If you build and maintain sites for clients, you are on the hook for security on properties you may not log into for weeks. A header gets dropped in a redesign, a certificate lapses, a staging subdomain is left exposed. The client will not catch it. You are expected to. Here is a simple, repeatable workflow that keeps that under control without it becoming a full-time job. Step 1: baseline every client site Scan each client domain once and note the score. You will usually find the same quick win