Step 3: Assessment
Example Vulnerability Assessment
Here's what it actually looks like when we deliver findings. This is a fictional example for Acme Company — the email you'd receive with everything inline.
From: Eric Turner <eric@aks-llc.com>
To: Jane Smith <jane@acmecompany.com>
Date: March 18, 2026 at 2:14 PM
Subject: CONFIDENTIAL — Initial Finding: Acme Company External Assessment
Hi Jane,
We've completed the initial probe of the three targets you authorized (www.acmecompany.com, portal.acmecompany.com, and api.acmecompany.com). As discussed, we stopped at the first confirmed finding.
Unfortunately, we found a critical issue fairly quickly.
FINDING: Customer Database Exposed via API Endpoint
Severity: CRITICAL
Target: api.acmecompany.com
We discovered that your API endpoint at /api/v1/customers returns your entire customer database — names, email addresses, physical addresses, phone numbers, and order histories — to anyone who requests it. No login required. No API key. No authentication of any kind.
We confirmed this by making a simple unauthenticated request:
curl https://api.acmecompany.com/api/v1/customers
The response returned 14,832 complete customer records. We immediately stopped, did not download or store the data, and are reporting this to you now.
WHAT THIS MEANS:
Right now, anyone on the internet who knows (or guesses) that URL can download your entire customer list. That's names, home addresses, email addresses, phone numbers, and full order histories for every customer you have. That's enough for identity theft, phishing campaigns targeting your customers by name, or bulk sale on dark web marketplaces.
Depending on your state, if this data has been accessed by an unauthorized party, you may have mandatory breach notification requirements.
WHAT WE RECOMMEND:
1. Immediately: Disable or restrict the /api/v1/customers endpoint. If your application depends on it, put it behind authentication today. This is the single most important thing.
2. Check your logs: Look at your server access logs for requests to /api/v1/customers from IP addresses you don't recognize. Check for high-volume GET requests, unusual user agents, or access from foreign IP ranges. If this endpoint has been live for any length of time, there is a real possibility someone has already found and exploited it. If you see evidence of that, this goes from being a vulnerability to an active breach — and the response changes significantly. We can help with that if needed.
3. Longer term: Implement proper API authentication (session-based or API key), role-based access controls, rate limiting, and remove the ability to dump all records in a single request.
WHAT'S NEXT:
This was found within the first hour of testing. When a critical issue surfaces that quickly, it usually means the codebase hasn't had a security review — which means there are very likely more issues we didn't get to.
I'd like to set up a quick call to walk through this and talk about next steps. That could be your team patching this and us re-scanning to verify, or us continuing with a deeper assessment. Totally your call — no pressure either way.
Let me know when works for you this week.
Eric Turner
A.K.S Security, LLC
844-955-4225 | info@aks-llc.com
CONFIDENTIAL — This email and its contents are intended solely for the addressee. Do not forward or share without written consent.
This is a fictional example. Real assessments may include multiple findings, screenshots, full reproduction steps, and severity scoring. This shows the format and level of detail you can expect from the initial free probe.
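Recommendation 2 in the sample email asks the client to search their access logs for requests to /api/v1/customers from unrecognized IP addresses, high-volume GETs and unusual user agents. The script below is an added example of that triage step, not A.K.S Security's tooling or anything from the sample email; it assumes the Apache/nginx combined log format, a client-maintained set of known IP addresses, and constructed sample log lines (geo-IP lookups for "foreign ranges" need an external database and are left out).

```python
import re
from collections import defaultdict

ENDPOINT = "/api/v1/customers"
# Apache/nginx "combined" log format (assumed; adjust LOG_RE for other servers).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)
# User agents a browser session would not send (assumed list; extend for your environment).
SCRIPTED_UA = re.compile(r"curl|python-requests|go-http-client|wget|^-$", re.I)

def review_access_log(lines, known_ips, volume_threshold=5):
    """Per-IP hit counts for successful GETs of ENDPOINT, plus the reasons each IP was flagged."""
    per_ip = defaultdict(lambda: {"hits": 0, "bytes": 0, "uas": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or m["method"] != "GET" or m["status"] != "200"  # successful dumps only
                or m["path"].split("?")[0] != ENDPOINT):
            continue
        e = per_ip[m["ip"]]
        e["hits"] += 1
        e["bytes"] += int(m["size"]) if m["size"].isdigit() else 0  # bytes served ~ data exposed
        e["uas"].add(m["ua"])
    flagged = {}
    for ip, e in per_ip.items():
        reasons = []
        if ip not in known_ips:
            reasons.append("unrecognized source IP")
        if e["hits"] >= volume_threshold:
            reasons.append(f"high volume: {e['hits']} successful GETs")
        if any(SCRIPTED_UA.search(ua) for ua in e["uas"]):
            reasons.append("scripted/unusual user agent")
        if reasons:
            flagged[ip] = {"hits": e["hits"], "bytes": e["bytes"], "reasons": reasons}
    return flagged

# Constructed sample lines (not real traffic): a scripted bulk puller, an unknown browser
# visitor, a known internal address, and an unrelated endpoint that must be ignored.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/Mar/2026:02:1{i}:05 +0000] "GET /api/v1/customers HTTP/1.1" 200 9812345 "-" "python-requests/2.31"'
    for i in range(5)
] + [
    f'198.51.100.20 - - [17/Mar/2026:09:40:12 +0000] "GET /api/v1/customers HTTP/1.1" 200 9812345 "-" "{BROWSER}"',
    f'10.0.0.5 - - [17/Mar/2026:10:02:44 +0000] "GET /api/v1/customers HTTP/1.1" 200 9812345 "-" "{BROWSER}"',
    '203.0.113.7 - - [17/Mar/2026:02:20:00 +0000] "GET /api/v1/products HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
]

def flagged_sample():
    """Review the constructed lines; 10.0.0.5 is the only address the site owner recognizes."""
    return review_access_log(SAMPLE_LOG, known_ips={"10.0.0.5"})
```

Any IP that appears in the result has successfully pulled the endpoint at least once; the reasons tell you which of the email's three indicators it tripped, and a high-volume or scripted entry from an unrecognized address is the point at which the email says the response shifts from vulnerability to breach handling.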