The InfoSec Website Paradox: Do Cybersecurity Companies Practice What They Preach?
"The cobbler's children have no shoes."
It's a centuries-old proverb, and in cybersecurity it's a running joke. InfoSec companies spend their days auditing other organizations' security posture, publishing best-practice guides, and selling trust. Their entire business model depends on demonstrating expertise, authority, and trustworthiness.
So what happens when you audit the auditors — not for security vulnerabilities, but for the quality of their own websites?
We analyzed 14,739 cybersecurity websites in LLMSE's database and cross-referenced them with SEO, EEAT, WCAG accessibility, readability, and GARM brand safety grades. Then we compared the results against the web-wide average and against other technology subcategories like Programming, Software, Cloud Computing, and Web Development.
The results confirm the proverb. The industry that sells trust and expertise is measurably worse at demonstrating trust and expertise than the average website on the internet.
The Data
We identified 14,739 domains classified under Computer & Electronics > Information and Network Security in LLMSE's database as of March 2026. An additional 1,936 domains are classified under Computer Security, bringing the combined cybersecurity universe to approximately 16,675 domains. This analysis focuses on the larger Information and Network Security subset.
These domains cover the full spectrum of cybersecurity: vendors selling security products, managed security service providers (MSSPs), security research blogs, vulnerability databases, threat intelligence firms, and industry organizations.
Demographics Snapshot
| Dimension | Value |
|---|---|
| Total Domains | 14,739 |
| Primary Language | English (87.4%) |
| Second Language | Chinese (3.5%) |
| Sentiment | Good (86.9%), Neutral (13.0%), Bad (0.1%) |
| Gender Target | Male (100%) |
| Age Target | 25-44 (100%) |
| GARM Brand Safety | A (100%) |
Two numbers stand out immediately. First, the gender targeting: 100% male. Every single one of the 14,554 cybersecurity sites with demographic data targets a male audience. Zero target female audiences. Zero target all genders. This is the most gender-skewed category in LLMSE's entire database.
Second, GARM brand safety is perfect — every cybersecurity site scores an A. This is expected: professional security content is inherently brand-safe. There's no controversy in explaining how firewalls work.
Language Distribution
| Language | Domains | Share |
|---|---|---|
| English | 10,951 | 87.4% |
| Chinese | 433 | 3.5% |
| German | 251 | 2.0% |
| French | 238 | 1.9% |
| Japanese | 140 | 1.1% |
| Spanish | 136 | 1.1% |
| Portuguese | 47 | 0.4% |
| Korean | 25 | 0.2% |
English dominance (87.4%) significantly exceeds the web average, reflecting the fact that cybersecurity tooling, vulnerability disclosures (CVEs), and industry conferences are overwhelmingly English-language. Chinese at 3.5% is consistent with China's large cybersecurity industry.
SEO: The Industry That Can't Be Found
| Grade | InfoSec Domains | InfoSec % | Web-Wide % |
|---|---|---|---|
| A | 2 | 0.02% | 0.05% |
| B | 22 | 0.26% | 0.42% |
| C | 110 | 1.32% | 1.53% |
| D | 329 | 3.95% | 4.00% |
| F | 7,872 | 94.44% | 94.00% |
| Total | 8,335 |
InfoSec SEO pass rate (A+B): 0.29%. The web-wide average is 0.48%.
Read that again: cybersecurity websites are 40% worse at SEO than the average website on the internet. In an industry where "being found" matters — where companies sell products that protect against threats people are actively searching for — only 24 out of 8,335 sites earn a passing SEO grade.
The 94.4% F rate means that for nearly every cybersecurity company, their website is essentially invisible to search engines beyond their brand name. If someone searches "endpoint detection and response" or "zero trust architecture," most InfoSec vendors' websites don't meet the basic structural requirements for competitive ranking.
How InfoSec Compares to Other Tech Subcategories
| Subcategory | Domains | SEO Pass (A+B) | SEO F Rate |
|---|---|---|---|
| InfoSec | 8,335 | 0.29% | 94.4% |
| Programming | 31,238 | 0.27% | 92.9% |
| Cloud Computing | 2,245 | 0.27% | 94.6% |
| Web Development | 25,771 | 0.19% | 94.7% |
| Software | 29,305 | 0.17% | 97.9% |
| Web-wide average | 864,867 | 0.48% | 94.0% |
The entire technology sector has terrible SEO, and InfoSec is roughly in line with its peers. But this context makes the problem worse, not better: these are companies staffed by technical professionals who build websites for a living. The bar for "companies that should know better" is higher than the web average, not equal to it.
EEAT: The Trust Gap
This is where the paradox becomes undeniable.
| Grade | InfoSec Domains | InfoSec % | Web-Wide % |
|---|---|---|---|
| A | 68 | 1.0% | 3.7% |
| B | 538 | 8.0% | 20.8% |
| C | 2,021 | 30.0% | 23.8% |
| D | 3,768 | 55.9% | 46.5% |
| F | 343 | 5.1% | 5.2% |
| Total | 6,738 |
InfoSec EEAT pass rate (A+B): 9.0%. The web-wide average is 24.5%.
Cybersecurity companies score 63% below the web average on demonstrating Experience, Expertise, Authoritativeness, and Trustworthiness. These are the companies that publish whitepapers about threat landscapes, hire PhDs in cryptography, and present at Black Hat. And their websites do a worse job of communicating expertise than the average recipe blog or furniture store.
The EEAT framework measures signals like author credentials, organization schema markup, trust badges, source citations, contact information, and privacy policies. It's ironic that an industry obsessed with privacy policies somehow fails to implement them in ways that search quality raters would recognize.
EEAT Across Tech Subcategories
| Subcategory | Domains | EEAT Pass (A+B) |
|---|---|---|
| InfoSec | 6,738 | 9.0% |
| Cloud Computing | 1,918 | 7.7% |
| Programming | 28,094 | 6.7% |
| Software | 26,551 | 4.5% |
| Web Development | 22,436 | 2.8% |
| Web-wide average | 673,921 | 24.5% |
InfoSec actually has the highest EEAT pass rate among technology subcategories — a relative win. Security companies try harder than software companies to demonstrate expertise, which makes sense given that trust is their product.
But "best in tech" still means less than 10% passing, compared to 24.5% web-wide. The entire tech sector has a trust communication problem, and InfoSec — despite its best efforts — hasn't solved it.
WCAG Accessibility: A Modest Bright Spot
| Grade | InfoSec Domains | InfoSec % | Web-Wide % |
|---|---|---|---|
| A | 188 | 24.0% | 18.3% |
| B | 66 | 8.4% | 12.1% |
| C | 193 | 24.6% | 22.2% |
| D | 174 | 22.2% | 17.8% |
| F | 163 | 20.8% | 29.6% |
| Total | 784 |
InfoSec WCAG pass rate (A+B): 32.4%. Web-wide: 30.5%.
Cybersecurity sites are slightly above the web average on accessibility — the only quality dimension where they outperform. The 20.8% F rate (vs 29.6% web-wide) suggests that InfoSec sites are less likely to have catastrophic accessibility failures, even if they don't consistently achieve top marks.
This likely reflects the technical sophistication of the sites themselves. Many cybersecurity tools and dashboards are built by developers who at least consider semantic HTML, even if they don't explicitly target WCAG compliance.
Readability: Writing for Insiders
| Grade | InfoSec Domains | InfoSec % | Web-Wide % |
|---|---|---|---|
| A | 166 | 20.0% | 21.7% |
| B | 105 | 12.6% | 13.7% |
| C | 206 | 24.8% | 29.1% |
| D | 112 | 13.5% | 14.1% |
| F | 243 | 29.2% | 21.5% |
| Total | 832 |
InfoSec readability pass rate (A+B): 32.6%. Web-wide: 35.4%.
The 29.2% F rate (vs 21.5% web-wide) tells the real story: nearly a third of cybersecurity sites write content that's rated as very difficult to read. This is the jargon problem. Terms like "SIEM," "SOAR," "XDR," "EDR," "CASB," and "ZTNA" are second nature to security professionals but impenetrable to the decision-makers who actually buy these products.
The irony is sharp: security vendors need to convince non-technical executives (CISOs, CIOs, CFOs) to spend budget on their products. But their website copy reads like it was written for the engineers who will implement it, not the people who will authorize the purchase.
The CMS Landscape: What InfoSec Sites Run On
| Platform | InfoSec Domains | Share |
|---|---|---|
| WordPress | 1,344 | 9.1% |
| jQuery | 647 | 4.4% |
| Jekyll | 546 | 3.7% |
| Hugo | 256 | 1.7% |
| Drupal | 147 | 1.0% |
| Next.js | 117 | 0.8% |
| React | 78 | 0.5% |
| Ghost | 33 | 0.2% |
| Vue.js | 17 | 0.1% |
| Gatsby | 12 | 0.1% |
WordPress leads, as it does everywhere, but its 9.1% share in InfoSec is dramatically lower than its ~33% share of the general web. The standout is static site generators: Jekyll (3.7%) and Hugo (1.7%) have a combined 5.4% share — roughly 6x their web-wide presence.
This makes sense. Security researchers and companies often prefer static sites for several reasons: no server-side attack surface, version-controlled content via Git, and the cultural alignment between the "infrastructure as code" mindset and static site generators. Many vulnerability disclosure blogs, security advisories, and CTF writeups live on Jekyll/Hugo sites hosted on GitHub Pages or Netlify.
CMS Impact on InfoSec SEO
| Platform | InfoSec Domains (SEO) | Pass (A+B) | F Rate |
|---|---|---|---|
| Hugo | 199 | 1.5% | 76.4% |
| WordPress | 589 | 0.5% | 89.0% |
| Jekyll | 519 | 0.4% | 81.3% |
| InfoSec average | 8,335 | 0.29% | 94.4% |
Hugo InfoSec sites have the best SEO at 1.5% pass rate — 5x the InfoSec average. Jekyll sites have a lower F rate (81.3%) than WordPress (89.0%), meaning they fail less catastrophically. WordPress InfoSec sites perform roughly at the InfoSec average, which is a disappointment given WordPress's extensive SEO plugin ecosystem (Yoast, RankMath, etc.).
The static site generators' lower F rates suggest that their clean HTML output and fast page loads provide a structural SEO floor that WordPress's plugin overhead sometimes undermines.
CMS Impact on InfoSec EEAT
| Platform | InfoSec Domains (EEAT) | Pass (A+B) |
|---|---|---|
| WordPress | 334 | 22.4% |
| Hugo | 174 | 16.1% |
| Jekyll | 471 | 14.2% |
| Next.js | 48 | 6.3% |
| InfoSec average | 6,738 | 9.0% |
WordPress InfoSec sites crush EEAT with a 22.4% pass rate — 2.5x the InfoSec average and nearly at the web-wide average of 24.5%. WordPress's ecosystem of schema markup plugins, author bio widgets, and trust badge integrations directly translates into higher EEAT signals.
Jekyll falls behind despite its popularity in InfoSec. Static site generators make it easy to publish content but don't automatically generate the structured data, author credentials, and organizational signals that EEAT scoring rewards. The 14.2% pass rate suggests that Jekyll InfoSec sites are well-written (contributing to Experience and Expertise) but lack the metadata that signals Authoritativeness and Trustworthiness.
Next.js InfoSec sites have the lowest EEAT at 6.3%. These are typically custom-built, JavaScript-heavy applications that focus on functionality over content signals — the React "SPA problem" where the technology that enables the best user experience produces the weakest quality signals for search engines.
Server Infrastructure
| Server | InfoSec Domains |
|---|---|
| nginx | 2,477 |
| Apache | 2,376 |
| Cloudflare | 2,300 |
| LiteSpeed | 554 |
The server landscape is relatively balanced. Cloudflare's strong presence (2,300 domains) reflects the industry's comfort with CDN-based security — these are, after all, companies that understand DDoS protection. nginx's lead (2,477) aligns with its general popularity in the tech sector.
Server Impact on InfoSec SEO
| Server | InfoSec Domains (SEO) | Pass (A+B) | F Rate |
|---|---|---|---|
| Cloudflare | 1,469 | 0.41% | 92.2% |
| nginx | 1,682 | 0.18% | 96.3% |
| Apache | 1,348 | 0.15% | 98.1% |
| LiteSpeed | 375 | 0.00% | 97.9% |
Cloudflare InfoSec sites have the best SEO at 0.41% — still terrible, but 2.3x better than nginx. Cloudflare's edge-side optimizations (automatic HTTPS, HTTP/2, Brotli compression, automatic WebP) provide SEO benefits that raw nginx and Apache deployments don't include by default.
Apache InfoSec sites have a 98.1% F rate, the worst among the major servers. Many Apache-hosted InfoSec sites are likely legacy installations with years of accumulated technical debt.
The Full Scorecard
| Metric | InfoSec | Web-Wide | Difference |
|---|---|---|---|
| SEO Pass (A+B) | 0.29% | 0.48% | -40% |
| EEAT Pass (A+B) | 9.0% | 24.5% | -63% |
| WCAG Pass (A+B) | 32.4% | 30.5% | +6% |
| Readability Pass (A+B) | 32.6% | 35.4% | -8% |
| GARM A Rate | 100% | 94.1% | +6% |
The pattern is clear: cybersecurity websites are adequate on accessibility, acceptable on readability, and failing on SEO and EEAT. They're technically competent enough to produce accessible HTML but haven't invested in the content strategy, structured data, and metadata that drive discoverability and credibility signals.
Why This Matters
The EEAT gap isn't just an SEO problem — it's a business problem. Google's search quality guidelines explicitly weight EEAT for "Your Money or Your Life" (YMYL) topics, and cybersecurity is unambiguously YMYL. When a company fails to demonstrate expertise on its own website, Google has less reason to surface that company's content in search results.
This creates a vicious cycle: InfoSec companies with poor EEAT signals get less organic search visibility, which means they depend more on paid advertising and conference sponsorships for lead generation, which means they invest less in content quality, which further degrades their EEAT signals.
The companies that break this cycle — the 9% with passing EEAT grades — have a structural advantage over the 91% that don't.
The Shoemaker's Children
The cybersecurity industry has a well-known cultural problem: security professionals are so focused on protecting their clients' infrastructure that they neglect their own. It's the reason penetration testing firms run unpatched WordPress installations and threat intelligence companies have expired SSL certificates.
This analysis shows the problem extends beyond security posture to basic website quality. The industry that sells trust has a measurable trust deficit. The industry that employs technical experts fails to communicate expertise through the signals that actually matter for search visibility.
The fix isn't technical — it's cultural. Adding schema markup, author bios, and structured data to a cybersecurity website takes less effort than conducting a penetration test. Writing readable content for decision-makers takes less time than writing a vulnerability advisory. The skills exist within these organizations. The priority doesn't.
Until that changes, the cobbler's children will keep walking barefoot.
This analysis was conducted using LLMSE, which has classified over 1.4 million websites across SEO, EEAT, WCAG accessibility, readability, and GARM brand safety dimensions. All data reflects the database as of March 2026. To analyze your own site, visit llmse.ai/classify.