| Tool | PCI Requirement | Purpose |
|---|---|---|
| SSL/TLS Checker | 4.2.1 | Validate certificate grades, protocols, and cipher suites |
| CVE Lookup | 6.3 | Search the NVD for known vulnerabilities by software/version |
| ASV Scan Import | 11.3.2 | Upload and parse Qualys/Tenable/Rapid7 scan results |
| Pen Test Parser | 11.4 | Upload and parse Burp Suite, Nessus, or ZAP reports |
| Headers & DNS | 2.2.5 | Check HTTP security headers and DNS records |
| Remediation Dashboard | — | Aggregated view of all findings across all tools |
Accessing Security Tools
Open the Security Tools Tab
In the assessment workbench, open the Security dropdown in the top navigation bar and select Security Tools. The Security Tools panel opens with six sub-tabs.
SSL/TLS Checker
The SSL/TLS Checker validates a domain’s certificate configuration and assigns a letter grade (A through F). It uses SSL Labs for detailed analysis with a direct TLS fallback when SSL Labs is unavailable.
Running a Check
Enter the Domain
Type the domain name (e.g., example.com) in the input field. Do not include https:// — the checker adds it automatically.
Click Run Check
The check runs server-side. SSL Labs analysis may take 30–60 seconds; if SSL Labs is overloaded, the system falls back to a direct TLS connection check that completes in under 5 seconds.
Review Results
The result card displays:
| Field | Description |
|---|---|
| Grade | Letter grade badge (A+, A, B, C, D, F) color-coded green through red |
| PCI Compliance | PASS or FAIL badge — FAIL if grade is below B, TLS < 1.2, or weak ciphers detected |
| Certificate Issuer | The certificate authority (e.g., Let’s Encrypt, DigiCert) |
| Valid Until | Certificate expiration date |
| Protocol | Supported TLS versions |
| Cipher Suite | Active cipher suites |
| PCI Issues | Specific problems that affect PCI compliance (e.g., “TLS 1.0 enabled”, “Weak cipher suites”) |
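The PCI Compliance rule in the table (FAIL if the grade is below B, any TLS version below 1.2 is offered, or weak ciphers are detected) as a small added Python example. This is not the product's code; which cipher suites count as "weak" is not defined on this page, so the WEAK_CIPHER_MARKERS list is an assumption of the example, and the protocol and cipher names in the sample call are constructed.

```python
# Added example (not the product's code): apply the PCI PASS/FAIL rule from the
# result-card table to an SSL/TLS result. Which cipher suites count as "weak"
# is not defined on the page; WEAK_CIPHER_MARKERS is this example's assumption.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "anon", "MD5")
PASSING_GRADES = ("A+", "A", "B")      # "below B" means C, D or F

def protocol_version(name):
    """'TLS 1.0' -> 1.0; 'SSL 3.0' -> -1.0 (treated as older than any TLS)."""
    label, _, ver = name.strip().partition(" ")
    return float(ver) if label.upper() == "TLS" else -1.0

def pci_evaluate(grade, protocols, cipher_suites):
    """Return (status, issues): status is 'PASS' or 'FAIL'; issues mirrors the PCI Issues field."""
    issues = []
    if grade not in PASSING_GRADES:
        issues.append("Grade %s is below B" % grade)
    for proto in protocols:
        if protocol_version(proto) < 1.2:
            issues.append("%s enabled" % proto.strip())
    weak = [c for c in cipher_suites if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        issues.append("Weak cipher suites")
    return ("FAIL" if issues else "PASS"), issues

if __name__ == "__main__":
    # Constructed sample result, not real scanner output.
    status, issues = pci_evaluate(
        "B", ["TLS 1.0", "TLS 1.2"],
        ["TLS_RSA_WITH_RC4_128_SHA", "TLS_AES_128_GCM_SHA256"])
    print(status, issues)   # FAIL ['TLS 1.0 enabled', 'Weak cipher suites']
```

Note that a grade of B still passes, so a site can hold a mediocre grade and remain PCI-compliant as long as no legacy protocol or weak cipher is offered; the issues list is what tells the assessor why a FAIL was raised.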
Check History
Previous checks are listed below the input form with the domain, grade, date, and PCI status. Expand any previous check to view its full results or re-apply it to the assessment.
SSL Labs results are cached by SSL Labs itself. If you need a fresh analysis, wait a few minutes between checks of the same domain.
CVE Vulnerability Lookup
The CVE Lookup tool searches the NIST National Vulnerability Database (NVD) for known vulnerabilities affecting a specific software product and version. Results are cached locally to reduce API calls and improve response times.
Searching for Vulnerabilities
Enter Product and Version
Type the software product name (e.g., Apache HTTP Server) and version (e.g., 2.4.49) in the input fields.
Click Search
The system queries the NVD API. Results typically return within 2–5 seconds, or instantly if the product/version combination has been searched before (cached for 7 days).
Review CVEs
Each CVE result displays:
| Field | Description |
|---|---|
| CVE ID | The unique identifier (e.g., CVE-2021-41773) |
| Severity | Color-coded badge — Critical (red), High (orange), Medium (yellow), Low (blue) |
| CVSS Score | Numerical score from 0.0 to 10.0 |
| Description | Summary of the vulnerability |
| Published | Date the CVE was published |
Lookup History
All previous lookups are displayed below the search form with product, version, CVE count, and date. Expand any previous lookup to review its results or re-apply it to the assessment.
ASV Scan Import
The ASV Scan Import tool parses CSV exports from Approved Scanning Vendors — Qualys, Tenable (Nessus), and Rapid7 — and converts them into structured findings with PCI compliance determination.
Uploading a Scan
Fill In Scan Details
Enter the scan metadata:
- Scan Date — when the scan was performed
- Quarter — the PCI quarter this scan covers (e.g., Q1 2026)
- Vendor — select Qualys, Tenable, Rapid7, or Generic (auto-detected if left as Auto)
Select the CSV File
Click the file input to select a .csv file exported from your ASV scanning tool.
Click Upload & Parse
The system detects the vendor format from the CSV column headers and parses each row into a normalized finding with host, port, severity, CVSS score, and remediation guidance.
Review Results
The result card shows:
- PASS / FAIL badge — FAIL if any finding has CVSS score >= 4.0
- Host count — number of unique hosts scanned
- Vulnerability count — total number of findings
- Severity breakdown — badge counts for Critical, High, Medium, Low, Info
Supported Vendor Formats
| Vendor | Detection Method | Key Columns |
|---|---|---|
| Qualys | Column header contains QID | IP, DNS, QID, Title, Severity, CVSS, Port, Protocol, CVE ID, PCI Vuln |
| Tenable (Nessus) | Column header contains Plugin ID | Plugin ID, CVE, CVSS, Risk, Host, Port, Name, Synopsis, Solution |
| Rapid7 | Column header contains Vulnerability ID | Vulnerability ID, Asset IP, Asset Names, Severity, CVSS Score, Title |
| Generic CSV | Fallback format | Best-effort column matching — looks for host, port, severity, cvss, title, description |
Managing Findings
Expand a scan result to view all findings. Each finding row displays:
- Severity badge — color-coded (Critical, High, Medium, Low, Info)
- Title — vulnerability name
- Host and Port — affected asset
- CVSS Score — numerical risk score
- Remediation Status — dropdown to mark as Open, In Progress, Fixed, or Accepted Risk
- False Positive — toggle to flag false positives (excluded from compliance calculation)
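The vendor detection, row normalization, PASS/FAIL rule and false-positive exclusion described in the Upload, Supported Vendor Formats and Managing Findings sections, as one added Python example. It is not the product's code: the vendor column names come from the table above, the normalized key names (host, port, severity, cvss, title) and the generic substring matching are the example's own, and the Qualys-style CSV is constructed with fake hosts and QIDs.

```python
"""Added example (not the product's code): detect the vendor of an ASV CSV export
from its column headers, normalise each row, and apply the result-card rule
(FAIL if any finding not flagged as a false positive has CVSS >= 4.0)."""
import csv
import io

# Vendor column names from the "Supported Vendor Formats" table; the keys on the
# left of each inner dict are this example's own normalised field names.
VENDOR_COLUMNS = {
    "qualys":  {"host": "IP", "port": "Port", "severity": "Severity", "cvss": "CVSS", "title": "Title"},
    "tenable": {"host": "Host", "port": "Port", "severity": "Risk", "cvss": "CVSS", "title": "Name"},
    "rapid7":  {"host": "Asset IP", "port": None, "severity": "Severity", "cvss": "CVSS Score", "title": "Title"},
}

def detect_vendor(headers):
    """Signature column per vendor, as in the table; anything else is the generic fallback."""
    if "QID" in headers:
        return "qualys"
    if "Plugin ID" in headers:
        return "tenable"
    if "Vulnerability ID" in headers:
        return "rapid7"
    return "generic"

def generic_columns(headers):
    """Best-effort matching: the first header containing host/port/severity/cvss/title."""
    return {key: next((h for h in headers if key in h.lower()), None)
            for key in ("host", "port", "severity", "cvss", "title")}

def cell(row, column):
    return (row.get(column) or "").strip() if column else ""

def parse_asv_csv(text):
    """Return (vendor, findings); every finding starts with false_positive=False."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    vendor = detect_vendor(headers)
    cols = VENDOR_COLUMNS.get(vendor) or generic_columns(headers)
    findings = []
    for row in reader:
        try:
            cvss = float(cell(row, cols["cvss"]))
        except ValueError:
            cvss = 0.0   # an unparsable score cannot fail the scan on its own
        findings.append({
            "host": cell(row, cols["host"]), "port": cell(row, cols["port"]),
            "severity": cell(row, cols["severity"]), "cvss": cvss,
            "title": cell(row, cols["title"]), "false_positive": False,
        })
    return vendor, findings

def scan_result(findings):
    """PASS/FAIL plus the counts shown on the result card; false positives are excluded."""
    scored = [f for f in findings if not f["false_positive"]]
    return {
        "status": "FAIL" if any(f["cvss"] >= 4.0 for f in scored) else "PASS",
        "host_count": len({f["host"] for f in findings}),
        "vulnerability_count": len(findings),
    }

# Constructed Qualys-style export (fake hosts and QIDs), not real scan output.
SAMPLE_QUALYS_CSV = """IP,DNS,QID,Title,Severity,CVSS,Port,Protocol,CVE ID,PCI Vuln
203.0.113.10,www.example.test,900001,TLS 1.0 enabled,3,5.3,443,tcp,,yes
203.0.113.10,www.example.test,900002,Server banner disclosure,1,2.6,80,tcp,,no
203.0.113.11,mail.example.test,900003,Self-signed certificate,2,3.7,25,tcp,,no
"""

if __name__ == "__main__":
    vendor, findings = parse_asv_csv(SAMPLE_QUALYS_CSV)
    print(vendor, scan_result(findings))   # qualys {'status': 'FAIL', 'host_count': 2, 'vulnerability_count': 3}
    findings[0]["false_positive"] = True   # an analyst flags the 5.3 finding as a false positive
    print(scan_result(findings))           # {'status': 'PASS', ...}
```

The false-positive toggle changes the compliance outcome but not the vulnerability or host counts, which is why the counts are computed over all findings while the PASS/FAIL test only looks at the scored subset.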
Penetration Test Parser
The Pen Test Parser imports results from common penetration testing tools and normalizes findings into a unified format. It supports three major formats and a generic CSV fallback.
Uploading Test Results
Fill In Test Details
Enter the penetration test metadata:
- Test Type — External, Internal, or Segmentation
- Test Date — when the test was performed
- Tester Name — the person or firm that conducted the test
- Tool — select Burp Suite, Nessus, OWASP ZAP, or Generic (leave as Auto-detect for automatic format detection)
Select the Report File
Click the file input to select an .xml or .csv file exported from the penetration testing tool.
Click Upload & Parse
The system auto-detects the file format:
| Format | Detection |
|---|---|
| Burp Suite XML | .xml file with <issues> root element |
| OWASP ZAP XML | .xml file with <OWASPZAPReport> root element |
| Nessus CSV | .csv file with Plugin ID column header |
| Generic CSV | .csv file — best-effort column matching |
Findings are extracted and normalized with severity, confidence, host, port, CVE/CWE references, and remediation guidance.
Review Results
The result card shows:
- PASS / FAIL badge — FAIL if any Critical or High findings exist
- Tool detected — which parser was used (Burp, Nessus, ZAP, Generic)
- Test type — External, Internal, or Segmentation
- Severity breakdown — badge counts for High, Medium, Low
Apply to Requirement
Click Apply to Req 11.4 to auto-fill the assessment answer. The auto-fill maps the test type to the correct sub-requirement:
| Test Type | Target Sub-Requirement |
|---|---|
| External | 11.4.3 (External penetration testing) |
| Internal | 11.4.2 (Internal penetration testing) |
| Segmentation | 11.4.5 (Segmentation penetration testing) |
Managing Findings
Expand a result to view all findings with severity filter and pagination. Each finding displays:
- Severity badge — High (orange), Medium (yellow), Low (blue)
- Title — vulnerability name
- Host — target URL or IP
- Confidence — Certain, Firm, or Tentative
- Remediation Status — dropdown to track fix progress
- Expandable detail — full description and recommended remediation (click the finding row)
Informational findings are parsed and stored but excluded from the PASS/FAIL determination and severity badge counts. Only Critical, High, Medium, and Low findings affect compliance status.
HTTP Header & DNS Checker
The Header & DNS Checker validates HTTP security headers and DNS security records for a domain, assigning a letter grade (A through F) and identifying PCI-relevant configuration gaps. All checks run server-side using Node.js built-ins — no external API dependencies.
Running a Check
Click Run Check
The system performs two checks in parallel:
- HTTP headers — makes an HTTPS request to the domain and evaluates the response headers
- DNS records — queries DNS for SPF, DMARC, and CAA records
HTTP Security Headers
| Header | Expected Value | Status if Missing |
|---|---|---|
| Strict-Transport-Security (HSTS) | Present with max-age >= 31,536,000 | Fail |
| Content-Security-Policy (CSP) | Present (warn if contains unsafe-inline or unsafe-eval) | Fail |
| X-Content-Type-Options | nosniff | Fail |
| X-Frame-Options | DENY or SAMEORIGIN | Fail |
| Referrer-Policy | Present | Warn |
| Permissions-Policy | Present | Warn |
| Cache-Control | Contains no-store or no-cache | Warn |
DNS Security Records
| Record | What Is Checked | Status if Missing |
|---|---|---|
| SPF | TXT record starting with v=spf1 | Warn |
| DMARC | TXT record at _dmarc.{domain} | Warn |
| CAA | Certificate Authority Authorization records | Warn |
Grading
The overall grade is calculated from the pass/warn/fail distribution:
| Grade | Condition |
|---|---|
| A | All checks pass |
| B | All checks pass or warn (no failures) |
| C | 1–2 failed checks |
| D | 3 or more failed checks |
| F | Critical failures (missing HSTS or missing CSP) |
PCI Compliance
The check is marked PCI Fail if any of these critical headers are missing:
- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Frame-Options
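The header checks, DNS checks, grade table and PCI rule above, carried through as one added Python example. This is not the product's code (the product performs the HTTPS request and DNS queries itself with Node.js built-ins); here the response headers and DNS answers are passed in as constructed data so the example runs offline. Treating an HSTS header whose max-age is below 31,536,000 as a failed check (while still counting the header as present for the PCI rule) is this example's reading of "Present with max-age >= 31,536,000".

```python
"""Added example (not the product's code): score a captured header set and
pre-fetched DNS answers against the tables above, then derive the letter grade
and PCI status from the grading rules."""
import re

HSTS_MIN_MAX_AGE = 31_536_000
PCI_CRITICAL_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options")

def check_http_headers(headers):
    """Map each header check to 'pass', 'warn' or 'fail' per the HTTP Security Headers table."""
    h = {k.lower(): v for k, v in headers.items()}      # header names are case-insensitive
    r = {}
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.IGNORECASE)
    r["Strict-Transport-Security"] = "pass" if m and int(m.group(1)) >= HSTS_MIN_MAX_AGE else "fail"
    csp = h.get("content-security-policy")
    r["Content-Security-Policy"] = ("fail" if csp is None
                                    else "warn" if ("unsafe-inline" in csp or "unsafe-eval" in csp)
                                    else "pass")
    r["X-Content-Type-Options"] = "pass" if h.get("x-content-type-options", "").strip().lower() == "nosniff" else "fail"
    r["X-Frame-Options"] = "pass" if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN") else "fail"
    r["Referrer-Policy"] = "pass" if "referrer-policy" in h else "warn"
    r["Permissions-Policy"] = "pass" if "permissions-policy" in h else "warn"
    cc = h.get("cache-control", "").lower()
    r["Cache-Control"] = "pass" if ("no-store" in cc or "no-cache" in cc) else "warn"
    return r

def check_dns_records(txt_records, dmarc_txt_records, caa_records):
    """SPF/DMARC/CAA presence checks; each is 'warn' when missing, per the DNS Security Records table."""
    return {
        "SPF": "pass" if any(t.startswith("v=spf1") for t in txt_records) else "warn",
        "DMARC": "pass" if dmarc_txt_records else "warn",      # any TXT answer at _dmarc.<domain>
        "CAA": "pass" if caa_records else "warn",
    }

def letter_grade(results):
    """Grade table: F on a failed HSTS/CSP check, D for 3+ fails, C for 1-2, B if only warns, A if all pass."""
    if results["Strict-Transport-Security"] == "fail" or results["Content-Security-Policy"] == "fail":
        return "F"
    fails = sum(1 for s in results.values() if s == "fail")
    if fails >= 3:
        return "D"
    if fails:
        return "C"
    return "B" if any(s == "warn" for s in results.values()) else "A"

def pci_status(headers):
    """PCI Fail if any of the three critical headers is absent (presence only, not its value)."""
    present = {k.lower() for k in headers}
    return "FAIL" if any(name.lower() not in present for name in PCI_CRITICAL_HEADERS) else "PASS"

def evaluate(headers, txt_records, dmarc_txt_records, caa_records):
    results = {**check_http_headers(headers), **check_dns_records(txt_records, dmarc_txt_records, caa_records)}
    return {"grade": letter_grade(results), "pci": pci_status(headers), "checks": results}

# Constructed header sets and DNS answers (not captured from a real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()", "Cache-Control": "no-store",
}
WEAK = {"Content-Security-Policy": "default-src * 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff", "Cache-Control": "max-age=3600"}
DNS_OK = (["v=spf1 -all"], ["v=DMARC1; p=reject"], ['0 issue "letsencrypt.org"'])

if __name__ == "__main__":
    good, bad = evaluate(HARDENED, *DNS_OK), evaluate(WEAK, [], [], [])
    print(good["grade"], good["pci"])   # A PASS
    print(bad["grade"], bad["pci"])     # F FAIL
```

The grade and the PCI status are deliberately separate outcomes: a site missing only X-Frame-Options grades C but is still a PCI Fail, while a site whose HSTS max-age is too short fails the header check (grade F) yet passes the PCI rule because the header is present.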
Remediation Dashboard
The Remediation Dashboard provides a unified view of all findings from all five security tools. It does not create new data — it aggregates and displays findings that already exist in the individual tool results.
What It Shows
The dashboard is organized into five sections:
Summary Cards
| Card | Description |
|---|---|
| Total Findings | Count of all findings across all tools |
| Critical + High Open | Count of open findings with Critical or High severity (highlighted in red) |
| Remediation Rate | Percentage of findings that are Fixed or Accepted Risk. Color-coded: green (80%+), yellow (50–79%), red (below 50%) |
| Tools with Findings | Count of tools that have at least one finding (e.g., 5/5) |
The Remediation Dashboard updates in real-time as you change finding statuses in the individual tool tabs. Switch between tools and the dashboard to track remediation progress as findings are addressed.
Recommended Workflow
The security tools are designed to be used in a logical sequence during a PCI DSS assessment:
SSL/TLS Checker
Start by checking SSL/TLS certificates for all in-scope domains. This establishes the cryptographic baseline and addresses Req 4.2.1.
Headers & DNS
Check HTTP security headers and DNS records on the same domains. This identifies server hardening gaps for Req 2.2.5.
CVE Lookup
Search for known vulnerabilities in any software identified during the assessment — web servers, databases, libraries, and frameworks. This addresses Req 6.3.
ASV Scan Import
Upload the quarterly ASV scan report from the organization’s scanning vendor. This provides the external vulnerability scan evidence for Req 11.3.2.
Pen Test Parser
Upload the most recent penetration test report. This provides testing evidence for Req 11.4 (external, internal, and segmentation testing).
Auto-Fill Summary
Each tool can auto-fill its corresponding PCI DSS requirement with a structured justification:
| Tool | Target Requirement | Justification Includes |
|---|---|---|
| SSL/TLS Checker | 4.2.1 | Domain, grade, protocol version, PCI issues, compliance status |
| CVE Lookup | 6.3 | Product, version, CVE count, severity breakdown, CVSS scores |
| ASV Scan Import | 11.3.2 | Vendor, scan date, host count, finding count, PASS/FAIL |
| Pen Test Parser | 11.4.2 / 11.4.3 / 11.4.5 | Tool, tester, date, test type, finding count, severity breakdown |
| Headers & DNS | 2.2.5 | Domain, grade, headers passed/total, DNS records, PCI status |