Measured, not assumed. We map live Nigerian infrastructure - banks, fintechs, healthcare, government, telecom, e-commerce, ISPs - and publish the aggregate data so the country has an honest picture of where the attack surface actually is.
Most "Nigerian cybersecurity" coverage is either breach-chasing (what just happened to Sterling, Flutterwave, Patricia) or vendor-marketing (why you need our MSSP). Neither answers the foundational question: across the sectors that matter, what does Nigerian enterprise infrastructure actually look like?
We built the dataset to answer it. DNS enumeration, live-host probing, HSTS coverage analysis, legacy-stack flagging, ASN mapping - applied consistently to 116 Nigerian organizations across banking, fintech, healthcare, telecom, government, e-commerce, and ISPs. What follows is the aggregate. No exploitation. No speculation. Just what a non-privileged observer can see.
| Sector | Orgs | Hosts | Avg HSTS coverage |
|---|---|---|---|
| Healthcare | 10 | 1,790 | |
| Banking | 9 | 1,005 | |
| Telecom | 17 | 947 | |
| Government | 5 | 472 | |
| E-commerce | 11 | 360 | |
| Fintech | 4 | 210 | |
| ISP | 8 | 164 |
The punchline: healthcare is the worst-of-the-worst (10 orgs, 1,790 hosts, 18.2% avg HSTS coverage - the sector holding the most patient and HMO records is also the sector most behind on basic transport security). Government is second-worst (24%). Fintech is the outlier on the good side (48.5% - CBN pressure appears to have moved the needle). Banking has improved meaningfully since prior refresh (now 46.6%, up from 36.6%). Telecom and e-commerce sit in the 28-35% range - still below what "reasonable security hygiene" looks like in 2026. ISPs don't have HSTS-measured data because the infrastructure they operate differs from the customer-facing web estates of the other sectors.
The orgs below have 6+ live hosts AND measurable HSTS coverage. Sorted worst-first. This is the list that matters operationally - small orgs fly under any attacker's radar, but anyone with 10+ subdomains IS on the radar and low HSTS is where attackers pivot.
| Organization | Sector | Hosts | HSTS | Legacy IIS |
|---|---|---|---|---|
| Hygeia HMO | Healthcare | 54 | 0% | 0 |
| 54gene | Healthcare | 50 | 0% | 0 |
| NCC | Government | 103 | 5% | 14 |
| NITDA | Government | 90 | 6% | 2 |
| Zenith Bank | Banking | 59 | 10% | 18 |
| Helium Health | Healthcare | 6 | 16% | 0 |
| 9mobile | Telecom | 35 | 17% | 0 |
| Jumia | E-commerce | 79 | 17% | 0 |
| Kuda | Fintech | 44 | 25% | 3 |
| Reliance HMO | Healthcare | 12 | 33% | 0 |
| GTBank | Banking | 81 | 38% | 18 |
| Access Bank | Banking | 381 | 40% | 19 |
| Konga | E-commerce | 25 | 52% | 0 |
| First Bank | Banking | 51 | 58% | 14 |
| CBN | Government | 42 | 59% | 8 |
| MTN | Telecom | 56 | 69% | 1 |
| Flutterwave | Fintech | 37 | 89% | 1 |
| Paystack | Fintech | 35 | 91% | 0 |
| No organizations match your filters. Clear all filters | ||||
What this table tells you: two healthcare orgs (Hygeia HMO + 54gene) have exactly zero HSTS coverage across 100+ hosts combined. Two government regulators (NCC + NITDA) are effectively unhardened at 5-6% coverage. The biggest Nigerian bank by host count (Access Bank at 381 live hosts) sits at 40% - better than peers, still not good. The fintech gap between Kuda (25%) and Flutterwave/Paystack (89-91%) shows what regulatory + institutional maturity does to a sector.
What we do: DNS enumeration (Amass + DNSX + crt.sh), live-host probing (httpx), HSTS + security-header coverage analysis (per-host), legacy-stack fingerprinting (ASP.NET / IIS version detection from response signatures), ASN ownership mapping, sector classification.
What we don't do: exploitation, authenticated scanning, internal-network probing, data extraction, or any form of active intrusion. Everything on this page is observable from a non-privileged outside position - the same position a potential attacker has on day one.
Cadence: portal refreshes weekly. Methodology details in the companion blog post. Quarterly deep-dive PDF reports start Q2 2026.
Your organization is on the list. The aggregate is public; the per-org detail is not. If you want the full 42-checkpoint scan for your organization - HSTS coverage per host, legacy-stack list, exposed-subdomain map, NDPA 2023 compliance gaps, remediation roadmap - that's our Securva Snapshot product. Starts at $10 USD.
The data is free to cite. Email [email protected] with the specific sector / time window you need and we'll send the backing data. We're also drafting a quarterly "State of Nigerian Infrastructure Security" PDF report - first edition lands Q2 2026. Email to be on the notification list.
Same email. We do coordinated first-party disclosure for free on request - no public shaming, no media, no monetization of the finding. Rotation window standard 14 days.
42-check security + NDPA 2023 audit for any Nigerian organization. PDF report delivered within 24 hours. Starts at $10 USD. Refundable if not useful.
See the Snapshot →This is a living dataset. It grows as we scan. Current coverage spans 6 sectors; Phase 4 (fintech deep-scan) is in progress and will add roughly 15-20 more organizations. Phase 5 (insurance) is next. Phase 6 (edtech) after that. Target: 200+ orgs by end of Q2 2026, 500+ by year-end. Every Phase-N run expands the public portal you're reading now.
If there's a specific organization or sector you think should be on the list, email [email protected]. Additions driven by user requests + our own breach-response rotation.