AuditCore
Sample report

See exactly what you'll get.

This is a real anonymized AuditCore report. Scroll to preview the dashboard view, severity breakdown, and per-finding detail with AI-generated fix prompts.

Scan complete · Business tier · 487 pages crawled

example.com

Completed Apr 18, 2026 · Duration 14m 32s
Total findings: 77
Critical: 2
High: 7
Medium: 14
Low: 23
Info: 31

Tech detected: Next.js 16, Stripe, Cloudflare, Postgres, WordPress

SEO score: 82/100 (B) · 12 issues · 48 passed
AI-readiness: 64/100 (C) · No llms.txt · weak structured data

Compliance Impact

OWASP Top 10: 47
PCI DSS 4.0: 47
ISO 27001:2022: 47
NIS2 Directive: 47
GDPR Art. 32: 41
SOC 2: 18

Findings that may put the target out of compliance with each framework. Each finding below also lists the specific control IDs.

Top findings (sample)

Critical · Injection · CVSS 9.8
SQL Injection in /api/products?id=
https://example.com/api/products?id=1
Evidence: Boolean-based blind injection confirmed. Payload `1' AND 1=1--` returned a different response than `1' AND 1=2--`. sqlmap fingerprinted MySQL 8.0.
AI Fix: Use parameterized queries (PDO bindParam in PHP, $1 placeholders in Postgres). Never concatenate user input into SQL strings.
Compliance: OWASP A03 · PCI 6.5.1 · ISO A.8.28 · NIS2 21(2)(e) · GDPR Art.32

High · Auth · CVSS 8.2
BOLA — Cross-user resource access
GET /api/orders/{order_id}
Evidence: User A's session token returned 200 OK and full order data when requesting User B's order_id (sequential IDs). The endpoint performs no ownership check.
AI Fix: Add ownership middleware: `if order.user_id != current_user.id: return 403`. Apply to all `/api/orders/*`, `/api/users/*`, `/api/billing/*` routes.
Compliance: OWASP A01 · PCI 7.2.1 · ISO A.5.18 · SOC-2 CC6.1 · GDPR Art.32

High · Headers · CVSS 7.4
Missing Content-Security-Policy
All HTML responses
Evidence: No CSP header is set. Inline `<script>` tags executed without nonce/hash protection. The site uses 12 third-party JS sources.
AI Fix: Set CSP: `default-src 'self'; script-src 'self' 'nonce-{random}' https://js.stripe.com; ...`. Use report-only mode first to catch breakage.
Compliance: OWASP A05 · PCI 2.2.1 · ISO A.8.9 · NIS2 21(2)(e)

Medium · TLS · CVSS 5.3
TLS 1.0 / 1.1 enabled on api subdomain
api.example.com:443
Evidence: SSLyze handshake succeeded with TLS_RSA_WITH_3DES_EDE_CBC_SHA. PCI DSS 4.0 requires TLS 1.2+.
AI Fix: Disable TLS 1.0/1.1 in Nginx: `ssl_protocols TLSv1.2 TLSv1.3;`. Reload nginx; no client breakage is expected (the last browsers dropped 1.1 in 2020).
Compliance: OWASP A02 · PCI 4.2.1 · ISO A.8.24 · NIS2 21(2)(h) · SOC-2 CC6.7

Medium · SEO
Meta description missing on 8 pages
/blog/*, /products/*
Evidence: Crawled 20 pages; 8 had no `<meta name="description">`. Search engines will auto-generate snippets from page text, often poorly.
AI Fix: Add unique 120–160 character descriptions per page. For blog posts, use the article excerpt; for product pages, generate from title + key spec.

Ready to audit your site?

Free trial: 1 page, full SEO + AI-readiness + security headers. No credit card.
