The Multinational Posture Baseline measures the public-facing security posture of global mega-cap companies on their .com apex domains — including Australian-headquartered multinationals. Each quarterly edition scans a deterministic sample across the Security, Email and Domain categories of every Red Bridge Cyber scan. This is the top of the comparison ladder: the brands with the largest security budgets on the planet. Where they still miss the basics, the lesson for a small business is that posture is about discipline, not headcount — and where they get it right, the gap shows exactly what good looks like.
When an article on this site says something like (Red Bridge Cyber Multinational Posture Baseline, June 2026), this page is what that citation points to.
Current edition — June 2026
The June 2026 edition (the first) scanned a deterministic sample of 75 domains drawn from a validated pool of multinational .com domains, completing on 12 June 2026. Results are below; how every number is produced is described in the Methodology section.
Executive summary of findings
The June 2026 edition scanned 75 global mega-cap companies on their .com apex domains — the brands with the largest security budgets on the planet. They are the best cohort measured, and the bar they set is an E: the median multinational website scores 47/100 for web security, with a B for email posture and an E (49/100) for DNS hardening.
- Best in class is still not good. Only 13% of scored sites reach security grade A or A+; 19% land in the F band.
- The deliberate controls lead everywhere. CSP missing on only 45% (every other cohort: 70%+), HSTS missing on just 23%, and 23% publish a security.txt — the strongest header discipline in the programme.
- Email enforcement is near-universal. 97% publish DMARC, 83% enforce it.
- Even here, DNS hardening lags. DNSSEC 7% and CAA 25% — the highest CAA adoption of any cohort, and still only one in four.
Full results tables below. 75 domains sampled, with every unscorable domain disclosed with its reason.
Email
Email posture — can the domain’s mail be trusted, and can the domain be spoofed? Median grade B (87/100). Share of the cohort passing each check:
| Check | % passing |
|---|---|
| Mail-routed (MX with STARTTLS) | 91% |
| SPF | 87% |
| DMARC | 77% |
| DKIM | 83% |
| MTA-STS | 8% |
| TLS-RPT | 12% |
| DNSSEC | 7% |
| Reverse DNS | 85% |
All 75 sampled domains were scoreable for email.
Domain
Domain (DNS) posture — the records that protect the domain name itself. Median grade E (49/100). Share of the cohort with each control in place:
| Check | % with control |
|---|---|
| SPF record | 97% |
| DMARC published | 97% |
| DMARC enforced (quarantine/reject) | 83% |
| DNSSEC | 7% |
| CAA record | 25% |
| MTA-STS | 12% |
| IPv6 at the apex | 15% |
All 75 sampled domains were scoreable for domain.
Security
Web security posture — TLS configuration, security headers and the basics of a defensible website. Median grade E (47/100), the weakest category measured. Share of scored sites missing each control:
| Check | % missing |
|---|---|
| HTTPS enforcement | 10% |
| HSTS | 23% |
| Content-Security-Policy | 45% |
| X-Content-Type-Options (nosniff) | 47% |
| Referrer-Policy | 68% |
| Permissions-Policy | 82% |
| TLS 1.3 | 26% |
| security.txt | 77% |
73 of 75 sampled domains scored (2 redirect-only — see Commentary).
Commentary
This is the top of the comparison ladder, and the reading cuts both ways. Where the multinationals get it right — security headers, DMARC enforcement, certificate policy — the gap to everyone else shows exactly what disciplined operations produce, and none of it depends on headcount: every leading control here is a configuration a small business can ship in an afternoon. Where they still miss — a fifth of the cohort in the security F band, DNSSEC in single digits — the lesson is that scale does not finish the job either.
For a small business, the honest takeaway is that the distance to "world class" on the public surface is far shorter than the brand names suggest. The median multinational scores 47/100; the controls separating an Australian SMB from that number are one-line headers and a DMARC policy change, not a security team.
Two of the 75 sampled domains could not be scored for security because their apex permanently redirects to a different domain — routine at this tier, where brand and holding-company structures move sites around — and they are disclosed above rather than hidden. Exclusion is always decided on objective criteria before any score is read. Every measurement uses the public surface only: DNS lookups, a normal page fetch, and public scanning endpoints.
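As an added example (not Red Bridge Cyber's scanner or scoring code), the Python below checks a set of response headers against the header controls listed in the Security table and classifies a DMARC record as published or enforced (quarantine/reject), the distinction the Domain table draws. The sample headers and TXT records are constructed, and counting `max-age=0` or a non-`nosniff` value as a missing control is an assumption of this example, not a documented rule of the baseline.

```python
import re

# Header name -> label used in the page's Security table.
HEADER_CONTROLS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "Content-Security-Policy",
    "x-content-type-options": "X-Content-Type-Options (nosniff)",
    "referrer-policy": "Referrer-Policy",
    "permissions-policy": "Permissions-Policy",
}

def missing_headers(headers):
    """Return the table labels of controls absent or ineffective in `headers`."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    missing = []
    for name, label in HEADER_CONTROLS.items():
        value = seen.get(name, "")
        ok = bool(value)
        if name == "x-content-type-options":
            ok = value.lower() == "nosniff"
        elif name == "strict-transport-security":
            # max-age=0 tells the browser to forget the HSTS policy.
            m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
            ok = bool(m) and int(m.group(1)) > 0
        if not ok:
            missing.append(label)
    return missing

def dmarc_status(txt_records):
    """Classify TXT records found at _dmarc.<domain>: none, published or enforced."""
    recs = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if len(recs) != 1:  # zero or several DMARC records: receivers apply no policy
        return "none"
    tags = {}
    for part in recs[0].split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip().lower()
    return "enforced" if tags.get("p") in ("quarantine", "reject") else "published"

# Constructed sample input (not scan data from the report).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_DMARC = ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print("missing:", missing_headers(SAMPLE_HEADERS))
    print("dmarc:", dmarc_status(SAMPLE_DMARC))
```

The sample DMARC record is the "published but not enforced" case: changing `p=none` to `p=quarantine` or `p=reject` is the policy change the commentary refers to.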
Methodology
Every cohort baseline is produced by the same methodology: quarterly cadence, a deterministic seeded sample drawn from a validated pool, and scan failures excluded before scoring — never on score. Read the full methodology on the research overview.
Previous editions
This baseline refreshes quarterly, and this page always carries the latest edition. As editions are superseded, their headline tables will be archived here so that any older citation can be checked against the edition it was drawn from.