Testimonials Blog Case Studies About Contact Remote Support Client Resources
Cybersecurity · July 16, 2026

We Ran Our Own Company Through a Security Audit. Here's Everything We Found.

When we tell a business owner their IT needs a security review, there's a fair question hiding behind their polite nod: "Would your own setup pass one?" So we found out. In July we pointed the same independent scanning tools we use on client environments at our own website and email, and published the results, including the part we couldn't fix.

The starting point

We didn't start from a mess. Our site already had the security basics that most small business websites skip entirely. The first scan from securityheaders.com came back with an A.

But an A isn't an A+. The report flagged a weakness in our content security policy, a setting called unsafe-inline that quietly undoes much of the protection the policy is supposed to provide. Think of it as installing a good door and leaving a window latch open.

A deeper scan from internet.nl, a testing service run by the Dutch internet community and government, and one of the strictest free audits available, scored us 75%. It found more open latches: our domain name wasn't cryptographically signed (DNSSEC), there was no policy controlling which authorities could issue certificates for our domain (CAA), and a few smaller items.

securityheaders.com scan of defineedge.com showing a capped A grade, July 14 2026 internet.nl scan of defineedge.com showing a 75% score, July 15 2026

What we fixed

Over two working sessions, we closed everything that was ours to close:

The content policy. We rebuilt how our site loads its own code so the risky unsafe-inline exception could be removed entirely, for scripts and styles both. This is the change that separates a decorative security policy from a working one.

DNSSEC. Our domain's DNS answers are now cryptographically signed, so visitors' computers can verify they're reaching the real defineedge.com and not a forged copy.

Certificate controls (CAA). We published records that name exactly which certificate authorities are allowed to issue certificates for our domain, and turned on monitoring that alerts us if any certificate is ever issued anywhere in the world for our name. Prevention plus detection.

A security contact file. A small standard file (security.txt) that tells security researchers exactly how to reach us if they ever find a problem. Most companies don't have one. Every company should.

Email verification. We confirmed all three email authentication systems, SPF, DKIM, and DMARC, are active and enforcing. In plain terms: if someone tries to send an email pretending to be from our domain, receiving mail systems are told to treat it as suspect. Given that impersonation emails are how most small businesses actually get burned, this one matters more than any website score.

Eighty-two minutes after the first scan, securityheaders.com returned an A+. By the next day, internet.nl had climbed from 75% to 95%.

securityheaders.com scan of defineedge.com showing an A+ grade, July 14 2026 internet.nl scan of defineedge.com showing a 95% score, July 16 2026

The part we couldn't fix, and why we're telling you anyway

The remaining 5% comes down to one thing: TLS 1.3 isn't enforced as the minimum on our connection. Every connection to our site is still encrypted, but our hosting platform's shared infrastructure also accepts older TLS versions, to stay compatible with older devices, and doesn't let individual customers force TLS 1.3-only. It's not a live vulnerability, it's a strictness preference on the auditor's checklist. The fix would be changing platforms, which would be solving a scorecard, not a security problem.

We're including this because it's the most useful part of the whole exercise. Any vendor can show you a green badge. What you actually want from an IT partner is someone who can tell you exactly where the line is: what's fixed, what's accepted, and why, in writing, in plain English. If your current IT provider can't explain the last 5% of anything, that's worth noticing.

What this means for your business

Every check we ran on ourselves is free and public. Which means your customers, your insurers, your bank's security questionnaire, and yes, your competitors, can run them on you today. You can verify our own results yourself: the before scan and the after scan on internet.nl.

None of what we fixed required expensive tools. It required knowing the checks exist, understanding what the findings mean, and about two afternoons of careful work.

If you'd like to know what these same scans say about your business, your website, and more importantly, whether your email domain can be impersonated, we'll run them and walk you through the results in plain English. No charge, no pressure, and you keep the report either way.

Want to know your own score?

We'll run these same scans on your business.

Website security headers, DNSSEC, email authentication, the works. We'll walk you through the results in plain English. No charge, no pressure, and you keep the report either way.

More from the blog