Back to news
Cybersecurity Alert
June 18, 2026 by EmailMeNow IT Consulting

Cybersecurity Audit of Nasdaq 100 Companies in 2026

Independent cybersecurity audits of 100 Nasdaq-100 constituents — scores range from 87% to 30%. Tech-heavy index shows wide gaps in DMARC, MTA-STS, transport security, and website headers.

Nasdaq 100NDXCybersecurityDMARCPublic CompaniesTechnology
Cybersecurity audit scores for Nasdaq 100 company domains in 2026

An independent cybersecurity review across 100 Nasdaq-100 index constituents — the largest non-financial companies listed on Nasdaq, heavily weighted toward technology and growth sectors — reveals a wide spread in domain and infrastructure posture. Names from NVIDIA, Microsoft, and Palantir to Costco, PepsiCo, and Marriott were evaluated on primary corporate domains.

Using data from audit.emailmenow.com, we scored each company’s primary domain across identity, transport, website, and endpoint security — SPF, DKIM, DMARC, MTA-STS/TLS, DNSSEC, and security headers (HSTS, CSP, clickjacking protection).

In this national audit, scores ranged from 87% to 30%42 of 100 (42%) scored 70% or above; 19 scored below 60%.

Cybersecurity Scores of Nasdaq 100 Companies

Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.

RankCompanyDomainOverall ScoreWebsite ScorePerformance Level
1ASMLasml.com87%92%Strong
2Micron Technologymicron.com86%100%Strong
2Lindelinde.com86%100%Strong
2IDEXX Laboratoriesidexx.com86%100%Strong
5Palantir Technologiespalantir.com85%100%Strong
5Baker Hughesbakerhughes.com85%92%Strong
7PACCARpaccar.com84%92%Good
7Regeneron Pharmaceuticalsregeneron.com84%92%Good
9KLA Corporationkla.com80%100%Good
10Roper Technologiesropertech.com79%92%Good
11Fortinetfortinet.com78%92%Good
11GE HealthCaregehealthcare.com78%92%Good
13Diamondback Energydiamondbackenergy.com76%100%Good
13PayPalpaypal.com76%100%Good
13Zscalerzscaler.com76%100%Good
16Cintascintas.com75%92%Good
17Costcocostco.com74%45%Good
17Seagate Technologyseagate.com74%92%Good
17Marriott Internationalmarriott.com74%45%Good
17Airbnbairbnb.com74%45%Good
17Datadogdatadoghq.com74%92%Good
17Adobeadobe.com74%45%Good
17Old Dominion Freight Lineodfl.com74%92%Good
17Take-Two Interactivetake2games.com74%92%Good
25Microsoftmicrosoft.com73%45%Good
26Amgenamgen.com72%45%Good
26Paychexpaychex.com72%92%Good
28Applied Materialsappliedmaterials.com71%45%Good
28Palo Alto Networkspaloaltonetworks.com71%45%Good
28PDD Holdingspddholdings.com71%70%Good
28Thomson Reutersthomsonreuters.com71%45%Good
28Kraft Heinzkraftheinzcompany.com71%45%Good
33Lam Researchlamresearch.com70%45%Good
33Arm Holdingsarm.com70%100%Good
33T-Mobile USt-mobile.com70%45%Good
33Intuitive Surgicalintuitive.com70%45%Good
33Booking Holdingsbooking.com70%45%Good
33Automatic Data Processingadp.com70%45%Good
33Intuitintuit.com70%45%Good
33American Electric Poweraep.com70%45%Good
33Fastenalfastenal.com70%45%Good
33Xcel Energyxcelenergy.com70%45%Good
43AMDamd.com68%92%Above Average
43Netflixnetflix.com68%45%Above Average
43Monster Beveragemonsterbevcorp.com68%92%Above Average
43NXP Semiconductorsnxp.com68%92%Above Average
43Electronic Artsea.com68%92%Above Average
43Strategy (MicroStrategy)strategy.com68%100%Above Average
49Microchip Technologymicrochip.com67%70%Above Average
49Copartcopart.com67%70%Above Average
51Teslatesla.com66%45%Above Average
52CrowdStrikecrowdstrike.com65%45%Above Average
53Texas Instrumentsti.com64%45%Above Average
53Marvell Technologymarvell.com64%45%Above Average
53Western Digitalwdc.com64%92%Above Average
53Qualcommqualcomm.com64%45%Above Average
53AppLovinapplovin.com64%70%Above Average
53Starbucksstarbucks.com64%45%Above Average
53Mondelez Internationalmondelezinternational.com64%45%Above Average
53Monolithic Power Systemsmonolithicpower.com64%45%Above Average
53Exelonexeloncorp.com64%45%Above Average
53Cognizantcognizant.com64%45%Above Average
53Sandisksandisk.com64%92%Above Average
64Broadcombroadcom.com63%45%Above Average
64Honeywellhoneywell.com63%45%Above Average
66Intelintel.com62%92%Above Average
66DoorDashdoordash.com62%45%Above Average
66Warner Bros. Discoverywbd.com62%45%Above Average
69Comcastcomcast.com61%45%Above Average
69Axon Enterpriseaxon.com61%45%Above Average
71NVIDIAnvidia.com60%45%Above Average
71Walmartwalmart.com60%45%Above Average
71PepsiCopepsico.com60%45%Above Average
71Shopifyshopify.com60%45%Above Average
71Cadence Design Systemscadence.com60%45%Above Average
71MercadoLibremercadolibre.com60%45%Above Average
71O’Reilly Automotiveoreillyauto.com60%45%Above Average
71Ferrovialferrovial.com60%45%Above Average
71Workdayworkday.com60%45%Above Average
71DexComdexcom.com60%45%Above Average
71Verisk Analyticsverisk.com60%45%Above Average
82Analog Devicesanalog.com58%45%Average
82Ross Storesrossstores.com58%45%Average
82Lumentumlumentum.com58%92%Average
85Alphabet (Google)google.com57%45%Average
86Amazonamazon.com56%45%Average
86Keurig Dr Pepperkeurigdrpepper.com56%45%Average
86Autodeskautodesk.com56%45%Average
89Gilead Sciencesgilead.com55%45%Average
90Appleapple.com54%45%Average
90Ciscocisco.com54%45%Average
90Synopsyssynopsys.com54%45%Average
90CSX Corporationcsx.com54%45%Average
90Insmedinsmed.com54%45%Average
90Charter Communicationscharter.com54%45%Average
96Vertex Pharmaceuticalsvrtx.com51%70%Average
97Meta Platformsmeta.com44%45%Below Average
98Alnylam Pharmaceuticalsalnylam.com42%45%Below Average
99Constellation Energyconstellationenergy.com30%45%Weak
99Coca-Cola Europacific Partnerscoca-colaep.com30%45%Weak

Lowest Cybersecurity Scores (Bottom 5)

Companies at the bottom of the index — overall and website scores from audit.emailmenow.com.

RankCompanyDomainOverall ScoreWebsite ScorePerformance Level
96Vertex Pharmaceuticalsvrtx.com51%70%Average
97Meta Platformsmeta.com44%45%Below Average
98Alnylam Pharmaceuticalsalnylam.com42%45%Below Average
99Constellation Energyconstellationenergy.com30%45%Weak
99Coca-Cola Europacific Partnerscoca-colaep.com30%45%Weak

Website Security Scores

Scores ranged from 100% to 45%; 10 of 100 reached the 100% ideal and 64 scored below 60%.

RankCompanyDomainWebsite ScoreRating
1Micron Technologymicron.com100%Strong
1Lindelinde.com100%Strong
1IDEXX Laboratoriesidexx.com100%Strong
1Palantir Technologiespalantir.com100%Strong
1KLA Corporationkla.com100%Strong
1Diamondback Energydiamondbackenergy.com100%Strong
1PayPalpaypal.com100%Strong
1Zscalerzscaler.com100%Strong
1Arm Holdingsarm.com100%Strong
1Strategy (MicroStrategy)strategy.com100%Strong
11ASMLasml.com92%Strong
11Baker Hughesbakerhughes.com92%Strong
11PACCARpaccar.com92%Strong
11Regeneron Pharmaceuticalsregeneron.com92%Strong
11Roper Technologiesropertech.com92%Strong
11Fortinetfortinet.com92%Strong
11GE HealthCaregehealthcare.com92%Strong
11Cintascintas.com92%Strong
11Seagate Technologyseagate.com92%Strong
11Datadogdatadoghq.com92%Strong
11Old Dominion Freight Lineodfl.com92%Strong
11Take-Two Interactivetake2games.com92%Strong
11Paychexpaychex.com92%Strong
11AMDamd.com92%Strong
11Monster Beveragemonsterbevcorp.com92%Strong
11NXP Semiconductorsnxp.com92%Strong
11Electronic Artsea.com92%Strong
11Western Digitalwdc.com92%Strong
11Sandisksandisk.com92%Strong
11Intelintel.com92%Strong
11Lumentumlumentum.com92%Strong
32PDD Holdingspddholdings.com70%Good
32Microchip Technologymicrochip.com70%Good
32Copartcopart.com70%Good
32AppLovinapplovin.com70%Good
32Vertex Pharmaceuticalsvrtx.com70%Good
37Costcocostco.com45%Below Average
37Marriott Internationalmarriott.com45%Below Average
37Airbnbairbnb.com45%Below Average
37Adobeadobe.com45%Below Average
37Microsoftmicrosoft.com45%Below Average
37Amgenamgen.com45%Below Average
37Applied Materialsappliedmaterials.com45%Below Average
37Palo Alto Networkspaloaltonetworks.com45%Below Average
37Thomson Reutersthomsonreuters.com45%Below Average
37Kraft Heinzkraftheinzcompany.com45%Below Average
37Lam Researchlamresearch.com45%Below Average
37T-Mobile USt-mobile.com45%Below Average
37Intuitive Surgicalintuitive.com45%Below Average
37Booking Holdingsbooking.com45%Below Average
37Automatic Data Processingadp.com45%Below Average
37Intuitintuit.com45%Below Average
37American Electric Poweraep.com45%Below Average
37Fastenalfastenal.com45%Below Average
37Xcel Energyxcelenergy.com45%Below Average
37Netflixnetflix.com45%Below Average
37Teslatesla.com45%Below Average
37CrowdStrikecrowdstrike.com45%Below Average
37Texas Instrumentsti.com45%Below Average
37Marvell Technologymarvell.com45%Below Average
37Qualcommqualcomm.com45%Below Average
37Starbucksstarbucks.com45%Below Average
37Mondelez Internationalmondelezinternational.com45%Below Average
37Monolithic Power Systemsmonolithicpower.com45%Below Average
37Exelonexeloncorp.com45%Below Average
37Cognizantcognizant.com45%Below Average
37Broadcombroadcom.com45%Below Average
37Honeywellhoneywell.com45%Below Average
37DoorDashdoordash.com45%Below Average
37Warner Bros. Discoverywbd.com45%Below Average
37Comcastcomcast.com45%Below Average
37Axon Enterpriseaxon.com45%Below Average
37NVIDIAnvidia.com45%Below Average
37Walmartwalmart.com45%Below Average
37PepsiCopepsico.com45%Below Average
37Shopifyshopify.com45%Below Average
37Cadence Design Systemscadence.com45%Below Average
37MercadoLibremercadolibre.com45%Below Average
37O’Reilly Automotiveoreillyauto.com45%Below Average
37Ferrovialferrovial.com45%Below Average
37Workdayworkday.com45%Below Average
37DexComdexcom.com45%Below Average
37Verisk Analyticsverisk.com45%Below Average
37Analog Devicesanalog.com45%Below Average
37Ross Storesrossstores.com45%Below Average
37Alphabet (Google)google.com45%Below Average
37Amazonamazon.com45%Below Average
37Keurig Dr Pepperkeurigdrpepper.com45%Below Average
37Autodeskautodesk.com45%Below Average
37Gilead Sciencesgilead.com45%Below Average
37Appleapple.com45%Below Average
37Ciscocisco.com45%Below Average
37Synopsyssynopsys.com45%Below Average
37CSX Corporationcsx.com45%Below Average
37Insmedinsmed.com45%Below Average
37Charter Communicationscharter.com45%Below Average
37Meta Platformsmeta.com45%Below Average
37Alnylam Pharmaceuticalsalnylam.com45%Below Average
37Constellation Energyconstellationenergy.com45%Below Average
37Coca-Cola Europacific Partnerscoca-colaep.com45%Below Average

What the Results Reveal

  • ASML (87%), Micron Technology (86%), Linde (86%) lead the index on combined cybersecurity posture; the bottom tier ties at 30% overall with 45% website scores.
  • Website headers lag identity controls: only 10 domains reached the 100% ideal on website security; 64 scored below 60% (HSTS, CSP, clickjacking protection).
  • Cybersecurity vendors are not uniformly top-ranked: CrowdStrike (65%), Fortinet (78%), Palo Alto Networks (71%), and Zscaler (76%) span mid-pack to strong — configuration gaps persist even at security-first brands.
  • Mega-cap technology names show mixed results: Micron (86%) and Palantir (85%) rank near the top while Meta (44%), Alphabet (57%), and Apple (54%) sit well below the index leaders.
  • 19 companies scored below 60% — a range where spoofed executive communications, vendor-payment fraud, and credential phishing remain realistic threats.
  • Partners and enterprise buyers should verify DMARC enforcement, MTA-STS, and website hardening on any domain used for billing, wire instructions, or account recovery.

Attack exposure at the bottom of the index

Domains scoring near 30% combine weak identity enforcement, missing inbound transport protections, and sub-60% website hardening. Without naming specific constituents, organizations in that tier are disproportionately exposed to:

  • Business email compromise (BEC) — spoofed messages appearing to come from executives or accounts payable, used to redirect wires and ACH payments.
  • Brand impersonation phishing — fake billing, HR, and vendor notices that pass visual inspection because DMARC and SPF are not fully enforced.
  • Credential harvesting — login pages linked from forged @company.com mail aimed at employees, contractors, and customers.
  • Invoice and procurement fraud — altered payment instructions sent to finance teams and supply-chain partners who trust the corporate domain.
  • Account-recovery abuse — password-reset and MFA prompts triggered from impersonated sender addresses.
  • Inbound mail downgrade attacks — absence of enforced MTA-STS allows opportunistic TLS stripping on messages destined for the organization.
  • Clickjacking and session risks — missing HSTS, CSP, and frame protections on the public site increase browser-side attack surface for visitors and logged-in users.
  • Supply-chain targeting — partners who whitelist the domain for deliverability become secondary victims when spoofed mail originates unchecked.

These are not theoretical edge cases. State breach portals and FBI IC3 reporting consistently tie weak email authentication and header gaps to measurable financial loss at large enterprises.

Real attacks, told as stories

The stories below are made up, but they are based on real crimes that police and cybersecurity teams see every year. No Nasdaq-100 company is named. Each story shows how weak domain settings can hurt real people.


Story 1: Maria and the payment that was not real

Illustration: accountant reviewing a spoofed vendor payment email

Maria works in accounts payable at Midwest Parts, a supplier that has sold to a big national brand for ten years.

On a Tuesday morning, she gets an email that looks normal:

From: accounts-payable@bigbrand.com
Subject: New bank info for March invoices

The logo looks right. The tone sounds like past emails. A PDF lists a new routing number.

Maria does not know that bigbrand.com has weak email security. A stranger sent the message from their own server and pretended to be the big brand. That is called brand impersonation.

She approves a $284,000 wire. The money goes to the attacker, not the real company.

The next day, the same fake sender emails two more suppliers Maria knows from trade shows. One ignores it. One also changes bank details. That is supply-chain targeting — hurting partners by faking the main company’s name.

Attack vectors in this story: brand impersonation · invoice and procurement fraud · supply-chain targeting · business email compromise (BEC)

Simple fix: Strict DMARC (p=reject), SPF (-all), and a rule that every bank change needs a phone call to a known contact — not just email.


Story 2: Jordan clicks “reset password”

Illustration: employee facing a fake password reset email

Jordan is a facilities manager at a large tech company. On Wednesday at 2 p.m., his phone buzzes:

From: it-security@bigbrand.com
Subject: Reset your password in 2 hours or lose access

Jordan is busy. The email looks like IT mail he has seen before. He clicks the link.

The page looks like his company login. It is not. It is a copy on a similar-looking website (bigbrand-secure.com). He types his username and password. The attacker saves them.

This is account-recovery abuse and credential harvesting. The criminal used a fake “reset your account” message because people trust mail from @company.com.

That night, the attacker signs into Jordan’s mailbox and reads old threads about a possible acquisition. On Thursday, they email the CFO’s assistant:

From: cfo@bigbrand.com
Subject: Urgent — confidential wire for escrow

That is BEC — business email compromise. The assistant almost approves it. A bookkeeper asks, “Did you talk to the CFO on the phone?” The wire stops. Jordan still has to change every password he reused.

Attack vectors in this story: account-recovery abuse · credential harvesting · business email compromise (BEC)

Simple fix: DMARC p=reject, train staff that IT will never rush a reset by email alone, and require a callback before any wire.


Story 3: The contract email no one knew could be copied

Illustration: email traveling through an unencrypted network path

Priya is a lawyer at the same big brand. She emails a draft contract to her firm’s inbox at @bigbrand.com. The send button works. Her screen says Delivered.

What Priya cannot see: on part of the internet path, the mail server connection was downgraded from locked (TLS) to unlocked. Without MTA-STS set to mode=enforce, her company’s mail system still accepts the message. An attacker on that path can copy attachment text in plain form.

This is an inbound mail downgrade attack. Most people worry about fake outgoing email. MTA-STS protects incoming mail — mail sent to your company.

Priya’s IT team sees green checkmarks in their dashboard. Nothing looks wrong. Weeks later, a competitor seems to know bid details early. The leak might have started on the wire, not in someone’s inbox.

Attack vector in this story: inbound mail downgrade (no MTA-STS)

Simple fix: Publish MTA-STS in enforce mode and turn on TLS-RPT reports so IT gets alerted when encryption fails.


Story 4: Alex applies for a job online

Illustration: job seeker caught in a clickjacking trap on a fake careers page

Alex is a college senior. He is already logged into his school portal in one browser tab. In another tab, he opens a job post: “Big Brand — analyst role, fast track.

The site asks him to “confirm your profile” on what looks like the real company careers page. He clicks.

He does not know the page is a trap. The real login screen is hidden inside an invisible frame on a scam site. That trick is called clickjacking. The company’s website scored 45% on security headers — missing strong HSTS, CSP, and frame blocking.

Alex thinks he is on the real site. He is really interacting with a layer the attacker controls. If he had been logged into the company’s vendor portal in another tab, the same trick could hijack that session.

No phishing email was needed. The attack lived on the website, not in the inbox.

Attack vectors in this story: clickjacking · session risks (missing HSTS/CSP)

Simple fix: Add HSTS, Content-Security-Policy, and frame-ancestors / X-Frame-Options so login pages cannot be embedded on random sites.


How the stories connect

All four stories can hit one company with a weak audit score (near 30%):

StoryWho got hurtMain gap
Maria (supplier)Outside partnersFake mail from your domain
Jordan (employee)Inside staffFake password-reset mail
Priya (lawyer)Confidential data in transitIncoming mail not forced to stay encrypted
Alex (job seeker)Website visitorsLogin page can be framed by attackers

Together, that is not one bug — it is a pattern. Fixing it means better DNS (DMARC, MTA-STS), better website headers, and better office rules (call back before you wire).

Website stack highlights

A July 2026 passive website-stack check of Nasdaq-100 domains found three public CMS signals worth calling out:

CompanyDomainWhat we found
Ferrovialferrovial.comWordPress core behind current — running 6.9.4 while wordpress.org lists 7.0.1; Contact Form 7 and related plugins are visible in public assets
Diamondback Energydiamondbackenergy.comDrupal major version behind — public site reports Drupal 10; current major release is Drupal 11
Roper Technologiesropertech.comDrupal major version behind — public site reports Drupal 10; current major release is Drupal 11

Most other Nasdaq-100 sites hide CMS versions behind CDNs or managed platforms. These findings do not prove compromise — they are fixable public hygiene gaps next to the email-auth scores above.

Why This Matters

Nasdaq-100 companies drive global software, semiconductor, and platform ecosystems. Their domains send product updates, billing notices, investor communications, and vendor onboarding at massive scale. Weak cybersecurity configuration on a corporate domain is a direct path to business email compromise (BEC), fraudulent wire transfers, and credential phishing aimed at employees, customers, and supply-chain partners.

Check any company’s posture at audit.emailmenow.com.

See also — national audits

Recommendations

  • Enforce DMARC (p=reject), strict SPF (-all), and DKIM on all outbound mail domains.
  • Publish MTA-STS in enforce mode and harden website security headers on primary and subsidiary domains.
  • Require verified call-back for wire and ACH changes initiated by email.
  • Benchmark subsidiary and acquisition domains separately — many index members operate multiple customer-facing brands.

Methodology: Primary corporate domains for Nasdaq-100 constituents (June 2026 index composition, excluding financials per index rules) audited 2026-06-18 via audit.emailmenow.com. Alphabet is represented once on google.com (Class A/C share classes share corporate mail infrastructure).