This platform is for authorized security research and educational purposes ONLY. Scanning assets without explicit permission is illegal.
This report analyzes transport layer cryptographic configurations across 10,000 public corporate web domains to establish a baseline of modern transport security. Our findings show that while TLS 1.3 adoption has risen to 85.2%, a minor subset of systems still allow legacy TLS 1.0 or TLS 1.1 fallback.
The majority of scanned servers negotiate the TLS 1.3 protocol by default.
A significant portion of servers still allow fallback to TLS 1.2 for legacy clients.
A residual fraction of hosts permit deprecated TLS 1.0 or 1.1 handshakes.
Only 45% of surveyed domains enforce HSTS headers, leaving clients open to SSL stripping.
Our scanning telemetry analyzed the public key sizes used in leaf certificates:
To mitigate downgrade threats, security teams should immediately enforce TLS 1.2 as the minimum protocol version and disable all CBC-mode ciphers in web-facing server blocks. Ensure HSTS is enabled with a minimum duration of one year.
Data was compiled by running non-intrusive SSL/TLS handshake queries against 10,000 randomly selected domains from public web-rank lists. Handshake requests targeted port 443 to extract protocol versions, negotiated cipher suites, and certificate metadata.
ReconShield Active Telemetry Network and public certificate logs.