Security Grade Report
Sample Co · Series B SaaS · prepared by Operative
Overall: B−
Executive summary
Sample Co's posture is solid in code and weak in cloud identity. The highest risk is a reachable path from a public storage bucket to database credentials; it is exploitable today and is the single most important thing to fix. Compliance evidence is largely in place for SOC 2, but three controls lack testing evidence. AI governance is early: copilots are in use with no approval path and no logging.
Grades by domain
| Domain | Grade |
|---|---|
| Code | B+ |
| Cloud | C |
| Compliance | A− |
| AI governance | D |
Top attack paths
| Path | Severity | Status |
|---|---|---|
| Public S3 → Lambda → DB credentials | Critical | Validated |
| Subdomain takeover → admin → users table | High | Validated |
| Over-scoped IAM role → RDS → billing data | Medium | Validated |
Top fix-ready actions
- Make the customer-assets bucket private and rotate exposed keys. — closes the critical path; ~2 hrs.
- Scope the lambda-exec IAM role to least privilege. — removes lateral movement to RDS.
- Claim or remove the dangling status.sampleco.com CNAME. — closes subdomain takeover.
- Add an approval path + logging for employee AI copilots. — first AI-governance control.
- Supply testing evidence for SOC 2 controls CC7.2, CC6.6, CC8.1. — unblocks the audit.
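A way to verify the "Scope the lambda-exec IAM role to least privilege" action before and after the change, as an added example that is not Operative's tooling. Both policy documents are constructed for illustration (the real lambda-exec policy is not in this report), and the required-action set assumes the function only reads one S3 prefix and writes its own logs.

```python
"""Least-privilege check for the lambda-exec role: flags Allow grants beyond
what the function needs. Added example; policies below are constructed."""

# Assumption: the function only needs to read one S3 prefix and write logs.
REQUIRED_ACTIONS = frozenset({"s3:GetObject", "logs:CreateLogStream",
                              "logs:PutLogEvents"})
# Services whose resources hold customer data; a "*" resource there is excess
# even when the action itself is required (this is the RDS lateral-move risk).
DATA_SERVICES = {"s3", "rds", "rds-data", "secretsmanager"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def excess_grants(policy, required=REQUIRED_ACTIONS):
    """Return (action, resource, reason) for every Allow grant beyond `required`.

    Rules: an Action not literally in `required` is excess (so wildcards such
    as "rds:*" always are); a data-service Action on Resource "*" is excess.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if action not in required:
                    findings.append((action, resource, "action not required"))
                elif action.split(":")[0] in DATA_SERVICES and resource == "*":
                    findings.append((action, resource, "data resource is '*'"))
    return findings


def is_least_privilege(policy):
    return not excess_grants(policy)


# Constructed 'before' policy reproducing the report's finding: the role can
# reach RDS from the Lambda, and reads every bucket rather than one prefix.
OVER_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "rds:*", "rds-data:*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"},
]}

# Constructed 'after' policy: one object prefix, one log group (placeholder account id).
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-assets/*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:000000000000:log-group:/aws/lambda/*"},
]}

if __name__ == "__main__":
    for action, resource, reason in excess_grants(OVER_SCOPED):
        print(f"EXCESS {action} on {resource}: {reason}")
    print("least privilege after fix:", is_least_privilege(LEAST_PRIVILEGE))
```

Run it against the exported policy JSON of the real role (`json.load` the document and pass it to `excess_grants`) to get a line per grant that still needs trimming.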