Continuous Security as a Service

From security scanning to audit evidence, SPHIOR handles it every month.

Aligned with SOC 2, ISO 27001, and OWASP, SPHIOR delivers monthly evidence built for engineers, executives, and auditors alike. Vanta and Drata integration supported.

Check your site for free

The Cost of Inaction

By the time it makes the news, it is already a financial event.

What happened to companies that deprioritized security. Every case below is a documented fact, not a cautionary tale.

Real-World Breach Cases

Code Spaces · 2014

Continuity

Stopped in 12h

12 hours from breach to bankruptcy

The root AWS account had no MFA, so stolen credentials alone gave full access. After ransom was refused, the attacker deleted every instance, bucket, and snapshot. The company had no path to recovery and shut down the same day. Skipping MFA at cloud setup erased the entire business.

Cause

No MFA on the root AWS account

Yahoo! (US) · 2013–2014

Accounts impacted

3B+

Weak hashing erased ~$350M in acquisition value

Two breaches in 2013 and 2014 went undisclosed until 2016. MD5-hashed passwords were trivially crackable, enabling continuous exploitation. All 3 billion accounts were ultimately affected. Yahoo's Verizon acquisition price was cut by $350M over the hidden incident.

Cause

Legacy MD5 hashing and delayed disclosure

British Airways · 2018

Customers affected

~500K

22 lines of code that shook a global brand

Magecart inserted 22 lines of skimmer code into a third-party JavaScript loaded on the checkout page. Every card detail entered was forwarded to attackers in real time for nearly two weeks. About 500K customers were affected and the initial GDPR fine proposal reached £183M.

Cause

Third-party JavaScript injection (Magecart)

Equifax · 2017

Records exposed

148M

An unpatched vulnerability exposed 148M people

A critical Apache Struts patch (CVE-2017-5638) sat unapplied for two months. Attackers exploited it, remained undetected for 76 days, and exfiltrated 148M records including SSNs and birth dates. Total settlement and fine costs exceeded $575M. The CEO and CIO resigned.

Cause

CVE-2017-5638 left unpatched for 2 months

Target · 2013

Cards stolen

40M

An HVAC vendor's credentials breached 40M cards

Credentials stolen from an HVAC vendor provided a foothold inside Target's corporate network. Poor network segmentation let malware spread to 4,000+ POS terminals during Christmas season. 40M payment cards and 70M personal records were stolen, triggering CEO and CIO resignations.

Cause

Vendor network not isolated from POS systems

SolarWinds · 2020

Orgs compromised

18,000+

A trusted software update became a nation-state weapon

Attackers inserted the SUNBURST backdoor into a legitimate monitoring software update. Over 18,000 organizations installed it — including the US Treasury and State Departments. The intrusion went undetected for ~9 months and redefined supply-chain attacks as a top-tier threat.

Cause

Build system compromise and malicious code injection

Change Healthcare · 2024

Total loss

~$3B+

One missing MFA setting halted US healthcare for weeks

One internal account lacked MFA on a critical system. A single stolen password was enough for ransomware operators to access the core. US pharmacies and hospitals stopped processing prescriptions and payments for weeks. Total losses to UnitedHealth Group exceeded $3B.

Cause

MFA missing on a critical access account

CrowdStrike · 2024

Machines crashed

8.5M

A security vendor's own update caused history's largest IT outage

A faulty content update — not malware — crashed 8.5M Windows machines globally. Airports, banks, hospitals, and broadcasters halted simultaneously. Fortune 500 firms alone lost $5.4B+. A trusted security vendor proved a single bad update can outscale any cyberattack.

Cause

Unvetted content update pushed to production

Bybit · 2025

Stolen

~$1.4B

Phishing seized the keys behind a multi-sig wallet

Phishing and access exploitation let attackers seize the signing environment of a multi-signature wallet. The multi-sig protocol itself was intact, but the human layer managing the keys was compromised. ~$1.4B in Ethereum was stolen — the largest single crypto theft in history.

Cause

Phishing compromise of multi-sig key managers

Coverage Architecture

A single overlooked misconfiguration can compromise your entire system.

Attackers don't attack your strongest defenses; they look for abandoned subdomains, unmonitored APIs, and minor cloud misconfigurations. SPHIOR dissects your business into four distinct layers—from the public surface down to authenticated regions—and continuously hunts for vulnerabilities from a hacker's perspective.

SPHIOR

Public Surface

Everything an attacker sees first

Domains, SSL/TLS, exposed ports, leaked metadata. The surface that defines your initial risk posture.

Configuration

Misconfigurations are the most ignored vulnerability

Security headers, TLS settings, public storage, dependency drift — checked continuously, not annually.

API & Endpoints

Hidden doors live in your traffic

Undocumented endpoints, leaky responses, weak input validation. The risks unique to your application boundary.

Authenticated

The real impact lives behind login

On Enterprise, with verified ownership and consent, SPHIOR runs dynamic testing (DAST) inside authenticated regions.

Cloud Infrastructure

Find cloud misconfigurations before attackers do

Automated auditing of IAM policies, storage exposure, firewall rules, and encryption settings across AWS, GCP, Azure, and Cloudflare. Available on Scale (optional add-on) and Enterprise (included).

Enterprise DAST Architecture

Deep, authenticated audits, architected for absolute security.

Safely and comprehensively diagnose vulnerabilities deep within your system, beyond the login screen. Through secure session handoffs via our dedicated browser extension and isolated scanning environments, we completely eliminate the risk of production impact and data leakage.

STL 01

Secure Integration via Extension

Use the SPHIOR Chrome extension to securely synchronize auth credentials or session tokens from your local environment. No plaintext passwords stored on our servers.

STL 02

Encrypted Session Vault

Received sessions are heavily encrypted and managed strictly within a secure vault. They are loaded into memory only during the scan to maintain safe access.

STL 03

State-Aware Dynamic Scanning

Not just a crawler, but an engine that understands application state. We deeply and accurately trace post-login processes involving complex transitions and API calls.

STL 04

Fully Isolated Audit Environment

Scans execute on isolated, ephemeral microVMs for each customer. Physical data boundaries ensure that your audit data never leaks to other environments.

Reports for Decision-Making

One assessment. Three audiences. Three optimized outputs.

Vulnerability reports change meaning depending on who reads them. SPHIOR generates the right shape for engineering, leadership, and audit — from the same evidence.

E.2 · Featured Finding #1
Featured Findings Deep-Dive

SQL Injection in /api/search

NEW
Critical · CVSS 9.1 · External vulnerability · Cross-confirmed
api.example.com/api/search · Sphior Web App Scanner / ZAP active rule (40018)

1. Risk Summary

In this month's Sphior automated assessment, we observed a SQL Injection vulnerability on your externally exposed API endpoint /api/search. This is a typical instance of CWE-89 (Improper Neutralization of SQL Element), carrying the risk of database content retrieval, credential leakage, and schema enumeration by authenticated users. We observed that user-supplied input from the `q` parameter is concatenated directly into the SQL query, and blind SQL injection is also possible. This directly affects SOC 2 CC6.1 / ISO 27001 A.8.2 + GDPR Art. 32 audit-support evidence quality, with an observed impact scope of approximately 42,000 authenticated users. Response within this month is recommended.

2. Risk Snapshot

Business Impact
Critical

Possibility of information leakage at a scale of 42,000 authenticated users (observed scope). GDPR notification obligations may be triggered, with critical impact on SOC 2 CC6.1 audit-support evidence quality.

Exploit Difficulty
High

The attack is carried out through an authenticated user; once reconnaissance is done, payload construction is technically easy. Easily detected by ZAP active scan; only limited scripting knowledge is required.

Observed Urgency
Highest

Newly detected this month. Critical class; response within this quarter recommended. WAF emergency rules provide interim mitigation; preemptive measures against attacker reconnaissance are necessary.

3. Observed Evidence (excerpt)

Full evidence + scanner raw output in App-A · #1
HTTP TRACE
GET /api/search?q=test' UNION SELECT NULL,version(),NULL-- HTTP/1.1
Host: api.example.com
Authorization: Bearer <REDACTED>
Content-Type: application/json

Response: 200 OK
{ "results": [{"id": null, "name": "PostgreSQL 14.5"}] }   ← DB version leakage

4. Recommended Actions

STEP 01 · Emergency · Migration to parameterized queries

Rewrite the SQL query of /api/search using prepared statements, separating user input from SQL syntax. Response within this quarter recommended; mitigate in parallel via WAF rules during remediation.

Implementation hint: Express + pg: `client.query('SELECT … WHERE q = $1', [userInput])` / Python + psycopg2: `cur.execute('SELECT … WHERE q = %s', (userInput,))`

STEP 02 · Containment · WAF emergency rule deployment

Apply WAF rules across all endpoints to block payloads containing SQL patterns (UNION / SELECT / -- / ; etc.). Interim mitigation until remediation is complete, operated in combination with SOC integration.

Implementation hint: Cloudflare WAF managed ruleset OWASP CRS (sql-injection) temporary enable / AWS WAF: AWSManagedRulesSQLiRuleSet high-priority adoption

STEP 03 · Verification · Fix verification via Sphior re-scan

After remediation, verify the fix via Sphior re-scan and confirm 400 responses to the same payload patterns. Confirmation results are stored as tamper-evident snapshots (SHA-256 anchored) in SOC 2 audit-support evidence and reflected in the next monthly report.

Implementation hint: Sphior dashboard's Re-scan now button (scan completes within 5 minutes + results reflected)
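As an added illustration of STEP 01 and STEP 03 (not code from this report or from SPHIOR), the following Python places the concatenation pattern the finding describes beside a parameterized query, using an in-memory SQLite table with a constructed product list. SQLite has no version() function, so sqlite_version() stands in for the PostgreSQL call seen in the trace above.

```python
import sqlite3

# Constructed sample rows standing in for the application's search table.
SAMPLE_ROWS = [(1, "test widget"), (2, "gadget"), (3, "testing kit")]

# Payload from the report's HTTP trace, adapted for SQLite: sqlite_version()
# plays the role that PostgreSQL's version() played in the observed response.
UNION_PAYLOAD = "test' UNION SELECT NULL, sqlite_version(), NULL--"


def make_db():
    """Build the throwaway in-memory database used by both search variants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, q):
    """The pattern the finding describes: q is concatenated into the SQL text,
    so a quote in q ends the literal and the rest becomes SQL syntax."""
    sql = f"SELECT id, name, NULL FROM products WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, q):
    """STEP 01 fix: q is bound as a parameter and can only ever be a value.
    The same shape as the psycopg2 hint above, with SQLite's ? placeholder."""
    sql = "SELECT id, name, NULL FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + q + "%",)).fetchall()


def leaks_db_version(rows):
    """Mirrors the STEP 03 re-scan check: did the DB version string come back
    in a result row, as it did in the observed 200 response?"""
    return any(row[1] == sqlite3.sqlite_version for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", search_parameterized(db, UNION_PAYLOAD))
```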

5. Compliance Standards & References

CWE-89 · OWASP A03 Injection · NIST SP 800-53 SI-10 · SOC 2 CC6.1 · ISO 27001:2022 A.8.2
Related findings: #6 (Verbose error on /login) / #11 (CVE-2024-XXXX lodash) — Authentication boundary complementary observations
Affected scope: Same pattern possibility across 8 endpoints including /api/search; scope confirmation via Sphior re-scan recommended
Full Per-Finding Card: (Critical 2-page Extended) see App-A · #1 — full Request/Response + exploitation chain + remediation code complete edition
Audit-support reference  |  Confidential
E.2 · Featured Finding #1  |  Page 19 of 30
E.2 · Featured Finding #2
Featured Findings Deep-Dive

Missing CSRF Token on /api/transfer

NEW
Critical · CVSS 8.8 · Authenticated (state-changing) · Cross-confirmed
api.example.com/api/transfer · Sphior Web App Scanner / ZAP passive scan (10202)

1. Risk Summary

This finding is a missing CSRF (Cross-Site Request Forgery) token validation on the /api/transfer endpoint. Sphior Web App Scanner observed that CSRF token middleware is not applied on state-changing endpoints, allowing cross-site requests using authenticated user sessions. Origin / Referer validation was also not confirmed for POST / PUT / DELETE endpoints, and the SameSite cookie attribute is set to `None`. This affects SOC 2 CC6.6 / ISO 27001 A.8.8 + A.5.30 audit-support evidence quality, and as an observed event on a financially critical transaction endpoint, response within this month is recommended.

2. Risk Snapshot

Business Impact
Critical

Possibility of triggering unauthorized transactions by authenticated users on financially critical endpoints. Critical impact on SOC 2 CC6.6 audit-support evidence quality + Processing Integrity (PI1.1).

Exploit Difficulty
Medium-High

Limited to state-changing endpoints, but the attack is carried out by luring an authenticated user to an attacker-controlled site (for example via phishing) while they are browsing; technically straightforward.

Observed Urgency
High

Requires authenticated user victims but easy to obtain via phishing. Response within this quarter recommended; immediate mitigation possible via middleware application.

3. Observed Evidence (excerpt)

Full evidence + scanner raw output in App-A · #2
HTTP TRACE
POST /api/transfer HTTP/1.1
Host: api.example.com
Cookie: session_id=abc123   ← HttpOnly not set, SameSite=None
Content-Type: application/json
Origin: https://attacker.example

{"to":"attacker_account","amount":50000}

Response: 200 OK   ← Processed without CSRF token validation (403 expected)

4. Recommended Actions

STEP 01 · Emergency · Double-submit CSRF token middleware application

Install and apply CSRF token middleware on 12 state-changing endpoints (POST / PUT / DELETE). Reject with 403 response on token absence / mismatch. Response within this quarter recommended.

Implementation hint: Express: csurf package / Django: built-in {% csrf_token %} / Rails: protect_from_forgery

STEP 02 · Containment · SameSite cookie attribute Strict enforcement

Set SameSite=Strict on session cookies to immediately restrict cookie transmission via cross-site requests. Apply HttpOnly + Secure together as interim measures during middleware remediation period.

Implementation hint: Set-Cookie: session=…; Secure; HttpOnly; SameSite=Strict (unified across all endpoints)

STEP 03 · Verification · Fix verification via regression tests + Sphior re-scan

Integrate automated CSRF tests for state-changing endpoints into CI, verifying 403 responses on token absence / mismatch. Confirm adoption across all endpoints via Sphior re-scan.

Implementation hint: Continuous detection of missing CSRF tests via Sphior Code Scanner's CI integration
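An added example, not SPHIOR's middleware and not the csurf package: a double-submit CSRF check in Python that also performs the Origin / Referer validation the summary notes as missing, together with the Set-Cookie line from STEP 02. ALLOWED_ORIGIN and the header and cookie names are assumptions; the rejected request is constructed from the trace above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the application's own origin; any other origin is cross-site.
ALLOWED_ORIGIN = "https://api.example.com"
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token():
    """Double-submit pattern: the same random value is set as a cookie and
    echoed back by the page's own JavaScript in a request header."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """STEP 02: the session cookie attributes the report recommends."""
    return f"Set-Cookie: session_id={session_id}; Secure; HttpOnly; SameSite=Strict"


def _origin_allowed(headers):
    """Prefer Origin; fall back to the scheme+host of Referer. A cross-site
    page cannot set either header from script, so a mismatch is a hard reject."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def check_csrf(method, headers, cookies):
    """Return (status, reason) for one request. Header names are assumed to be
    already normalised to this spelling, as a web framework would do."""
    if method.upper() not in STATE_CHANGING:
        return 200, "safe method"
    if not _origin_allowed(headers):
        return 403, "origin/referer not allowed"
    cookie_token = cookies.get("csrf_token")
    header_token = headers.get("X-CSRF-Token")
    if not cookie_token or not header_token:
        return 403, "csrf token missing"
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, header_token):
        return 403, "csrf token mismatch"
    return 200, "ok"


# Constructed request mirroring the trace: attacker origin, session cookie only.
ATTACK_HEADERS = {"Origin": "https://attacker.example",
                  "Content-Type": "application/json"}
ATTACK_COOKIES = {"session_id": "abc123"}

if __name__ == "__main__":
    print(check_csrf("POST", ATTACK_HEADERS, ATTACK_COOKIES))
    print(session_cookie_header("abc123"))
```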

5. Compliance Standards & References

CWE-352 · OWASP A01 Broken Access Control · NIST SP 800-53 IA-2 · SOC 2 CC6.6 · PI1.1 · ISO 27001:2022 A.8.8 · A.5.30
Related findings: #8 (Cookie no HttpOnly) — Of 12 state-changing endpoints, all except this finding confirmed as CSRF token applied
Affected scope: Observed on 1 of 12 state-changing endpoints including /api/transfer; remaining 11 already have it applied
Full Per-Finding Card: (Critical 2-page Extended) see App-A · #2 — middleware application code samples + framework-specific implementation guide complete edition
E.2 · Featured Finding #2  |  Page 20 of 30
E.2 · Featured Finding #3
Featured Findings Deep-Dive

Reflected XSS in Search Param

NEW
High · CVSS 7.5 · External vulnerability · Cross-confirmed
app.example.com/search?q= · Sphior Web App Scanner / ZAP active rule (40012)

1. Risk Summary

This finding is a Reflected Cross-Site Scripting in the query parameter (q=) of the app.example.com/search endpoint. Sphior Web App Scanner confirmed that the payload `<script>alert(1)</script>` is directly reflected in the response HTML. We observed a pattern where HTML escape is not applied in the search query display section and the template engine's auto-escape is also disabled. Combined with the concurrent observation of HttpOnly-less cookies, this carries the possibility of a session theft → admin session hijacking chain. This affects SOC 2 CC6.6 / ISO 27001 A.8.8 audit-support evidence quality, and response within this quarter is recommended.

2. Risk Snapshot

Business Impact
Medium-High

Session cookie theft (combined with HttpOnly absence), phishing chain, possibility of admin panel session hijacking.

Exploit Difficulty
High

Trivial via URL; the attack succeeds merely by getting a victim to click a crafted URL. Reconnaissance is unnecessary because the search functionality is public; the attack surface is wide.

Observed Urgency
High

Wide attack surface on public endpoints; rapid response after early detection is recommended. Root-cause remediation possible via output encoding + CSP.

3. Observed Evidence (excerpt)

Full evidence + scanner raw output in App-A · #3
HTTP TRACE
GET /search?q=<script>alert(document.cookie)</script> HTTP/1.1
Host: app.example.com

Response: 200 OK
Content-Type: text/html
<html><body>Search results: <script>alert(document.cookie)</script>…   ← payload directly reflected in response HTML and executed by the user's browser (encoding not applied)

4. Recommended Actions

STEP 01 · Emergency · Output encoding standardization

Render the search query display section with HTML escaping (&lt; / &gt; / &amp; / &quot;) and re-enable the template engine's auto-escape on all views. Response within this quarter recommended.

Implementation hint: React: JSX auto-escape default / Vue: {{ }} auto-escape / Django: {% autoescape on %}

STEP 02 · Containment · Content-Security-Policy header hardening

Add a CSP policy that prohibits inline scripts (script-src 'self', etc.) to all responses and remove unsafe-inline entirely. Retire the deprecated X-XSS-Protection header and rely on CSP instead.

Implementation hint: Apply across all endpoints via Cloudflare Workers / Nginx config / Express helmet middleware

STEP 03 · Verification · Mandatory HttpOnly + SameSite on session cookies

Mandate HttpOnly + SameSite=Strict on session cookies to prevent cookie acquisition from JS and minimize the impact of cookie theft via XSS. Confirm full adoption via Sphior re-scan.

Implementation hint: Set-Cookie: session=…; HttpOnly; Secure; SameSite=Strict (unified across all endpoints)
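An added Python example (not the report's own code) applying STEP 01 and STEP 02 to the reflected payload from the trace: the unescaped render beside an html.escape render, a CSP value that drops unsafe-inline in favour of a per-response nonce, and a verification check that parses a policy the way a re-scan would. The page markup and the nonce helper are assumptions.

```python
import html
import secrets

# Payload from the report's HTTP trace for /search?q=
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(q):
    """The observed pattern: q lands in the HTML verbatim (auto-escape off)."""
    return f"<html><body>Search results: {q}</body></html>"


def render_escaped(q):
    """STEP 01: escape untrusted text before it enters the markup.
    quote=True also encodes \" and ' so the same call is safe inside attributes."""
    return f"<html><body>Search results: {html.escape(q, quote=True)}</body></html>"


def new_nonce():
    """Assumed helper: a fresh per-response nonce for any inline script kept."""
    return secrets.token_urlsafe(16)


def csp_policy(nonce):
    """STEP 02: no 'unsafe-inline'; an inline script runs only if it carries
    this response's nonce, which a reflected payload cannot know."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def allows_inline_script(policy):
    """Verification check: does script-src (or default-src, which applies when
    script-src is absent) still list 'unsafe-inline'? Note that a policy that
    also carries a nonce or hash makes browsers ignore 'unsafe-inline'; this
    check flags the directive wherever it appears so it gets removed."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def is_reflected_raw(body, payload):
    """Re-scan style check: is the payload present unencoded in the body?"""
    return payload in body


if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_escaped(XSS_PAYLOAD))
    print("Content-Security-Policy:", csp_policy(new_nonce()))
```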

5. Compliance Standards & References

CWE-79 · OWASP A03 Injection · NIST SP 800-53 SI-10 · SOC 2 CC6.6 · ISO 27001:2022 A.8.8
Related findings: #8 (Cookie no HttpOnly) / #6 (Verbose error on /login) — Impact increases when XSS combines with absent HttpOnly cookies
Affected scope: Same pattern possibility across 3 public search functionality endpoints including app.example.com/search; scope confirmation via Sphior re-scan recommended
Full Per-Finding Card: (Standard 1-page) see App-A · #3 — output encoding code samples + CSP policy design guidelines complete edition
E.2 · Featured Finding #3  |  Page 21 of 30
Threat Update Engine

Every month, SPHIOR keeps pace with the latest attack techniques.

Security threats evolve every month. SPHIOR's security team continuously incorporates new vulnerabilities, attack patterns, and CVEs into the scan engine — so your diagnostic standards never go stale.

Every monthly assessment runs on the latest engine.

Engine Updates

Continuously updated

Engine continuously synced

Global Scan Execution Infrastructure

Every month, SPHIOR handles all diagnostics, report generation, and delivery on your behalf — no dedicated engineer required. Scans are executed from data centers around the world.

Global
24 Cities
24/7
Zero-Touch Governance

Ref · SPHIOR-SOC2

Monthly Security Evidence

SOC 2
• External assessment performed
• Critical findings prioritized
• Remediation status tracked
Monthly · Continuously Reviewed

Ref · SPHIOR-ISO

Gap Analysis Report

ISO 27001
• Security controls compliance check
• Risk assessment results recorded
• Corrective actions tracked
Quarterly · Audit Ready

Ref · SPHIOR-OWASP

Scan Evidence

OWASP
• OWASP Top 10 compliant scan
• Deep API & authenticated area audit
• CVSS score & fix priority
Monthly · Engine Updated

Governance & Evidence

Monthly third-party audit records, the only proof of trustworthiness.

When an incident lands, the question is what you did before it. SPHIOR's monthly reports become defensible evidence — across audit, vendor risk, and corporate due diligence.

• Supporting evidence for SOC 2 / ISO 27001

  External assessment records, scope, and remediation status — packaged for auditor reference.

• Vendor reviews and security questionnaires

  Concrete monthly artifacts to back up your security posture, not adjectives.

• Cyber due diligence in M&A and IPO

  Removes 'unmanaged web security' as a value-discount lever during diligence.

Choose Your Plan

Stay ahead of site outages, reputation damage, and hidden vulnerability risks — and know exactly what to fix first. Choose the plan that matches your business scale and the depth of security assurance you need.

Save 20%

Core

For startups & small teams

Automated monthly checks on uptime, DNS, TLS, and baseline misconfigurations. Maintain basic security assurance without a dedicated engineer.

$199/mo

Billed 1,990 yearly

• Continuous uptime & response monitoring
• Baseline vulnerability & misconfiguration scan
• Exposed endpoint detection
• DNS security audit (SPF / DKIM / DMARC / DNSSEC)
• TLS certificate transparency check
• Core Web Vitals, SEO & accessibility audit
• Monthly security baseline audit report

First month free

Scale

For growing businesses & SaaS teams

Everything in Core, plus dedicated scan engines for CVEs, known vulnerabilities, and insecure headers. Connect AWS / GCP / Azure / Cloudflare to add cloud infrastructure auditing to your monthly report. Monthly delta tracking tells you exactly what to fix first.

$599/mo

Billed 5,990 yearly

• Everything in Core
• Full CVE & known vulnerability scanning
• Security headers, HTML & privacy deep audit
• Month-over-month delta tracking (new risk detection)
• Code security scanning (GitHub integration)
• Cloud infrastructure audit (AWS / GCP / Azure / Cloudflare — optional)
• GRC integration push (Drata / Vanta / Secureframe)
• Monthly vulnerability report with remediation priorities

First month free

Enterprise

For regulated industries & audit-ready orgs

Everything in Scale, plus DAST for authenticated areas, admin panels, and APIs. Cloud infrastructure auditing is required (not optional) and combined with AI governance analysis to generate audit-support evidence every month.

$2,499/mo

Billed 24,990 yearly

Custom scoped based on coverage, authenticated setup, and support needs.

• Everything in Scale
• Dynamic Application Security Testing (DAST)
• Authenticated area & admin panel full audit
• API security testing
• Cloud infrastructure security audit (required, full integration)
• AI governance analysis + AI chat included
• Governance Audit Report (executive brief + audit trail)

Ready to Secure Your Digital Future?

Start Free

✓ 24/7 Monitoring