The 36 Akamai security checks Black Cat runs
Black Cat SSPM evaluates 36 security policies against your Akamai configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Investigate and unlock or revoke the locked Akamai Control Center user account
Disable or remove Akamai Control Center user accounts that have been inactive
Restrict the user's group access to only the groups required for their role
Restrict the API client's access level to READ_ONLY or least-privilege scopes
Rotate expiring API client credentials before they expire to prevent service disruption
Remove or deactivate API clients that are no longer in active use
Review and remove unnecessary admin-level grants from custom Akamai roles
configuration
Associate contracts with the empty group or remove the group if it is unused
Enable dual-stack (IPv4 and IPv6) support on the Akamai edge hostname
Lock the active production property version to prevent accidental modification
Enable SureRoute on the Akamai property to optimise origin connectivity performance
Configure origin failover on the Akamai property to improve resilience
Enable caching on the Akamai property to improve performance and reduce origin load
Remove CP codes that are no longer associated with any property to reduce billing clutter
dns
Enable DNSSEC signing on the Akamai Edge DNS zone to protect against DNS spoofing
Restrict DNS zone transfers to authorised secondary servers using ACLs or TSIG authentication
Enable TSIG authentication for DNS zone transfers to prevent unauthorised zone data access
Configure a secondary DNS zone to provide redundancy for the primary Akamai DNS zone
Investigate and resolve why the DNS zone SOA serial has not been updated recently
encryption
Set the minimum TLS version to 1.2 or higher on the Akamai property's origin settings
Enable HTTP Strict Transport Security (HSTS) header on the Akamai property
Increase the HSTS max-age directive to at least 31536000 seconds (one year)
Enable HTTP/2 on the Akamai property to improve performance and security
Configure the origin server to use HTTPS so traffic between Akamai and origin is encrypted
Replace the shared certificate with a dedicated TLS certificate for the edge hostname
mfa
Enable multi-factor authentication for the flagged Akamai Control Center user
security
Switch the WAF security configuration from alert-only mode to deny/block mode
Enable rate controls in the Akamai security configuration to mitigate volumetric attacks
Enable Slow POST protection to defend against slow-body denial-of-service attacks
Configure IP-based firewall rules in the Akamai security configuration
Configure geographic blocking rules to restrict traffic from high-risk regions
Review and remove unnecessary WAF policy exception rules to restore protection coverage
Switch the WAF policy from alert-only mode to deny mode to enforce active blocking
Lower the rate control threshold to a value that reflects legitimate traffic baselines
Enable Akamai Bot Manager to detect and mitigate automated bot traffic
Enable Account Protection Controls in the security configuration