Security Directory

V

Vintage Cellars

vintagecellars.com.au

66

The website demonstrates a moderate security posture with no critical vulnerabilities identified, but several high-impact gaps remain, especially in compliance and governance areas. Notably, the absence of fundamental GDPR elements such as Privacy Policy, Cookie Policy, and Consent Banner exposes the business to regulatory fines and reputational damage. Similarly, missing NIS2-related documentation and incident response procedures indicate a lack of formalized security governance, which increases operational risk. Security headers and email security show room for improvement but are less urgent compared to compliance shortfalls. SSL/TLS and DNS configurations are generally sound but require updates to maintain best practices. Network security posture is strong, reflecting effective perimeter defenses. Addressing these issues promptly will reduce legal exposure, improve customer trust, and strengthen resilience against cyber threats.

F

First Choice Liquor

firstchoiceliquor.com.au

65

The website demonstrates a concerning security posture with no critical issues but multiple high and medium severity findings, particularly in security headers, GDPR compliance, and NIS2 regulatory adherence. The absence of essential HTTP security headers like Strict-Transport-Security and Content-Security-Policy exposes the site to common web-based attacks and undermines user trust. Significant GDPR compliance gaps, including missing privacy and cookie policies and consent mechanisms, present legal and reputational risks. The lack of a documented information security framework, incident response procedures, and security policies indicates immature security governance and poor readiness for cyber incidents. While email security, SSL/TLS, DNS health, and network security are relatively strong, some SSL certificate renewal and DNSSEC improvements are needed. Overall, the website is vulnerable to exploitation and regulatory penalties, which could impact business continuity, customer trust, and legal compliance. Immediate remediation is necessary to strengthen defenses and align with cybersecurity best practices and legal requirements.

L

Liquorland

liquorland.com.au

69

The website exhibits a moderate overall security posture, with no critical vulnerabilities but several high and medium severity issues that expose the business to regulatory, operational, and reputational risks. While the network security and SSL/TLS configurations are strong, significant gaps exist in compliance with GDPR and NIS2 requirements, particularly regarding privacy policies, consent mechanisms, and documented security frameworks. Missing security headers such as Content-Security-Policy and Permissions-Policy increase the risk of client-side attacks. The absence of incident response and business continuity plans further exacerbates potential operational disruptions. Email security is adequate but could be improved by implementing DKIM. Immediate attention is needed to address privacy and governance shortcomings to avoid regulatory penalties and maintain customer trust. Overall, the business should prioritize establishing foundational security policies and compliance measures alongside technical enhancements.

Z

Zurich

zurich.co.nz

64

The website demonstrates a moderate security posture with no critical vulnerabilities detected, but several high-impact issues remain unaddressed. Key deficiencies are present in security headers, GDPR compliance, and adherence to NIS2 regulatory requirements, exposing the business to potential data breaches, regulatory fines, and reputational damage. Notably, missing essential headers like X-Frame-Options and Content-Security-Policy increase the risk of clickjacking and cross-site scripting attacks. The absence of privacy-related policies and consent mechanisms significantly undermines GDPR compliance, risking legal penalties and loss of customer trust. Furthermore, the lack of documented security frameworks, incident response plans, and vulnerability disclosure policies indicates immature governance and incident management capabilities. Email security and network infrastructure appear relatively robust, reducing exposure to phishing and network-level threats. Overall, urgent remediation is needed to strengthen compliance and protect sensitive data, while foundational security controls require enhancement to mitigate evolving cyber risks.

V

Vets Beyond Borders

vetsbeyondborders.org

53

The website's overall security posture is concerning, with multiple critical and high-severity issues primarily related to missing security headers, inadequate GDPR compliance, and insufficient information security governance. Key vulnerabilities include exposure of critical services such as MySQL, lack of essential security policies, and missing privacy and cookie compliance mechanisms, which collectively increase legal, reputational, and operational risks. Email and TLS security measures are moderately implemented but require improvements to prevent phishing and data interception. DNS security is relatively strong but can be enhanced further. The absence of incident response and business continuity planning exposes the business to extended downtime and unmanaged breaches. Immediate attention is needed to reduce attack surface and ensure regulatory compliance to safeguard customer trust and avoid potential penalties. Without remediation, the company faces heightened risks of data breaches, service interruptions, and legal non-compliance.

G

GapOnly

gaponly.com.au

63

The website exhibits a concerning security posture with no critical issues but multiple high and medium severity vulnerabilities, particularly in security headers, GDPR compliance, and NIS2 regulatory adherence. Key security headers like Strict-Transport-Security, X-Frame-Options, and Content-Security-Policy are missing, exposing the site to common web-based attacks such as clickjacking and cross-site scripting. GDPR compliance gaps, including the absence of a cookie policy and consent banner, risk regulatory penalties and damage to customer trust. Additionally, the lack of documented security policies and incident response procedures puts the organization at risk of inadequate preparation for cyber incidents. SSL/TLS configurations are suboptimal, with weak key lengths and certificates nearing expiration, increasing the potential for man-in-the-middle attacks. DNS security is moderately healthy but could be improved by enabling DNSSEC. Network security and email security are strong points, which is positive but insufficient to offset the other deficiencies. Immediate remediation in these areas is essential to reduce risk, protect customer data, and maintain regulatory compliance.

B

Best Media Rates

bestmediarates.com.au

63

The website's overall security posture is concerning, with multiple critical and high-severity issues that expose it to significant risks including data breaches, regulatory non-compliance, and service disruptions. Key deficiencies in security headers and the absence of fundamental security controls like Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options increase vulnerability to common web attacks such as XSS and clickjacking. GDPR compliance gaps, including missing cookie policies and consent banners, expose the business to legal and financial penalties. The lack of documented security policies, incident response plans, and vulnerability disclosure under the NIS2 framework reflects immature security governance. Network exposure of critical services like MySQL and FTP significantly heightens the risk of unauthorized access and data exfiltration. While email security and SSL/TLS configurations are relatively strong, critical gaps remain in network security and DNS configurations. Immediate remediation is essential to protect sensitive data, maintain customer trust, and ensure regulatory compliance. Without swift action, the business faces increased risk of cyber incidents and reputational damage.

C

Coles Group

colesgroup.com.au

73

The website demonstrates a generally stable security posture with no critical issues identified; however, several high and medium-level gaps present significant compliance and risk challenges. Key deficiencies include missing essential security headers and incomplete GDPR compliance, notably the absence of a cookie policy and consent mechanism, which could expose the business to regulatory penalties. The lack of an established information security framework, security policies, and incident response procedures severely undermines resilience against cyber threats and incident management. Email security is moderately sound but could be improved by implementing DKIM to prevent spoofing. Although network and SSL/TLS configurations are strong, issues like mixed content and missing DNSSEC pose potential attack vectors. Addressing these areas will enhance regulatory compliance, reduce liability, and strengthen overall risk management. Immediate attention to governance and privacy controls is critical to align with NIS2 and GDPR requirements and protect brand reputation.

W

Woolworths Group

woolworthsgroup.com.au

70

The website demonstrates a generally strong network security posture and good SSL/TLS and email security configurations. However, it exhibits significant weaknesses in compliance and governance, particularly with GDPR and NIS2 regulatory requirements, which present critical business and legal risks. Missing privacy and cookie policies, along with the absence of a cookie consent banner, expose the organization to potential regulatory penalties and reputational damage. Security header implementations are insufficient, notably the missing Content-Security-Policy, which increases vulnerability to cross-site scripting attacks. The lack of documented security policies, incident response procedures, and business continuity planning undermines the organization’s ability to effectively manage and respond to security incidents. Addressing these gaps is essential to safeguard customer trust, meet compliance obligations, and reduce potential financial and operational impacts. Prioritizing governance and policy frameworks alongside technical hardening will substantially improve the overall security posture.

L

Lancashirecapital

lancashirecapital.com

62

The website demonstrates significant security weaknesses primarily in its security headers, GDPR compliance, and adherence to the NIS2 framework, reflecting an overall inadequate security posture. There are no critical vulnerabilities reported; however, the presence of 12 high and 10 medium issues indicates serious risks that could expose the business to data breaches, regulatory penalties, and reputational damage. Missing essential HTTP security headers and lack of privacy and cookie policies undermine both user trust and legal compliance. The absence of documented information security policies, incident response plans, and business continuity strategies further increases the organization's operational risk. Additionally, network security concerns such as exposed FTP services present attack vectors that could be exploited. While email security and SSL/TLS configurations score relatively well, the impending SSL certificate expiry and lack of HSTS reduce the effectiveness of encrypted communications. Immediate remediation in these areas is critical to protect sensitive customer data, maintain compliance with regulations like GDPR and NIS2, and uphold business continuity.

L

lancashireinsurance.com

lancashireinsurance.com

55

The website exhibits a poor overall security posture, with critical vulnerabilities and significant compliance gaps that expose the business to substantial risks. Key issues include missing essential security headers, lack of GDPR compliance elements such as privacy and cookie policies, and absence of fundamental NIS2 security frameworks and incident response procedures. Critical network services like MySQL and PostgreSQL are exposed publicly, presenting severe attack vectors. While email security, SSL/TLS, and DNS health scores are relatively stronger, critical service exposures and missing security controls overshadow these areas. The absence of security policies and incident response plans further increases the risk of operational disruption and regulatory penalties. Immediate remediation is required to protect sensitive data, maintain customer trust, and comply with regulatory requirements. Without urgent action, the business faces heightened risks of data breaches, legal liabilities, and reputational damage.

The website demonstrates a generally strong network security and TLS/SSL posture, with high scores in these areas indicating good foundational protections. However, significant gaps exist in compliance and governance frameworks, specifically related to GDPR and NIS2 regulations, which pose legal and reputational risks. Critical email security deficiencies, notably the lack of email authentication, increase the risk of phishing and spoofing attacks. The absence of documented security policies, incident response plans, and business continuity strategies reveals immature security governance that could delay effective response to cyber incidents. Missing privacy and cookie policies, along with the lack of a cookie consent banner, expose the business to regulatory penalties and undermine customer trust. Medium-level issues such as mixed content and missing security headers further weaken the security posture and could be exploited. Overall, urgent remediation is needed in compliance, policy documentation, and email security to reduce risk and ensure regulatory adherence. Addressing these will enhance resilience, protect customer data, and safeguard business continuity.

C

coles.com.au

coles.com.au

75

The website demonstrates a generally strong foundational security posture with excellent scores in email security, SSL/TLS, and network security. However, there are significant gaps in compliance and policy documentation, particularly relating to GDPR and NIS2 requirements, which pose legal and operational risks. Critical headers that mitigate common web attacks such as clickjacking and cross-site scripting are missing, exposing the site to potential exploitation. The absence of a Privacy Policy, Cookie Policy, and consent mechanisms could lead to regulatory penalties and damage to customer trust. Lack of documented information security frameworks, incident response procedures, and business continuity planning further increase organizational risk and reduce resilience to cyber incidents. DNS security is also lacking due to missing DNSSEC implementation, which could allow DNS spoofing attacks. Addressing these gaps will not only enhance security but also ensure regulatory compliance and protect business reputation. Prioritizing policy development and security controls will help safeguard assets and maintain stakeholder confidence.

The website's security posture is currently weak, with numerous high and critical severity issues that expose the business to significant risks including data breaches, regulatory non-compliance, and operational disruptions. Critical services such as MySQL and FTP are openly exposed, creating easy attack vectors for malicious actors. The absence of key security headers and lack of HTTPS enforcement undermine client trust and increase vulnerability to common web attacks. GDPR compliance gaps, including no cookie policy or consent mechanism, expose the company to regulatory fines and reputational damage. The lack of documented security frameworks, incident response, and business continuity plans indicate insufficient organizational readiness to handle security incidents. While email security and DNS health are relatively strong, foundational network and application security controls require urgent remediation. Overall, immediate focus on closing critical exposure points and establishing governance is essential to protect business assets and customer trust.

Z

Zurich Australia

zurich.com.au

65

The website demonstrates a moderate security posture with no critical issues but multiple high and medium severity concerns, particularly in security headers, GDPR compliance, and NIS2 regulatory adherence. While network security and SSL/TLS configurations are strong, significant gaps exist in privacy policies, incident response planning, and security framework documentation, which expose the business to regulatory risks and potential reputational damage. Missing key security headers such as Content-Security-Policy and X-Frame-Options increase the risk of client-side attacks like clickjacking and cross-site scripting. Non-compliance with GDPR due to absent privacy and cookie policies may result in legal penalties and loss of customer trust. Lack of incident response and vulnerability disclosure policies hinders effective risk management and timely breach response. Immediate attention is needed to align with NIS2 security requirements to ensure operational resilience and regulatory compliance. Addressing these gaps will safeguard customer data, reduce legal exposure, and strengthen overall cyber resilience.

P

PetSure (Australia) Pty Ltd

petsure.com.au

66

The website security assessment reveals a concerning overall security posture, with no critical issues but multiple high and medium severity vulnerabilities primarily related to security headers, GDPR compliance, and NIS2 regulatory requirements. Key gaps include missing fundamental HTTP security headers, absence of essential GDPR cookie policies and consent mechanisms, and a lack of formalized information security, incident response, and business continuity frameworks. SSL/TLS configurations show weaknesses with expiring certificates and weak key lengths, raising risks of data interception. While email and network security measures are strong, DNS security can be improved. These vulnerabilities increase the risk of data breaches, regulatory fines, and reputational damage, highlighting an urgent need for remediation to protect business assets and maintain customer trust. Addressing these issues will also enhance compliance with evolving cybersecurity regulations such as NIS2 and GDPR.

M

Medibank

medibankoshc.com.au

65

The website demonstrates a moderate overall security posture with no critical vulnerabilities but multiple high and medium risk issues that could expose the business to significant threats. Key deficiencies in security headers and email authentication protocols increase the risk of data breaches, phishing attacks, and user exploitation. The lack of GDPR compliance elements, such as cookie policies and consent mechanisms, exposes the organization to regulatory penalties and reputational damage. Absence of incident response and vulnerability disclosure policies under NIS2 requirements limits the company’s ability to effectively manage and mitigate cyber incidents. While SSL/TLS and network security configurations are relatively strong, improvements in DNS security and email protections are needed. Addressing these gaps will reduce attack surfaces, enhance customer trust, and ensure regulatory compliance. Immediate attention to policy implementation and security headers will yield the highest business value and risk reduction. Overall, the site requires focused remediation to align with best practices and legal obligations.

M

Medibank

medibanklife.com.au

73

The website demonstrates a solid foundation in core technical security areas such as email security, SSL/TLS implementation, and overall network security. However, significant gaps exist in compliance with GDPR and NIS2 regulatory frameworks, with critical deficiencies in privacy policies, consent mechanisms, and documented security governance. The absence of key security headers, particularly the Content-Security-Policy, exposes the site to client-side attacks like cross-site scripting. Lack of incident response, vulnerability disclosure, and business continuity plans present operational risks that could escalate the impact of security events. Additionally, DNS security could be strengthened by enabling DNSSEC and configuring CAA records to prevent domain-based attacks. Overall, while the infrastructure is strong, the organization must urgently address policy, compliance, and procedural gaps to reduce legal, reputational, and operational risks.

E

Equiniti

equiniti.com

75

The website demonstrates a generally solid security posture in areas such as network security, email security, and SSL/TLS implementation, with high module scores in these domains. However, significant gaps exist in compliance with GDPR and NIS2 regulatory frameworks, reflected by low scores and multiple high-severity findings. The absence of essential policies—such as cookie consent, incident response, and security documentation—poses considerable legal, operational, and reputational risks. Missing GDPR elements could lead to regulatory penalties and erosion of customer trust, while lack of NIS2 alignment may expose the business to increased vulnerability and non-compliance fines. Medium-level risks related to security headers, DNS security features, and mixed content issues could be exploited to compromise data confidentiality and integrity. Immediate attention to regulatory compliance and incident preparedness will strengthen the organization’s resilience and legal standing. Overall, the business should prioritize addressing compliance and policy shortcomings to mitigate risks and safeguard stakeholder confidence.

L

Lancashire Inc.

lancashiregroup.com

76

The website demonstrates a generally stable security posture with no critical vulnerabilities detected, but notable gaps exist in compliance and governance areas. GDPR compliance is weak, primarily due to the absence of a cookie consent banner and insufficient privacy policy details, risking regulatory penalties. The NIS2 framework adherence is particularly poor, with multiple high-severity issues such as missing security policies, incident response procedures, and information security frameworks, exposing the business to operational and reputational risks. Technical security controls like email security, SSL/TLS configurations, and DNS health are fairly strong but can be further improved. Missing security headers and lack of advanced HTTP policies indicate opportunities to harden defenses. The lack of business continuity planning and vulnerability disclosure policies reduces the organization's preparedness for incidents and coordination with external security researchers. Enhancing these areas will not only improve security posture but also strengthen customer trust and regulatory compliance. Addressing these issues promptly will mitigate potential legal, financial, and operational impacts.

M

Medibank Private Limited

medibank.com.au

73

The website demonstrates a moderate overall security posture with no critical vulnerabilities detected, but several high and medium-risk issues require urgent attention. Key compliance gaps exist in GDPR adherence, notably the absence of a cookie policy and consent banner, which expose the business to regulatory penalties and reputational damage. The NIS2-related security framework and incident response capabilities are severely lacking, indicating unpreparedness for cyber incidents and potential operational disruptions. Security headers and SSL/TLS configurations are generally adequate but have room for improvement to mitigate common web-based attacks. DNS health and network security score well, reflecting a solid underlying infrastructure. Email security is robust, reducing phishing risks via email vectors. Prioritizing GDPR compliance and establishing formal security policies will significantly reduce legal and operational risks. Immediate remediation will enhance customer trust and regulatory standing, supporting long-term business resilience.

The website demonstrates a generally strong security posture with no critical or high-severity issues detected. Key strengths include excellent email security and network security, reflected in near-perfect module scores. However, several medium and low priority issues indicate gaps in compliance and configuration that could expose the organization to risk. Notably, the absence of key security headers, incomplete GDPR and NIS2 compliance, and missing DNSSEC protection suggest vulnerabilities in data protection and regulatory adherence. The SSL/TLS configuration is strong but can be enhanced by including subdomains in HSTS policies. Addressing DNS-related configurations like enabling DNSSEC and configuring CAA records will improve domain security against spoofing and unauthorized certificate issuance. Overall, the business should focus on closing these mid-level gaps to bolster defense against evolving threats and maintain regulatory compliance.

V

Virgin Australia Airlines Pty Ltd

virginaustralia.com

72

The website demonstrates a generally strong security posture in areas such as email security, SSL/TLS configuration, and network security, all scoring 100/100. However, critical gaps exist in compliance and governance domains, particularly related to GDPR and NIS2 frameworks, with scores as low as 25/100. High-severity issues include missing essential privacy policies, lack of cookie consent mechanisms, and absence of incident response and security policy documentation. The missing Content-Security-Policy header further exposes the site to cross-site scripting risks. DNS health is fairly good but can be improved by enabling DNSSEC and configuring CAA records. Overall, while technical defenses are solid, the lack of regulatory compliance and formal security governance poses significant business risks, including legal penalties and reputational damage. Immediate remediation in compliance and policy documentation is critical for maintaining trust and regulatory adherence.

V

Virgin Money UK PLC

cybg.com

75

The website demonstrates a generally sound security posture with no critical vulnerabilities detected and strong scores in email security, network security, and DNS health. However, significant gaps exist in compliance with GDPR and NIS2 regulations, reflected by low module scores of 43 and 25 out of 100 respectively. Key risks include the absence of cookie policies and consent mechanisms, lack of comprehensive security and incident response documentation, and missing critical headers. These deficiencies expose the business to regulatory penalties, reputational damage, and increased risk of data breaches. SSL/TLS configurations need attention to ensure trust and secure communications. Addressing these issues will mitigate compliance risks and strengthen the overall security framework. Prioritizing governance and policy implementation will have the greatest business impact. Immediate action is recommended to avoid escalating risks and regulatory scrutiny.

V

Virgin Money UK

cybusinessonline.co.uk

77

The website demonstrates a generally strong technical security foundation with high scores in email security, SSL/TLS, DNS health, and network security. However, significant gaps exist in compliance and governance areas, particularly related to GDPR and NIS2 regulations, which pose notable legal and operational risks. The absence of a cookie policy, consent banner, and incomplete privacy documentation expose the business to potential regulatory penalties and customer trust issues. Critical deficiencies in information security framework, incident response, and security policy documentation under NIS2 further elevate the risk of unmanaged security incidents and business disruption. While no critical vulnerabilities were identified, the combination of high and medium severity findings indicates an urgent need to address compliance and governance controls. Proactively remediating these issues will reduce regulatory exposure, improve stakeholder confidence, and strengthen the overall security posture. Immediate focus on policy implementation and GDPR compliance will deliver the greatest business value and risk mitigation. Ongoing monitoring of SSL certificates and DNS configurations ensures continued protection of core infrastructure components.

The website's overall security posture is solid with no critical or high severity issues detected. The SSL/TLS implementation and network security are exemplary, scoring 100/100, ensuring encrypted communications and robust infrastructure defenses. However, medium-severity issues in security headers, GDPR compliance, NIS2 adherence, email security, and DNS configuration indicate gaps that could expose the business to regulatory risks and attack vectors such as email spoofing or DNS-based attacks. The absence of DKIM records and DNSSEC reduces trustworthiness of communications and domain authenticity, potentially impacting customer confidence and deliverability. Failure in security headers analysis suggests missing or misconfigured HTTP response headers that guard against common web attacks. Addressing these medium-level vulnerabilities will strengthen regulatory compliance, minimize reputational risk, and enhance overall resilience. The low-level findings, such as complex SPF and missing CAA records, while less urgent, should be remediated to improve email security and certificate issuance controls over time.

A

Aegon

aegon.co.uk

68

The website demonstrates a solid foundational security posture in areas such as SSL/TLS configuration, network security, and email security, all scoring 85% or above. However, significant gaps exist in compliance with GDPR and NIS2 requirements, exposing the business to regulatory and reputational risks. The absence of privacy and cookie policies, along with missing consent mechanisms, creates legal vulnerabilities and undermines user trust. Key security headers are inadequately configured, increasing exposure to common web-based attacks like cross-site scripting. Additionally, the lack of documented information security frameworks, incident response plans, and business continuity strategies signals insufficient organizational readiness for cyber incidents. Medium-level DNS and email security issues further highlight areas for improvement to prevent spoofing and phishing attacks. Addressing these high-impact issues promptly will enhance regulatory compliance, strengthen security posture, and protect brand reputation.

V

Velocity Frequent Flyer Pty Limited

velocityfrequentflyer.com

68

The website demonstrates a moderate security posture with no critical vulnerabilities detected but multiple high and medium-risk issues that expose the organization to regulatory, reputational, and operational risks. Key weaknesses lie in missing essential security headers, lack of compliance with GDPR requirements, and absence of fundamental NIS2 cybersecurity governance frameworks. While foundational network and email security measures are strong, gaps in security policy documentation, incident response readiness, and privacy transparency present significant business risks. Failure to implement privacy policies and consent mechanisms may lead to regulatory fines and loss of customer trust. Additionally, missing headers like Strict-Transport-Security and Content-Security-Policy increase exposure to man-in-the-middle and cross-site scripting attacks. The organization should prioritize closing these gaps to protect sensitive information, ensure regulatory compliance, and maintain customer confidence. Immediate remediation combined with policy development and communication enhancements is essential to strengthen overall security posture.

N

Not Found

youraccountonline.com

67

The website's overall security posture reveals significant gaps, particularly in compliance with GDPR and NIS2 regulations, which pose legal and reputational risks. Critical vulnerabilities in email authentication and missing key security headers expose the business to phishing and man-in-the-middle attacks. Although network security and DNS health are relatively strong, foundational security policies and incident response processes are lacking, undermining resilience against cyber threats. The absence of a Privacy Policy, Cookie Policy, and Consent Banner further endangers compliance with data protection laws and customer trust. SSL/TLS implementation is adequate but requires immediate attention due to upcoming certificate expiration and missing HSTS enforcement. Addressing these issues promptly will reduce exposure to regulatory penalties, data breaches, and brand damage. Overall, the website requires urgent improvements in governance, technical controls, and privacy management to align with industry standards and legal frameworks.

N

Nationwide Building Society

nationwide.co.uk

73

The website demonstrates a solid foundation in network security, email security, and SSL/TLS implementation, reflected by high module scores in these areas. However, significant gaps exist in data privacy compliance (GDPR) and organizational security governance (NIS2), exposing the business to regulatory penalties and increased cyber risk. Missing critical policies such as Privacy Policy, Cookie Policy, and incident response procedures undermine trust and operational readiness. The absence of a Content-Security-Policy header and DNSSEC further increases exposure to web-based attacks. While no critical vulnerabilities were found, the presence of multiple high and medium issues indicates urgent remediation is necessary to reduce legal, reputational, and operational risks. Addressing these weaknesses will improve compliance, customer trust, and resilience against cyber threats. Immediate focus on governance and privacy compliance will yield the highest business impact. Overall, the posture is moderate but requires strategic enhancements to meet industry standards and regulatory demands.

Y

Yorkshire Bank

ybonline.co.uk

72

The website demonstrates a generally stable security posture with no critical vulnerabilities detected, and strong performance in email and network security. However, significant gaps exist in GDPR compliance and adherence to NIS2 regulatory requirements, posing legal and operational risks. The absence of a Privacy Policy and Cookie Consent Banner exposes the business to potential data protection violations and regulatory penalties. Deficiencies in security governance, such as missing incident response procedures and security policy documentation, increase the risk of inadequate breach handling. SSL/TLS configurations require improvement to prevent potential data interception and integrity issues. While DNS and network security are robust, enhancements in security headers and vulnerability disclosure practices are advisable. Addressing these issues promptly will reduce compliance risks, protect customer trust, and strengthen overall security resilience.

C

Clydesdale Bank

cbonline.co.uk

72

The website demonstrates a generally stable security posture with no critical vulnerabilities detected. However, significant gaps exist in compliance with GDPR and NIS2 requirements, exposing the business to regulatory, legal, and reputational risks. Key deficiencies include the absence of a Privacy Policy, cookie consent mechanisms, and essential security documentation such as incident response and business continuity plans. Additionally, SSL/TLS configurations require attention to prevent potential data interception and trust issues. While network and email security are strong, the lack of security headers and incomplete policies may undermine overall protection. Immediate focus on regulatory compliance and security governance will reduce exposure and support customer trust. Addressing these issues will also prepare the organization for evolving cybersecurity frameworks and audits.

The website demonstrates a generally strong security posture with no critical or high-level vulnerabilities detected, and excellent scores in SSL/TLS and network security. However, several medium-level issues indicate gaps in compliance and protective measures, particularly regarding security headers, GDPR compliance, NIS2 readiness, email authentication, and DNS security. These weaknesses could expose the business to data privacy risks, regulatory non-compliance penalties, and increased susceptibility to phishing or DNS-related attacks. While low-level issues such as missing CAA records are less urgent, addressing them will further strengthen the security framework. Prioritizing remediation of medium-risk findings will enhance overall resilience and maintain customer trust. Proactive improvements will also help ensure alignment with evolving regulatory and security standards.

The website demonstrates a generally strong network and transport layer security posture, with high scores in SSL/TLS and network security. However, there are significant gaps in compliance and governance areas, particularly related to GDPR and NIS2 regulatory frameworks, which pose legal and operational risks. Missing critical documentation such as security policies, incident response, and vulnerability disclosure procedures increases exposure to unmanaged security incidents and regulatory penalties. The absence of a cookie consent banner and potential GDPR non-compliance on privacy policies further heightens legal liability. Security headers are partially implemented but lack key directives like Content-Security-Policy, exposing the site to certain web-based attacks. Email security is adequate but could be improved by implementing DKIM records to protect brand reputation and reduce phishing risks. Addressing these issues will enhance regulatory compliance, reduce risk exposure, and improve customer trust and business continuity resilience.

P

Paymentwall, Inc.

paymentwall.com

69

The website demonstrates a moderate to weak overall security posture with no critical issues but several high and medium severity findings that present significant risk. Key vulnerabilities stem from missing essential security headers, lack of GDPR compliance measures such as cookie policies and consent mechanisms, and insufficient adherence to NIS2 cybersecurity regulations including absent incident response and security policy documentation. While network security and email security are strong, deficiencies in SSL/TLS configurations and DNS security also expose the site to potential threats. The absence of a comprehensive information security framework and business continuity planning further exacerbates operational risk. Immediate remediation is necessary to protect customer data, ensure regulatory compliance, and reduce the likelihood of reputational damage or legal penalties. Addressing these gaps will strengthen the organization's security posture and build customer trust.

V

Virgin Media Business

virginmediabusiness.co.uk

72

The website demonstrates a generally strong technical security foundation with good network security (100/100) and solid scores in DNS health (90/100), SSL/TLS (87/100), and security headers (85/100). However, significant gaps exist in regulatory compliance and organizational security management, particularly around GDPR and NIS2 requirements, which are critical for legal adherence and incident readiness. The absence of a cookie policy and consent banner exposes the business to regulatory penalties and damages customer trust. Lack of security policy documentation, incident response procedures, and business continuity planning present serious operational risks in the event of a security incident. Email security is adequate but could be improved by implementing DKIM to prevent spoofing. Addressing these compliance and procedural shortcomings is essential to mitigate legal risks, maintain customer confidence, and ensure resilience against cyber threats. Overall, the site’s technical defenses are strong, but governance and compliance need urgent focus to reduce business risk.

A

active value GmbH

jti-campus.org

67

The website demonstrates a moderate security posture with no critical issues detected; however, several high and medium-level vulnerabilities pose significant risks. Key deficiencies in security headers, GDPR compliance, and adherence to NIS2 regulations expose the organization to data breaches, regulatory penalties, and operational disruptions. Notably, the absence of a Content-Security-Policy header and weak SSL key configurations increase susceptibility to web-based attacks and data interception. GDPR-related gaps, including missing cookie policies and consent mechanisms, risk non-compliance fines and damage to customer trust. Furthermore, the lack of documented security policies, incident response, and business continuity planning highlights unpreparedness for cyber incidents. While network security and email security scores are comparatively strong, SSL/TLS configurations and DNS settings require improvement to enhance overall resilience. Addressing these issues promptly will reduce legal exposure, protect customer data, and strengthen the organization's cybersecurity posture.

R

Reporters Without Borders

journalismtrustinitiative.org

59

The website exhibits significant security gaps with no critical vulnerabilities but multiple high and medium severity issues, particularly in security headers, GDPR compliance, NIS2 regulatory adherence, and SSL/TLS configurations. The absence of key security headers exposes the site to common web attacks such as clickjacking, content injection, and cross-site scripting. GDPR non-compliance, including missing cookie policies and consent mechanisms, risks legal penalties and damages customer trust. Weaknesses in NIS2 compliance, such as missing incident response and security policies, indicate inadequate organizational cybersecurity governance. SSL/TLS weaknesses, including a weak key length and soon-to-expire certificate, threaten data confidentiality and secure communications. DNS health shows misconfigurations impacting email delivery and domain security. Network security posture is strong, reflecting well on perimeter defenses. Overall, the site requires urgent remediation of regulatory and technical gaps to reduce business risk and protect brand reputation.

U

United Internet for Unicef Stiftung

united-internet-for-unicef-stiftung.com

71

The website demonstrates a moderate security posture with no critical vulnerabilities detected, but several high and medium-risk issues remain unaddressed. The strongest areas are network security and SSL/TLS configurations, with near-optimal scores. However, significant gaps exist in compliance with GDPR and NIS2 regulatory requirements, including missing cookie policies, consent mechanisms, and absence of formal security and incident response documentation. Security headers are inconsistently implemented, leaving the site vulnerable to clickjacking and some cross-site scripting risks. Email security and DNS configurations are generally good but could be strengthened further. Failure to address these issues exposes the business to regulatory penalties, reputational damage, and increased risk of cyber incidents. Prioritizing compliance and security policy development will mitigate legal and operational risks while improving overall resilience.

V

Virgin Media O2

virginmediao2.co.uk

67

The website demonstrates a moderate security posture with no critical vulnerabilities but several high and medium severity issues that pose significant business risks. Key concerns include missing essential security headers, lack of GDPR compliance mechanisms such as cookie policies and consent banners, and absence of foundational NIS2 security governance like incident response and security policy documentation. These gaps increase exposure to web-based attacks, regulatory fines, and operational disruptions. While network security and SSL/TLS configurations are strong, DNS and email security require improvements to prevent spoofing and phishing risks. The low scores in GDPR and NIS2 compliance highlight urgent needs to align with legal and regulatory frameworks to avoid penalties and reputational damage. Addressing these issues promptly will strengthen trust, reduce liability, and protect business continuity.

I

IONOS Inc.

ionos-status.com

73

The website demonstrates a mixed security posture with no critical vulnerabilities but multiple high and medium risk issues that could impact business operations and compliance. Key deficiencies include missing critical HTTP security headers, lack of GDPR compliance elements such as cookie policies and consent mechanisms, and absence of formalized security and incident response frameworks aligned with NIS2 requirements. While SSL/TLS and network security configurations are generally strong, the approaching SSL certificate expiration and weak HSTS settings present avoidable risks. The lack of documented security policies and incident response plans exposes the organization to increased operational and reputational risks in case of a breach. GDPR non-compliance may result in regulatory penalties and loss of customer trust. Immediate remediation in security headers, GDPR compliance, and NIS2 framework implementation is essential to strengthen the security baseline and meet regulatory obligations. Overall, this assessment highlights the need for a structured approach to security governance and technical hardening to reduce business risk effectively.

S

STIFTUNG UNITED INTERNET FOR UNICEF

united-internet-for-unicef-stiftung.de

66

The website's overall security posture reveals significant compliance and security gaps, particularly in privacy and regulatory adherence, with a critical GDPR issue indicating non-compliance for an EU business. While foundational network and SSL/TLS security controls are strong, key security headers are missing, exposing the website to clickjacking and cross-site scripting risks. There is a notable absence of documented information security policies, incident response plans, and vulnerability disclosure processes, which hinders effective security governance and response. Email security is relatively well managed, but lack of DKIM records could impact email deliverability and phishing protection. DNS security measures are decent but could be improved by enabling DNSSEC and configuring CAA records. Overall, the most pressing risks are regulatory non-compliance and missing security governance frameworks, which could lead to legal penalties, reputational damage, and operational disruptions. Immediate attention to privacy policies, cookie management, and security documentation is essential to align with GDPR and NIS2 requirements.

A

active value GmbH

jti-app.com

67

The website demonstrates a moderate security posture with no critical issues but several high and medium risks that could expose the business to significant threats. Key weaknesses include missing essential security headers, inadequate GDPR compliance, and absent or incomplete security governance frameworks aligned with NIS2 requirements. The absence of a Cookie Policy and Consent Banner places the organization at legal and reputational risk under data protection regulations. SSL/TLS configurations show weaknesses such as expiring certificates and weak key lengths, potentially undermining encrypted communications. While email security and network security scores are relatively strong, foundational policies and incident response capabilities are lacking. Addressing these gaps is critical to safeguarding customer data, maintaining regulatory compliance, and ensuring business continuity. Prioritizing governance documentation and security controls will improve both risk management and stakeholder confidence.

1

1&1 Mail & Media Applications SE

mail-and-media.com

65

The website demonstrates a concerning security posture with no critical issues but multiple high and medium risks primarily related to missing security headers, GDPR compliance gaps, and insufficient NIS2 framework implementation. The absence of key HTTP security headers such as Strict-Transport-Security and Content-Security-Policy exposes the site to common web attacks like clickjacking and cross-site scripting. GDPR compliance shortcomings, including the lack of cookie policies and consent mechanisms, risk regulatory penalties and damage to customer trust. Additionally, the lack of documented security policies, incident response plans, and security contacts undermines the organization’s ability to manage security incidents effectively. While email, SSL/TLS, DNS, and network security subsystems score relatively well, important enhancements such as enabling HSTS and DNSSEC remain unaddressed. Overall, the site is vulnerable to both technical exploits and regulatory risks, requiring immediate attention to avoid business disruption and reputational harm. Proactive remediation will strengthen the security posture, ensure compliance, and foster customer confidence.

T

Telefonica UK Limited

o2.com

70

The website's overall security posture shows no critical issues but reveals significant gaps in key areas such as security headers, GDPR compliance, and NIS2 regulatory adherence. High severity issues include missing essential HTTP headers that protect against common web attacks, absence of a cookie consent banner, and a lack of fundamental information security and incident response policies. While email security, SSL/TLS, DNS health, and network security are relatively strong, the deficiencies in governance and compliance expose the business to legal risks, regulatory penalties, and increased vulnerability to cyber threats. The low security header score (35/100) and poor NIS2 compliance (25/100) highlight urgent needs for improvement. Addressing these gaps will not only enhance protection against exploitation but also strengthen customer trust and regulatory standing. Prioritizing policy documentation and technical controls will reduce risk exposure and support business continuity. Overall, the assessment indicates a pressing requirement to integrate security best practices with compliance frameworks to safeguard business operations effectively.

W

WEB.DE

web.de

68

The website's overall security posture reveals significant compliance and governance gaps, particularly concerning GDPR and NIS2 regulatory requirements, which present substantial legal and reputational risks. While technical controls such as SSL/TLS encryption, email security, DNS health, and network security are generally strong, critical deficiencies in privacy policies, cookie management, and incident response frameworks undermine stakeholder trust and regulatory compliance. The absence of a cookie consent banner and adequate privacy measures for EU users exposes the business to potential fines under GDPR. Additionally, the lack of documented security policies, incident response procedures, and business continuity planning under NIS2 regulations increases operational vulnerability to cyber incidents. Security headers are improperly configured, which can lead to exploitation of common web vulnerabilities. Immediate remediation is essential to mitigate legal penalties, safeguard customer data, and maintain business continuity. Addressing these issues will strengthen compliance posture and enhance overall cybersecurity resilience.

T

Telefónica Deutschland

telefonica.de

67

The website's overall security posture demonstrates strong technical controls in network security, SSL/TLS configuration, and DNS health, with scores above 85 in these areas. However, significant compliance and governance issues are present, particularly concerning GDPR and NIS2 requirements, resulting in low scores of 18 and 25 respectively. The critical GDPR finding highlights the absence of adequate privacy measures for an EU business, posing substantial legal and financial risks. High-priority gaps include missing cookie consent mechanisms, lack of documented security and incident response policies, and absence of a formal information security framework. Email security is moderate but requires improvements to prevent spoofing and phishing attacks. While low-severity issues exist, they are overshadowed by critical compliance deficiencies that could lead to regulatory penalties and reputational damage. Immediate remediation focusing on privacy compliance and governance frameworks is essential to mitigate legal exposure and strengthen customer trust.

O

o2

o2.de

49

This website has 9 critical security issue(s) requiring immediate attention. Overall security score: 50/100 (unknown risk level). A comprehensive security review is recommended.

T

Telefónica Germany GmbH & Co. OHG

o2business.de

50

The website's security posture is currently poor, with critical vulnerabilities and compliance gaps that expose the business to significant legal, operational, and reputational risks. Key deficiencies in GDPR compliance, including missing cookie policies and consent mechanisms, put the organization at risk of regulatory penalties within the EU. Network security is severely compromised by the exposure of multiple critical and high-risk services such as SMB, Telnet, MSSQL, and MongoDB, which are common vectors for cyberattacks and data breaches. The absence of fundamental security policies, incident response procedures, and vulnerability disclosure frameworks further exacerbates this risk. Security headers and email authentication protocols are inadequately implemented, increasing the risk of web-based attacks and email spoofing. Although DNS health scores relatively well, SSL/TLS weaknesses and expiring certificates undermine secure communications. Immediate remediation is essential to protect sensitive data, maintain customer trust, and ensure business continuity. Without swift action, the organization faces heightened chances of cyber incidents and regulatory enforcement actions.

X

Xodo

eversign.com

73

The website currently exhibits a moderate to low overall security posture, with critical issues notably absent but several high and medium severity vulnerabilities present. Key deficiencies exist in security header implementations, GDPR compliance, and adherence to NIS2 regulatory frameworks, indicating significant gaps in both technical and organizational security controls. The absence of fundamental headers such as Strict-Transport-Security and Content-Security-Policy increases risk exposure to common web attacks like man-in-the-middle and cross-site scripting. GDPR-related shortcomings, including lack of a cookie consent banner and incomplete privacy policies, expose the business to regulatory penalties and undermine customer trust. The failure to establish an information security framework, incident response procedures, and security documentation highlights weaknesses in governance and risk management. However, strengths are noted in email security, SSL/TLS configurations, DNS health, and network security, which provide a solid foundation for secure communications and infrastructure. Addressing the highlighted issues will substantially reduce risk, improve compliance, and safeguard brand reputation. Immediate focus on regulatory compliance and security policy development is crucial for sustainable business operations.