Every other TLS scanner only sees the current cert. Cipherwake mines Certificate Transparency logs to track the actual private key behind every cert a domain has ever issued. These are the domains where 'cert rotation' didn't actually rotate the underlying key — meaning years of harvested traffic across multiple cert renewals all decrypt with one key compromise. This is the unique finding most ASM tools miss.
| # | Domain | Score | Grade | Key reuse (yrs) | Freshness |
|---|---|---|---|---|---|
| 1 | nissan.com | 3.5 | B | 1.6 (32 rotations) | stale (12d old) |
| 2 | monday.com | 5.3 | C | 1.6 (2 rotations) | verified 2h ago |
| 3 | uchicagomedicine.org | 4.9 | C | 1.5 (3 rotations) | verified 8h ago |
| 4 | washingtonpost.com | 5.8 | C | 1.0 (32 rotations) | stale (2d old) |
| 5 | shield.ai | 4.6 | C | 0.5 (31 rotations) | verified 31h ago |
| 6 | wsj.com | 2.6 | B | 0.5 (32 rotations) | stale (4d old) |
| 7 | reuters.com | 5.0 | C | 0.5 (32 rotations) | stale (5d old) |
| 8 | bbc.com | 4.6 | C | 0.5 (31 rotations) | stale (9d old) |
| 9 | rtx.com | 5.0 | C | 0.5 (32 rotations) | verified 4h ago |
| 10 | ico.org.uk | 5.2 | C | 0.5 (31 rotations) | verified 8h ago |
| 11 | volkswagen.com | 4.8 | C | 0.5 (31 rotations) | verified 34h ago |
| 12 | tesla.com | 4.1 | C | 0.2 (32 rotations) | verified 34h ago |
| 13 | saic.com | 5.1 | C | 0.2 (31 rotations) | stale (2d old) |
| 14 | politico.com | 5.2 | C | 0.2 (31 rotations) | stale (6d old) |
| 15 | propublica.org | 4.4 | C | 0.2 (31 rotations) | stale (4d old) |
Run the same scan we use for this ranking. See your specific findings, get the migration steps, and track the domain so you know when your score improves.