Daily monitoring · 476 domains

The Fortune 500 Security Report

We continuously scan the public security configuration of the largest U.S. companies. This page tracks who's improving, who's slipping, and how the cohort as a whole is shifting on TLS, headers, and email auth.

Updated Jun 18, 2026 · 30-day rolling window

By the numbers

The cohort at a glance.

A snapshot across all 476 domains from each one's most recent scan.

Median grade

across the cohort

Behind a CDN/WAF

49%

233 of 476

Enforce HSTS

45%

215 domains

Ship a CSP

17%

80 domains

Prefer TLS 1.3

88%

420 domains

DNSSEC enabled

18%

84 domains

Grade distribution

How the whole cohort scores, A through F.

47 · 10%

157 · 33%

269 · 57%

3 · 1%

0 · 0%

Who's behind a CDN / WAF

Detected from response headers · 49% of domains show a known provider.

Cloudflare

78 · 16%

Fastly

45 · 9%

CloudFront

40 · 8%

Google

29 · 6%

Akamai

24 · 5%

Varnish

10 · 2%

Azure

7 · 1%

Header-based detection records one provider per domain, so this undercounts multi-CDN setups and sites that strip identifying headers.

30-day trends

The cohort, day by day.

Each chart is the percentage of Fortune 500 domains shipping that feature, sampled daily for the last 30 days.

TLS 1.3 adoption

Domains preferring TLS 1.3

86.8%

-0.2pp · 30d

HSTS adoption

Domains enforcing HSTS

43.9%

-0.6pp · 30d

Content-Security-Policy

Domains shipping CSP

16.6%

-0.4pp · 30d

X-Frame-Options

Clickjacking protection

23.9%

-0.9pp · 30d

DMARC

Email auth: DMARC record

81.7%

-0.4pp · 30d

DNSSEC

DNSSEC enabled at the registrar

17%

-0.2pp · 30d

Today's leaders

The best and worst graded right now.

Same grading formula we use on every individual scan: weighted across SSL, HSTS, CSP, headers, TLS strength, cookie security, DMARC, DKIM, DNSSEC, and more.

Top 5 · highest score