.svg)
.svg)
🔎 Major Findings Across Sectors
- Expedia scored 90% and was the standout performer in the sector, despite the need for protection of PII and customer transactions for the major airlines.
- There was a sharp drop in performance, particularly for the non-transactional health sites, particularly the content site, but also the NHS and BUPA.
- The major airports were also similarly challenged, with noticeable gaps in performance.
⚠️ Threats & Weaknesses
- On the worst performing domains, automated bots were able to scan, map, and interact with authentication services without encountering rate limits, anomaly detection, or session validation controls. Infiltration rates reached up to 95% on some domains, confirming a near-total absence of active defensive interception.
- In many sites no behavioural response to bot-generated input or repeated access attempts was detected. Although all sites had Web Application Firewalls (WAFs) deployed, our simulations were able to complete reconnaissance and interaction phases without challenge - highlighting the limitations of legacy, perimeter-centric defence strategies.
- The weaker performances mostly showed exposure to account take-over attacks, which could lead to the exposure of PII and customer data, book details, bonus points etc.
🔓 Unlocking Results
VerifiedThreat assessments highlight which organisations:
- ✅ Have robust, resilient defences
- ⚠️ Are at risk of automation and bot-based exploitation
- 🚨 Face critical vulnerabilities if left unchecked
💡 Why This Matters
Understanding sector dynamics allows businesses to:
- Benchmark against industry peers
- Prioritise investment in external defence
- Strengthen customer trust by closing exposure gaps
