checkmarx.com

15-check dossier · scoreboard above, section details below

Get a pack →

Scanning…

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

resolving dmarc…

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

inspecting web surface…

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.

checkmarx.com

15-check dossier · scoreboard above, section details below

Get a pack →

Mostly compliant · 5 items need attention

Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.

Pass: 10
Warn: 5
Fail: 0

What an auditor would flag first

medium
Security headers
2 security header(s) missing
SOC 2 CC6.6ISO 27001 A.14.1.2
low
DMARC
p=quarantine — receivers send to spam
SOC 2 CC6.7ISO 27001 A.13.2.1
low
DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7

Need this as an artifact your auditor can verify?

Your checkmarx.com scan flagged 1 medium and 4 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.

Get a pack →See methodology See a sample$29

Scanning…

15-check summary

DNS recordsA/AAAA records present
MX1 MX record(s) present
SPF-all hardfail — strict policy
DMARCp=quarantine — receivers send to spam
DKIM1/6 DKIM selectors valid
TLS certificatecert expires in 84 days
Redirect chainHTTPS served correctly
Security headers2 security header(s) missing
CORSno CORS headers — cross-origin requests blocked by default
Web surfaceHTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
MTA-STSnot applicable: no _mta-sts TXT record
TLS-RPTnot applicable: no TLSRPT record
DNSSECDNSSEC not configured — no DS or DNSKEY records found
WHOISdomain registered until 2029-03-09
Certificate Transparencycheck failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

dns

info

Open standalone →

A/AAAA records present

Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).

A: ttl=6585 141.193.213.21
ttl=6585 141.193.213.20
AAAA: —
NS: ttl=38400 dns3.bigrock.com.
ttl=38400 dns4.bigrock.com.
ttl=38400 dns2.bigrock.com.
ttl=38400 dns1.bigrock.com.
SOA: ttl=86400 dns4.bigrock.com. ranf.checkmarx.com. 2026051901 7200 7200 2419200 38400
CAA: —
TXT: ttl=7200 "google-site-verification=QpPLhjzR2uHh-639m__JRNsHmDc67feZoQrLQmaOZLU"
ttl=7200 "google-site-verification=wPO0Vk8rfSkmq4LI7MOgx4CnRnVZQvvhs6aXmi7dsdY"
ttl=14400 "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O"
ttl=7201 "openai-domain-verification=dv-WIIXBckL8IcrG87t3W1fNuHE"
ttl=7200 "o1thtu8hd9dvm1m0is8o36lqg8"
ttl=14400 "google-site-verification=F5_bTdjvJ9iEInTemUyKtFuEwItdETffnQu0bxyt2ko"
ttl=7200 "docker-verification=ac5f9f08-f78a-4ed4-a177-c9cd3dd85724"
ttl=86400 "jamf-site-verification=4_5CDWmB8lj8jxhtPmRf4w"
ttl=86400 "atlassian-domain-verification=4zdxHKq5sOWhLhtjWKJ2nlkhEsLBlh8Ta+Gld/nehGg5sX5w5o17e+d3NR+xVv8Z"
ttl=7200 "logmein-verification-code=eNTtN8P0v8IhwxSpOwOLJvRBm"
ttl=7200 "cursor-domain-verification-p6e9k2=1gH3HMtiwJqOg8YRK7faibg5G"
ttl=14400 "amazonses:EVZgC4HwLAr2w0/sMZWEFgheLrTT09dgRoJdTPGmNLI="
ttl=14400 "amazonses:lqyMnoA0VL0fnHiivXRrarcGODAf1cVnR/auYLHcxYY="
ttl=14400 "docusign=42adf495-ef93-4f2f-8cc9-fed2e8b1b55b"
ttl=7200 "ciscocidomainverification=49bbffc649c8677a394104a272cb18c00eab922bf289fb1f070399de60b28c10"
ttl=14400 "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:mailgun.org include:sendgrid.net include:_spf.salesforce.com include:amazonses.com include:146169.spf06.hubspotemail.net include:spf.eu.exclaimer.net -all"
ttl=7200 "anthropic-domain-verification-edje63=hEH9tbBjxl7z2GWvM3pYHbK1J"
ttl=7200 "1password-site-verification=SDL5F44IJVDQ5MIRNV4MW3SGNQ"

fetched 2026-05-23T09:25:03.931Z

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

1 MX record(s) present

Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).

pri=0 checkmarx-com.mail.protection.outlook.com.

fetched 2026-05-23T09:25:03.844Z

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

-all hardfail — strict policy

Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:mailgun.org include:sendgrid.net include:_spf.salesforce.com include:amazonses.com include:146169.spf06.hubspotemail.net include:spf.eu.exclaimer.net -all

v=spf1
include:spf.protection.outlook.com
include:servers.mcsv.net
include:mailgun.org
include:sendgrid.net
include:_spf.salesforce.com
include:amazonses.com
include:146169.spf06.hubspotemail.net
include:spf.eu.exclaimer.net
-all

fetched 2026-05-23T09:25:03.848Z

spf

info

Open standalone →

resolving spf…

dmarc

low

Open standalone →

p=quarantine — receivers send to spam

Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).

Recommendations

Upgrade to p=reject once your SPF and DKIM pass rates are consistently high

v=DMARC1; p=quarantine; pct=100

v=: DMARC1
p=: quarantine
pct=: 100

fetched 2026-05-23T09:25:03.847Z

dmarc

info

Open standalone →

resolving dmarc…

dkim

low

Open standalone →

1/6 DKIM selectors valid

Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).

Recommendations

Check the missing selectors in your DNS provider and re-add any removed records

default:: —
google:: —
k1:: —
selector1:: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1uacXWsQIaEf2Ejx99VOzfIMsTx3x3nRzIsmscmfTVgDejICjSVzRfGVmVTSVbHWiBlxtlQM0RCdSh4YKmLpgVbzTxXz6i+sY/eTr/WotIJODM68Rooe7D+IdSmqwv+EjZ1p0numcg1Gh/zdPt6OqlINtbXJW5w7vqkQQY2d7nQIDAQAB; n=1024,1450864163,1
selector2:: —
mxvault:: —

fetched 2026-05-23T09:25:03.969Z

dkim

info

Open standalone →

probing dkim selectors…

tls

low

Open standalone →

cert expires in 84 days

Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.

Recommendations

Schedule certificate renewal — consider enabling auto-renewal

subject cn:: checkmarx.com
issuer:: WE1 / Google Trust Services
valid:: May 17 10:28:24 2026 GMT → Aug 15 11:28:19 2026 GMT
authorized:: yes
sha256:: 70:A6:9A:51:91:D5:53:16:FF:CE:21:76:CD:11:6E:29:BF:71:24:D8:66:54:BE:A5:C9:70:CB:C0:0E:0B:53:56
sans: checkmarx.com

fetched 2026-05-23T09:25:03.883Z

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

HTTPS served correctly

Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).

final status: 200 · 1 hop

[200] https://checkmarx.com/

fetched 2026-05-23T09:25:04.011Z

redirects

info

Open standalone →

tracing redirects…

headers

medium

Open standalone →

2 security header(s) missing

Why it matters: Security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy — defend against XSS, clickjacking, and downgrade attacks. Absent headers map directly to OWASP ASVS V14 findings (ISO 27001 A.8.23).

Recommendations

Add response header — Strict-Transport-Security: max-age=15552000; includeSubDomains
Add response header — Content-Security-Policy: default-src 'self' (tune per app)

final url: https://checkmarx.com/

security headers

strict-transport-security: —
content-security-policy: —
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
permissions-policy: accelerometer=(), camera=(), geolocation=*, microphone=(), payment=(), usb=()

other headers

alt-svc: h3=":443"; ma=86400
cache-control: max-age=600, must-revalidate
cf-cache-status: DYNAMIC
cf-ray: a00302db48ef50a5-IAD
connection: keep-alive
content-encoding: br
content-type: text/html; charset=UTF-8
date: Sat, 23 May 2026 09:25:03 GMT
link: <https://checkmarx.com/wp-json/>; rel="https://api.w.org/", <https://checkmarx.com/wp-json/wp/v2/pages/103613>; rel="alternate"; title="JSON"; type="application/json", <https://checkmarx.com/>; rel=shortlink
server: cloudflare
set-cookie: __cf_bm=KccR3pHydPuu79fB7skG2AobJoGlENzyHtc6dFa8_Cg-1779528303.8887563-1.0.1.1-ZGlWJBJOJIOzqCrFnMHGnGwN7R3KZ0G4GGPbAl9jypMU_zPu3OIxW7i4A2vuhiP49HW.VFB6nZeGIIcu2UCvNzorVyjVI3k13uDp0IcRAnm0Qbqzi2arKWQlV_kKlgHo; HttpOnly; SameSite=None; Secure; Path=/; Domain=checkmarx.com; Expires=Sat, 23 May 2026 09:55:03 GMT
transfer-encoding: chunked
vary: Accept-Encoding, Accept-Encoding, Accept-Encoding, Accept-Encoding,Cookie
x-cache: HIT: 65
x-cache-group: normal
x-cacheable: SHORT
x-powered-by: WP Engine

fetched 2026-05-23T09:25:04.009Z

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

no CORS headers — cross-origin requests blocked by default

Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).

origin: https://drwho.me
method: GET
preflight status: 200

access-control-* headers

access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —

no access-control-* headers returned — site does not advertise CORS to this origin

fetched 2026-05-23T09:25:04.716Z

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)

Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).

robots.txt

present

# START YOAST BLOCK
# ---------------------------
User-agent: *
Disallow: /tag/*
Disallow: /category/czech-republic/feed/
Disallow: /faq/what-major-android-browser-flaw-allowing-hackers-to-bypass-sop/feed/
Disallow: /blog/tag/banking-sector/feed/
Disallow: /blog/tag/application-security-vulnerabilities/feed/
Disallow: /author/omriinbar/feed/
Disallow: /zh/blog/hacker-vs-struts2-game-has-no-ending/feed/
Disallow: /zh/emea/tcss/feed/
Disallow: /ko/emea/balidea/feed/
Disallow: /author/stephen/feed/
Disallow: /author/jonathansinger/feed/
Disallow: /category/technical-blog/feed/
Disallow: /blog/tag/drupal/feed/
Disallow: /r-d-israel/senior-qa-engineer-200/feed/
Disallow: /de/emea/orange-cyberdefense/feed/
Disallow: /blog/tag/crypto/feed/
Disallow: /blog/tag/partnership/feed/
Disallow: /author/guyrotem/feed/
Disallow: /*.pdf$

Sitemap: https://checkmarx.com/sitemap_index.xml
# ---------------------------
# END YOAST BLOCK

sitemap.xml

present — 12 url(s)

head

title: Unified Agentic AppSec Testing, Monitoring & Remediation Platform | Checkmarx
description: Agentic AppSec platform for code to cloud application security testing - SAST, SCA, ASPM. See Checkmarx One; get a demo.

social

og:locale: en_US
og:type: website
og:title: Enterprise AppSec Platform & Application Security Testing | Checkmarx
og:description: Agentic AppSec platform for code-to-cloud application security testing - SAST, SCA, ASPM. See Checkmarx One; get a demo.
og:url: https://checkmarx.com/
og:site_name: Checkmarx
og:image: https://checkmarx.com/wp-content/uploads/2025/09/Checkmarx-Home_.webp
og:image:width: 1800
og:image:height: 945
og:image:type: image/webp
twitter:card: summary_large_image
twitter:site: @checkmarx

fetched 2026-05-23T09:25:04.200Z

web-surface

info

Open standalone →

inspecting web surface…

dnssec

low

Open standalone →

DNSSEC not configured — no DS or DNSKEY records found

Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).

Recommendations

Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar

enabled: no
DS records: —
DNSKEY records: —

fetched 2026-05-23T09:25:03.945Z

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

not applicable: no _mta-sts TXT record

Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).

no _mta-sts TXT record

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

not applicable: no TLSRPT record

Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).

no TLSRPT record

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

domain registered until 2029-03-09

Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).

registrar: BigRock Solutions Ltd
created: 2005-03-09T13:44:22Z
expires: 2029-03-09T12:44:22Z
statuses: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

fetched 2026-05-23T09:25:04.114Z

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).

crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.