Example Audit Report

See the structure and format of a YourInfraAudit infrastructure security audit report.

This page shows the structure of a typical YourInfraAudit report. Actual reports contain detailed findings specific to your infrastructure.

Report structure

Every YourInfraAudit report follows a consistent structure designed for both technical teams and stakeholders.

1. Executive summary

A short, non-technical overview of the audit scope, key findings and overall risk assessment. Written for decision-makers who need the outcome without the technical detail.

2. Scope

What was audited: servers, platforms, control panels, services, domains, accounts. Scope is always agreed before the engagement begins.

3. Infrastructure overview

A summary of the audited environment: server count, operating systems, control panels, hosting stack, email setup, DNS, backup and related components.

4. Risk matrix

Findings are classified by severity:

  • Critical — immediate risk of compromise, data loss or service disruption
  • High — significant risk that should be addressed within days
  • Medium — notable risk that should be planned for remediation
  • Low — minor issue or improvement opportunity

5. Findings

Each finding includes a title, severity, risk description and remediation recommendation.

High severity

WHMCS storage path accessible or incorrectly isolated

Risk: Sensitive files may be exposed if storage paths are not properly moved or protected outside the web root.

Recommendation: Move storage paths outside the web root and verify web server restrictions. Review file permissions and directory indexing settings.

High severity

No verified restore process

Risk: Backups may exist but remain unusable during a real incident if restore procedures are not tested.

Recommendation: Define a restore procedure, perform test restores on a regular schedule and document RPO/RTO expectations.

Medium severity

Weak DMARC policy

Risk: The domain is more exposed to spoofing and abuse. Email recipients may not enforce the domain's intended policy.

Recommendation: Move gradually from monitoring (p=none) to quarantine/reject after reviewing legitimate mail sources in DMARC aggregate reports.

6. Operational observations

Notes on processes, practices and operational gaps that are not direct vulnerabilities but affect overall security posture.

7. Remediation plan

A prioritized list of actions grouped by urgency: immediate, short-term and medium-term. Each action references the related finding.

8. Suggested timeline

A realistic implementation schedule based on finding severity, dependencies and available resources.

9. Appendix

Technical details, raw scan excerpts, configuration references and evidence supporting the findings.


Request your audit

Every infrastructure is different. Request an audit and we will scope the engagement based on your environment.

See pricing and packages for available options.
