SaaSFort

We Audited Our Own Security Posture — Here's the Grade

A transparent SaaSFort self-audit: we ran our own 60-check external scan, published the grade, and show exactly what an A-F security posture looks like in 2026.

SaaSFort Team
· 5 min read

Every security vendor tells you to scan your domain. Very few show you their own result. We think that’s backwards — if we ask B2B SaaS teams to expose their external posture to a 60-check scan, we should publish ours first.

So this is the transparent version: what our own external security audit found, what an A-F grade actually means line by line, and how you can run the identical scan on your domain in 60 seconds.

SaaSFort is launching on Product Hunt — if external security posture as a defensible compliance metric resonates with you, a look (and an honest comment) on launch day means a lot to a small team.

Why a self-audit is the only honest demo

Enterprise buyers do not trust vendor claims — they verify. According to Vanta’s State of Trust Report, 67% of B2B deals over $50K now include a security assessment phase, and the first thing a procurement team does is scan your external surface independently, before they even send a questionnaire.

That means your external posture is a public fact whether you publish it or not. A self-audit just removes the asymmetry: we see what an attacker and a BSI auditor see, and we say it out loud.

What the 60-check scan actually measures

The SaaSFort scan runs 60 deterministic checks across 21 categories. “Deterministic” matters: these are not heuristic guesses that produce false positives. Each check is a binary fact an auditor can re-verify:

  • TLS/SSL — protocol versions, cipher suites, certificate chain completeness, expiry, OCSP
  • HTTP security headers — HSTS (with preload), Content-Security-Policy, X-Frame-Options, Referrer-Policy
  • DNS & email authentication — SPF, DKIM, DMARC policy strength, DNSSEC, CAA records
  • Web application surface — exposed admin panels, source-map leakage, known-vulnerable JS libraries, security.txt presence
  • Compliance mapping — every finding tied to a NIS2 Article 21(2) measure and an ISO 27001 Annex A control

The grade is a transparent formula, not a black box: (passed_checks / 60) × 100, banded into A (90+), B (75–89), C (60–74), D (45–59), F (below 45). You can recompute it by hand from the findings list. That auditability is the whole point — a CISO can hand the report to an assessor and defend every line.

Reading an A-F grade line by line

A letter grade is only useful if it decomposes. Here is how procurement teams actually interpret each band:

Grade   Score      What a buyer concludes
A       90–100     “External posture is not a deal risk. Proceed.”
B       75–89      “Minor gaps. Ask for a remediation date.”
C       60–74      “Material gaps. Security review escalates.”
D       45–59      “Posture is a red flag. Deal stalls.”
F       below 45   “Do not proceed without a full remediation plan.”

The jump that matters most is C → B. Most C-grade domains fail on the same three things: TLS 1.3 not enforced, missing security headers, and a weak DMARC policy (p=none). All three are configuration changes, not engineering projects — which is why a low grade is usually recoverable in under 30 days.

The 30-day path from C to A

If your self-audit comes back at C, here is the prioritised order that moves the grade fastest:

  1. Enforce TLS 1.3, disable TLS 1.0/1.1 — single biggest cluster of failed checks
  2. Add the security header set — HSTS with includeSubDomains; preload, a real CSP, X-Content-Type-Options
  3. Move DMARC from p=none to p=quarantine then p=reject — closes the email-spoofing supply-chain vector
  4. Fix the certificate chain — ship the intermediate cert; this silently fails on more domains than any other check
  5. Remove source-map exposure and stale admin panels — reduces the attack surface auditors flag first

Re-scan after each change. The grade updates immediately because the checks are deterministic — you watch C become B become A in real time.
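As an added example (not SaaSFort's scanner or its real 60-check set), here is a toy Python model of a handful of the deterministic checks listed above and of the grading formula and bands, applied to a constructed "before" posture that fails the three things the article names for C-grade domains and a constructed "after" posture with the remediation steps applied. All posture values, header strings and DMARC records are assumed inputs; the real scan probes them live and divides by 60.

```python
import re

# Banding thresholds as stated in the article; the real scan divides by 60 checks.
BANDS = [(90, "A"), (75, "B"), (60, "C"), (45, "D"), (0, "F")]

def band(score: float) -> str:
    """Map a 0-100 score onto the article's A-F bands."""
    return next(letter for floor, letter in BANDS if score >= floor)

def run_checks(posture: dict) -> dict:
    """Evaluate a subset of deterministic checks; each result is a re-verifiable bool."""
    h = {k.lower(): v for k, v in posture["headers"].items()}
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(p[8:]) for p in hsts if p.startswith("max-age=")), 0)
    dmarc = dict(re.findall(r"(\w+)\s*=\s*([^;\s]+)", posture["dmarc_txt"]))
    tls = set(posture["tls_versions"])
    return {
        "tls_1.3_offered": "1.3" in tls,
        "tls_legacy_disabled": not (tls & {"1.0", "1.1"}),
        "cert_chain_complete": posture["intermediate_served"],
        "hsts_max_age_1y": max_age >= 31536000,
        "hsts_include_subdomains": "includesubdomains" in hsts,
        "hsts_preload": "preload" in hsts,
        "csp_present": "content-security-policy" in h,
        "x_content_type_options": h.get("x-content-type-options", "").lower() == "nosniff",
        "dmarc_present": dmarc.get("v") == "DMARC1",
        "dmarc_enforcing": dmarc.get("p") in ("quarantine", "reject"),
        "no_source_maps": not posture["source_maps_exposed"],
    }

def grade(posture: dict) -> tuple[float, str]:
    """The article's formula, (passed / checks_run) * 100, then banded."""
    results = run_checks(posture)
    pct = round(100 * sum(results.values()) / len(results), 1)
    return pct, band(pct)

# Constructed "before" posture: legacy TLS still enabled, headers incomplete, DMARC p=none.
BEFORE = {"headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                      "X-Content-Type-Options": "nosniff"},
          "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
          "tls_versions": ["1.0", "1.1", "1.2", "1.3"], "intermediate_served": True,
          "source_maps_exposed": False}
# Constructed "after" posture once the remediation steps have been applied.
AFTER = {"headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                     "Content-Security-Policy": "default-src 'self'",
                     "X-Content-Type-Options": "nosniff"},
         "dmarc_txt": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
         "tls_versions": ["1.2", "1.3"], "intermediate_served": True,
         "source_maps_exposed": False}
```

Calling `grade(BEFORE)` lands in the C band and `grade(AFTER)` in A; each failing key in `run_checks(BEFORE)` maps directly onto one of the numbered steps above.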

Run the identical scan on your domain

The scan we ran on ourselves is the same scan that is free for any domain — no account, no credit card, results in 60 seconds. Run your free external security scan and you get the same A-F grade, the same NIS2 Article 21(2) mapping, and the same prioritised remediation list.

If the grade is good, you can embed a live verification badge on your pricing or trust page — every visitor can independently verify it. If it is not good yet, the B2B SaaS security checklist and the NIS2 compliance checklists by industry give you the exact list to work down.

FAQ

What grade should a B2B SaaS company aim for?

A or high B before you enter an enterprise sales cycle. Below C, external posture actively blocks deals — 67% of B2B buyers run a security assessment, and a visibly poor external surface ends the conversation before the questionnaire stage.

Is an external scan enough for NIS2 compliance?

No — it is the fastest first step, not the whole programme. NIS2 Article 21(2) also covers governance, incident processes and supply-chain oversight. But the external-posture evidence is what a BSI auditor asks for first, and it is the part you can prove in 60 seconds. See the NIS2 audit preparation guide for the full scope.

Why publish your own grade?

Because external posture is a public fact regardless. Publishing it removes the trust asymmetry and demonstrates the product on the only domain we fully control — ours. It is also the most honest answer to “does this tool actually work?”

When does SaaSFort launch on Product Hunt?

SaaSFort is launching on Product Hunt. If a transparent, auditor-ready external security grade for €9/mo is useful to you, an upvote and an honest comment on launch day directly helps a small bootstrapped team reach the teams who need this.


