform_cloud)
  • Workspace Auto Apply Enabled (terraform_cloud)
  • Workspace Destroy Plan Allowed (terraform_cloud)

GV.SC — Supply Chain Risk Management

Cyber supply chain risk management processes are established

  • Excessive Applications Installed (box)
  • Unauthorized Application (box)
  • Orb Allowlist Empty (circleci)
  • Bot With Admin (discord)
  • Excessive Integrations (discord)
  • Orphaned Webhook (discord)
  • Webhook Inventory (discord)
  • Connected App with Full Dropbox Access (dropbox)
  • Excessive Connected Apps per Member (dropbox)
  • Custom App Sideloading (teams)
  • Unapproved Third-Party App (teams)

ID.AM — Asset Management

Assets that enable the organization to achieve business purposes are identified and managed

ID.RA — Risk Assessment

The organization understands cybersecurity risks to assets and individuals

  • KMS Separation of Duties Violation (gcp)
  • SA Separation of Duties Violation (gcp)
  • Drive File Stale External Sharing (workspace)
  • Drive File Shared With Personal Email (workspace)
  • Drive File Shared With External Domain (workspace)
  • Drive File External Commenter Access (workspace)
  • Drive User Excessive External Sharing (workspace)

PR.AA — Identity Management, Authentication, and Access Control

Access to assets is limited to authorized users, services, and hardware

PR.DS — Data Security

Data are managed consistent with the organization's risk strategy

PR.IP — Platform Security

Security of technology platforms is managed to protect confidentiality, integrity, and availability

  • Old Service Account Keys (gcp)
  • User Managed Service Account Keys (gcp)
  • Stale API Key (openai)
  • Stale Admin Key (openai)
  • Admin Key Sprawl (openai)
  • SA Key Creation Not Disabled (gcp)
  • SA Key Upload Not Disabled (gcp)
  • Default SA Grant Not Disabled (gcp)
  • Unrestricted API Key (gcp)
  • Stale API Key (gcp)
  • GKE Network Policy Disabled (gcp)
  • GKE Private Cluster Disabled (gcp)
  • GKE Shielded Nodes Disabled (gcp)
  • GKE Release Channel Not Set (gcp)
  • GKE Node Pool Auto-Upgrade Disabled (gcp)
  • GKE Binary Authorization Disabled (gcp)
  • GKE Database Encryption Disabled (gcp)
  • GKE Intranode Visibility Disabled (gcp)
  • DNS DNSSEC Disabled (gcp)
  • DNS DNSSEC RSASHA1 Key-Signing Key (gcp)
  • DNS DNSSEC RSASHA1 Zone-Signing Key (gcp)
  • Cloud Function Plaintext Secrets in Environment (gcp)
  • IP Forwarding Enabled on Instance (gcp)
  • Empty Vault User (1password)
  • Firewall Rule Changed (1password)
  • SSO Disabled (1password)
  • SSO Policy Modified (1password)
  • Signing Key Changed (1password)
  • Default Security Group Has Rules (aws)
  • Default VPC In Use (aws)
  • EC2 IMDSv2 Not Enforced (aws)
  • EC2 Instance Has Public IP (aws)
  • GuardDuty Not Enabled (aws)
  • KMS Key Disabled (aws)
  • KMS Key Pending Deletion (aws)
  • KMS Key Rotation Disabled (aws)
  • RDS Backup Retention Too Short (aws)
  • RDS Publicly Accessible (aws)
  • RDS Storage Not Encrypted (aws)
  • S3 Bucket Encryption Disabled (aws)
  • S3 Bucket Logging Disabled (aws)
  • S3 Bucket Versioning Disabled (aws)
  • Unrestricted Egress (aws)
  • Unrestricted RDP Access (aws)
  • Unrestricted SSH Access (aws)
  • CP Code Unused (akamai)
  • Edge Hostname IPv4 Only (akamai)
  • Group With No Contracts (akamai)
  • Property Caching Disabled (akamai)
  • Property No Origin Failover (akamai)
  • Property Not Locked (akamai)
  • SureRoute Not Enabled (akamai)
  • Archived Workspace Not Deleted (anthropic)
  • Stale Workspace (anthropic)
  • App Service FTP Enabled (azure)
  • App Service HTTP/2 Disabled (azure)
  • App Service HTTPS Disabled (azure)
  • App Service Minimum TLS (azure)
  • App Service Remote Debugging Enabled (azure)
  • Defender App Service Disabled (azure)
  • Defender Containers Disabled (azure)
  • Defender Key Vault Disabled (azure)
  • Defender Resource Manager Disabled (azure)
  • Defender SQL Disabled (azure)
  • Defender Servers Disabled (azure)
  • Defender Storage Disabled (azure)
  • Key Vault Network ACLs Allow (azure)
  • Key Vault No Private Endpoint (azure)
  • Key Vault Purge Protection Disabled (azure)
  • Key Vault Soft Delete Disabled (azure)
  • NSG All Ports Open (azure)
  • NSG Permissive Outbound (azure)
  • NSG UDP Open (azure)
  • NSG Unrestricted RDP (azure)
  • NSG Unrestricted SSH (azure)
  • Network Watcher Disabled (azure)
  • SQL Firewall Allow Azure Services (azure)
  • SQL Firewall Unrestricted (azure)
  • SQL Minimum TLS (azure)
  • SQL TDE Disabled (azure)
  • SQL Threat Detection Disabled (azure)
  • SQL Vulnerability Assessment Disabled (azure)
  • Security Alert Notifications Disabled (azure)
  • Security Auto-Provisioning Disabled (azure)
  • Security Contact Email Missing (azure)
  • Security Contact Phone Missing (azure)
  • Storage Blob Soft Delete Disabled (azure)
  • Storage Container Soft Delete Disabled (azure)
  • Storage HTTPS Not Required (azure)
  • Storage Infrastructure Encryption Disabled (azure)
  • Storage Minimum TLS (azure)
  • Storage Network Default Allow (azure)
  • Storage Shared Key Enabled (azure)
  • Extension With Risky Permissions (chrome_enterprise)
  • Outdated Browser Version (chrome_enterprise)
  • Sideloaded Extension Detected (chrome_enterprise)
  • Config Policies Disabled (circleci)
  • Config Policies Soft Fail (circleci)
  • Forked PR Builds Enabled (circleci)
  • Pipeline Deprecated Image (circleci)
  • Schedule Non-Default Branch (circleci)
  • Stale Runner (circleci)
  • Webhook Insecure URL (circleci)
  • Webhook Unverified TLS (circleci)
  • CORS Allows All Origins (cloudflare_access)
  • Auto Upgrade Disabled (digitalocean)
  • Backups Disabled (digitalocean)
  • Basic Tier (digitalocean)
  • Database No Maintenance Window (digitalocean)
  • Database Single Node (digitalocean)
  • Droplet Powered Off (digitalocean)
  • Email Not Verified (digitalocean)
  • IPv6 Disabled (digitalocean)
  • Kubernetes HA Disabled (digitalocean)
  • Kubernetes No Registry Integration (digitalocean)
  • No Backups (digitalocean)
  • No Droplets Attached (digitalocean)
  • No Garbage Collection (digitalocean)
  • Outdated Kubernetes Version (digitalocean)
  • Outdated Version (digitalocean)
  • Surge Upgrade Disabled (digitalocean)
  • Bulk Recipients Enabled (docusign)
  • No IP Restrictions (docusign)
  • No Signer Certificate Required (docusign)
  • PowerForms Enabled (docusign)
  • Recipient Domain Validation Disabled (docusign)
  • Sign On Paper Enabled (docusign)
  • Signer Reassignment Enabled (docusign)
  • Cloud SQL Backup Not Enabled (gcp)
  • Cloud SQL Instance Has Public IP (gcp)
  • Cloud SQL SSL Not Required (gcp)
  • Default VPC In Use (gcp)
  • Essential Contacts Coverage Incomplete (gcp)
  • Firewall Rule Egress Open to World (gcp)
  • Firewall Rule Exposes Dangerous Port (gcp)
  • Instance Serial Port Enabled (gcp)
  • Shielded VM Disabled (gcp)
  • Actions Allow All External (github)
  • Public Repo Without Security Policy (github)
  • Repo Dependabot Disabled (github)
  • Repo Secret Scanning Disabled (github)
  • Webhook Insecure URL (github)
  • Active Runner Offline (gitlab)
  • Group No IP Restriction (gitlab)
  • Integration Insecure URL (gitlab)
  • No Compliance Framework (gitlab)
  • Project Container Scanning Disabled (gitlab)
  • Project Discussions Not Required (gitlab)
  • Shared Runner Not Locked (gitlab)
  • Broad Mute Timing (grafana)
  • Community Plugin (grafana)
  • Data Source Basic Auth (grafana)
  • Data Source TLS Skip Verify (grafana)
  • Data Source With Credentials (grafana)
  • Direct Access Data Source (grafana)
  • External Contact Point (grafana)
  • No Alert Rules Configured (grafana)
  • Outdated Plugin (grafana)
  • Unsigned Plugin (grafana)
  • Admin Stale Master Password (lastpass)
  • Critically Low Shared Folder Score (lastpass)
  • Empty Vault User (lastpass)
  • Low Shared Folder Security Score (lastpass)
  • Master Password Never Changed (lastpass)
  • Stale Master Password (lastpass)
  • Very Weak Master Password (lastpass)
  • Weak Master Password (lastpass)
  • ActiveSync Integration Enabled for OWA (m365)
  • Admin Malware Notifications Disabled (m365)
  • Anti-Phishing First Contact Tip Disabled (m365)
  • Anti-Phishing Spoof Detection Weak (m365)
  • Blocked File Type Action Not Quarantine (m365)
  • Common Attachment Types Filter Disabled (m365)
  • Common Attachment Types Missing (m365)
  • Comprehensive Spam Marking Disabled (m365)
  • Connection Filter Not Configured (m365)
  • Copilot License Assigned (m365)
  • Customer Lockbox Not Enabled (m365)
  • DMARC Record Missing (m365)
  • Distribution List Hidden From GAL (m365)
  • External Recipient Mail Tips Disabled (m365)
  • Group Naming Convention Not Configured (m365)
  • High Confidence Spam Not Quarantined (m365)
  • Inbound Spam Bulk Threshold Too High (m365)
  • Mail Tips Not Fully Enabled (m365)
  • Mailbox Move Enabled for Org Relationships (m365)
  • Mailbox SMTP Auth Not Disabled (m365)
  • Multi-Tenant App Without Verified Publisher (m365)
  • No File Types Blocked in OWA (m365)
  • No MIME Types Blocked in OWA (m365)
  • OWA Clickjacking Protection Not Set (m365)
  • On-Send Add-ins Enabled in OWA (m365)
  • Outbound Spam Notification Disabled (m365)
  • Outbound Spam Thresholds Not Configured (m365)
  • Remote Domain Auto-Reply Enabled (m365)
  • Remote Domain Delivery Reports Enabled (m365)
  • Remote Domain NDR Enabled (m365)
  • Remote Domain TNEF Enabled (m365)
  • Remote Domain Trusted Inbound Enabled (m365)
  • Remote Domain Trusted Outbound Enabled (m365)
  • Risk-Based Consent Not Configured (m365)
  • SMTP Auth Not Disabled Globally (m365)
  • SPF Hard Fail Not Enabled (m365)
  • SPF Record Missing (m365)
  • Self-Service Subscriptions Enabled (m365)
  • Sensitivity Labels Not Configured (m365)
  • Suspicious Outbound Copy Not Enabled (m365)
  • Transport Rule Deletes Messages (m365)
  • Transport Rule Disabled (m365)
  • Transport Rule Includes BCC (m365)
  • Transport Rule Processes External Sender (m365)
  • Unknown File Types Not Blocked (m365)
  • Unverified Domain (m365)
  • Unverified Federated Domain (m365)
  • Zero-Hour Auto Purge Disabled (m365)
  • Cloud Project Suspended (ovhcloud)
  • Developer Mode Enabled (ovhcloud)
  • IAM Policy No Identities (ovhcloud)
  • Instance In Shelved State (ovhcloud)
  • Instance Rescue Mode (ovhcloud)
  • Instance Using Default Image (ovhcloud)
  • OAuth2 Client No Description (ovhcloud)
  • Active Project Without Users (openai)
  • Disproportionate Output Tokens (openai)
  • Excessive API Request Volume (openai)
  • Project Without Rate Limits (openai)
  • Low Data Retention (snowflake)
  • No Account Resource Monitor (snowflake)
  • No SCIM Configured (snowflake)
  • No SSO Configured (snowflake)
  • Resource Monitor Notify Only (snowflake)
  • SSO Login Page Disabled (snowflake)
  • Warehouse No Auto Resume (snowflake)
  • Warehouse No Auto Suspend (snowflake)
  • Warehouse No Resource Monitor (snowflake)
  • Warehouse Oversized (snowflake)
  • No Client Idle Timeout Configured (teleport)
  • Node Running Outdated Teleport Version (teleport)
  • Trusted Cluster Is Disabled (teleport)
  • Organization Default Execution Mode Local (terraform_cloud)
  • Organization Force Delete Allowed (terraform_cloud)
  • Variable Set Priority Override (terraform_cloud)
  • Workspace Drift Detection Disabled (terraform_cloud)
  • Workspace No VCS Connection (terraform_cloud)
  • Workspace Outdated Terraform Version (terraform_cloud)
  • Deployment Protection Disabled (vercel)
  • Domain Expiring Soon (vercel)
  • Fork Protection Disabled (vercel)
  • Insecure Log Drain (vercel)
  • No Target Restriction (vercel)
  • SSL Not Verified (vercel)
  • Stale Integration (vercel)
  • Strict Deployment Protection Disabled (vercel)
  • Broken Connection (workato)
  • Collaborator Group No Description (workato)
  • Connection to Sensitive Provider (workato)
  • Recipe Excessive Application Integrations (workato)
  • Stale Connection (workato)
  • Workspace Recipe Limit (workato)
  • Automatic Email Forwarding Enabled (workspace)
  • DKIM Not Configured (workspace)
  • Domain Not Verified (workspace)
  • Gemini Not Licensed (workspace)
  • Group Spam Moderation Disabled (workspace)
  • IMAP Access Enabled (workspace)
  • POP Access Enabled (workspace)
  • Shared Drive Folder Sharing Unrestricted (workspace)
  • Shared Drive No Admin Restrictions (workspace)
  • Chat File Transfer Enabled (zoom)
  • Cloud Recording No Auto-Delete (zoom)
  • Local Recording Enabled (zoom)
  • No Meeting Password Required (zoom)
  • Unauthenticated Join Allowed (zoom)
  • Waiting Room Disabled (zoom)
  • Weak Password Policy (zoom)

PR.IR — Technology Infrastructure Resilience

Security architectures are managed to protect asset confidentiality, integrity, and availability

  • Account Protection Disabled (akamai)
  • Bot Management Disabled (akamai)
  • DNSSEC Not Enabled (akamai)
  • Geo Firewall Not Configured (akamai)
  • IP Firewall Not Configured (akamai)
  • Primary Zone No Secondary (akamai)
  • Rate Control Threshold Too Permissive (akamai)
  • Rate Controls Disabled (akamai)
  • SOA Serial Stale (akamai)
  • Slow POST Protection Disabled (akamai)
  • TSIG Not Enabled (akamai)
  • WAF In Alert-Only Mode (akamai)
  • WAF Policy Alert-Only Mode (akamai)
  • WAF Policy Excessive Exceptions (akamai)
  • Zone Transfer Unrestricted (akamai)
  • Safe Browsing Disabled (chrome_enterprise)
  • Allows All Inbound (digitalocean)
  • Allows All Outbound (digitalocean)
  • Default VPC Used (digitalocean)
  • No Firewall (digitalocean)
  • No VPC (digitalocean)
  • Publicly Accessible (digitalocean)
  • SSH Open To All (digitalocean)
  • IP Allowlist Disabled (incidentio)
  • Instance Has Public IP (ovhcloud)
  • Integration No Network Policy (snowflake)
  • Network Policy No Blocklist (snowflake)
  • Network Policy Wildcard (snowflake)
  • No Network Policy (snowflake)
  • No Network Restrictions Configured (teleport)
  • Overly Broad Network Allow Rule (teleport)
  • Agent Pool Organization Scoped (terraform_cloud)
  • Notification No HMAC Token (terraform_cloud)
  • Run Task Advisory Enforcement (terraform_cloud)
  • Run Task No HMAC Key (terraform_cloud)
  • SSH Key Present (terraform_cloud)
  • VCS Connection Organization Scoped (terraform_cloud)

DE.CM — Continuous Monitoring

Assets are monitored to find anomalies, indicators of compromise, and other events

  • WAF Disabled (cloudflare)
  • Browser Integrity Check Disabled (cloudflare)
  • Public Firewall Rule (gcp)
  • OAuth App AI With Data Scopes (workspace)
  • Sensitive Audit Event (openai)
  • Usage Anomaly (openai)
  • Audit Logging Not Enabled (gcp)
  • Data Access Logs Incomplete (gcp)
  • Security Contact Missing (gcp)
  • GKE Logging Disabled (gcp)
  • Cloud Logging Sink Missing (gcp)
  • Log Metric for Project Ownership Missing (gcp)
  • Log Metric for Audit Config Changes Missing (gcp)
  • Log Metric for Custom Role Changes Missing (gcp)
  • DNS Logging Disabled (gcp)
  • Cloud Function Public Ingress (gcp)
  • Cloud Run Service Public Ingress (gcp)
  • MySQL skip_show_database Not Enabled (gcp)
  • MySQL local_infile Enabled (gcp)
  • PostgreSQL log_connections Not Enabled (gcp)
  • PostgreSQL log_disconnections Not Enabled (gcp)
  • PostgreSQL log_min_messages Below WARNING (gcp)
  • PostgreSQL log_min_error_statement Above ERROR (gcp)
  • PostgreSQL log_min_duration_statement Not Disabled (gcp)
  • PostgreSQL pgaudit Extension Not Enabled (gcp)
  • Master Password Changed (1password)
  • AWS Config Not Recording (aws)
  • CloudTrail Data Events Disabled (aws)
  • CloudTrail Log Validation Disabled (aws)
  • CloudTrail Not Logging (aws)
  • CloudTrail Not Multi-Region (aws)
  • VPC Flow Logs Disabled (aws)
  • Alert Disabled (azure)
  • Alert NSG Create Missing (azure)
  • Alert NSG Delete Missing (azure)
  • Alert Policy Assignment Missing (azure)
  • Alert SQL Firewall Missing (azure)
  • Alert Security Solution Create Missing (azure)
  • Alert Security Solution Delete Missing (azure)
  • App Service Logging Disabled (azure)
  • Diagnostic Retention Short (azure)
  • Key Vault Diagnostic Logging Disabled (azure)
  • NSG Flow Logs Disabled (azure)
  • SQL Audit Retention Short (azure)
  • SQL Auditing Disabled (azure)
  • Modifiable Retention Policy (box)
  • No Indefinite Retention Policies (box)
  • No Retention Policies Defined (box)
  • Permanent Delete Disposition Action (box)
  • Retired Retention Policy (box)
  • Short Retention Period (box)
  • Audit Log Retention Period (datadog)
  • Audit Logging Disabled (datadog)
  • Monitoring Disabled (digitalocean)
  • Office Add-in Disabled (dropbox)
  • Suspended Member Not Removed (dropbox)
  • Subnet Flow Logs Disabled (gcp)
  • Global Mailbox Auditing Disabled (m365)
  • Mailbox Audit Bypass Configured (m365)
  • Mailbox Auditing Disabled (m365)
  • Non-Shared Mailbox Audit Bypass (m365)
  • Shared Mailbox Sent-As Not Audited (m365)
  • Shared Mailbox Sent-On-Behalf Not Audited (m365)
  • Unified Audit Log Not Enabled (m365)
  • User Mailbox Auditing Disabled (m365)
  • Audit Log Using Local Filesystem Storage (teleport)
  • Proxy Host Key Checks Disabled (teleport)
  • Role Disables Session Recording (teleport)
  • Session Recording Disabled (teleport)
  • Session Recording in Async Mode (teleport)
  • Session Recording in Proxy Mode (teleport)
  • Log Drain Disabled (vercel)
  • No Log Drain (vercel)

DE.AE — Adverse Event Analysis

Anomalies, indicators of compromise, and other potentially adverse events are analyzed

  • Alert Policy Disabled (gcp)
  • Alert Policy Has No Notification Channels (gcp)
  • Log Metric Project Ownership Alert Missing (gcp)
  • Log Metric Audit Config Alert Missing (gcp)
  • Log Metric Custom Role Alert Missing (gcp)

RS.MA — Incident Management

Responses to detected cybersecurity incidents are managed

  • Alert Source No Auto-Resolve (incidentio)
  • Escalation Path Shallow (incidentio)
  • Schedule No Holiday Configuration (incidentio)
  • Schedule Without Active Shift (incidentio)
  • Single Responder Escalation (incidentio)
  • Single Rotation Schedule (incidentio)
  • Workflow Disabled or Error (incidentio)
  • Workflow Ignores Step Errors (incidentio)
  • Escalation Policy Without Loops (pagerduty)
  • Escalation Policy Without Schedule (pagerduty)
  • Possibly Abandoned Service (pagerduty)
  • Service Without Auto-Resolve (pagerduty)
  • Service Without Escalation Policy (pagerduty)
  • Single User Escalation Rule (pagerduty)
  • Single User Schedule (pagerduty)

RC.RP — Incident Recovery Plan Execution

Restoration activities are performed to ensure operational availability

PR.AA-01 — Identities and credentials managed

Identities and credentials for authorized users, services, and hardware are managed

  • Dormant Accounts (okta)
  • Super Admin Count Excessive (okta)
  • Super Admin Count Excessive (workspace)
  • Super Admin Count Excessive (cloudflare)
  • Super Admin Redundancy Missing (okta)
  • Super Admin Redundancy Missing (workspace)
  • Super Admin Redundancy Missing (cloudflare)
  • OAuth App Inactive With Grants (okta)
  • Inactive User (openai)
  • Excessive Organization Owners (openai)
  • Long Session Duration (cloudflare_access)
  • No Clickjack Protection (salesforce)
  • Session Timeout Too Long (salesforce)

PR.AA-02 — Identities are proofed and bound

Identities are proofed and bound to credentials based on context of interactions

  • SSO Not Configured (workspace)
  • SSO Not Configured (cloudflare)
  • SSO Not Configured (atlassian)

PR.AA-03 — Users, services, and hardware authenticated

Users, services, and hardware are authenticated

  • Admin Without MFA (okta)
  • MFA Not Enrolled (okta)
  • MFA Not Enabled (cloudflare)
  • Admin Without 2-Step Verification (workspace)
  • Two-Factor Enforcement Disabled (cloudflare)
  • User 2-Step Verification Not Enforced (workspace)
  • Weak Password Policy (okta)
  • MFA Disabled (1password)
  • MFA Status Unknown (1password)
  • Sign-in Without MFA (1password)
  • Root Account MFA Not Enabled (aws)
  • User MFA Not Enabled (aws)
  • User MFA Not Enabled (akamai)
  • Two-Step Verification Not Enforced (atlassian)
  • User Without MFA (atlassian)
  • Password Manager Disabled (chrome_enterprise)
  • No MFA Requirement (cloudflare_access)
  • No SAML or OIDC Provider (cloudflare_access)
  • One-Time PIN Only Authentication (cloudflare_access)
  • Member Without 2FA (github)
  • Org 2FA Not Required (github)
  • Group 2FA Grace Period Too Long (gitlab)
  • Group 2FA Not Enforced (gitlab)
  • Member Without 2FA (gitlab)
  • Admin Without MFA (lastpass)
  • MFA Not Enabled (lastpass)
  • CA MFA Not Enforced (m365)
  • Guest Email OTP Not Enabled (m365)
  • MFA Registration Not Restricted (m365)
  • MFA Suspicious Activity Reporting Disabled (m365)
  • Weak Authentication Factors Enabled (m365)
  • Phishing Resistant Auth Policies (okta)
  • Phishing Resistant MFA Factors (okta)
  • Session MFA Not Required (okta)
  • Advanced Permissions Disabled (pagerduty)
  • SSO Disabled (pagerduty)
  • Admin Without MFA (salesforce)
  • High Failed Logins (salesforce)
  • User Without MFA (salesforce)
  • Weak Password Policy (salesforce)
  • Staff MFA Disabled (shopify)
  • MFA Not Required (slack)
  • User No MFA (slack)
  • Authentication Policy No MFA (snowflake)
  • MFA Not Enabled (snowflake)
  • Admin Action MFA Not Enforced (teleport)
  • Cluster MFA Disabled (teleport)
  • Device Trust Disabled (teleport)
  • Expired Certificate Disconnect Disabled (teleport)
  • Local Auth Enabled With SSO (teleport)
  • Local User Has No MFA Device (teleport)
  • Passwordless Without Hardware Key Policy (teleport)
  • Role Does Not Require Session MFA (teleport)
  • Session MFA Not Enforced (teleport)
  • TOTP Without WebAuthn (teleport)
  • User Uses Only TOTP for MFA (teleport)
  • Admin 2-Step Verification Not Enforced (workspace)
  • Delegated Admin Without 2-Step Verification (workspace)
  • User Without 2-Step Verification (workspace)
  • Admin Without MFA (zoom)
  • User Without MFA (zoom)

PR.AA-05 — Access permissions managed

Access permissions, entitlements, and authorizations are managed

  • Overly Permissive IAM Binding (gcp)
  • SA Impersonation Role Binding (gcp)
  • Excessive Project Owners (gcp)
  • Owner Role Group Assignment (gcp)
  • Privileged Service Account Binding (gcp)
  • External Account Member (cloudflare)
  • Group Allows External Members (workspace)
  • OAuth App Critical Scopes (workspace)
  • OAuth App Broad Scopes (okta)
  • OAuth App With Restricted Scopes Widely Authorized (workspace)
  • Org-Level Owner Binding (gcp)
  • Org-Level Editor Binding (gcp)
  • External Members at Org Level (gcp)
  • GKE Legacy ABAC Enabled (gcp)
  • GKE Workload Identity Disabled (gcp)
  • GKE Master Authorized Networks Disabled (gcp)
  • Cloud Function Default Service Account (gcp)
  • Instance Uses Full Cloud-Platform API Scope (gcp)
  • Instance Does Not Block Project-Wide SSH Keys (gcp)
  • OS Login Disabled on Instance (gcp)
  • Drive External Sharing Enabled (workspace)
  • Drive Link Sharing Anyone (workspace)
  • Drive Sharing Outside Organization (workspace)
  • Drive External Shared Drives Allowed (workspace)
  • Drive File External Edit Access (workspace)
  • Drive File Owner Is External (workspace)
  • Drive Shared Drive Has External Members (workspace)
  • Drive File Excessive Permissions (workspace)
  • Drive File Broad Internal Sharing (workspace)
  • Drive Shared Drive Creation Unrestricted (workspace)
  • Dormant User (1password)
  • Failed Sign-in Attempt (1password)
  • Failed Sign-in From Untrusted Location (1password)
  • Service Account Token Created (1password)
  • Sign-in From Untrusted Location (1password)
  • Suspended User Activity (1password)
  • Suspended User Not Removed (1password)
  • Inactive IAM Users (aws)
  • Old Access Keys Not Rotated (aws)
  • Overly Permissive IAM Policy (aws)
  • Password Never Used (aws)
  • Password Policy Expiration Too Long (aws)
  • Root Access Key Exists (aws)
  • Unused Access Keys (aws)
  • Weak Password Policy (aws)
  • API Client Broad Access (akamai)
  • API Client Credentials Near Expiry (akamai)
  • API Client Inactive (akamai)
  • Custom Role With Admin Permissions (akamai)
  • User Account Locked (akamai)
  • User All Groups Access (akamai)
  • User Inactive (akamai)
  • API Key Created By Non-User (anthropic)
  • Admin Invite Pending Review (anthropic)
  • Admin Redundancy Missing (anthropic)
  • Dormant Member (anthropic)
  • Excessive Org Admins (anthropic)
  • Excessive Workspace Admins (anthropic)
  • Expired Invite Not Cleaned (anthropic)
  • Inactive API Key Not Removed (anthropic)
  • Managed User Review (anthropic)
  • Stale API Key (anthropic)
  • Stale Invite (anthropic)
  • Unscoped API Key (anthropic)
  • Unscoped Admin (anthropic)
  • Workspace Single Admin (anthropic)
  • API Token Older Than 90 Days (atlassian)
  • External User With Product Access (atlassian)
  • Inactive User (atlassian)
  • Jira Project Permissive Default Roles (atlassian)
  • Session Duration Excessive (atlassian)
  • Suspended User With Access (atlassian)
  • User Dual Admin Role (atlassian)
  • User With Multiple API Tokens (atlassian)
  • App Service Auth Disabled (azure)
  • App Service Managed Identity Disabled (azure)
  • Classic Administrators (azure)
  • Custom Admin Roles (azure)
  • Guest Privileged Role (azure)
  • Key Vault RBAC Not Enabled (azure)
  • Owner Count Exceeded (azure)
  • SQL AD Admin Not Configured (azure)
  • Excessive Admin Users (box)
  • External Collaboration Not Restricted (box)
  • Inactive User Account (box)
  • No Device Pins Configured (box)
  • Platform Access Only Admin (box)
  • User Exempt from Device Limits (box)
  • User Exempt from Login Verification (box)
  • Download Restrictions Not Set (chrome_enterprise)
  • Incognito Mode Allowed (chrome_enterprise)
  • Stale Browser (90+ Days Inactive) (chrome_enterprise)
  • Unmanaged Browser (30+ Days Inactive) (chrome_enterprise)
  • No Groups Defined (circleci)
  • OIDC Not Configured (circleci)
  • Unrestricted Context (circleci)
  • User Checkout Key (circleci)
  • Application Allows All IdPs (cloudflare_access)
  • Application Without Policies (cloudflare_access)
  • Bypass Decision Policy (cloudflare_access)
  • Group Includes Everyone (cloudflare_access)
  • Group With Empty Include Rules (cloudflare_access)
  • No Purpose Justification (cloudflare_access)
  • Policy Allows Everyone (cloudflare_access)
  • Single Identity Provider (cloudflare_access)
  • Admin Redundancy (datadog)
  • Application Key Write Scopes (datadog)
  • Dashboard Permissions Open (datadog)
  • Excessive Admins (datadog)
  • External Admin (datadog)
  • External Admin Service Account (datadog)
  • SSO Disabled (datadog)
  • SSO Not Enforced (datadog)
  • Service Account Custom Role (datadog)
  • Kubernetes SSO Not Enabled (digitalocean)
  • Weak SSH Key (digitalocean)
  • Channel Everyone Overwrite (discord)
  • Everyone Role Has Dangerous Permissions (discord)
  • Excessive Admin Roles (discord)
  • Excessive Admins (discord)
  • Low Verification Level (discord)
  • MFA Not Required for Admins (discord)
  • Member Verification Gate Disabled (discord)
  • Overly Permissive Channel (discord)
  • Permanent Invite (discord)
  • Role Can Mention Everyone (discord)
  • Role Has Administrator Permission (discord)
  • Role Has Dangerous Permissions (discord)
  • Unlimited Use Invite (discord)
  • Excessive Admins (docusign)
  • Inactive User With Access (docusign)
  • Long Mobile Session Timeout (docusign)
  • Long Signing Session Timeout (docusign)
  • Long Web Session Timeout (docusign)
  • No Account Lockout (docusign)
  • No Password Expiration (docusign)
  • No SSO Configured (docusign)
  • Overly Broad Permission Profile (docusign)
  • SSO Not Mandatory (docusign)
  • Unclaimed Domain (docusign)
  • User Without Group (docusign)
  • Weak Password Length (docusign)
  • Weak Password Strength (docusign)
  • EMM Not Required (dropbox)
  • Email Not Verified (dropbox)
  • Excessive Admin Users (dropbox)
  • Excessive Device Sessions (dropbox)
  • Group Creation Unrestricted (dropbox)
  • Inactive Member Account (dropbox)
  • Stale Desktop Session (dropbox)
  • Stale Pending Invite (dropbox)
  • Stale Web Session (dropbox)
  • Instance Uses Default Service Account (gcp)
  • Org Default Permission Too Permissive (github)
  • Repo Branch Protection Disabled (github)
  • Stale Organization Member (github)
  • Deactivated Member Not Removed (gitlab)
  • Group Membership Unlocked (gitlab)
  • Pending Invitation Not Accepted (gitlab)
  • Project Branch Protection Disabled (gitlab)
  • Project Force Push Allowed (gitlab)
  • Project Merge Approvals Disabled (gitlab)
  • Project No Code Owner Approval (gitlab)
  • Email-Only User Access (google_ads)
  • Excessive Admin Users (google_ads)
  • Stale Pending Invitation (google_ads)
  • Stale User Access (google_ads)
  • Admin Without Recent Activity (grafana)
  • Basic Auth Enabled With SSO (grafana)
  • Disabled Service Account With Tokens (grafana)
  • Dormant User (grafana)
  • Excessive Admins (grafana)
  • Non-Expiring Service Account Token (grafana)
  • SSO Disabled (grafana)
  • Service Account Admin Role (grafana)
  • Single SSO Provider (grafana)
  • Access Policy Without IP Restriction (grafana_cloud)
  • Cloud Wildcard Access Policy (grafana_cloud)
  • Excessive Cloud Admins (grafana_cloud)
  • Overly Permissive Access Policy (grafana_cloud)
  • Excessive Admins (incidentio)
  • Single Account Owner (incidentio)
  • User No Slack Linked (incidentio)
  • User Without Base Role (incidentio)
  • Workflow Accesses Private Data (incidentio)
  • Admin Dormant (lastpass)
  • Admin Never Logged In (lastpass)
  • Disabled Account Not Removed (lastpass)
  • Dormant Account (lastpass)
  • Excessive Shared Folder Admins (lastpass)
  • Never Logged In Account (lastpass)
  • Shared Folder All Admin (lastpass)
  • Shared Folder Excessive Users (lastpass)
  • Shared Folder No Read-Only Users (lastpass)
  • Shared Folder Single Admin (lastpass)
  • ActiveSync Does Not Block Unmanaged Devices (m365)
  • Admin Consent Requests Disabled (m365)
  • App Certificate Credentials Expiring Soon (m365)
  • App Expired Certificate Credentials (m365)
  • App Expired Password Credentials (m365)
  • App Long-Lived Certificate Credentials (m365)
  • App Long-Lived Password Credentials (m365)
  • App Password Credentials Expiring Soon (m365)
  • App Using Password Credentials (m365)
  • Auth Methods Migration Incomplete (m365)
  • CA Block High Risk Users Missing (m365)
  • CA Block Risky Sign-ins Missing (m365)
  • CA Compliant Devices Not Required (m365)
  • CA Device Code Flow Not Blocked (m365)
  • CA Legacy Auth Not Blocked (m365)
  • CA Session Duration Not Set (m365)
  • Copilot License on Guest User (m365)
  • Custom Banned Passwords Not Enforced (m365)
  • Direct File Access on Public Computers (m365)
  • Excessive Global Administrators (m365)
  • External Users With Admin Role (m365)
  • Global Admin Not Cloud-Only (m365)
  • Global Admin Redundancy Missing (m365)
  • Guest Access to Groups Not Restricted (m365)
  • Guest Group Privileges Not Restricted (m365)
  • Guest Invitation Not Restricted (m365)
  • Guest User Permissions Not Restricted (m365)
  • Guest Users Present (m365)
  • Lockout Duration Too Short (m365)
  • M365 Group Creation Not Restricted (m365)
  • MSOL PowerShell Not Blocked (m365)
  • Mobile Device Allows Non-Provisionable (m365)
  • OAuth App AI With Data Scopes (m365)
  • OWA Session Timeout Disabled (m365)
  • Password Expiration Policy Enabled (m365)
  • Password Lockout Threshold Too High (m365)
  • Password Protection Mode Audit Only (m365)
  • Password Protection On-Prem Disabled (m365)
  • SP Certificate Credentials Expiring Soon (m365)
  • SP Expired Certificate Credentials (m365)
  • SP Expired Password Credentials (m365)
  • SP Long-Lived Certificate Credentials (m365)
  • SP Long-Lived Password Credentials (m365)
  • SP Password Credentials Expiring Soon (m365)
  • SP Using Password Credentials (m365)
  • Self-Service Sign Up Enabled (m365)
  • Shared Mailbox Sign-In Enabled (m365)
  • TAP Character Length Too Short (m365)
  • TAP Enabled for All Users (m365)
  • TAP Global Policy Enabled (m365)
  • TAP Maximum Lifetime Too Long (m365)
  • TAP Not One-Time Use (m365)
  • User Consent to Apps Not Restricted (m365)
  • Users Can Create Security Groups (m365)
  • Users Can Create Tenants (m365)
  • Users Can Install Outlook Add-ins (m365)
  • Users Can Register Applications (m365)
  • WAC Viewing on Public Computers (m365)
  • Bot Without Description (notion)
  • Broad Integration Capabilities (notion)
  • Guest User Sprawl (notion)
  • Inactive Member (notion)
  • Member Without Email (notion)
  • Stale Integration (notion)
  • Unrestricted Integration (notion)
  • API Credential Never Used (ovhcloud)
  • API Credential No Expiry (ovhcloud)
  • API Credential No IP Restriction (ovhcloud)
  • API Credential OVH Support Access (ovhcloud)
  • API Credential Overly Permissive (ovhcloud)
  • Excessive OAuth2 Clients (ovhcloud)
  • IAM Policy Excessive Identities (ovhcloud)
  • IAM Policy Wildcard Actions (ovhcloud)
  • IAM Policy Wildcard Resources (ovhcloud)
  • Identity User Disabled Not Removed (ovhcloud)
  • Identity User MFA Not Enabled (ovhcloud)
  • Identity User No Group (ovhcloud)
  • Identity User Password Never Changed (ovhcloud)
  • MFA Not Enabled (ovhcloud)
  • No IP Restrictions (ovhcloud)
  • Only SMS MFA Enabled (ovhcloud)
  • SSH Key Size Too Small (ovhcloud)
  • Weak SSH Key Algorithm (ovhcloud)
  • Access Policy Default Not Deny (okta)
  • App Not Using Federated Auth (okta)
  • App With Individual User Assignments (okta)
  • Dormant Super Admins (okta)
  • OAuth App AI With Broad Access (okta)
  • Session Idle Timeout Too Long (okta)
  • Session Lifetime Too Long (okta)
  • Super Admin API Tokens (okta)
  • Weak Account Lockout (okta)
  • API Key Non-User Owner (openai)
  • Admin Key Non-User Owner (openai)
  • Disabled User Not Removed (openai)
  • Excessive Project API Keys (openai)
  • Excessive Service Accounts (openai)
  • Orphaned Service Account (openai)
  • Owner Redundancy Missing (openai)
  • Project With Only Service Accounts (openai)
  • Stale Service Account (openai)
  • Excessive Admins (pagerduty)
  • Single Account Owner (pagerduty)
  • Unassigned User (pagerduty)
  • API Access Review (salesforce)
  • Excessive Modify All Data (salesforce)
  • Frozen Active User (salesforce)
  • Inactive Admin (salesforce)
  • Permission Set Modify All Data (salesforce)
  • Default Role Not Member (sentry)
  • Dormant User (sentry)
  • Excessive Admins (sentry)
  • Old Pending Invite (sentry)
  • SSO Disabled (sentry)
  • Excessive API Scopes (shopify)
  • Excessive Admins (shopify)
  • Staff Unrestricted Permissions (shopify)
  • Analytics Not Admin Only (slack)
  • App Management Unrestricted (slack)
  • Desktop Session Unlimited (slack)
  • Excessive Admins (slack)
  • Excessive Owners (slack)
  • External Admin (slack)
  • Guest Multi Channel (slack)
  • Guest Slash Commands (slack)
  • App Approval Not Required (slack)
  • Invite Approval Disabled (slack)
  • Marketplace Apps Not Required (slack)
  • Mobile Session Unlimited (slack)
  • Owner Redundancy (slack)
  • Public Channel Creation Unrestricted (slack)
  • SSO Disabled (slack)
  • SSO Display Name Change Allowed (slack)
  • SSO Email Change Allowed (slack)
  • SSO Not Enforced (slack)
  • Shared Channels Unrestricted (slack)
  • Slack Connect DM Unrestricted (slack)
  • TLS Email Invites Disabled (slack)
  • ACCOUNTADMIN Default Role (snowflake)
  • ACCOUNTADMIN Excessive Grants (snowflake)
  • Disabled User With Active Grants (snowflake)
  • Dormant User (snowflake)
  • Excessive Admin Roles (snowflake)
  • No Separation Of Duties (snowflake)
  • OAuth Integration Permissive (snowflake)
  • Password Only Auth (snowflake)
  • Service Account Password Auth (snowflake)
  • User Not Disabled (snowflake)
  • Weak Password Policy (snowflake)
  • Anonymous Meeting Join Enabled (teams)
  • Excessive Team Owners (teams)
  • Guest Access Overly Permissive (teams)
  • Guest Members in Team (teams)
  • Lobby Bypass for Everyone (teams)
  • Auth Connector Has Broad Claim Mapping (teleport)
  • Auth Connector Has No Role Mappings (teleport)
  • Auth Connector Maps Claims to Admin Role (teleport)
  • GitHub Connector Maps All Teams (teleport)
  • Local User Has No SSO Identity (teleport)
  • Role Allows Impersonation (teleport)
  • Role Enables SSH Agent Forwarding (teleport)
  • Role Has Broad Admin RBAC Rules (teleport)
  • Role Has Unlimited Session TTL (teleport)
  • Role Has Wildcard App Labels (teleport)
  • Role Has Wildcard Database Labels (teleport)
  • Role Has Wildcard Kubernetes Labels (teleport)
  • Role Has Wildcard Node Labels (teleport)
  • Token Grants Admin Role (teleport)
  • Token Grants Auth System Role (teleport)
  • Token Has No Expiry (teleport)
  • Token Uses Static Join Method (teleport)
  • Trusted Cluster Has Broad Role Map (teleport)
  • User Account Is Locked (teleport)
  • User Has Admin Role (teleport)
  • User Has Excessive Roles (teleport)
  • Organization 2FA Not Enforced (terraform_cloud)
  • Organization SAML Not Enabled (terraform_cloud)
  • Organization Session Timeout Too Long (terraform_cloud)
  • Team Excessive Permissions (terraform_cloud)
  • Team Secret Visibility (terraform_cloud)
  • Team Workspace Admin Access (terraform_cloud)
  • User 2FA Not Enabled (terraform_cloud)
  • User Pending Invitation (terraform_cloud)
  • Access Group Empty (vercel)
  • Auto Join Enabled (vercel)
  • Excessive Members (vercel)
  • Excessive Owners (vercel)
  • Member Unconfirmed (vercel)
  • Non-SSO Member (vercel)
  • Overly Broad Access (vercel)
  • Overprivileged Integration (vercel)
  • Project No Deployment Protection (vercel)
  • SSO Not Enforced (vercel)
  • Token No Expiration (vercel)
  • Token Overprivileged (vercel)
  • Token Stale (vercel)
  • API Client No IP Restriction (workato)
  • API Endpoint Inactive (workato)
  • API Platform Client Excessive Keys (workato)
  • Excessive API Clients (workato)
  • Excessive Admins (workato)
  • Inactive Member (workato)
  • No Custom Roles (workato)
  • Overprivileged Member (workato)
  • Workspace Single Admin (workato)
  • Admin With App Password (workspace)
  • Dormant Users (workspace)
  • Never Logged In Users (workspace)
  • OAuth App With Restricted Scopes (workspace)
  • User With App Password (workspace)
  • Excessive Admins (zoom)
  • Inactive User (zoom)
  • SSO Not Enforced (zoom)

PR.DS-01 — Data-at-rest protected

The confidentiality, integrity, and availability of data-at-rest are protected

  • Public Storage Bucket (gcp)
  • Bucket Versioning Disabled (gcp)
  • Bucket Uniform Access Disabled (gcp)
  • Cloud KMS Key Publicly Accessible (gcp)
  • Cloud KMS Key Rotation Period Exceeds 90 Days (gcp)
  • Cloud KMS Encryption Key Has No Rotation Schedule (gcp)
  • Cloud KMS Key Primary Version Not Active (gcp)
  • Cloud KMS Key Uses Software Protection Level (gcp)
  • Secret Manager Secret Publicly Accessible (gcp)
  • Secret Manager Secret Has No Rotation (gcp)
  • Secret Manager Secret Has No Versioning (gcp)
  • BigQuery Dataset Public Access (gcp)
  • Cloud SQL Authorized Networks Open to World (gcp)
  • Legacy VPC Network In Use (gcp)
  • Drive File Public Sharing (workspace)
  • Drive File Publicly Indexed (workspace)
  • Drive File Link Sharing Enabled (workspace)
  • Drive File Org-Wide Link Sharing (workspace)
  • Drive Publish to Web Allowed (workspace)
  • Vault Exported (1password)
  • S3 Bucket Policy Public (aws)
  • S3 Bucket Public Access Not Blocked (aws)
  • Confluence Space Anonymous Access (atlassian)
  • Confluence Space Public Links (atlassian)
  • Jira Project Public Access (atlassian)
  • Key Vault Key No Expiry (azure)
  • Key Vault Secret No Expiry (azure)
  • Storage Key Not Rotated (azure)
  • Storage Public Blob Access (azure)
  • Bidirectional Collaboration Whitelist (box)
  • Broad Inbound Collaboration Whitelist (box)
  • No Collaboration Whitelist Entries (box)
  • Excessive Env Vars (circleci)
  • Pipeline Hardcoded Secrets (circleci)
  • Expired Service Token Not Deleted (cloudflare_access)
  • Service Token Without Expiry (cloudflare_access)
  • Stale Service Token (cloudflare_access)
  • Dashboard Public Sharing (datadog)
  • Dashboard Public URL (datadog)
  • Unused API Key (datadog)
  • Plain Text Env Var (digitalocean)
  • Content Filter Not Full (discord)
  • Guild Publicly Discoverable (discord)
  • NSFW Channel (discord)
  • No AutoMod Rules (discord)
  • No Keyword Filtering (discord)
  • No Mention Spam Protection (discord)
  • No Spam Protection (discord)
  • Widget Enabled (discord)
  • External Folder Join Unrestricted (dropbox)
  • Folder Link Restriction Not Enforced (dropbox)
  • Public Shared Links Allowed by Default (dropbox)
  • Shared Folders Open to Anyone (dropbox)
  • Group Forking Allowed Outside (gitlab)
  • Group Public Visibility (gitlab)
  • Group Sharing Outside Organization (gitlab)
  • Group Sharing Unlocked (gitlab)
  • Public Project (gitlab)
  • Active External Data Link (google_ads)
  • Overly Permissive Dashboard (grafana)
  • Overly Permissive Folder (grafana)
  • Public Dashboard (grafana)
  • Dormant Cloud Token (grafana_cloud)
  • Excessive Tokens Per Policy (grafana_cloud)
  • Non-Expiring Cloud Token (grafana_cloud)
  • Recently Created Token Without Use (grafana_cloud)
  • Token With Wildcard Policy (grafana_cloud)
  • Public Status Page (incidentio)
  • Default Calendar Sharing Too Permissive (m365)
  • Default Group Access Public (m365)
  • Default Sharing Policy Allows External (m365)
  • Distribution Group Open Join Policy (m365)
  • Distribution List Allows External Senders (m365)
  • External Forwarding on Mailbox (m365)
  • Forwarding Address Configured (m365)
  • Forwarding SMTP to External (m365)
  • Guest Access to Group Content Not Restricted (m365)
  • LinkedIn Integration Enabled in OWA (m365)
  • Mailbox Delivers to Both Mailbox and Forward (m365)
  • Mobile Contact Sync Enabled in OWA (m365)
  • Organization Sharing Enabled (m365)
  • Outbound Spam External Forwarding Allowed (m365)
  • Public Microsoft 365 Group (m365)
  • Remote Domain Auto-Forwarding Allowed (m365)
  • Sharing Policy Allows External Domains (m365)
  • Transport Rule Forwards Outside Org (m365)
  • Transport Rule Redirects Externally (m365)
  • Export Enabled (notion)
  • External Guest Access (notion)
  • Guest Invitations Enabled (notion)
  • Public Sharing Enabled (notion)
  • Publicly Shared Database (notion)
  • Publicly Shared Page (notion)
  • Stale Public Page (notion)
  • Storage Container No Lifecycle (ovhcloud)
  • Storage Container Permissive CORS (ovhcloud)
  • Storage Container Public (ovhcloud)
  • Storage Container Versioning Disabled (ovhcloud)
  • Public Sharing Model (salesforce)
  • Data Scrubber Defaults Disabled (sentry)
  • Data Scrubber Disabled (sentry)
  • Debug Files Access (sentry)
  • Enhanced Privacy Disabled (sentry)
  • Event Attachments Access (sentry)
  • Open Membership (sentry)
  • Shared Issues Enabled (sentry)
  • Password Protection Disabled (shopify)
  • Webhook External Destination (shopify)
  • Webhook Using HTTP (shopify)
  • Public File Sharing (slack)
  • No Storage Integration Required (snowflake)
  • Outbound Share Review (snowflake)
  • Share To Many Accounts (snowflake)
  • Unload To Inline URL (snowflake)
  • Unload To Internal Stages (snowflake)
  • External Messaging Enabled (teams)
  • External Shared Channel (teams)
  • Public Team (teams)
  • Unrestricted External Federation (teams)
  • Variable Not Marked Sensitive (terraform_cloud)
  • Variable Plaintext Credentials (terraform_cloud)
  • Variable Set Global Scope (terraform_cloud)
  • Workspace Global Remote State (terraform_cloud)
  • Auto Expose System Environment Variables (vercel)
  • Directory Listing Enabled (vercel)
  • Exposed to Preview (vercel)
  • IP Visibility Enabled (vercel)
  • Plain Text Secret (vercel)
  • Public Source (vercel)
  • Sensitive Env Var Policy Disabled (vercel)
  • Group Allows External Posting (workspace)
  • Group Allows Open Join (workspace)
  • Group Contact Owner Anyone (workspace)
  • Group Discoverable by Anyone (workspace)
  • Group Domain-Wide Membership Visibility (workspace)
  • Group Public Conversations (workspace)
  • Mail Delegation Enabled (workspace)
  • Shared Drive Allows External Users (workspace)
  • Shared Drive Allows Non-Members (workspace)
  • Shared Drive Has External Members (workspace)
  • Shared Drive No Download Restriction (workspace)

PR.DS-02 — Data-in-transit protected

The confidentiality, integrity, and availability of data-in-transit are protected

  • Always Use HTTPS Disabled (cloudflare)
  • Automatic HTTPS Rewrites Disabled (cloudflare)
  • HSTS Disabled (cloudflare)
  • TLS Mode Not Strict (cloudflare)
  • TLS 1.3 Disabled (cloudflare)
  • Opportunistic Encryption Disabled (cloudflare)
  • Minimum TLS Version Weak (cloudflare)
  • SSL Policy Weak TLS Version (gcp)
  • Edge Hostname Using Shared Cert (akamai)
  • HSTS Max-Age Too Short (akamai)
  • HSTS Not Enabled (akamai)
  • HTTP/2 Not Enabled (akamai)
  • Origin Not Using TLS (akamai)
  • TLS Version Below 1.2 (akamai)
  • Device Without Disk Encryption (chrome_enterprise)
  • SSL Encryption Disabled (cloudflare)
  • SSL Mode Flexible (cloudflare)
  • HTTP Allowed (digitalocean)
  • Insecure Backend (digitalocean)
  • No SSL Termination (digitalocean)
  • SSL Not Enforced (digitalocean)
  • S/MIME Buffer Encryption Not Enabled (m365)
  • S/MIME CRL Timeout Too Long (m365)
  • S/MIME Cert Chain With Root Not Included (m365)
  • S/MIME Cert Chain Without Root Not Included (m365)
  • S/MIME Clear Signing Not Enabled (m365)
  • S/MIME Encryption Algorithms Not Configured (m365)
  • S/MIME Encryption Not Enforced (m365)
  • S/MIME Signing Not Enforced (m365)
  • S/MIME Triple-Wrap Not Enabled (m365)
  • Extension Disabled (pagerduty)
  • Webhook External URL (pagerduty)
  • Webhook Inactive (pagerduty)
  • Data Rekeying Disabled (snowflake)
  • Application Has TLS Verification Disabled (teleport)
  • Database Configured Without TLS (teleport)
  • S/MIME Not Configured (workspace)

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial