Procurement readiness
Vendor questionnaire guide
How Sycrion answers 15 of the most common vendor security questionnaire questions — CAIQ, VSAQ, and enterprise procurement checklists. Run a scan to get pre-filled answers for your domain.
15 questions covered · 3 compliance mappings · 8 data sources used · 90s to answer all
Do you enforce TLS 1.2 or higher on all endpoints?
SSL Labs grades the TLS configuration. Supported protocol versions, cipher suites, and certificate validity are documented, so any remaining TLS 1.0/1.1 support shows up directly in the answer.
Source: SSL Labs
Are your SSL/TLS certificates valid and up to date?
Certificate expiry, issuer, chain validity, and presence in Certificate Transparency logs are checked.
Source: SSL Labs · crt.sh
Do you implement HTTP Strict Transport Security (HSTS)?
HSTS header presence and max-age value are verified against SecurityHeaders' grading criteria. Browsers only honour the header when it is received over HTTPS.
Source: SecurityHeaders
Do you implement SPF (Sender Policy Framework)?
SPF TXT record presence, syntax, and policy strictness (-all hard fail vs ~all softfail) are documented.
Source: MXToolbox · DNS
Do you implement DKIM (DomainKeys Identified Mail)?
DKIM selector records (published at selector._domainkey.<domain>) are checked. Presence and key strength (RSA key length) are documented.
Source: MXToolbox · DNS
Do you implement DMARC email authentication?
DMARC record presence, policy (p=none / quarantine / reject), and reporting configuration (rua / ruf addresses) are documented.
Source: MXToolbox · DNS
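The three email-authentication answers above come down to parsing three DNS TXT records. The following is an added example, not Sycrion's code: it classifies an SPF record's policy and counts the DNS lookups it costs (RFC 7208 caps these at 10), reads the DMARC policy and reporting tags, and reads the RSA modulus size out of a DKIM p= value by walking the DER SubjectPublicKeyInfo. All sample records, domains and the DKIM key are constructed (the key is a synthetic modulus, not a real key); a real check would fetch the records with a resolver and then feed them to these functions.

```python
import base64
import re

# --- Minimal DER helpers: build_rsa_spki() constructs the sample key, rsa_modulus_bits() reads real ones.
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                       # keep the INTEGER positive
        raw = b"\x00" + raw
    return der_encode(0x02, raw)

def der_read(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

RSA_ALG_ID = der_encode(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL

def build_rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA public key (constructed modulus, not a real key)."""
    rsa_key = der_encode(0x30, der_int(n) + der_int(e))
    return der_encode(0x30, RSA_ALG_ID + der_encode(0x03, b"\x00" + rsa_key))

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    _, body, _ = der_read(spki)                # outer SEQUENCE
    _, _, after_alg = der_read(body)           # AlgorithmIdentifier
    _, bitstr, _ = der_read(body, after_alg)   # BIT STRING
    _, rsa_key, _ = der_read(bitstr[1:])       # skip the unused-bits byte
    tag, modulus, _ = der_read(rsa_key)
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(modulus, "big").bit_length()

def evaluate_spf(txt):
    if not txt.lower().startswith("v=spf1"):
        return {"present": False}
    qualifiers = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
    policy, lookups = "none", 0           # "none": no all term, unmatched senders are neutral
    for term in txt.split()[1:]:
        qual = term[0] if term[0] in qualifiers else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if body == "all":
            policy = qualifiers[qual]
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1                  # each of these costs a DNS lookup (RFC 7208 limit: 10)
    return {"present": True, "policy": policy, "dns_lookups": lookups,
            "lookup_limit_exceeded": lookups > 10}

def _tags(txt):
    """Parse 'k=v; k=v' tag lists (DMARC and DKIM records)."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def evaluate_dmarc(txt):
    t = _tags(txt)
    if t.get("v", "").upper() != "DMARC1":
        return {"present": False}
    pct = int(t.get("pct", "100"))
    return {"present": True, "policy": t.get("p", "none"),
            "subdomain_policy": t.get("sp", t.get("p", "none")), "pct": pct,
            "aggregate_reports": "rua" in t,
            "enforcing": t.get("p") in ("quarantine", "reject") and pct == 100}

def evaluate_dkim(txt):
    t = _tags(txt)
    if "p" not in t:
        return {"present": False}
    key_b64 = "".join(t["p"].split())     # p= may be split across several TXT strings
    if not key_b64:
        return {"present": True, "revoked": True}   # empty p= means the key is revoked
    bits = rsa_modulus_bits(base64.b64decode(key_b64)) if t.get("k", "rsa") == "rsa" else None
    return {"present": True, "revoked": False, "key_type": t.get("k", "rsa"), "key_bits": bits,
            "at_least_1024": bits is not None and bits >= 1024,   # RFC 8301 minimum
            "at_least_2048": bits is not None and bits >= 2048}   # RFC 8301 recommendation

# Constructed sample records (domains and key are made up).
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:203.0.113.0/24 mx -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:dmarc@example.com"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki((1 << 2047) | 1)).decode()
SAMPLE_DKIM_WEAK = "k=rsa; p=" + base64.b64encode(build_rsa_spki((1 << 1023) | 1)).decode()

if __name__ == "__main__":
    print("SPF  ", evaluate_spf(SAMPLE_SPF))
    print("DMARC", evaluate_dmarc(SAMPLE_DMARC))
    print("DKIM ", evaluate_dkim(SAMPLE_DKIM))
    print("DKIM ", evaluate_dkim(SAMPLE_DKIM_WEAK))
```

The lookup count matters in practice: an SPF record that chains enough include: terms past ten lookups evaluates to permerror at receivers, which silently disables the policy a questionnaire answer claims to have.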
Do you implement a Content Security Policy (CSP)?
CSP header presence and configuration are checked. Missing or weak CSP is flagged with a finding.
Source: SecurityHeaders
Are you protected against clickjacking attacks?
Presence of the X-Frame-Options header or a CSP frame-ancestors directive is verified; where both are set, browsers that support frame-ancestors give it precedence.
Source: SecurityHeaders
Do you implement XSS protection mechanisms?
X-XSS-Protection and CSP headers are checked. X-XSS-Protection is a legacy header that current browsers no longer act on, so a CSP is the effective control; missing headers are documented as findings.
Source: SecurityHeaders
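The HSTS, CSP, clickjacking and XSS questions above are all answered from one HTTPS response's headers. This is an added example, not Sycrion's or SecurityHeaders' grading code: it parses the relevant headers and grades them the way a questionnaire answer would, with one pass/fail per question plus a findings list. The two header sets are constructed (a weak configuration beside a hardened one); the one-year max-age threshold is the minimum hstspreload.org accepts, and the "weak script source" list is an assumption of what counts as weak.

```python
import re

ONE_YEAR = 31536000   # seconds; hstspreload.org requires at least this max-age

def parse_hsts(value):
    """'max-age=N; includeSubDomains; preload' -> dict of lower-cased directives."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip().strip('"')
        else:
            out[part.lower()] = True
    return out

def parse_csp(value):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], 'script-src': ['c']}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def evaluate_headers(headers):
    """Grade one HTTPS response's headers against the four questionnaire items."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: present, max-age of at least a year, covering subdomains
    hsts_ok = False
    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        m = re.match(r"\d+", str(hsts.get("max-age", "")))
        max_age = int(m.group()) if m else 0
        if max_age == 0:
            findings.append("HSTS: max-age missing or zero, policy is disabled")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year")
        else:
            hsts_ok = True
        if "includesubdomains" not in hsts:
            findings.append("HSTS: includeSubDomains not set")
    else:
        findings.append("HSTS: header missing")

    # CSP: present, and script sources not effectively unrestricted
    csp = parse_csp(h.get("content-security-policy", ""))
    csp_ok = False
    if not csp:
        findings.append("CSP: header missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        weak = [s for s in scripts if s in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:")]
        if has_nonce_or_hash and "'unsafe-inline'" in weak:
            weak.remove("'unsafe-inline'")   # ignored by CSP2+ browsers once a nonce or hash is present
        if not scripts:
            findings.append("CSP: neither script-src nor default-src set, scripts are unrestricted")
        elif weak:
            findings.append("CSP: weak script sources " + " ".join(weak))
        else:
            csp_ok = True

    # Clickjacking: frame-ancestors takes precedence over X-Frame-Options where supported
    clickjack_ok = False
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is not None:
        clickjack_ok = "*" not in ancestors
        if not clickjack_ok:
            findings.append("Clickjacking: frame-ancestors allows any origin")
    elif xfo in ("DENY", "SAMEORIGIN"):
        clickjack_ok = True
    else:
        findings.append("Clickjacking: no CSP frame-ancestors and no X-Frame-Options DENY/SAMEORIGIN"
                        + (" (ALLOW-FROM is obsolete)" if xfo.startswith("ALLOW-FROM") else ""))

    # XSS: X-XSS-Protection is a legacy filter header; the effective control is the CSP
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.strip() != "0":
        findings.append("X-XSS-Protection: legacy header, current browsers ignore it; rely on CSP")
    return {"hsts": hsts_ok, "csp": csp_ok, "clickjacking": clickjack_ok, "xss": csp_ok,
            "findings": findings}

# Constructed header sets: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, evaluate_headers(hdrs))
```

Note that the grade is per response: a redirect, an error page or a second virtual host can carry a different header set, so a real check samples more than one URL.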
Are there any known unpatched CVEs in your publicly facing systems?
Software versions disclosed in HTTP response headers, service banners, and DNS are cross-referenced against the NVD CVE database.
Source: NVD · Shodan
Do you have any unnecessary services exposed to the internet?
Open ports and exposed services on the domain's hosts are identified from Shodan's passively collected scan data rather than an active port scan.
Source: Shodan
Are any sensitive files or directories publicly accessible?
70+ common sensitive paths are probed: .env, config files, admin interfaces, backup files, and package manifests.
Source: HTTP path probes
Is your domain or IP associated with malware or phishing?
Domain reputation is checked against the VirusTotal threat intelligence database.
Source: VirusTotal
What is your public subdomain exposure?
Subdomains that appear in publicly issued certificates are enumerated from certificate transparency logs. Hosts that never had a certificate, or are covered only by a wildcard certificate, are not visible this way.
Source: crt.sh
Are your DNS records properly configured with no dangling entries?
DNS A, MX, TXT and CNAME records are checked for misconfigurations and dangling pointers, such as a CNAME whose target no longer exists, which can expose the name to subdomain takeover.
Source: DNS · MXToolbox
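The two preceding answers are usually produced together: the hostnames found in certificate transparency are exactly the ones worth checking for dangling CNAMEs. This is an added example, not Sycrion's code. The crt.sh rows are constructed to match the shape of its JSON output (a name_value field with newline-separated names), and the resolver is a stub dictionary standing in for live DNS lookups so the example runs offline; every hostname in it is made up. "Dangling" here means a CNAME whose target no longer resolves, which is only a takeover if the target's provider lets anyone claim that hostname.

```python
import json

DOMAIN = "example.com"

# Constructed rows in the shape crt.sh returns for ?q=%25.example.com&output=json.
CRTSH_SAMPLE = json.dumps([
    {"issuer_name": "O=Example CA", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "*.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "old-staging.example.com"},
    {"issuer_name": "O=Example CA", "name_value": "WWW.EXAMPLE.COM."},      # case/trailing-dot duplicate
    {"issuer_name": "O=Example CA", "name_value": "example.com.attacker.test"},  # not under our domain
])

def subdomains_from_crtsh(raw_json, domain):
    """Unique hostnames under `domain` seen in CT. Wildcards are reported separately:
    they prove a wildcard certificate exists, not which hosts do."""
    hosts, wildcards = set(), set()
    for row in json.loads(raw_json):
        for name in row.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name == domain or name.endswith("." + domain):
                (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)

# Constructed resolver answers standing in for live DNS: name -> (type, value); None or absent = NXDOMAIN.
STUB_DNS = {
    "example.com": ("A", "203.0.113.10"),
    "www.example.com": ("CNAME", "www-prod.cdn.example.net"),
    "www-prod.cdn.example.net": ("A", "203.0.113.20"),
    "old-staging.example.com": ("CNAME", "old-staging-app.provider.example"),
    # provider-side resource was deleted, the CNAME was never cleaned up
    "old-staging-app.provider.example": None,
}

def check_dangling(name, dns, max_hops=8):
    """Follow the CNAME chain for `name`.
    ok: chain ends in an address record; nxdomain: the name itself has no record;
    dangling: a CNAME points at a name that no longer resolves."""
    chain, current = [], name
    for _ in range(max_hops):
        answer = dns.get(current)
        if answer is None:
            status = "dangling" if chain else "nxdomain"
            return {"name": name, "status": status, "chain": chain + [current]}
        rtype, value = answer
        if rtype != "CNAME":
            return {"name": name, "status": "ok", "chain": chain + [current]}
        chain.append(current)
        current = value
    return {"name": name, "status": "cname-loop", "chain": chain}

def audit(raw_json, domain, dns):
    """Enumerate from CT, then resolve every host; returns what needs attention."""
    hosts, wildcards = subdomains_from_crtsh(raw_json, domain)
    results = [check_dangling(h, dns) for h in hosts]
    return {"hosts": hosts, "wildcards": wildcards,
            "dangling": [r["name"] for r in results if r["status"] == "dangling"],
            "stale_no_record": [r["name"] for r in results if r["status"] == "nxdomain"]}

if __name__ == "__main__":
    print(json.dumps(audit(CRTSH_SAMPLE, DOMAIN, STUB_DNS), indent=2))
```

A host that shows up in CT but has no DNS record at all is a different finding from a dangling CNAME: the first is a stale certificate or decommissioned service, the second is the one to fix first.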
Can you demonstrate compliance with NIS2 Article 21 security measures?
Findings are mapped to NIS2 Article 21 requirements. The report section includes the control mapping with a status per requirement.
Source: NIS2 control mapping
Do you implement appropriate technical security measures under GDPR Article 32?
The report includes a GDPR Article 32 control mapping covering encryption, confidentiality, integrity, availability, and resilience.
Source: GDPR control mapping
Can you provide evidence of ISO 27001-aligned security controls?
Relevant findings are mapped to ISO 27001 Annex A controls and documented in the procurement report.
Source: ISO 27001 control mapping
Get pre-filled answers for your domain
Run a free scan. The report includes answers to the questions above, each attributed to its source and formatted for vendor questionnaire submission, with no manual research required.