The questions I’d ask in the first thirty minutes of an engagement — distilled into a self-audit. Answer honestly; the report updates as you go. Nothing is submitted anywhere: the grading runs entirely on this page.
0 of 7 answered
the email button pre-fills a summary of your results — that’s the only way anything leaves this page, and only if you send it.
This is a screening tool, not a security assessment. It covers the failure modes I see most in small organizations and nonprofits: spoofable email, partial MFA, orphaned accounts, backups nobody has restored, origins one grudge away from a bad day. A real engagement verifies instead of asking — the domain health check is a small taste of that, and a case study shows where it leads.