ShadowTrackr


Reports

Reports give you continuous visibility into your external attack surface. Every query you can run in ShadowTrackr — including magic queries — can be saved, scheduled, and shared as a report.
You can view reports in the dashboard, and export them as PDF, JSON, CSV, or Excel. On export you can choose to download or send the report by email.

Creating a report

To create a report, go to Reports in the left-hand menu and click the Add report button (top right). Enter the query you want to run, select the output format, and click create.
A library of ready-made report templates is available — activate any template with a single click. New accounts come with the most popular reports enabled by default. The only report that is scheduled for automatic email delivery out of the box is the Weekly PDF Report.

Example queries for reports

Here are some example queries from the report library:

Expired certificates report
index=certificates not_after>-1d not_after<30d | table cn renewed grade ip issuer not_after tags last_seen

Security.txt validation report
index=websites security_txt_exists=1 security_txt_valid=0 last_seen>-7d | table url security_txt_exists security_txt_valid security_txt_errors https_status tags last_seen
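
The kind of errors a security.txt validation can surface, shown as an added example (not ShadowTrackr's own validator, whose rules this page does not describe): a Python check of a security.txt body against the core RFC 9116 rules, returning the line number and message for each error. The function name and the sample file are constructed for this example.

```python
from datetime import datetime, timezone

# Field names and rules follow RFC 9116. Added example, not ShadowTrackr's validator.
KNOWN = {"acknowledgments", "canonical", "contact", "encryption", "expires",
         "hiring", "policy", "preferred-languages"}
ONCE = {"expires", "preferred-languages"}
URI_FIELDS = KNOWN - ONCE

def validate_security_txt(text, now=None):
    """Return [(line_number, message)]; an empty list means no errors found."""
    now = now or datetime.now(timezone.utc)
    errors, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # signature armor of a cleartext-signed file follows
        if not line or line.startswith(("#", "-----BEGIN PGP SIGNED")):
            continue  # blank lines, comments and the signed-message header
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            errors.append((n, "expected 'Field: value'"))
            continue
        seen[name] = seen.get(name, 0) + 1
        if name not in KNOWN:
            continue  # RFC 9116: unknown fields are ignored (also skips PGP 'Hash:')
        if name in ONCE and seen[name] > 1:
            errors.append((n, f"{name} may appear only once"))
        if name in URI_FIELDS and value.lower().startswith("http://"):
            errors.append((n, f"{name}: web URIs must use https://"))
        elif name in URI_FIELDS and ":" not in value:
            errors.append((n, f"{name}: not a URI (missing mailto: or https://?)"))
        elif name == "expires":
            try:
                when = datetime.fromisoformat(value.replace("Z", "+00:00"))
                if when.tzinfo is None:
                    errors.append((n, "expires: timestamp needs a UTC offset"))
                elif when <= now:
                    errors.append((n, "expires: date is in the past"))
            except ValueError:
                errors.append((n, "expires: not an RFC 3339 timestamp"))
    for required in ("contact", "expires"):
        if required not in seen:
            errors.append((0, f"missing required field: {required}"))
    return errors

# Constructed sample file (not taken from a real site).
SAMPLE = ("Contact: security@example.com\nContact: http://example.com/report\n"
          "Expires: 2020-01-01T00:00:00Z\nPreferred-Languages: en\nPreferred-Languages: de\n")
```

Errors reported with line number 0 concern the file as a whole, such as a missing required field.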

Scheduled delivery

Reports can be scheduled to run daily, weekly, or monthly at any time you choose. Setting the schedule to "never" keeps the report available on-demand in the dashboard without sending it by email.
Scheduled reports are delivered by email to any address you specify — recipients do not need a ShadowTrackr account.

Weekly PDF Report

A comprehensive security summary delivered to your inbox every Monday morning before the start of your workweek. The report is designed to be actionable — highlighting what changed and what needs attention. You can add as many recipient email addresses as you like; recipients do not need a ShadowTrackr account. This is the only report scheduled for automatic email delivery by default.

Report library

Below is the full list of reports available in the ShadowTrackr report library. Each report is a pre-built query template that you can activate, customize, and schedule.

Vulnerabilities
Software Vulnerabilities Report
Filters the software inventory to show only versions with known vulnerabilities. Critical CVEs (CVSS 9+) appear in red and require immediate patching. All other CVEs should also be addressed promptly — these are internet-facing assets and actively targeted by attackers. Vulnerability data is sourced from MITRE and NIST.
Exploited Software Vulnerabilities Report
Shows software on your assets with vulnerabilities that are confirmed to be actively exploited in the wild. This is your most urgent patching list — every entry represents a known, weaponized attack vector on your infrastructure. CVE and CVSS data is sourced from MITRE and NIST.
CISA — KEV Matched with Your Vulnerable Assets
Cross-references software found on your assets with CISA's Known Exploited Vulnerabilities (KEV) catalog. Ideally this report should be empty. Any match means an actively exploited vulnerability exists on your infrastructure and requires immediate action.
CISA — Most Exploited Products
An overview of the most frequently exploited products over the last three months, based on US CISA data. Use this report to prioritize patching and hardening for the software most targeted by attackers.
CISA — Most Recent CVEs
Lists CVEs published by the US CISA agency in the last month that are confirmed to be actively exploited. Every entry on this list should be patched as soon as possible, and no later than the due date specified by CISA.

Compliance
Internet Standards Report
Assesses compliance with modern internet standards using the Internet.nl methodology. The Internet.nl standards check evaluates key website security and interoperability measures such as HTTPS/TLS configuration, DNSSEC, IPv6, HSTS, secure email standards, and modern encryption support. By default only pay-level domains are included. To add subdomains, visit the URL page for the domain, open the action menu (three dots, top right) and select "add to internet standards report".
European Cookie Law Report
Checks whether your websites place cookies on the user's device before any consent interaction. Setting cookies before the user accepts a policy may violate the GDPR and Article 5(3) of the European ePrivacy Directive (2002/58/EC). A cookie_on_load False value means no cookie is set on first load; True means a cookie is placed before any user interaction. Note that this might just be a functional cookie, which is not a direct violation.
Mailservers Report
Shows the security posture of your mailservers. Major email providers like Google and Microsoft reject messages from servers without proper MX, SPF, DMARC, and DKIM configuration. Any red or orange indicator in this report signals a deliverability or spoofing risk. Even domains that do not send email should have default MX, SPF, and DMARC records to prevent abuse.
Security.txt Validation Report
Shows all security.txt files found on your assets that contain syntax errors, with the exact error and location. If a URL has no security.txt file at all, it will not appear here — check the Missing security.txt Report for that.
Missing security.txt Report
Lists all URLs that do not have a security.txt file. A valid security.txt helps security researchers report vulnerabilities responsibly. For URLs that do have one but with errors, see the Security.txt Validation Report.
Supplier Dependency Report
This report plots all suppliers found for your assets on a world map to show your supply chain dependencies. Below the world map is a table of suppliers, sorted by number of assets, that shows how control of each supplier is organized: Sovereign European, Fully European, European subsidiary, or Non-European.

Software
Software Overview Report
Lists all software detected on your assets by passively fingerprinting network artefacts. Critical vulnerabilities (CVSS 9+) are highlighted in red and should be patched immediately. CVE data and CVSS scores come from MITRE and NIST. No active checks, login scripts, or exploits are run — detection is entirely passive.
Remote Login Services Report
Identifies remote access entry points to your infrastructure: RDP, SSH, VPN endpoints, and database logins. Beyond legitimate users, attackers target these services for initial access. Keep them patched, enforce multi-factor authentication where possible, and place services like Microsoft Terminal Services or database logins behind a VPN. Directly exposing these to the internet puts you one exploit or leaked credential away from a breach.

Assets
Blacklisted Assets Report
Checks your internet-facing assets against multiple blocklists. When one of your assets appears on a blocklist you should act immediately to get delisted — preferably before it impacts email deliverability or business reputation. Assets still on a blocklist show a red "Last seen" date; removed entries show black. Informational detections such as TOR exit nodes or Bitcoin nodes are included as well.
Cloudprovider Report
Maps your assets to their cloud providers, grouped by provider name. The domains shown summarize the specific URLs detected — at least one subdomain is hosted there, though not necessarily all. Click a provider name to drill down into the full details.

Domains
Domains Report
An overview of all domains extracted from your assets. Even if you do not use email on a domain, set an SPF null record (v=spf1 -all) to help email providers block anyone abusing your domain for spam or phishing. For stronger protection, add DNSSEC, DKIM, and DMARC as well.
Expiring Domains Report
Lists domains expiring within the next 30 days. Renew them in time — an expired domain can be registered by someone else and used for phishing campaigns or redirected to a competitor. Please note that the Dutch registrars have a policy of not publishing domain expiry information.
Phishy Domains Report
Detects typosquatting, misspelling, and leet-speak permutations of your domains that are actively registered and in use. For each match, ShadowTrackr checks nameservers, mailservers, and the website content to help you assess whether it is malicious. If it is, contact the hosting provider's abuse team and start a Notice-and-Take-Down procedure. Many more permutations are checked behind the scenes — only those actually in use are displayed.

Websites
Websites Report
Evaluates your websites against common security measures: secure HTTP headers, secure cookies, Content Security Policy (CSP) and Subresource Integrity (SRI). CSP and SRI are severely underused across the web, yet they provide strong protection against XSS and data-injection attacks. Grading follows the Mozilla Observatory methodology.
Bad Websites Report
Filters your websites to show only those with active security issues. Use this as a focused remediation list — every entry represents a website that needs attention.
Websites Security Report
Provides the detailed security test results behind your website grades. Based on the Mozilla Observatory grading method, it breaks down individual HTTP header checks and security controls. Most scores can be improved through webserver configuration changes. CSP adjustments can be more involved, but the remaining headers are typically straightforward to fix.
Shared Hosting Report
Identifies websites that are not yours but are hosted on the same shared infrastructure. If any of these poses a risk to your organization, contact the hosting provider to request a change. If the listed websites are actually yours, you can find them under suggestions and add them as assets.

Hosts
Hosts Report
Lists all hosts observed in the last 7 days. Use this report to maintain an up-to-date inventory of your internet-facing infrastructure, spot new or unexpected hosts, and confirm that decommissioned systems are no longer reachable.
Bad Hosts Report
Identifies hosts with insecure or misconfigured ports exposed to the internet, including services that lack proper TLS encryption. Without TLS your traffic can be intercepted, enabling eavesdropping, session hijacking, and credential theft. Remediate every finding in this report as a priority.
Rare Ports Report
Lists ports that are uncommonly open on internet-facing hosts. Standard web (80, 443), email, FTP and SSH ports are excluded. ShadowTrackr scanning nodes attempt to identify the actual protocol running on each port, so services like SMTP on port 2525 will be correctly recognized.
Non-webserver Hosts Report
Shows hosts with open ports other than 80 and 443 — the non-web services visible from the internet. Review this report regularly to verify that only intended services are publicly accessible and no unexpected listeners have appeared.
Hosts without DNS records
This report provides an overview of all your hosts whose IP addresses do not appear in any known DNS records.


Certificates
Certificates Report
Lists all SSL/TLS certificates found on your assets. Use this report to maintain a complete inventory of your certificates, verify issuers, and spot any certificates that should not be there.
Bad Certificates Report
Shows certificates with active security issues such as weak algorithms, incorrect chains, or trust problems. Each entry needs investigation and remediation to maintain secure encrypted connections.
Expiring Certificates Report
Tracks certificates that are approaching expiry within the next 30 days alongside those that have recently been renewed. Renew these certificates before they expire — an expired certificate causes browsers to display a security warning instead of your website. Already-expired certificates appear as grade "T" (Trust issue) in the main certificates view. Use this report to verify that your renewal process is working and that no certificate is slipping through the cracks.

DNS
Stale DNS Records Report
Identifies DNS records that still resolve but no longer point to an active website or server. Remove these records to reduce your attack surface and prevent potential subdomain takeover.
DNS Dependency Report
This report shows a Sankey diagram with all your domains on the left and, on the right, the DNS nameservers where the DNS records for those domains live. It provides a good overview of the DNS nameservers on which your online presence depends.


Other
Datadump Detections Report
Shows where your domains, email addresses or custom keywords appeared on common dump sites or code-sharing sites.
Exposed Email Addresses Report
Lists email addresses exposed on your assets that appear in known data breaches. Each breach entry includes the email address and a compromised password. Notify affected users to reset their credentials and consider enforcing multi-factor authentication to guard against password reuse.
ISP Report
Provides an overview of the Internet Service Providers hosting your assets, including ASN numbers and geographic location data. Use this to understand where your infrastructure is physically hosted and to verify that assets reside in expected regions.