
REAL DATA · UPDATED CONTINUOUSLY

What 2,656 Real Scans Revealed

UNPWNED has scanned 2,656 distinct websites and surfaced 18,709 findings across 700+ security checks. This page publishes the aggregate, anonymized state of web security as we observe it. No site is identified by name.

THE EXPOSURE GAP

What Hackers Can See

  • 74% NO RATE LIMITING: Auth and API endpoints accept unlimited requests
  • 72% NO CSP HEADER: Content-Security-Policy is missing entirely
  • 72% NO DNSSEC: Domain has no DNSSEC, allowing DNS spoofing
  • 47% NO DMARC: Email domain can be spoofed at scale
  • 96% NO RATE LIMITING (any): Across all forms, only 4% have proper rate limiting
  • 68% NO PRIVACY POLICY: No discoverable privacy policy at standard paths

ADOPTION OF BASIC SECURITY

What is Actually Working

  • 80% HAS VALID SSL/TLS
  • 32% HAS PRIVACY POLICY
  • 28% HAS CSP HEADER
  • 4% HAS RATE LIMITING

LIVE THREAT TELEMETRY · LAST 30 DAYS

Attacks Against UNPWNED Itself

We run our own honeypot. These numbers are the actual attack traffic UNPWNED receives, refreshed hourly via /api/public/threat-stats. Open data, free to cite.

  • 1,000 ATTACK SESSIONS
  • 8 AUTO-BLOCKED
  • 5 COUNTRIES
  • 5 TOOLS DETECTED

Attack Classification

  • recon: 882 (88%)
  • bot_scan: 87 (9%)
  • manual_probe: 27 (3%)
  • targeted: 2 (0%)
  • autofill_suspect: 1 (0%)

Top Source Countries

  • United States: 302
  • Singapore: 279
  • Germany: 260
  • Australia: 154
  • France: 3

Tools Used by Attackers

  • browser: 991
  • unknown: 4
  • curl: 3
  • python-requests: 1
  • go-http-client: 1

NOTABLE DETECTION

Real-World Cloaking Case Study

Site: nyaexp.com - first real cloaking detection by UNPWNED.

  • 75 sub-sitemaps, well above the 20-sitemap suspicion threshold.
  • Estimated ~64,680 ghost pages across sub-sitemaps.
  • Ghost page sample returned 404 to a normal browser, 200 with Funko Pop spam content to Googlebot.
  • Classic Japanese SEO Hack signature, completely invisible to the site owner browsing their own site.

Cloaking detection runs only on verified domains (Deep Scan), since it uses Googlebot user-agent emulation.
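To make the check described in the case study concrete, the following is an added example (not UNPWNED's own code) that counts sub-sitemaps in a sitemap index and compares the response a normal browser receives with the one a Googlebot-emulating fetch receives for the same URL. The 20-sitemap threshold comes from the text above; the body-similarity cutoff, the (status, body) input shape and the sample data are assumptions, and a real run would fetch both views of the URL over HTTP first.

```python
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# From the case study above: more than 20 sub-sitemaps is treated as suspicious.
SITEMAP_SUSPICION_THRESHOLD = 20
# Assumed cutoff: bodies less similar than this are treated as different content.
BODY_SIMILARITY_CUTOFF = 0.5
SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sitemap index with 75 <sitemap> entries, mirroring the case study.
SAMPLE_SITEMAP_INDEX = (
    '<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
    + "".join(
        f"<sitemap><loc>https://example.invalid/sm-{i}.xml</loc></sitemap>"
        for i in range(75)
    )
    + "</sitemapindex>"
)


def count_sub_sitemaps(index_xml: str) -> int:
    """Number of <sitemap> children in a sitemap index document."""
    root = ET.fromstring(index_xml)
    return len(root.findall("sm:sitemap", SITEMAP_NS))


def sitemap_index_suspicious(index_xml: str) -> bool:
    """True when the index exceeds the suspicion threshold from the case study."""
    return count_sub_sitemaps(index_xml) > SITEMAP_SUSPICION_THRESHOLD


def classify_cloaking(browser, googlebot) -> dict:
    """browser and googlebot are (status_code, body) pairs for the same URL,
    fetched with a normal browser User-Agent and a Googlebot User-Agent.
    A status mismatch (e.g. 404 vs 200) or very different bodies flags cloaking."""
    b_status, b_body = browser
    g_status, g_body = googlebot
    status_mismatch = b_status != g_status
    similarity = SequenceMatcher(None, b_body, g_body).ratio()
    return {
        "status_mismatch": status_mismatch,
        "body_similarity": round(similarity, 3),
        "cloaked": status_mismatch or similarity < BODY_SIMILARITY_CUTOFF,
    }


if __name__ == "__main__":
    # Constructed responses reproducing the pattern seen in the case study.
    browser_view = (404, "<html><body>Not Found</body></html>")
    googlebot_view = (200, "<html><body>Cheap Funko Pop figures, buy now</body></html>")
    print("sub-sitemaps:", count_sub_sitemaps(SAMPLE_SITEMAP_INDEX))
    print("suspicious index:", sitemap_index_suspicious(SAMPLE_SITEMAP_INDEX))
    print(classify_cloaking(browser_view, googlebot_view))
```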

METHODOLOGY

How These Numbers Were Computed

Scan corpus: 2,656 distinct domains scanned by UNPWNED users between February 2026 and the present. Duplicate scans of the same domain are counted once. Subdomains of the same root domain are de-duplicated.

Boolean field method: All exposure percentages are computed from the scan_telemetry table boolean fields (e.g. has_csp, has_dmarc, has_rate_limiting) rather than findings-table derivations, to avoid double-counting.

Threat telemetry: Live numbers come from UNPWNED's own honeypot system, exposed at /api/public/threat-stats. Attack sessions are aggregated from attack_sessions with a 30-day rolling window. Source IPs are not published.

License: All aggregated statistics on this page are released under CC BY 4.0. Free to cite with attribution to UNPWNED.

See where your site sits

Run the same 700+ checks on your own domain. Free, no signup required.