Security Directory

A

Ant International

antglobal.com

58

Ant International is a global leader in digital payment and financial technology services, headquartered in Singapore with operations spanning Asia, Europe, the Middle East, and Latin America. The company offers a suite of fintech solutions including cross-border mobile payments, enterprise payment toolkits, AI-powered lending, and treasury services. It holds licenses in over 60 markets and partners with major global brands, positioning itself as a trusted and innovative digital partner for inclusive growth. Technically, the website leverages modern web frameworks such as Next.js and is hosted on Aliyun OSS with CDN support, ensuring fast performance and good mobile optimization. However, the security posture is weakened by an expired SSL certificate and lack of TLS protocol support, which poses significant risks. The absence of explicit privacy, cookie, and terms of service policies on the site further impacts compliance and trust. Strategic improvements in security configuration and transparency are recommended to enhance the overall risk profile and user confidence.

E

Essilor

essilor.com

77

Essilor is a global leader in the healthcare sector specializing in prescription lenses and vision care products. The company offers a wide range of innovative lenses designed to correct, protect, and enhance vision, targeting consumers seeking high-quality vision solutions. Their website demonstrates a strong market position with comprehensive product offerings, digital tools for lens personalization, and a store locator for partnered opticians. Technically, the site is built on modern frameworks such as React and Next.js, hosted likely on Microsoft Azure, and optimized for fast performance and excellent mobile experience. Security posture is strong with robust HTTP security headers and a valid SSL certificate, although the absence of enabled TLS protocols and DNS security features are notable gaps. Privacy policies and terms of service are present and comprehensive, but cookie consent mechanisms and vulnerability disclosure policies are lacking. Overall, the website reflects a mature digital presence with room for security enhancements and improved transparency in user consent.

R

RE/MAX Canada

remax.ca

63

RE/MAX Canada operates a comprehensive real estate platform focused on residential, commercial, and luxury property listings across Canada. Positioned as Canada's #1 Real Estate Brand, it serves home buyers, sellers, renters, and real estate professionals by providing extensive listings, agent search capabilities, and market insights. The website is well-branded, professionally designed, and targets a broad Canadian audience with bilingual support. Technically, the site leverages modern web technologies including Next.js and React, hosted on Amazon CloudFront with a valid SSL certificate, ensuring fast performance and good mobile optimization. However, the SSL configuration lacks modern TLS protocols and security headers could be improved. Security posture is moderate with no explicit incident response or security policies publicly disclosed. Privacy and terms of service policies are present and comprehensive, but cookie consent mechanisms are absent, which may impact GDPR compliance. Overall, the site is professional and trustworthy but could enhance security and privacy compliance to reduce risk and improve user trust.

Red Bull Wingfinder is a free, expert-backed personality assessment tool designed to help individuals identify and leverage their strengths for career success. The platform is supported by Red Bull's global brand and integrates psychological research from leading universities. Technically, the website is built on modern frameworks like Next.js and hosted on Vercel, ensuring fast performance and good mobile optimization. Security is solid with a valid SSL certificate and strict transport security, though it lacks modern TLS protocol support and visible privacy or cookie policies. The site uses Google Tag Manager for analytics and tracking, indicating moderate user tracking without explicit consent mechanisms. Overall, the site presents a professional and trustworthy user experience but would benefit from enhanced privacy disclosures and security protocol updates.

E

EssilorLuxottica

essilorluxottica.com

77

EssilorLuxottica is a global integrated leader in the eyecare and eyewear industry, offering a comprehensive portfolio of products and services including eyewear brands, eyecare solutions, and direct-to-consumer retail. The company targets consumers, investors, and partners with a strong emphasis on innovation, sustainability, and governance. Their digital presence is built on modern technologies such as React and Next.js, hosted on Microsoft Azure, and managed via CoreMedia CMS, reflecting a mature and scalable technical infrastructure. Security posture is strong with multiple security headers and a valid SSL certificate, although the absence of enabled TLS protocols and lack of a public vulnerability disclosure policy indicate areas for improvement. Overall, the website demonstrates high professionalism, excellent user experience, and consistent branding, supporting the company's market position and trustworthiness.

E

EssilorLuxottica

luxottica.com

77

EssilorLuxottica is a global leader in the eyecare and eyewear industry, integrating manufacturing, retail, and innovation to deliver comprehensive vision care solutions. The company operates a sophisticated digital presence with a modern tech stack including React and Next.js, hosted on Akamai and managed via CoreMedia CMS. The website demonstrates excellent design, user experience, and content quality, targeting consumers, investors, and partners worldwide. Security posture is strong with valid SSL certificates and robust security headers, although the lack of modern TLS protocols and absence of a vulnerability disclosure page indicate areas for improvement. Privacy and compliance policies are comprehensive and GDPR compliant, but cookie consent mechanisms could be enhanced. Overall, the site reflects a mature digital infrastructure supporting a large enterprise with a global footprint.

RE/MAX, LLC operates a large-scale real estate brokerage network with a significant global presence, offering comprehensive services including property listings, agent and office searches, and specialized real estate segments such as luxury and commercial properties. The company is recognized as a trusted brand in the U.S. real estate market, supported by a robust agent network and extensive resources. Technically, the website leverages modern web technologies such as Next.js and React, hosted on AWS infrastructure, with good performance and mobile optimization. Security posture is strong in terms of HTTP headers and content security policies, but the lack of modern TLS protocols and absence of DNSSEC indicate areas for improvement. The site integrates multiple marketing and analytics tools, resulting in extensive user tracking but lacks a visible cookie consent mechanism, which may impact privacy compliance. Overall, the website is professional, trustworthy, and well-branded, with clear contact and legal information.

Bang & Olufsen A/S is a renowned Danish company specializing in high-end audio and visual products, including headphones, speakers, and televisions. Established in 1925, the company holds a strong market position as a luxury brand with a focus on superior craftsmanship and innovative design. Their business model integrates e-commerce with rich brand storytelling and digital customization tools, targeting discerning consumers seeking premium sound and design experiences. The website demonstrates a mature digital infrastructure leveraging modern technologies such as React, Next.js, and Azure hosting, ensuring fast performance and excellent mobile optimization. Security measures include robust HTTP headers and a valid SSL certificate, though the absence of modern TLS protocols suggests room for improvement. Privacy and cookie policies are comprehensive and GDPR-compliant, supported by a consent management mechanism. Overall, the company maintains a high level of professionalism and trustworthiness in its online presence.

K

Kamstrup

mykamstrup.com

62

My Kamstrup is a service portal provided by Kamstrup, a company operating in the energy sector. The portal offers customers quick access to Kamstrup applications, encryption key management, and support resources, aiming to centralize essential services for users. The website is built using modern web technologies such as Next.js and React and is hosted on Vercel, ensuring a fast and responsive user experience. However, the site lacks visible privacy, cookie, and terms of service policies, which are critical for compliance and user trust. The SSL certificate is valid, but the absence of modern TLS protocols reduces the overall security posture. There are no visible contact details or social media links, limiting direct communication channels. Overall, the site demonstrates a moderate level of professionalism and technical maturity but requires improvements in security protocols and compliance documentation.

K

Kamstrup

kamstrup.com

71

Kamstrup is a well-established company specializing in smart metering solutions for utilities across water, heat, cooling, electricity, and submetering sectors. With nearly 80 years of experience, Kamstrup holds a strong market position as a leader in smart metering technology, offering advanced products and analytics to optimize resource management and energy efficiency. Their digital presence is supported by modern technologies including Next.js and Sitecore CMS, hosted on Vercel and Azure platforms, ensuring fast performance and good mobile optimization. Security posture is robust with strong SSL configuration, HSTS enforcement, and no detected major vulnerabilities. However, there is room for improvement in DNS security and explicit security policy publication. Overall, Kamstrup demonstrates a mature digital infrastructure and a professional, trustworthy online presence.

Ad-Virtua is a Japanese company specializing in metaverse and in-game advertising, targeting primarily Gen Z male audiences. Their platform offers video ad distribution across a wide range of games and metaverse environments, positioning themselves as a next-generation media channel with higher engagement and recall rates compared to traditional web ads. The company operates a modern web presence using Next.js and React, hosted likely on Google Cloud infrastructure, with a focus on mobile optimization and fast performance. Security posture is solid with valid SSL and HSTS enabled, but lacks modern TLS protocol support and DNSSEC, indicating room for improvement. Privacy policies and terms of service are present and comprehensive, though cookie policy and consent mechanisms are missing. Overall, the company demonstrates a professional and trustworthy digital footprint with clear business focus and technical maturity.

D

Dama N.V.

n1bet.com

69

N1Bet is an online sports betting and casino platform operated by Dama N.V., licensed under the Curacao Gaming Control Board. The company offers a modern, multilingual sportsbook with over 180 sports and esports disciplines, competitive odds, and various promotions including welcome bonuses and VIP cashback. The platform is built on Next.js and React, hosted behind Cloudflare, and integrates analytics and user engagement tools such as Datadog RUM, Intercom, and OneSignal. Security is well implemented with strong SSL configuration and security headers, although TLS protocols are not currently enabled, which is a notable gap. Privacy and cookie policies exist primarily on the casino subdomain, with no explicit consent mechanism detected on the sportsbook site. Contact information is primarily via social media and support pages, with no direct emails or phone numbers found. Overall, the platform demonstrates a solid technical foundation and a good user experience, but could improve transparency and compliance aspects.

I

ITVX

itv.com

69

ITVX is a leading UK-based streaming service offering a wide range of exclusive TV shows, films, live events, and curated channels. It operates under ITV Consumer Limited and targets UK consumers seeking both free ad-supported and premium subscription content. The platform leverages modern web technologies including React/Next.js and Express, supported by robust third-party analytics and marketing tools such as Google Analytics, Amplitude, and Hotjar. Security measures include a valid SSL certificate, Content Security Policy, and secure cookie handling, although improvements like enabling HSTS and DNSSEC are recommended. The site demonstrates a high level of digital maturity with excellent design, user experience, and content relevance, positioning it strongly in the competitive UK streaming market.

M

MongoDB, Inc.

mongodb.com

91

MongoDB, Inc. is a leading provider of modern, flexible, and AI-ready database solutions designed to help developers and enterprises build scalable applications. Positioned as a market leader in cloud database management systems, MongoDB offers a comprehensive suite of services including MongoDB Atlas, self-managed enterprise solutions, and developer tools. The company targets a broad audience ranging from startups and AI innovators to large enterprises across various sectors such as technology, financial services, healthcare, retail, automotive, and telecommunications. Their business model combines SaaS offerings with self-managed deployments, emphasizing flexibility and performance. Technically, MongoDB's website leverages modern web technologies including Next.js and React, hosted on AWS CloudFront CDN, and managed via Contentstack CMS. The site demonstrates fast performance, good mobile optimization, and strong SEO practices. Security-wise, MongoDB employs a valid SSL certificate but currently lacks modern TLS protocol support and HSTS enforcement, which are recommended for enhanced security. The site includes comprehensive legal and security policies, including a vulnerability disclosure policy, but lacks a visible cookie consent mechanism. Overall, MongoDB maintains a strong security posture with no detected vulnerabilities in SSL/TLS configurations and provides clear trust signals through customer case studies and industry recognitions. The company’s digital maturity is high, with a well-structured, professional website that supports its market leadership. Strategic improvements in security protocols and privacy compliance mechanisms would further strengthen their risk management and user trust.

N

NIFTY Corporation

nifty.com

82

NIFTY Corporation operates as a major Japanese internet service provider offering a wide range of broadband, mobile SIM, security, and media services primarily targeting Japanese consumers. The company maintains a strong market position with a comprehensive portfolio including @nifty光 broadband, NifMo mobile SIM, and various security and lifestyle services. Their digital presence is built on modern web technologies such as Next.js and is hosted via Amazon CloudFront, ensuring fast content delivery and good mobile optimization. However, the website currently lacks a valid SSL certificate, which is a critical security concern that undermines user trust and data protection. Security headers are partially implemented, but the absence of DNSSEC, CAA records, and HSTS reduces domain and transport security. The site uses multiple advertising and tracking services, with moderate user tracking and basic privacy compliance. Contact information is limited to a phone number with no visible email addresses or contact forms on the main page. Overall, the website is professionally designed with good content relevance and navigation clarity but requires urgent security improvements to protect users and enhance trust.

N

Nostra

nostra.gg

63

Nostra.gg is a large-scale media platform focused on gaming, providing a one-stop destination for gamers to discover, play, watch, and compete across games. The platform targets a broad audience of gamers, streamers, and eSports enthusiasts, offering access to over 500 games and hosting eSports tournaments globally. The website is built on modern web technologies, primarily Next.js, and is hosted on Google Cloud Platform with Azure DNS services. The SSL certificate is valid, ensuring encrypted communications, but lacks advanced security configurations such as HSTS and DNSSEC. No explicit privacy policy, terms of service, or contact information is present on the homepage, which may impact user trust and regulatory compliance. The site integrates with partner domain glance.com for app availability and branding. Overall, the platform demonstrates good technical maturity and user experience but requires enhancements in security posture and compliance transparency.

Glance operates a large-scale smart lock screen platform that personalizes mobile device lock screens with news, games, and entertainment content. With over 300 million users worldwide and partnerships with major Android OEMs, it holds a strong market position in the technology and media sectors. The company leverages modern web technologies including Next.js and React, hosted primarily on Google Cloud infrastructure, delivering a fast and mobile-optimized user experience. Security posture is solid with valid SSL certificates and no known vulnerabilities, though improvements such as enabling HSTS and DNSSEC could enhance protection. Privacy and legal compliance are well addressed with comprehensive policies and TRUSTe certification. Overall, Glance demonstrates a mature digital presence with strong branding and trust indicators.

S

SIA HELIO MEDIA

1188.lv

55

1188.lv is a Latvian online media portal operated by SIA HELIO MEDIA, offering news, entertainment, video content, and local services including traffic information and a business directory. The site targets Latvian-speaking users interested in current events, lifestyle, and local business information. It holds a solid market position as a recognized local media outlet with a diverse content offering including video streaming via its 1188 play platform. Technically, the site is built on modern web technologies including Next.js and React, with GraphQL for data fetching, and uses Google Tag Manager and Smart AdServer for analytics and advertising. The SSL certificate is valid, but the site lacks support for modern TLS protocols and DNS security features. Security headers are minimal but include HSTS. Privacy and cookie policies are present and appear GDPR compliant. Social media presence is strong, enhancing user engagement and trust. Overall, the site demonstrates good performance, mobile optimization, and SEO practices, supporting a positive user experience.

T

Triton Digital

tritonrankers.com

59

The website exhibits significant security and compliance deficiencies that expose the business to elevated risks, including data breaches, regulatory penalties, and reputational damage. Critical gaps exist in email authentication and security headers, leaving the platform vulnerable to phishing, cross-site scripting, and clickjacking attacks. Compliance with GDPR and NIS2 directives is notably weak, with missing privacy policies, lack of incident response procedures, and absence of documented security frameworks, which could result in legal consequences and loss of customer trust. While network security and DNS health show relatively strong postures, foundational elements like SSL/TLS management and security headers require urgent attention. The absence of key security headers and policies compromises data integrity and user privacy. Overall, the current posture demands immediate remediation to protect sensitive information, ensure regulatory compliance, and maintain business continuity. Failure to address these issues promptly could lead to operational disruptions and financial losses.

M

Meltwater

meltwater.com

69

The website demonstrates a generally stable security posture with no critical issues detected; however, significant gaps exist in key areas such as security headers, GDPR compliance, and NIS2 regulatory adherence. Missing essential security headers like Content-Security-Policy and X-Frame-Options expose the site to common web-based attacks including clickjacking and cross-site scripting. GDPR compliance is notably weak, lacking a cookie policy and consent mechanisms, which can lead to regulatory penalties and damage to customer trust. The absence of a formal information security framework, incident response procedures, and security policies under NIS2 requirements poses substantial operational and regulatory risks. While email security, SSL/TLS implementation, DNS health, and network security are relatively strong, some improvements are needed to maintain resilience. Overall, the business should prioritize addressing high-impact compliance and security policy gaps to mitigate legal exposure and enhance protection against cyber threats. Failure to act promptly may result in reputational damage, regulatory fines, and increased vulnerability to cyber incidents.

I

it4real

it4real.com

66

The website's overall security posture reveals significant vulnerabilities, particularly in foundational security controls and regulatory compliance. While no critical issues were found, there are nine high-severity issues that indicate gaps in web security headers, GDPR compliance, and information security governance. The lack of essential HTTP security headers exposes the site to risks like clickjacking, content injection, and cross-site scripting attacks. Compliance with GDPR is insufficient, risking legal penalties and reputational damage due to missing cookie consent and incomplete privacy documentation. The absence of an information security framework, incident response plans, and security policies undermines organizational readiness against threats and regulatory requirements such as NIS2. SSL/TLS configurations are weak, leading to potential data interception risks. Conversely, email security, DNS health, and network security show stronger postures but still need improvements. Immediate attention to governance, secure configurations, and compliance will mitigate business risks and improve trust with users and regulators.

V

Vinoga.lv

vinoga.lv

52

The website's overall security posture is weak, with critical gaps in data privacy compliance and foundational security controls. The absence of essential security headers and missing encryption best practices expose the site to risks like clickjacking, content injection, and interception attacks. GDPR non-compliance, including the lack of privacy policies and consent mechanisms, poses significant legal and reputational risks, especially for EU users. Additionally, the lack of an information security framework and incident response procedures undermines the organization's ability to handle security events effectively. Email security is relatively strong, but SSL/TLS and DNS configurations require urgent improvements. Network exposure such as SSH services without proper controls could be exploited by attackers. Immediate remediation is necessary to protect users, maintain regulatory compliance, and reduce potential financial and operational impacts.

M

Mondly by Pearson

mondly.com

64

The website demonstrates a moderately strong network and SSL/TLS security posture but exhibits significant gaps in privacy compliance and security governance. Critical issues were avoided, but the presence of multiple high-severity findings—particularly missing privacy policies, lack of security framework documentation, and DNS misconfigurations—pose substantial risks to regulatory compliance and operational security. GDPR non-compliance related to the absence of privacy and cookie policies, as well as missing consent mechanisms, exposes the business to legal penalties and reputational damage. Similarly, deficiencies in incident response, vulnerability disclosure, and business continuity planning highlight unpreparedness for cyber incidents, which can lead to prolonged outages and data breaches. The missing Content-Security-Policy header and weak HTTP security headers increase susceptibility to client-side attacks. DNS misconfigurations, such as an unregistered MX record, threaten email reliability and business communications. Immediate remediation in these areas will significantly reduce risk exposure and improve trust with users and regulators.

E

Everyday Rewards

everyday.com.au

66

The website demonstrates a strong foundation in network security and SSL/TLS implementation, scoring 100 in these areas, which ensures encrypted communication and robust network defenses. However, significant gaps exist in security headers, GDPR compliance, and adherence to the NIS2 directive, with scores ranging from 25 to 35 out of 100, exposing the business to regulatory, reputational, and operational risks. The absence of critical security headers like Content-Security-Policy and X-Frame-Options increases vulnerability to cross-site scripting and clickjacking attacks. Lack of privacy policies, cookie consent mechanisms, and third-party privacy disclosures pose serious compliance issues under GDPR, potentially resulting in fines and legal consequences. Deficiencies in information security frameworks, incident response plans, and business continuity preparations further heighten the risk of prolonged service disruptions and inadequate breach management. While email security and DNS health are relatively strong, enabling DNSSEC and configuring CAA records would enhance domain integrity and prevent abuse. Addressing these weaknesses promptly will protect customer trust, ensure regulatory compliance, and reduce the likelihood of costly security incidents.

E

Everyday Rewards

woolworthsrewards.com.au

66

The website's overall security posture reveals significant gaps in core security controls, particularly in security headers and compliance-related policies. While SSL/TLS and network security configurations are strong, critical deficiencies exist in privacy and data protection practices, exposing the business to regulatory risks under GDPR and NIS2 frameworks. Missing essential security headers such as Content-Security-Policy and X-Frame-Options increase vulnerability to web-based attacks, potentially compromising user data and trust. The absence of privacy, cookie policies, and consent mechanisms heightens legal liabilities and may damage brand reputation. Furthermore, the lack of documented information security frameworks and incident response plans suggests inadequate preparedness for cyber incidents. Email and DNS security are reasonably well implemented but can be further enhanced. Addressing these weaknesses promptly will reduce risk exposure, ensure regulatory compliance, and strengthen customer confidence.

Z

Zurich

zurich.co.nz

64

The website demonstrates a moderate security posture with no critical vulnerabilities detected, but several high-impact issues remain unaddressed. Key deficiencies are present in security headers, GDPR compliance, and adherence to NIS2 regulatory requirements, exposing the business to potential data breaches, regulatory fines, and reputational damage. Notably, missing essential headers like X-Frame-Options and Content-Security-Policy increase the risk of clickjacking and cross-site scripting attacks. The absence of privacy-related policies and consent mechanisms significantly undermines GDPR compliance, risking legal penalties and loss of customer trust. Furthermore, the lack of documented security frameworks, incident response plans, and vulnerability disclosure policies indicates immature governance and incident management capabilities. Email security and network infrastructure appear relatively robust, reducing exposure to phishing and network-level threats. Overall, urgent remediation is needed to strengthen compliance and protect sensitive data, while foundational security controls require enhancement to mitigate evolving cyber risks.

Z

Zurich Australia

zurich.com.au

65

The website demonstrates a moderate security posture with no critical issues but multiple high and medium severity concerns, particularly in security headers, GDPR compliance, and NIS2 regulatory adherence. While network security and SSL/TLS configurations are strong, significant gaps exist in privacy policies, incident response planning, and security framework documentation, which expose the business to regulatory risks and potential reputational damage. Missing key security headers such as Content-Security-Policy and X-Frame-Options increase the risk of client-side attacks like clickjacking and cross-site scripting. Non-compliance with GDPR due to absent privacy and cookie policies may result in legal penalties and loss of customer trust. Lack of incident response and vulnerability disclosure policies hinders effective risk management and timely breach response. Immediate attention is needed to align with NIS2 security requirements to ensure operational resilience and regulatory compliance. Addressing these gaps will safeguard customer data, reduce legal exposure, and strengthen overall cyber resilience.

M

Medibank

medibanklife.com.au

73

The website demonstrates a solid foundation in core technical security areas such as email security, SSL/TLS implementation, and overall network security. However, significant gaps exist in compliance with GDPR and NIS2 regulatory frameworks, with critical deficiencies in privacy policies, consent mechanisms, and documented security governance. The absence of key security headers, particularly the Content-Security-Policy, exposes the site to client-side attacks like cross-site scripting. Lack of incident response, vulnerability disclosure, and business continuity plans present operational risks that could escalate the impact of security events. Additionally, DNS security could be strengthened by enabling DNSSEC and configuring CAA records to prevent domain-based attacks. Overall, while the infrastructure is strong, the organization must urgently address policy, compliance, and procedural gaps to reduce legal, reputational, and operational risks.

N

Nationwide Building Society

nationwide.co.uk

73

The website demonstrates a solid foundation in network security, email security, and SSL/TLS implementation, reflected by high module scores in these areas. However, significant gaps exist in data privacy compliance (GDPR) and organizational security governance (NIS2), exposing the business to regulatory penalties and increased cyber risk. Missing critical policies such as Privacy Policy, Cookie Policy, and incident response procedures undermine trust and operational readiness. The absence of a Content-Security-Policy header and DNSSEC further increases exposure to web-based attacks. While no critical vulnerabilities were found, the presence of multiple high and medium issues indicates urgent remediation is necessary to reduce legal, reputational, and operational risks. Addressing these weaknesses will improve compliance, customer trust, and resilience against cyber threats. Immediate focus on governance and privacy compliance will yield the highest business impact. Overall, the posture is moderate but requires strategic enhancements to meet industry standards and regulatory demands.

U

United Internet for Unicef Stiftung

united-internet-for-unicef-stiftung.com

71

The website demonstrates a moderate security posture with no critical vulnerabilities detected, but several high and medium-risk issues remain unaddressed. The strongest areas are network security and SSL/TLS configurations, with near-optimal scores. However, significant gaps exist in compliance with GDPR and NIS2 regulatory requirements, including missing cookie policies, consent mechanisms, and absence of formal security and incident response documentation. Security headers are inconsistently implemented, leaving the site vulnerable to clickjacking and some cross-site scripting risks. Email security and DNS configurations are generally good but could be strengthened further. Failure to address these issues exposes the business to regulatory penalties, reputational damage, and increased risk of cyber incidents. Prioritizing compliance and security policy development will mitigate legal and operational risks while improving overall resilience.

V

Virgin Media O2

virginmediao2.co.uk

67

The website demonstrates a moderate security posture with no critical vulnerabilities but several high and medium severity issues that pose significant business risks. Key concerns include missing essential security headers, lack of GDPR compliance mechanisms such as cookie policies and consent banners, and absence of foundational NIS2 security governance like incident response and security policy documentation. These gaps increase exposure to web-based attacks, regulatory fines, and operational disruptions. While network security and SSL/TLS configurations are strong, DNS and email security require improvements to prevent spoofing and phishing risks. The low scores in GDPR and NIS2 compliance highlight urgent needs to align with legal and regulatory frameworks to avoid penalties and reputational damage. Addressing these issues promptly will strengthen trust, reduce liability, and protect business continuity.

S

STIFTUNG UNITED INTERNET FOR UNICEF

united-internet-for-unicef-stiftung.de

66

The website's overall security posture reveals significant compliance and security gaps, particularly in privacy and regulatory adherence, with a critical GDPR issue indicating non-compliance for an EU business. While foundational network and SSL/TLS security controls are strong, key security headers are missing, exposing the website to clickjacking and cross-site scripting risks. There is a notable absence of documented information security policies, incident response plans, and vulnerability disclosure processes, which hinders effective security governance and response. Email security is relatively well managed, but lack of DKIM records could impact email deliverability and phishing protection. DNS security measures are decent but could be improved by enabling DNSSEC and configuring CAA records. Overall, the most pressing risks are regulatory non-compliance and missing security governance frameworks, which could lead to legal penalties, reputational damage, and operational disruptions. Immediate attention to privacy policies, cookie management, and security documentation is essential to align with GDPR and NIS2 requirements.

T

Telefonica UK Limited

o2.com

70

The website's overall security posture shows no critical issues but reveals significant gaps in key areas such as security headers, GDPR compliance, and NIS2 regulatory adherence. High severity issues include missing essential HTTP headers that protect against common web attacks, absence of a cookie consent banner, and a lack of fundamental information security and incident response policies. While email security, SSL/TLS, DNS health, and network security are relatively strong, the deficiencies in governance and compliance expose the business to legal risks, regulatory penalties, and increased vulnerability to cyber threats. The low security header score (35/100) and poor NIS2 compliance (25/100) highlight urgent needs for improvement. Addressing these gaps will not only enhance protection against exploitation but also strengthen customer trust and regulatory standing. Prioritizing policy documentation and technical controls will reduce risk exposure and support business continuity. Overall, the assessment indicates a pressing requirement to integrate security best practices with compliance frameworks to safeguard business operations effectively.

X

Xodo

xodo.com

79

The website demonstrates a generally strong security posture in areas such as email security, SSL/TLS configuration, and network security, all scoring 100/100. However, critical gaps exist in compliance with GDPR and NIS2 regulations, with the NIS2 module scoring particularly low at 25/100, indicating insufficient governance and incident management frameworks. Missing key security headers and cookie consent mechanisms expose the site to client-side vulnerabilities and regulatory risks. The absence of documented security policies, incident response procedures, and vulnerability disclosure processes could lead to unmanaged security incidents and reputational damage. DNS security is moderately strong but can be improved by enabling DNSSEC and configuring CAA records. Overall, the site is operationally secure but requires urgent attention to governance, compliance, and security process maturity to mitigate legal and operational risks. Addressing these issues will enhance customer trust, legal compliance, and resilience against cyber threats.

A

Apryse

apryse.com

68

The website demonstrates a generally strong network and SSL/TLS security posture, scoring 100/100 in these areas, which reduces risk from external network threats and ensures secure data transmission. However, significant deficiencies exist in GDPR compliance and NIS2 security governance, with scores of 25/100 in both, indicating major regulatory and operational risks. High-severity issues such as missing privacy and cookie policies, lack of cookie consent mechanisms, and absence of incident response and security policy documentation expose the business to legal penalties and potential operational disruptions. Security headers are partially implemented but require strengthening to prevent common web-based attacks like clickjacking and MIME-type sniffing. Email security is relatively strong but requires improvements in DMARC enforcement to prevent phishing attacks. Immediate attention to regulatory compliance and formalizing security governance will mitigate legal exposure and enhance incident resilience. Overall, the website is vulnerable to compliance violations and operational risks despite good technical network defenses.

A

Apryse

pdfjs.express

56

The website's overall security posture is weak, with significant gaps in foundational security controls and regulatory compliance. Critical issues in email authentication pose severe risks of phishing and domain spoofing, potentially damaging brand reputation and customer trust. Missing key security headers expose the site to common web-based attacks such as clickjacking and cross-site scripting. GDPR non-compliance, including absence of privacy and cookie policies, risks regulatory penalties and undermines customer data protection assurances. The lack of an information security framework, incident response, and business continuity planning indicates poor operational resilience and readiness to handle security incidents. While network security and SSL/TLS configurations are relatively strong, critical gaps such as missing HSTS and DNSSEC reduce overall trustworthiness and increase vulnerability to man-in-the-middle attacks. Immediate remediation is necessary to protect customer data, meet regulatory requirements, and safeguard business reputation. Without swift action, the business faces elevated risk of data breaches, regulatory fines, and loss of customer confidence.

The website exhibits significant security and compliance gaps, particularly in GDPR adherence and NIS2 regulatory requirements, resulting in a low overall security posture. Critical issues include the absence of email authentication and a missing Content-Security-Policy header, increasing risks of phishing and cross-site attacks. The lack of a cookie policy and consent banner further exposes the business to regulatory penalties and reputational damage. While network security and SSL/TLS configurations are relatively strong, foundational controls such as incident response, security policies, and vulnerability disclosure are missing, impeding effective risk management. Insufficient email security measures also raise the likelihood of email spoofing and phishing. Immediate remediation is essential to prevent data breaches, ensure regulatory compliance, and maintain customer trust. Addressing these gaps will strengthen the business's resilience against cyber threats and regulatory scrutiny.

E

Eventive

eventive.org

65

The website demonstrates a moderate to low overall security posture with no critical vulnerabilities detected, but multiple high and medium risk issues that expose it to potential data breaches, compliance violations, and operational risks. Key weaknesses lie in missing essential security headers, lack of GDPR compliance artifacts such as privacy and cookie policies, and absence of fundamental NIS2 cybersecurity governance frameworks including incident response and security policy documentation. While network security, email security, SSL/TLS, and DNS configurations are relatively strong, significant improvements are needed in application-layer security and regulatory compliance to protect customer data and avoid legal penalties. The absence of cookie consent mechanisms and privacy policies poses substantial risks under GDPR regulations, potentially leading to fines and reputational damage. Furthermore, the missing security headers like Content-Security-Policy and X-Frame-Options increase susceptibility to cross-site scripting and clickjacking attacks. Addressing these vulnerabilities and compliance gaps promptly will enhance customer trust, reduce exposure to cyber threats, and ensure alignment with industry standards and regulations. Prioritizing governance and policy implementations alongside technical controls is essential for a comprehensive security posture improvement.

P

Paperflite

heysales.ai

63

The website's overall security posture is concerning, with multiple critical and high-severity issues that expose the business to significant risks including data breaches, compliance violations, and reputational damage. Key security headers are missing, leaving the site vulnerable to common web attacks such as clickjacking, cross-site scripting, and MIME-type sniffing. GDPR compliance gaps, including missing cookie consent and privacy policy concerns, put the business at risk of regulatory penalties. The absence of fundamental information security frameworks, incident response plans, and security policy documentation highlights a lack of mature security governance. Email security is critically weak due to missing authentication mechanisms, increasing phishing and spoofing risks. While network security shows strength, foundational SSL/TLS and DNS configurations require improvement to prevent man-in-the-middle attacks. Immediate remediation is essential to protect customer data, maintain legal compliance, and safeguard brand trust.

H

HandL Digital LLC

utmgrabber.com

71

The website demonstrates a mixed security posture with no critical vulnerabilities but several high and medium-risk issues that could expose the business to significant security and compliance risks. Key gaps in security headers and transport security headers reduce protection against common web-based attacks and data interception. Non-compliance with GDPR, notably lacking a cookie consent banner and incomplete privacy policies, risks regulatory penalties and undermines user trust. The absence of a formal information security framework, incident response procedures, and security policies indicates weak organizational security maturity, potentially leading to poor incident handling and increased downtime. While email, network security, SSL/TLS, and DNS configurations are relatively strong, critical improvements are needed in governance and application-layer protections. Addressing these vulnerabilities promptly will protect sensitive data, improve regulatory compliance, and strengthen overall cyber resilience. Prioritizing governance and security headers will provide the greatest immediate business value. Continuous monitoring and policy updates should follow to maintain security posture and compliance.

S

Smartshares Limited

smartinvest.co.nz

63

The website's overall security posture reveals significant gaps, particularly in foundational security headers, GDPR compliance, and NIS2 regulatory adherence. While there are no critical vulnerabilities, multiple high-severity issues expose the business to risks such as data breaches, regulatory penalties, and reputational damage. Missing key HTTP security headers and an impending SSL certificate expiration undermine secure communications and user trust. GDPR compliance deficiencies, including the absence of a cookie policy and consent mechanisms, present legal and operational risks, especially in European markets. The lack of documented information security and incident response policies indicates insufficient preparedness against cyber incidents. On a positive note, the network security and email security modules score relatively well, showing strengths in these areas. Immediate remediation is needed to protect sensitive data, ensure regulatory compliance, and maintain customer confidence.

S

Spotify AB

spotifyjobs.com

60

The website demonstrates significant security gaps, particularly in foundational security headers, data privacy compliance, and incident management frameworks. While no critical vulnerabilities were found, multiple high-severity issues indicate an elevated risk exposure that could lead to data breaches, reputational damage, and regulatory penalties. GDPR compliance is notably weak, lacking essential cookie policies and consent mechanisms, which threatens legal compliance and customer trust. The absence of a formal information security framework, incident response, and security policy documentation further exacerbates operational risks. Email security is suboptimal with missing DMARC and DKIM records, increasing the risk of phishing and spoofing attacks. SSL/TLS configurations are moderately healthy but require timely renewal and enabling of HSTS to ensure encrypted communications. DNS and network security are relatively strong, providing a solid foundation on which to build. Immediate remediation of critical governance and privacy controls will significantly reduce business risk and support regulatory adherence.

N

NZX Limited

nzx.com

65

The website demonstrates a concerning overall security posture with multiple high and medium risk issues primarily related to security headers, GDPR compliance, and NIS2 regulatory standards. While there are no critical vulnerabilities, the absence of key security headers and weak SSL/TLS configurations expose the site to common attacks like clickjacking, XSS, and data interception. GDPR compliance gaps, including missing cookie policies and consent mechanisms, pose legal and reputational risks, especially in regulated markets. The lack of documented information security frameworks, incident response procedures, and security policies further increases organizational risk and may hinder timely breach response. Positive aspects include strong network security and good email security practices, but these do not offset the critical gaps in web application and regulatory security controls. Immediate improvements are necessary to protect sensitive data, maintain customer trust, and ensure regulatory compliance. Without action, the business risks data breaches, regulatory fines, and damage to brand reputation.

S

Spotify AB

spotifyforbrands.com

65

The website demonstrates a moderate to weak security posture with no critical issues but several high and medium severity findings that could expose the business to significant risks. Key gaps include missing essential security headers, lack of GDPR compliance elements such as cookie policies and consent mechanisms, and absence of foundational NIS2 security governance documentation. Email and network security are relatively strong, but SSL/TLS configurations show weaknesses that could undermine data integrity and confidentiality. The absence of incident response and vulnerability disclosure policies increases the risk of prolonged breaches and reputational damage. Overall, the organization faces regulatory compliance risks, potential data breaches, and operational disruptions if these issues remain unaddressed. Immediate remediation will enhance customer trust, reduce legal exposure, and improve resilience against cyber threats. Prioritizing governance and technical controls will strengthen the security framework and align with industry best practices.

Z

Zillow, Inc.

zillowhomeloans.com

65

The website demonstrates a concerning security posture with significant gaps in fundamental protections and regulatory compliance. While there are no critical vulnerabilities detected, the presence of 11 high and multiple medium-severity issues indicates elevated risk exposure. Key deficiencies include missing essential security headers, lack of GDPR compliance elements such as privacy and cookie policies, and absence of core NIS2 security governance frameworks and incident response protocols. These lapses increase the risk of data breaches, regulatory penalties, and reputational damage. On a positive note, email security and network security configurations are robust, and SSL/TLS and DNS health are relatively strong but still require improvements. Immediate remediation is needed to address regulatory compliance and secure communication headers to reduce attack surfaces. Implementing structured security policies and response plans will enhance resilience and trust with customers and partners.

The website demonstrates a mixed security posture with strengths in network security, SSL/TLS configuration, email security, and DNS health. However, critical gaps exist in compliance with GDPR and NIS2 regulations, especially due to missing privacy policies, cookie consent mechanisms, and comprehensive security documentation. The absence of key security headers and vulnerability disclosure policies further exposes the site to preventable threats like clickjacking and content-type based attacks. These compliance and security shortcomings not only increase operational risk but could also result in regulatory penalties and damage to brand reputation. Immediate attention to privacy compliance and incident response readiness is crucial for business continuity and trust. While foundational security controls are in place, the lack of documented policies and frameworks leaves the organization vulnerable to evolving threats. Addressing these gaps will improve regulatory alignment, customer trust, and overall resilience against cyber threats.

C

Country Road

countryroad.co.nz

63

The website's overall security posture shows no critical vulnerabilities but reveals significant high and medium risks that could expose the business to compliance, operational, and reputational threats. Notably, the absence of foundational GDPR documentation and cookie consent mechanisms presents major regulatory compliance gaps, risking legal penalties and loss of customer trust. The missing core security headers and lack of an incident response framework further amplify exposure to common web-based attacks and operational disruptions. DNS and email configurations contain high-risk issues such as unregistered MX records and missing DKIM records, which could lead to email delivery problems and increased phishing risks. While network security and SSL/TLS configurations are generally strong, mixed content and incomplete HSTS policies reduce overall transport security effectiveness. Immediate remediation in governance, compliance, and core security controls is needed to safeguard customer data, ensure regulatory compliance, and maintain business continuity. Without addressing these, the business faces increased risks of data breaches, service interruptions, and regulatory fines.

The website demonstrates a generally sound network security and SSL/TLS posture, with strong email security and DNS health scores. However, significant shortcomings exist in privacy compliance and information security governance, notably lacking a privacy policy, cookie policies, and essential GDPR compliance elements. Critical NIS2 regulation adherence is absent, including no incident response plan, security policies, or business continuity planning, exposing the organization to regulatory and operational risks. Security headers are incompletely implemented, increasing the risk of common web attacks such as clickjacking and content sniffing. While there are no critical vulnerabilities identified, the high and medium issues collectively indicate a need for urgent remediation to reduce legal exposure, enhance customer trust, and safeguard against potential breaches. Addressing these gaps will improve regulatory compliance, reduce reputational risk, and strengthen the overall security posture. Prioritizing governance and compliance measures alongside technical controls is essential for sustainable business security.

The website demonstrates a moderate security posture with no critical issues but several high and medium-risk findings that could expose the business to regulatory, reputational, and operational risks. Key deficiencies include missing fundamental security headers, lack of GDPR compliance measures such as privacy and cookie policies, and the absence of essential NIS2 cybersecurity governance frameworks like incident response and security policy documentation. While email security, SSL/TLS, DNS health, and network security show strong maturity, the gaps in legal compliance and governance frameworks pose significant risks for regulatory penalties and customer trust erosion. Addressing these gaps is vital to reduce legal liability, improve customer confidence, and strengthen overall cybersecurity resilience. Immediate focus on privacy policy implementation and establishing security governance will enhance compliance with evolving legal and industry standards. Proactive communication of security policies and incident response readiness will also support business continuity and reputation management. Overall, the website requires targeted improvements to bridge compliance and policy deficiencies while maintaining its strong technical security controls.