Daily monitoring · 476 domains

The Fortune 500 Security Report

We continuously scan the public security configuration of the largest U.S. companies. This page tracks who's improving, who's slipping, and how the cohort as a whole is shifting on TLS, headers, and email auth.

Updated Jul 8, 2026 · 30-day rolling window

By the numbers

The cohort at a glance.

A snapshot across all 476 domains from each one's most recent scan.

Median grade

C

across the cohort

Behind a CDN/WAF

49%

233 of 476

Enforce HSTS

45%

214 domains

Ship a CSP

17%

81 domains

Prefer TLS 1.3

88%

420 domains

DNSSEC enabled

18%

86 domains

Grade distribution

How the whole cohort scores, A through F.

A
45 · 9%
B
159 · 33%
C
269 · 57%
D
3 · 1%
F
0 · 0%

Who's behind a CDN / WAF

Detected from response headers · 49% of domains show a known provider.

Cloudflare
76 · 16%
Fastly
46 · 10%
CloudFront
39 · 8%
Google
29 · 6%
Akamai
25 · 5%
Varnish
10 · 2%
Azure
8 · 2%

Header-based detection records one provider per domain, so this undercounts multi-CDN setups and sites that strip identifying headers.

Today's leaders

The best and worst graded right now.

Same grading formula we use on every individual scan: weighted across SSL, HSTS, CSP, headers, TLS strength, cookie security, DMARC, DKIM, DNSSEC, and more.

Top 5 · highest score

1 detik.com 98 A
2 discord.com 98 A
3 gizmodo.com 98 A
4 m.me 98 A
5 archives.gov 96 A

Bottom 5 · lowest score

1 abcnews.go.com 52 D
2 narod.ru 54 D
3 huawei.com 54 D
4 theglobeandmail.com 56 C
5 storage.googleapis.com 56 C

Where would your domain rank?

Run a free scan →

Last 30 days

Who moved?

Comparing each domain's current scan to its scan from ~30 days ago. 7 domains changed at least one security feature in that window.

Domains changed

7

Features added

+4

Features lost

−7

upenn.edu B
Jul 8
HSTS: off on X-Frame-Options: off on
linktr.ee B
Jul 8
HSTS: on off WAF detection: on off
washingtonpost.com C
Jul 8
CSP: off on WAF detection: on off
cpanel.net C
Jul 8
HSTS: on off X-Frame-Options: on off
sendspace.com C
Jul 8
WAF detection: on off
cpanel.com B
Jul 8
X-Frame-Options: on off
workspace.google.com A
Jul 8
X-Frame-Options: off on

Track your own domain

Get the same daily monitoring on your site.

Free scan, full report, no signup. Add scheduled monitoring to get alerted when your security config changes — the same way we caught every move on this page.

Scan your site free →