Misconfigurations
Understand how Seenty detects and reports configuration weaknesses across your domains and cloud accounts.
A misconfiguration is a setting or configuration that deviates from security best practices and creates an opening for attackers. Unlike vulnerabilities (which are software bugs), misconfigurations are the result of how something was set up -- and they are almost always fixable without changing code.
Seenty scans for misconfigurations across two major surfaces: domains and cloud accounts.
Domain misconfigurations
Domain misconfigurations are detected automatically when Seenty scans your registered domains and their subdomains. These scans run nightly for verified domains and can also be triggered manually.
Common domain misconfigurations include:
Email authentication
- Missing SPF record -- Without a Sender Policy Framework record, attackers can send emails that appear to come from your domain (email spoofing).
- Missing DKIM record -- DomainKeys Identified Mail lets receiving servers verify that an email was authorized by the domain owner.
- Missing or weak DMARC policy -- DMARC ties SPF and DKIM together and tells receivers what to do with unauthenticated emails. A missing or `p=none` DMARC policy provides no protection.
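The distinction between a missing, weak and enforcing policy can be checked directly against published TXT records. The following is an added example, not Seenty's detection logic; the function names are hypothetical and it assumes the TXT strings for the domain and for `_dmarc.<domain>` have already been fetched.

```python
# Added example: grade a domain's SPF and DMARC posture from TXT records that
# have already been fetched. Every record string used with it is constructed.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(apex_txt):
    """apex_txt: TXT strings published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"  # receivers treat this as an error
    return "present"

def check_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    found = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid: multiple DMARC records"  # receivers ignore all of them
    policy = parse_tags(found[0]).get("p", "").lower()
    if policy == "none":
        return "weak: p=none"  # reports only, spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        return "enforcing: p=" + policy
    return "invalid: no usable p= tag"

if __name__ == "__main__":
    # Constructed sample records for a hypothetical domain.
    apex = ["v=spf1 include:_spf.example.net -all", "site-verification=constructed"]
    dmarc = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
    print("SPF:", check_spf(apex))
    print("DMARC:", check_dmarc(dmarc))
```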
DNS and infrastructure
- Dangling DNS records -- DNS records pointing to resources that no longer exist (e.g., a deleted cloud instance or an expired third-party service). Attackers can claim the abandoned resource and serve content on your subdomain.
- Self-signed or expired SSL certificates -- Certificates that browsers do not trust or that have expired, which can expose users to man-in-the-middle attacks.
- Exposed admin panels -- Login pages for administrative interfaces (e.g., `/wp-admin`, `/admin`, phpMyAdmin) that are publicly accessible on the internet.
- Missing security headers -- HTTP headers like `Strict-Transport-Security`, `X-Content-Type-Options`, and `Content-Security-Policy` that help protect against common web attacks.
Cloud misconfigurations (AWS)
AWS cloud scanning requires an Ultra plan or higher. See Billing for plan details.
When you connect an AWS account, Seenty scans for misconfigurations across three key areas:
IAM (Identity and Access Management)
- IAM users without MFA -- Any IAM user with console access but no multi-factor authentication configured is a high-risk finding.
- Stale access keys -- Access keys that have not been rotated in more than 90 days. Long-lived credentials increase the window of opportunity if a key is compromised.
- Root account without MFA -- The AWS root account has unrestricted access to all resources. Operating without MFA on this account is a critical risk.
- Overly permissive IAM policies -- Policies granting broad wildcards (`*:*`) instead of following the principle of least privilege.
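To review your own policies for the wildcard pattern above, the check below scans an IAM policy document for Allow statements that combine a wildcard action with `Resource: "*"`. It is an added example, not Seenty's code; the function names and the sample policy are constructed, and it does not evaluate `Condition` blocks that might narrow a statement.

```python
# Added example: find Allow statements in an IAM policy document that pair a
# wildcard action with Resource "*". SAMPLE_POLICY is constructed.
import json

def as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy_json):
    """Return (sid, broad_actions) for each over-broad Allow statement."""
    hits = []
    doc = json.loads(policy_json)
    for index, stmt in enumerate(as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access, they are not findings
        actions = as_list(stmt.get("Action", []))
        # "*" is every action; "service:*" is every action of one service.
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad and "*" in as_list(stmt.get("Resource", [])):
            hits.append((stmt.get("Sid", f"statement-{index}"), broad))
    return hits

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllS3", "Effect": "Allow",
         "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "ScopedRead", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for sid, actions in wildcard_statements(SAMPLE_POLICY):
        print(sid, "grants", ", ".join(actions), "on every resource")
```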
S3 (Storage)
- Publicly accessible S3 buckets -- Buckets with public read or write access expose data to anyone on the internet.
- Unencrypted buckets -- S3 buckets without server-side encryption enabled.
- Missing versioning -- Without versioning, accidentally deleted or overwritten files cannot be recovered.
Security Groups (Network)
- Open SSH (port 22) to 0.0.0.0/0 -- Allowing SSH access from any IP address exposes your instances to brute-force attacks.
- Open RDP (port 3389) to 0.0.0.0/0 -- Remote Desktop Protocol open to the internet is a common ransomware entry point.
- Overly permissive inbound rules -- Security groups that allow traffic on all ports or from all sources.
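The same rules can be audited from a security group description. The following is an added example, not Seenty's code: it assumes input shaped like the `IpPermissions` list returned by the EC2 DescribeSecurityGroups API, uses a constructed sample group, and goes slightly beyond the list above by also treating the IPv6 range `::/0` as "any source".

```python
# Added example: audit inbound rules shaped like the IpPermissions list that
# EC2 DescribeSecurityGroups returns. SAMPLE_GROUP is constructed data.

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
WATCHED_PORTS = {22: "SSH", 3389: "RDP"}

def open_sources(perm):
    """Return the rule's source CIDRs that mean 'anywhere'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_SOURCE]

def audit_group(group):
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = open_sources(perm)
        if not sources:
            continue
        where = ", ".join(sources)
        if perm.get("IpProtocol") == "-1":  # -1 = every protocol and port
            findings.append("all traffic open to " + where)
            continue
        if perm.get("IpProtocol") not in ("tcp", "6"):
            continue
        low, high = perm["FromPort"], perm["ToPort"]
        # Compare against the range, not just FromPort: 20-25 still exposes 22.
        for port, name in sorted(WATCHED_PORTS.items()):
            if low <= port <= high:
                findings.append(f"{name} ({port}) open to {where}")
    return findings

SAMPLE_GROUP = {
    "GroupId": "sg-constructed-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP):
        print(finding)
```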
Cloud misconfigurations (Azure)
Azure cloud scanning requires an Ultra plan or higher. See Billing for plan details.
When you connect an Azure account, Seenty scans for misconfigurations across three areas:
RBAC (Role-Based Access Control)
- Users without MFA -- Azure AD users with access to resources but no MFA configured.
- Inactive users -- Accounts that have not signed in for an extended period but still have active permissions.
- Excessive role assignments -- Users with Owner or Contributor roles that could be scoped down to Reader or a custom role.
Storage
- Public storage accounts -- Storage accounts with public blob access enabled.
- Unencrypted storage -- Storage accounts without encryption at rest.
- HTTP access allowed -- Storage accounts that allow unencrypted HTTP connections instead of requiring HTTPS.
NSG (Network Security Groups)
- Open SSH/RDP rules -- NSG rules that allow SSH or RDP from any source.
- Overly permissive inbound rules -- Rules with broad port ranges or unrestricted source addresses.
- Missing NSGs -- Subnets or network interfaces without any network security group attached.
How severity is assigned
Seenty assigns severity based on the real-world risk each misconfiguration represents:
| Severity | Examples |
|---|---|
| Critical | Public S3 bucket with write access, root account without MFA |
| High | Open SSH to 0.0.0.0/0, IAM user without MFA, dangling DNS record |
| Medium | Missing DMARC policy, stale access keys, HTTP allowed on storage |
| Low | Missing optional security headers, bucket versioning disabled |
| Info | Detected configurations with no direct risk |
Plan availability
Not all misconfiguration checks are available on every plan:
| Check type | Available on |
|---|---|
| Basic DNS findings (SPF, DKIM, DMARC) | All plans |
| SSL certificate issues | Starter+ |
| Full domain findings (dangling records, exposed panels, headers) | Pro+ |
| AWS cloud misconfigurations | Ultra+ |
| Azure cloud misconfigurations | Ultra+ |
Upgrade your plan at any time from Workspace > Billing to unlock additional scanning capabilities.