Measured, not assumed. We map live Nigerian infrastructure — banks, fintechs, healthcare, government, telecom, e-commerce — and publish the aggregate data so the country has an honest picture of where the attack surface actually is.
Most "Nigerian cybersecurity" coverage is either breach-chasing (what just happened to Sterling, Flutterwave, Patricia) or vendor-marketing (why you need our MSSP). Neither answers the foundational question: across the sectors that matter, what does Nigerian enterprise infrastructure actually look like?
We built the dataset to answer it. DNS enumeration, live-host probing, HSTS coverage analysis, legacy-stack flagging, ASN mapping — applied consistently to 96 Nigerian organizations across banking, fintech, healthcare, telecom, government, and e-commerce. What follows is the aggregate. No exploitation. No speculation. Just what a non-privileged observer can see.
| Sector | Orgs | Hosts | Avg HSTS coverage |
|---|---|---|---|
| Banking | 9 | 933 | |
| Telecom | 9 | 248 | |
| Government | 4 | 239 | |
| Healthcare | 4 | 122 | |
| Fintech | 4 | 117 | |
| E-commerce | 2 | 104 |
The punchline: healthcare is an outlier on the bad side (12.3% avg HSTS across 122 hosts — the sector of patient data is the sector with the worst baseline). Fintech is the outlier on the good side (51.3% — regulatory pressure from CBN appears to have moved the needle). Banking, telecom, government, e-commerce are all in the 30-37% range — comfortably below what "reasonable security hygiene" looks like in 2026.
The orgs below have 6+ live hosts AND measurable HSTS coverage. Sorted worst-first. This is the list that matters operationally — small orgs fly under any attacker's radar, but anyone with 10+ subdomains IS on the radar and low HSTS is where attackers pivot.
| Organization | Sector | Hosts | HSTS | Legacy IIS |
|---|---|---|---|---|
| Hygeia HMO | Healthcare | 54 | 0% | 0 |
| 54gene | Healthcare | 50 | 0% | 0 |
| NCC | Government | 103 | 5% | 14 |
| NITDA | Government | 90 | 6% | 2 |
| Zenith Bank | Banking | 59 | 10% | 18 |
| Helium Health | Healthcare | 6 | 16% | 0 |
| 9mobile | Telecom | 35 | 17% | 0 |
| Jumia | E-commerce | 79 | 17% | 0 |
| Kuda | Fintech | 44 | 25% | 3 |
| Reliance HMO | Healthcare | 12 | 33% | 0 |
| GTBank | Banking | 81 | 38% | 18 |
| Access Bank | Banking | 381 | 40% | 19 |
| Konga | E-commerce | 25 | 52% | 0 |
| First Bank | Banking | 51 | 58% | 14 |
| CBN | Government | 42 | 59% | 8 |
| MTN | Telecom | 56 | 69% | 1 |
| Flutterwave | Fintech | 37 | 89% | 1 |
| Paystack | Fintech | 35 | 91% | 0 |
What this table tells you: two healthcare orgs (Hygeia HMO + 54gene) have exactly zero HSTS coverage across 100+ hosts combined. Two government regulators (NCC + NITDA) are effectively unhardened at 5-6% coverage. The biggest Nigerian bank by host count (Access Bank at 381 live hosts) sits at 40% — better than peers, still not good. The fintech gap between Kuda (25%) and Flutterwave/Paystack (89-91%) shows what regulatory + institutional maturity does to a sector.
What we do: DNS enumeration (Amass + DNSX + crt.sh), live-host probing (httpx), HSTS + security-header coverage analysis (per-host), legacy-stack fingerprinting (ASP.NET / IIS version detection from response signatures), ASN ownership mapping, sector classification.
What we don't do: exploitation, authenticated scanning, internal-network probing, data extraction, or any form of active intrusion. Everything on this page is observable from a non-privileged outside position — the same position a potential attacker has on day one.
Cadence: portal refreshes weekly. Methodology details in the companion blog post. Quarterly deep-dive PDF reports start Q2 2026.
Your organization is on the list. The aggregate is public; the per-org detail is not. If you want the full 42-checkpoint scan for your organization — HSTS coverage per host, legacy-stack list, exposed-subdomain map, NDPA 2023 compliance gaps, remediation roadmap — that's our Securva Snapshot product. Starts at $10 USD.
The data is free to cite. Email [email protected] with the specific sector / time window you need and we'll send the backing data. We're also drafting a quarterly "State of Nigerian Infrastructure Security" PDF report — first edition lands Q2 2026. Email to be on the notification list.
Same email. We do coordinated first-party disclosure for free on request — no public shaming, no media, no monetization of the finding. Rotation window standard 14 days.
42-check security + NDPA 2023 audit for any Nigerian organization. PDF report delivered within 24 hours. Starts at $10 USD. Refundable if not useful.
See the Snapshot →This is a living dataset. It grows as we scan. Current coverage spans 6 sectors; Phase 4 (fintech deep-scan) is in progress and will add roughly 15-20 more organizations. Phase 5 (insurance) is next. Phase 6 (edtech) after that. Target: 200+ orgs by end of Q2 2026, 500+ by year-end. Every Phase-N run expands the public portal you're reading now.
If there's a specific organization or sector you think should be on the list, email [email protected]. Additions driven by user requests + our own breach-response rotation.