Vantyris

CS-003

A Bristol design agency scanned twelve active client sites in one afternoon and turned eight of them into follow-up engagements.

A digital design and build agency · Bristol, England · 14 staff including 3 developers

Vantyris · Case study

CS-003 · Published 2026-05-23

A digital design and build agency in Bristol.

14 staff including 3 developers · agency sector

Score after remediation: 64 to 84
Findings closed: 9 of 11
Time to first fix: about 2 days across the portfolio
Time to all fixes: about 3 weeks across the portfolio

What made them run a scan

A retainer client received a phishing email impersonating the agency itself. No financial loss, but the founder wanted to know which of the agency's other client sites were similarly impersonatable, before any of them became the next target.

What Vantyris found

  1. Four of twelve client domains had no DMARC record

    Severity: high

    Any sender on the public internet could spoof email from those four client domains to their customers, and no authentication failure would be acted on.

  2. Two of twelve client sites had a WordPress admin reachable on a non-standard port

    Severity: high

    Both were development environments mistakenly left in production. One had a default admin username.

  3. Seven of twelve client sites had at least one missing security header

    Severity: medium

    Most commonly Content-Security-Policy or X-Frame-Options. None of the client sites returned the full set of four recommended headers.

  4. One client site offered a deprecated TLS cipher

    Severity: low

    The cipher in question is not currently exploitable against modern clients but is flagged by SSL Labs and OWASP guidance.

  5. Eleven of twelve client sites passed the TLS baseline

    Severity: healthy

    TLS 1.2 or 1.3 was enabled with modern cipher suites on every site bar one. The remaining one was on a legacy host.
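
For finding 1, an added example (not Vantyris's scanner or any code from this case study) that classifies DMARC posture across a portfolio from TXT records already fetched for `_dmarc.<domain>`. It goes beyond "no record" to also flag `p=none` and partial `pct` rollouts, where failures are likewise not fully acted on. The domains, records and function names are constructed for illustration, and fallback to the organizational domain is not modelled.

```python
# Constructed sample: TXT answers for _dmarc.<domain>, keyed by client domain.
SAMPLE = {
    "client-a.example": [],                                    # no TXT at all
    "client-b.example": ["v=spf1 include:_spf.example -all"],  # unrelated TXT only
    "client-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@client-c.example"],
    "client-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "client-e.example": ["v=DMARC1; p=reject"],
    "client-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate records
}

def _tags(record):
    """Split 'k=v; k=v' into an ordered list of (tag, value) pairs."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return [(k.strip().lower(), v.strip()) for k, v in pairs]

def parse_dmarc(txt_records):
    """Return the tag dict of the single valid DMARC record, else None.

    RFC 7489: records not starting with v=DMARC1 are discarded, and zero or
    multiple remaining records mean no policy is applied for this name.
    """
    valid = []
    for rec in txt_records:
        tags = _tags(rec)
        if tags and tags[0] == ("v", "DMARC1"):
            valid.append(dict(tags))
    return valid[0] if len(valid) == 1 else None

def posture(txt_records):
    """Classify how far receivers are told to act on DMARC failures."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "missing"          # spoofed mail is not rejected on DMARC grounds
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"     # failures are reported, not acted on
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"          # policy applies to a sample of failing mail
    return "enforced"

def scan(portfolio):
    return {domain: posture(records) for domain, records in portfolio.items()}

if __name__ == "__main__":
    for domain, result in scan(SAMPLE).items():
        print(f"{domain:20} {result}")
```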

What they fixed and how

The agency ran twelve verified scans in a single afternoon (one medium credit pack plus change). Each client received a branded PDF report with prioritised actions. Eight clients booked follow-up engineering work; three self-fixed using the report; one chose to defer. The total cost of credits was about EUR 60. The eight follow-up engagements paid for the agency's annual Vantyris credit budget several times over within the first week.

In the customer's words

We bought a pack of credits, ran every active client, and within 48 hours had a clear conversation with each of them about what needed work. It paid for itself with the first follow-up engagement.

Founder, design agency in Bristol

What's next

The agency now runs every client on a quarterly cadence and includes a free baseline Vantyris scan with every new client onboarding. The pattern has become an active sales asset, not just a security one.

Vantyris · Shield Trust Holdings · Anonymised per customer release · Reviewed 2026-05-23

Anonymised by sector and region. Customer names, domains, and exact identifiers withheld unless explicitly released. We do not pay for participation. See our privacy policy.