Every other TLS scanner only sees the current cert. Cipherwake mines Certificate Transparency logs to track the actual private key behind every cert a domain has ever issued. These are the domains where 'cert rotation' didn't actually rotate the underlying key — meaning years of harvested traffic across multiple cert renewals all decrypt with one key compromise. This is the unique finding most ASM tools miss.
| # | Domain | Score | Grade | Key reuse (yrs) | Freshness |
|---|---|---|---|---|---|
| 1 | nissan.com | 3.5 | B | 1.6 (32 rotations) | stale (12d old) |
| 2 | monday.com | 5.3 | C | 1.6 (2 rotations) | verified 42m ago |
| 3 | uchicagomedicine.org | 4.9 | C | 1.5 (3 rotations) | verified 9h ago |
| 4 | vercel.com | 3.8 | B | 1.0 (33 rotations) | verified 42m ago |
| 5 | washingtonpost.com | 5.8 | C | 1.0 (32 rotations) | stale (3d old) |
| 6 | shield.ai | 4.6 | C | 0.5 (31 rotations) | verified 32h ago |
| 7 | wsj.com | 2.6 | B | 0.5 (32 rotations) | stale (4d old) |
| 8 | reuters.com | 5.0 | C | 0.5 (32 rotations) | stale (5d old) |
| 9 | bbc.com | 4.6 | C | 0.5 (31 rotations) | stale (9d old) |
| 10 | rtx.com | 5.0 | C | 0.5 (32 rotations) | verified 5h ago |
| 11 | ico.org.uk | 5.2 | C | 0.5 (31 rotations) | verified 9h ago |
| 12 | volkswagen.com | 4.8 | C | 0.5 (31 rotations) | verified 35h ago |
| 13 | github.com | 6.6 | D | 0.5 (33 rotations) | verified 42m ago |
| 14 | stripe.com | 6.6 | D | 0.3 (32 rotations) | verified 42m ago |
| 15 | tesla.com | 4.1 | C | 0.2 (32 rotations) | verified 35h ago |
| 16 | saic.com | 5.1 | C | 0.2 (31 rotations) | stale (2d old) |
| 17 | politico.com | 5.2 | C | 0.2 (31 rotations) | stale (6d old) |
| 18 | propublica.org | 4.4 | C | 0.2 (31 rotations) | stale (5d old) |
Run the same scan we use for this ranking. See your specific findings, get the migration steps, and track the domain so you know when your score improves.