Security Research

Certified Secure

We measured the external attack surface of 1,171 organizations. The ones advertising compliance certifications weren’t safer — they were, on average, more externally fragile.

A compliance badge attests that a company documented its controls. It doesn’t measure whether its attack surface can be broken into. This study quantifies that gap — anonymized, with no organization named and no exact vulnerability disclosed.

1,171
organizations analyzed
39%
rated high or critical fragility
More
fragile when certified — not less
Free download — corporate email required.

Free providers (gmail, outlook…) aren’t accepted.

No spam. We never share or sell your data.

Trusted by security, risk, and underwriting teams evaluating third-party exposure.

What’s inside

The compliance paradox

Why organizations publicly advertising SOC 2 / ISO / Vanta-style certifications scored measurably more fragile on their external attack surface.

The Fragility Index

The transparent scoring model behind the study — how severity counts and exploitability roll up into one comparable risk signal.

Weakness patterns

The anonymized categories that drove most of the risk — email/DNS hygiene, exposed services, cloud storage, and subdomain sprawl.

Breakdowns that matter

How fragility varied by sector, organization size, and region — and where the certified-but-fragile gap was widest.

Every finding is passive, external reconnaissance only — consent-gated, non-intrusive, and reported in aggregate. No organization is named; no exact vulnerability is disclosed. Fragility is a risk signal, not a verdict.

See where your own surface lands

Run a free, passive 2-minute scan and get your Fragility score and percentile against the 1,171 organizations in the study.

Scan my attack surface →