Certified ≠ Secure
We measured the external attack surface of 1,171 organizations. The ones advertising compliance certifications weren’t safer — they were, on average, more externally fragile.
A compliance badge attests that a company documented its controls. It doesn’t measure whether its attack surface can be broken into. This study quantifies that gap — anonymized, with no organization named and no exact vulnerability disclosed.
- 1,171
- organizations analyzed
- 39%
- rated high or critical fragility
- More
- fragile when certified — not less
Trusted by security, risk, and underwriting teams evaluating third-party exposure.
What’s inside
The compliance paradox
Why organizations publicly advertising SOC 2 / ISO / Vanta-style certifications scored measurably more fragile on their external attack surface.
The Fragility Index
The transparent scoring model behind the study — how severity counts and exploitability roll up into one comparable risk signal.
Weakness patterns
The anonymized categories that drove most of the risk — email/DNS hygiene, exposed services, cloud storage, and subdomain sprawl.
Breakdowns that matter
How fragility varied by sector, organization size, and region — and where the certified-but-fragile gap was widest.
Every finding is passive, external reconnaissance only — consent-gated, non-intrusive, and reported in aggregate. No organization is named; no exact vulnerability is disclosed. Fragility is a risk signal, not a verdict.
See where your own surface lands
Run a free, passive 2-minute scan and get your Fragility score and percentile against the 1,171 organizations in the study.