
REAL DATA · UPDATED CONTINUOUSLY

What 2,363 Real Scans Revealed

UNPWNED has scanned 2,363 distinct websites and surfaced 16,699 findings across 700+ security checks. This page publishes the aggregate, anonymized state of web security as we observe it. No site is identified by name.

THE EXPOSURE GAP

What Hackers Can See

  • 74% NO RATE LIMITING: Auth and API endpoints accept unlimited requests.
  • 72% NO CSP HEADER: Content-Security-Policy is missing entirely.
  • 72% NO DNSSEC: Domain does not sign its records with DNSSEC, so resolvers cannot detect spoofed responses.
  • 47% NO DMARC: Email domain can be spoofed at scale.
  • 96% NO RATE LIMITING (any): Across all forms, only 4% have proper rate limiting.
  • 68% NO PRIVACY POLICY: No discoverable privacy policy at standard paths.

ADOPTION OF BASIC SECURITY

What is Actually Working

  • 80% HAS VALID SSL/TLS
  • 32% HAS PRIVACY POLICY
  • 28% HAS CSP HEADER
  • 4% HAS RATE LIMITING

NOTABLE DETECTION

Real-World Cloaking Case Study

Site: nyaexp.com - first real cloaking detection by UNPWNED.

  • 75 sub-sitemaps, well above the 20-sitemap suspicion threshold.
  • Estimated ~64,680 ghost pages across sub-sitemaps.
  • Ghost page sample returned 404 to a normal browser, 200 with Funko Pop spam content to Googlebot.
  • Classic Japanese SEO Hack signature, completely invisible to the site owner browsing their own site.

Cloaking detection runs only on verified domains (Deep Scan), since it uses Googlebot user-agent emulation.
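The two signals described above, the sub-sitemap count and the browser-versus-Googlebot status divergence, can be reproduced by a site owner against their own domain. The following is an added example written for this page, not UNPWNED's code; the user-agent strings, the `example.invalid` URLs and the sample sitemap index are constructed, and only the 20-sitemap threshold comes from the case study.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed values for this example; UNPWNED's real thresholds and UA strings are not public.
SITEMAP_SUSPICION_THRESHOLD = 20  # the figure quoted in the case study
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/125.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap index; a real one comes from your own /sitemap.xml.
SAMPLE_INDEX = """<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.invalid/sitemap-1.xml</loc></sitemap>
  <sitemap><loc>https://example.invalid/sitemap-2.xml</loc></sitemap>
</sitemapindex>"""


def count_sub_sitemaps(sitemap_index_xml: str) -> int:
    """Number of <sitemap> entries in a sitemap index document."""
    root = ET.fromstring(sitemap_index_xml)
    return len(root.findall(SITEMAP_NS + "sitemap"))


def fetch_status(url: str, user_agent: str, timeout: float = 10.0) -> int:
    """HTTP status of url for the given User-Agent; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_page(url: str, fetch=fetch_status) -> str:
    """'ghost-page' is the signature above: 404 to a browser, 200 to Googlebot."""
    browser, bot = fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA)
    if browser == bot:
        return "consistent"
    if browser == 404 and bot == 200:
        return "ghost-page"
    return "divergent(%d/%d)" % (browser, bot)


def assess_site(sitemap_index_xml: str, sample_urls: list, fetch=fetch_status) -> dict:
    """Combine the sub-sitemap count and per-URL verdicts into one result."""
    subs = count_sub_sitemaps(sitemap_index_xml)
    verdicts = {u: classify_page(u, fetch) for u in sample_urls}
    ghosts = sum(v == "ghost-page" for v in verdicts.values())
    return {"sub_sitemaps": subs, "ghost_pages": ghosts, "verdicts": verdicts,
            "suspicious": subs > SITEMAP_SUSPICION_THRESHOLD or ghosts > 0}
```

Pass `fetch=` a stub to run it offline; against a live domain, sample URLs from the sub-sitemaps rather than the pages you already know.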

METHODOLOGY

How These Numbers Were Computed

Scan corpus: 2,363 distinct domains scanned by UNPWNED users between February 2026 and the present. Duplicate scans of the same domain are counted once. Subdomains of the same root domain are de-duplicated.

Boolean field method: All exposure percentages are computed from the scan_telemetry table boolean fields (e.g. has_csp, has_dmarc, has_rate_limiting) rather than findings-table derivations, to avoid double-counting.

Threat telemetry: Live numbers come from UNPWNED's own honeypot system, exposed at /api/public/threat-stats. Attack sessions are aggregated from attack_sessions with a 30-day rolling window. Source IPs are not published.

License: All aggregated statistics on this page are released under CC BY 4.0. Free to cite with attribution to UNPWNED.

See where your site sits

Run the same 700+ checks on your own domain. Free, no signup required.