Skip to content

The 36 Akamai security checks Black Cat runs

Black Cat SSPM evaluates 36 security policies against your Akamai configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumUser Account Locked

Investigate and unlock or revoke the locked Akamai Control Center user account

mediumUser Inactive

Disable or remove Akamai Control Center user accounts that have been inactive

highUser All Groups Access

Restrict the user's group access to only the groups required for their role

highAPI Client Broad Access

Restrict the API client's access level to READ_ONLY or least-privilege scopes

highAPI Client Credentials Near Expiry

Rotate expiring API client credentials before they expire to prevent service disruption

lowAPI Client Inactive

Remove or deactivate API clients that are no longer in active use

highCustom Role With Admin Permissions

Review and remove unnecessary admin-level grants from custom Akamai roles

configuration

lowGroup With No Contracts

Associate contracts with the empty group or remove the group if it is unused

lowEdge Hostname IPv4 Only

Enable dual-stack (IPv4 and IPv6) support on the Akamai edge hostname

mediumProperty Not Locked

Lock the active production property version to prevent accidental modification

lowSureRoute Not Enabled

Enable SureRoute on the Akamai property to optimise origin connectivity performance

mediumProperty No Origin Failover

Configure origin failover on the Akamai property to improve resilience

lowProperty Caching Disabled

Enable caching on the Akamai property to improve performance and reduce origin load

lowCP Code Unused

Remove CP codes that are no longer associated with any property to reduce billing clutter

dns

highDNSSEC Not Enabled

Enable DNSSEC signing on the Akamai Edge DNS zone to protect against DNS spoofing

mediumZone Transfer Unrestricted

Restrict DNS zone transfers to authorised secondary servers using ACLs or TSIG authentication

mediumTSIG Not Enabled

Enable TSIG authentication for DNS zone transfers to prevent unauthorised zone data access

lowPrimary Zone No Secondary

Configure a secondary DNS zone to provide redundancy for the primary Akamai DNS zone

lowSOA Serial Stale

Investigate and resolve why the DNS zone SOA serial has not been updated recently

encryption

criticalTLS Version Below 1.2

Set the minimum TLS version to 1.2 or higher on the Akamai property's origin settings

highHSTS Not Enabled

Enable HTTP Strict Transport Security (HSTS) header on the Akamai property

mediumHSTS Max-Age Too Short

Increase the HSTS max-age directive to at least 31536000 seconds (one year)

lowHTTP/2 Not Enabled

Enable HTTP/2 on the Akamai property to improve performance and security

highOrigin Not Using TLS

Configure the origin server to use HTTPS so traffic between Akamai and origin is encrypted

mediumEdge Hostname Using Shared Cert

Replace the shared certificate with a dedicated TLS certificate for the edge hostname

mfa

criticalUser MFA Not Enabled

Enable multi-factor authentication for the flagged Akamai Control Center user

security

criticalWAF In Alert-Only Mode

Switch the WAF security configuration from alert-only mode to deny/block mode

highRate Controls Disabled

Enable rate controls in the Akamai security configuration to mitigate volumetric attacks

highSlow POST Protection Disabled

Enable Slow POST protection to defend against slow-body denial-of-service attacks

mediumIP Firewall Not Configured

Configure IP-based firewall rules in the Akamai security configuration

mediumGeo Firewall Not Configured

Configure geographic blocking rules to restrict traffic from high-risk regions

highWAF Policy Excessive Exceptions

Review and remove unnecessary WAF policy exception rules to restore protection coverage

highWAF Policy Alert-Only Mode

Switch the WAF policy from alert-only mode to deny mode to enforce active blocking

mediumRate Control Threshold Too Permissive

Lower the rate control threshold to a value that reflects legitimate traffic baselines

highBot Management Disabled

Enable Akamai Bot Manager to detect and mitigate automated bot traffic

highAccount Protection Disabled

Enable Account Protection Controls in the security configuration

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial