> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cystack.net/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Grading

> BaseCheck's security assessment criteria

CyStack BaseCheck classifies systems into 4 security levels: A, B, C, D. This applies to web systems or publicly exposed infrastructure (Internet-facing).

### 🟢 Level A - High Security

> The system is properly configured with no clear risks detected.

* No leaked accounts/emails
* TLS only uses strong standards (TLS 1.2+ with modern ciphers, no CBC/RSA)
* No security vulnerabilities detected
* Not listed on any blacklist
* All subdomains are well secured (HTTPS, no exposed admin panels)
* Only common and legitimate ports are open (80, 443, 22…)
* Presence of WAF or firewall detected

***

### 🟡 Level B - Good, Minor Improvements Needed

> A few minor weaknesses exist but no serious impact yet.

* Fewer than 5 leaked accounts/emails
* TLS still contains weak ciphers (CBC) but supports Forward Secrecy
* Contains **Low** severity vulnerabilities
* A few subdomains have minor issues (e.g., expired cert, redirect issues)
* Open ports are reasonable with no suspicious services
* Signs of WAF present (e.g., headers, Cloudflare...)

***

### 🟠 Level C - Medium Risk, Potential Threats

> Noticeable configuration issues that should be addressed soon.

* More than 10 leaked accounts/emails
* TLS supports CBC/RSA or uses TLS 1.0/1.1
* Contains **Low/Medium** vulnerabilities
* Subdomains show risk indicators (e.g., dev., admin., no authentication, exposed IP)
* Uncommon ports are open (e.g., 11308, 11310)
* No WAF or firewall detected

***

### 🔴 Level D - High Risk

> The system has multiple serious weaknesses that may be exploited.

* Listed on blacklists (spam, malware, abuse…)
* TLS certificate expired or has critical issues
* Subdomains expose sensitive information: admin panels, debug interfaces
* Contains **High/CRITICAL** vulnerabilities
* Sensitive services exposed without protection (FTP, DB, RDP…)
* No firewall/WAF or any detectable protection mechanism
