Vantyris

CS-002

An Edinburgh accounting firm attached a Vantyris report to a year-end engagement letter and answered the auditor's security question without a follow-up call.

An independent accounting partnership · Edinburgh, Scotland · 8 staff, 4 partners

Vantyris · Case study

CS-002 · Published 2026-05-23

An independent accounting partnership in Edinburgh.

8 staff, 4 partners · accountant sector

Score after remediation: 61 to 91

Findings closed: 3 of 3

Time to first fix: about 30 minutes

Time to all fixes: about 3 hours, single day

What made them run a scan

An institutional client (a small registered charity) added a clause to its year-end engagement letter asking whether the firm had had its website externally scanned for vulnerabilities in the last 12 months. The partner running the engagement needed an evidence artefact to attach to the response before the deadline at the end of the month.

What Vantyris found

  1. SPF record missing entirely on the main domain (high)

     Any sender on the public internet could spoof email from the firm's domain to the firm's own clients. DKIM was partially configured; DMARC was absent.

  2. Missing Permissions-Policy and Referrer-Policy headers (medium)

     The main site returned HSTS and X-Frame-Options correctly, but the two newer policy headers were absent, dropping the MDN HTTP Observatory score from A to B.

  3. TLS 1.0 still enabled at the hosting panel (medium)

     The hosting account's TLS minimum was set to 1.0 by default. SSL Labs returned an A grade (capped at A by the legacy protocol), with a warning about deprecated TLS versions.

  4. Client portal subdomain isolated; no exposed admin services (healthy)

     The portal ran behind a separate authentication gateway with no admin surfaces reachable from the public internet. No findings on the portal.

What they fixed and how

The firm's part-time IT lead added SPF, DKIM, and DMARC at Cloudflare in about 30 minutes with a free SPF generator. The Permissions-Policy and Referrer-Policy headers were added at the Cloudflare layer in 90 minutes. TLS 1.0 was disabled at the hosting panel in 5 minutes. A re-scan returned a clean report, which was attached to the engagement-letter response with two business days to spare.
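The three findings above and the fixes just described can be re-checked offline once the records and headers are in hand. The script below is an added example, not Vantyris code and not the firm's actual configuration: it parses SPF and DMARC TXT strings, checks the main site's response headers for the four headers the case study names, and checks the hosting panel's TLS floor, then runs those checks over two constructed "before" and "after" snapshots. Unlike the report, it lists the absent DMARC record as its own finding rather than folding it into the SPF item, and it rates a missing HSTS or X-Frame-Options header higher than a missing policy header; both choices are this example's assumptions.

```python
"""Offline re-check of the case-study findings against a domain snapshot.
Added example (not Vantyris code); every record and header below is constructed."""
from dataclasses import dataclass

# Headers the case study treats as required on the main site.
BASE_HEADERS = ("Strict-Transport-Security", "X-Frame-Options")
POLICY_HEADERS = ("Permissions-Policy", "Referrer-Policy")


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str  # "high" or "medium"


def check_spf(apex_txt):
    """apex_txt: TXT strings published at the apex domain.
    RFC 7208 expects exactly one v=spf1 record; it should end in -all or ~all."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("SPF record missing entirely on the main domain", "high")]
    if len(spf) > 1:
        return [Finding("more than one SPF record (receivers treat this as permerror)", "high")]
    last = spf[0].split()[-1].lower()
    if last not in ("-all", "~all"):
        return [Finding(f"SPF record does not end in -all/~all (ends in {last!r})", "medium")]
    return []


def check_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>, parsed as 'tag=value;' pairs."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("DMARC record absent", "high")]
    tags = {}
    for pair in dmarc[0].split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p", "none") == "none":
        return [Finding("DMARC policy is p=none (monitor only, no enforcement)", "medium")]
    return []


def check_headers(headers):
    """headers: response headers of the main site; names are matched case-insensitively."""
    present = {name.lower() for name in headers}
    missing = [h for h in BASE_HEADERS + POLICY_HEADERS if h.lower() not in present]
    if not missing:
        return []
    # Assumption of this example: a missing HSTS/X-Frame-Options header outranks
    # a missing policy header, which the case study rated medium.
    severity = "high" if any(h in BASE_HEADERS for h in missing) else "medium"
    return [Finding("missing " + " and ".join(missing) + " header(s)", severity)]


def check_tls_floor(min_version):
    """min_version: the hosting panel's minimum TLS version, as a string such as '1.2'."""
    if min_version in ("1.0", "1.1"):
        return [Finding(f"TLS {min_version} still enabled at the hosting panel", "medium")]
    return []


def scan(state):
    """Run all four checks over one snapshot and return the findings in report order."""
    return (check_spf(state["apex_txt"]) + check_dmarc(state["dmarc_txt"])
            + check_headers(state["headers"]) + check_tls_floor(state["tls_min"]))


# Constructed snapshots mirroring the case study; not the firm's real records.
BEFORE = {
    "apex_txt": ["constructed-site-verification=abc123"],  # no v=spf1 record at all
    "dmarc_txt": [],
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                "X-Frame-Options": "DENY"},
    "tls_min": "1.0",
}
AFTER = {
    "apex_txt": ["v=spf1 include:_spf.mailer.example -all"],
    "dmarc_txt": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"],
    "headers": {**BEFORE["headers"],
                "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
                "Referrer-Policy": "strict-origin-when-cross-origin"},
    "tls_min": "1.2",
}

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        findings = scan(state)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.title}")
```

Run as-is it prints four findings for the "before" snapshot and none for "after". To use it against a live domain, feed `check_spf` and `check_dmarc` the TXT strings returned by a resolver and `check_headers` the header dictionary from an HTTPS response; the checks themselves stay the same.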

In the customer's words

We needed something we could attach to our engagement letter response. The PDF was professional enough that the client's auditor accepted it without follow-up questions.

Partner, accounting firm in Edinburgh

What's next

The firm has set the scan to repeat quarterly, ahead of each major engagement-letter cycle. The PDF is filed under the firm's information-security evidence folder for the next time a client asks.

Vantyris · Shield Trust Holdings · Anonymised per customer release · Reviewed 2026-05-23

Want one of these?

Run a verified scan, fix what matters, send the PDF to whoever asked. From EUR 10.

Anonymised by sector and region. Customer names, domains, and exact identifiers withheld unless explicitly released. We do not pay for participation. See our privacy policy.