REAL DATA · UPDATED CONTINUOUSLY
What 2,656 Real Scans Revealed
UNPWNED has scanned 2,656 distinct websites and surfaced 18,709 findings across 700+ security checks. This page publishes the aggregate, anonymized state of web security as we observe it. No site is identified by name.
THE EXPOSURE GAP
What Hackers Can See
NO RATE LIMITING
Auth and API endpoints accept unlimited requests
NO CSP HEADER
Content-Security-Policy is missing entirely
NO DNSSEC
Domain has no DNSSEC, allowing DNS spoofing
NO DMARC
Email domain can be spoofed at scale
NO RATE LIMITING (any)
Across all forms, only 4% have proper rate limiting
NO PRIVACY POLICY
No discoverable privacy policy at standard paths
ADOPTION OF BASIC SECURITY
What is Actually Working
HAS VALID SSL/TLS
HAS PRIVACY POLICY
HAS CSP HEADER
HAS RATE LIMITING
LIVE THREAT TELEMETRY · LAST 30 DAYS
Attacks Against UNPWNED Itself
We run our own honeypot. These numbers are the actual attack traffic UNPWNED receives, refreshed hourly via /api/public/threat-stats. Open data, free to cite.
Attack Classification
Top Source Countries
Tools Used by Attackers
NOTABLE DETECTION
Real-World Cloaking Case Study
Site: nyaexp.com - first real cloaking detection by UNPWNED.
- 75 sub-sitemaps, well above the 20-sitemap suspicion threshold.
- Estimated ~64,680 ghost pages across sub-sitemaps.
- Ghost page sample returned 404 to a normal browser, 200 with Funko Pop spam content to Googlebot.
- Classic Japanese SEO Hack signature, completely invisible to the site owner browsing their own site.
Cloaking detection runs only on verified domains (Deep Scan), since it uses Googlebot user-agent emulation.
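As an added example (not UNPWNED's own code), the two checks the case study describes: counting sub-sitemaps in a sitemap index against the 20-sitemap threshold, and fetching the same URL once as a browser and once as Googlebot to compare the responses. The user-agent strings, the example.com URLs and the constructed_fetch stand-in are assumptions; in real use you would swap in an HTTP client and point it at a domain you own.

```python
import hashlib
import xml.etree.ElementTree as ET

# Threshold quoted on the page: a sitemap index with more than this many
# sub-sitemaps is treated as suspicious.
SITEMAP_SUSPICION_THRESHOLD = 20
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Assumed user-agent strings for illustration, not UNPWNED's own.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def count_sub_sitemaps(sitemap_index_xml: str) -> int:
    """Number of <sitemap> entries in a sitemap index document."""
    root = ET.fromstring(sitemap_index_xml)
    return len(root.findall(f"{SITEMAP_NS}sitemap"))


def sitemap_index_is_suspicious(sitemap_index_xml: str) -> bool:
    return count_sub_sitemaps(sitemap_index_xml) > SITEMAP_SUSPICION_THRESHOLD


def cloaking_verdict(fetch, url: str) -> dict:
    """fetch(url, user_agent) -> (status, body). Fetch as browser and as Googlebot.

    A status-code mismatch (404 vs 200, as in the case study) is the strong
    signal. Differing bodies on two 200s is only a hint, because legitimate
    dynamic pages (nonces, timestamps) also differ between fetches.
    """
    b_status, b_body = fetch(url, BROWSER_UA)
    g_status, g_body = fetch(url, GOOGLEBOT_UA)
    body_mismatch = (b_status == g_status == 200 and
                     hashlib.sha256(b_body).digest() != hashlib.sha256(g_body).digest())
    return {"url": url, "browser_status": b_status, "googlebot_status": g_status,
            "cloaked": b_status != g_status,   # confident verdict
            "body_mismatch": body_mismatch}    # worth a manual look, not a verdict


def constructed_fetch(url: str, user_agent: str):
    """Constructed stand-in for HTTP that mimics the ghost page from the case study."""
    if url.endswith("/ghost-page") and "Googlebot" in user_agent:
        return 200, b"<html>cheap funko pop outlet ...</html>"
    if url.endswith("/ghost-page"):
        return 404, b"<html>Not Found</html>"
    return 200, b"<html>Welcome to our shop</html>"


def constructed_sitemap_index(n: int) -> str:
    """Constructed sitemap index with n sub-sitemaps."""
    entries = "".join(f"<sitemap><loc>https://example.com/sitemap{i}.xml</loc></sitemap>"
                      for i in range(n))
    return f'<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">{entries}</sitemapindex>'
```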
METHODOLOGY
How These Numbers Were Computed
Scan corpus: 2,656 distinct domains scanned by UNPWNED users between February 2026 and the present. Duplicate scans of the same domain are counted once. Subdomains of the same root domain are de-duplicated.
Boolean field method: All exposure percentages are computed from the scan_telemetry table boolean fields (e.g. has_csp, has_dmarc, has_rate_limiting) rather than findings-table derivations, to avoid double-counting.
Threat telemetry: Live numbers come from UNPWNED's own honeypot system, exposed at /api/public/threat-stats. Attack sessions are aggregated from attack_sessions with a 30-day rolling window. Source IPs are not published.
License: All aggregated statistics on this page are released under CC BY 4.0. Free to cite with attribution to UNPWNED.
See where your site sits
Run the same 700+ checks on your own domain. Free, no signup required.