I Audited 17 Cybersecurity Companies (Average: 73/100)
We benchmarked 17 Swedish cybersecurity companies using our website security score system. The average was 73/100. Here is what we found and what it means for NIS2 compliance.
60,000 Hacking Attempts Per Day
Four months ago, I started my self-hosting journey. The reason was simple: I wanted to cut costs on tools. But what I discovered changed everything.
I ran a command in my terminal to see how many login attempts were being made against my server. The number made me panic: over 60,000 attempts per day. Automated attacks, constant, around the clock.
Reality hit hard: I had no idea how exposed I was. My server was like a house with open doors. Thousands were trying to get in every hour.
That started a deep dive. I began systematically going through how I could defend my server, mask the sensitive stuff from the outside world, and understand what was actually wrong with my setup.
The Scanner Born Out of Necessity
In the hunt to secure my own infrastructure, I built a tool to test myself. A scanner that checks 16 different security parameters: SSL configuration, security headers, email authentication, certificate management, and more.
The more I improved my own setup, the more I started wondering: what does it look like for others?
Social media algorithms had started showing me cybersecurity companies, my "competitors" in the industry. Companies holding training sessions and seminars on IT security and compliance. I put their domains into my scanner.
It didn't look good. Most hovered around 40-50 points. The same companies that preach security to the masses hadn't fixed their own infrastructure. Expertise behind a facade.
Cybersecurity Benchmark Results
I expanded the audit to 17 Swedish cybersecurity companies and generated a website security score for each. The results:
Audit Results:
- Average score: 73
- Highest score: 81
- Lowest score: 59
- My own site: 100
I was shocked. Not because I expected perfection, but because I, who had just started diving into this world, demonstrated higher security and compliance than established players.
I felt like an impostor. I hadn't been entrenched in the industry as long as the others. Sure, I had GDPR and deliverability expertise from my time at Efficy and Apsis. But IT security was new to me.
How Could I Outpace the Experts?
It turned out to be surprisingly easy to understand the concepts. And with AI as an accelerator, I could speed up the process dramatically.
Most Common Issues I Found
- Missing or misconfigured security headers
- Outdated TLS configuration
- Incomplete email authentication (SPF, DKIM, DMARC)
- Unnecessarily exposed services
None of this is rocket science. Most configurations take just a few hours to implement. Email authentication maybe a day if you want to be thorough.
My first reaction? Disappointment. And honestly, a bit laughable.
NIS2 Compliance Is Driving Change
Here's the positive news: since I conducted the initial audit, several companies have improved their scores significantly. Some by over 20 points.
The NIS2 directive went live on January 15, 2026. There's a clear cascade effect from the new NIS2 requirements. Companies have started acting, but it took time, which tells me they take far too long on critical decisions when the solutions often take just a few hours.
I haven't been in contact with any of the 17 companies. Maybe I should? However, I've noticed that some now have bot defense activated, so my IP has been blocked from further scans. But to me, that's just a healthy sign they're expanding their security.
From Cloud Swamp to Freedom
My journey started with buying a server to cut costs. But I discovered something bigger: the value of open source.
Fully functional tools that can replace everything you buy today. The scanner became one of the products I built, first to monitor myself, then as something I want to help others with.
The Truth About Cloud vs Self-Hosted:
There's so much hype around cloud solutions. But if you're a service-based company without extreme traffic volumes, you can manage on 1-2 larger servers and possibly a smaller one to create a private cloud.
Cost: €100-200/month. No user caps. The only limiting factor is competence and willingness.
The funny thing? You're actually more free in the VPS world than in the cloud swamp.
Why I Sleep Well at Night
2-4% of your annual revenue in fines. That's what GDPR violations can cost. Brutal.
I'd rather sleep well at night by being able to produce evidence and show my back is covered. I wish the same for my clients.
What I Want to Achieve:
1. Get better at what I do myself
2. Lead by example when I reach out to other companies
3. Help others fix what's so simple but so important, to avoid attacks and unnecessary fines
What This Means for You
If you're an IT manager or business owner, here are some takeaways:
Audit Your Vendors
Before buying security services, check how the vendor's own website performs. It says something about their culture.
You Don't Need Cloud
For most service companies, self-hosted is cheaper, more secure, and gives you more control. The only cost is competence.
Start with the Basics
Start with a basic website security checklist: security headers, SSL configuration, and email authentication. These three areas of security hardening provide the biggest impact for the least effort.
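As an added example (not the post's scanner and not its scoring system), here is a small Python checker covering two of the three basics above, the security headers and the SPF/DMARC part of email authentication that also top the list of most common issues. It runs over constructed sample data embedded in the block; the header thresholds, the hard-fail expectation for SPF, and the 10-points-per-finding score are my assumptions.

```python
import re

# Constructed sample (not from any audited company): a site's response headers
# plus the DNS TXT records a scanner would look up for its domain.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=600",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def check_headers(headers):
    """Findings for the hardening headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("HSTS missing")
    elif int(age.group(1)) < 31536000:  # one year, the usual preload bar
        findings.append("HSTS max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows unsafe-inline")
    return findings

def check_email_auth(domain, txt):
    """Findings for SPF and DMARC (DKIM needs a selector, so it is not checked)."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append("SPF does not hard-fail (-all)")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    pol = re.search(r"\bp=(\w+)", dmarc[0]) if dmarc else None
    if not dmarc:
        findings.append("DMARC missing")
    elif not pol or pol.group(1) == "none":
        findings.append("DMARC policy is none")
    return findings

def score(findings, penalty=10):  # 100-point scale; my scheme, not the post's
    return max(0, 100 - penalty * len(findings))
```

On the sample data the site loses 40 points: a short HSTS lifetime, an inline-permitting CSP, a soft-fail SPF and a monitoring-only DMARC policy, each a few minutes' fix.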
Want to know where your site stands? I offer complimentary SVAR scans for companies who want to understand their current state.