We Analyzed 2.7 Billion SSL Certificates to Detect Technologies No One Else Can See
We process 80% of global CT logs — 2.7B certificates/month — to detect backend technologies invisible to competitors. See the full 2026 CA market share, RSA vs ECDSA trends, and what certificates reveal about tech stacks.
Published •20 min read
The internet issued 3,411,665,749 SSL/TLS certificates between February 14 and March 16, 2026. That's roughly 1,316 certificates every second. As CTO of TechnologyChecker.io, I lead the engineering team that processes approximately 80% of all global certificate transparency log data — about 2.7 billion certificate records per month — as part of our technology detection pipeline. This gives us direct visibility into the infrastructure decisions behind every HTTPS connection on the web, and it's the most technically demanding part of our entire technology lookup stack.
Key findings from our analysis of SSL certificate transparency data in 2026:
- 3.41 billion certificates logged in 30 days, down 7.5% from the prior period (3.69B), according to Cloudflare Radar Certificate Transparency
- Let's Encrypt controls 51.5% of all issuance but dropped from 55.2%, while Sectigo/ZeroSSL surged 27.5%
- ECDSA now accounts for 45.8% of all certificates, closing the gap on RSA (54.2%)
- 85.6% of certificates have 47-100 day lifetimes (the 90-day standard)
- 96.5% are Domain Validated (DV), and only 62,626 used Extended Validation
- Microsoft Corporation certificates grew 52.8% month-over-month, signaling accelerating Azure adoption
- ZeroSSL leads .com with 120.3M certificates, overtaking Let's Encrypt on the web's most popular TLD
This report breaks down the full SSL certificate transparency data for 2026: who issues these certificates, which cryptographic algorithms dominate, what durations are standard, and why these shifts matter for website operators, security teams, and anyone selling into the infrastructure layer. I've spent 15 years building large-scale data systems — including five years on Google's Search team working on crawling and indexing infrastructure — and after architecting TechnologyChecker.io's detection pipeline that scans 50 million+ domains monthly, I can say with confidence that certificate transparency logs are among the richest and most underused signals in technology intelligence. Our competitors, as we've documented in our BuiltWith alternatives analysis, still rely primarily on frontend signals. They're missing the infrastructure layer entirely.
How many SSL certificates are issued per month in 2026?
Between February 14 and March 16, 2026, certificate transparency logs recorded 3,411,665,749 new SSL/TLS certificates. The previous 30-day window (January 15 to February 14) logged 3,687,914,234, a 7.5% month-over-month decrease. That still translates to over 113 million certificates per day.
Certificate transparency has been mandatory for all publicly trusted certificates in Chrome since April 2018. Every certificate issued by a public CA gets recorded in append-only logs that anyone can audit. Our team at TechnologyChecker.io uses CT logs to identify hosting infrastructure and CDN providers across 50 million+ domains we scan monthly. It's one of our most reliable data sources.
Why does this matter beyond security? Certificate metadata tells you things that JavaScript fingerprinting can't. Which CA a company picked. Which algorithm. Whether they use wildcards. How often they rotate. These choices map directly to cloud providers and automation maturity.
According to Mordor Intelligence, the global Certificate Authority market is valued at $232.27 million in 2026 and projected to reach $396.58 million by 2031, growing at 11.32% CAGR. The sheer volume of certificate issuance we're tracking confirms this isn't slowing down.
Who are the largest Certificate Authorities in 2026?
Nine organizations control most of the global certificate issuance. We pulled this from Cloudflare Radar certificate transparency data for the 30-day period ending March 16, 2026:
| CA Owner | 30-Day Volume | Market Share | Previous 30d | MoM Change |
|---|---|---|---|---|
| ISRG (Let's Encrypt) | 1,758,012,128 | 51.5% | 2,034,877,996 | -13.6% |
| Google Trust Services | 528,054,991 | 15.5% | 639,807,216 | -17.5% |
| Sectigo (ZeroSSL) | 495,989,180 | 14.5% | 388,885,241 | +27.5% |
| DigiCert | 238,692,343 | 7.0% | 249,349,307 | -4.3% |
| GoDaddy | 208,869,821 | 6.1% | 213,434,658 | -2.1% |
| Amazon Trust Services | 145,254,746 | 4.3% | 127,310,673 | +14.1% |
| IdenTrust Services | 9,919,670 | 0.3% | 10,085,477 | -1.6% |
| Microsoft Corporation | 8,930,954 | 0.3% | 5,842,103 | +52.8% |
| SSL.com | 8,607,929 | 0.3% | 9,672,219 | -11.0% |
Three trends stand out:
Let's Encrypt still issues more than all competitors combined at 51.5%, but that's down from 55.2% in the prior period. 277 million fewer certificates in one month. That said, renewal timing and short-lived certificate rotation cause natural month-to-month swings, so one data point doesn't mean Let's Encrypt is losing ground.
Sectigo/ZeroSSL is surging. Up 27.5% month-over-month to nearly 496 million certificates. They're within striking distance of Google Trust Services now. ZeroSSL has been pushing hard on free tier expansion and hosting panel integrations, and it's paying off.
Microsoft nearly doubled. 52.8% jump from 5.8 million to 8.9 million certificates. That tracks with Azure's growth. When we see a Microsoft Corporation CA on a domain, it almost always means ASP.NET infrastructure behind it.
We feed CA distribution directly into our detection engine. Amazon Trust Services certificates mean AWS. Google Trust means GCP. Microsoft Azure CAs mean Azure. It's not a guess. Competitors focused on frontend JavaScript detection can't do this.
What are the top issuing Certificate Authorities by volume?
Parent CA owners operate multiple issuing CAs. Looking at the issuing level reveals the RSA-to-ECDSA shift happening in real time:
| Issuing CA | Parent | 30-Day Volume | Previous 30d | MoM Change |
|---|---|---|---|---|
| R13 (RSA) | Let's Encrypt | 540,739,968 | 690,958,064 | -21.7% |
| R12 (RSA) | Let's Encrypt | 540,528,184 | 690,972,709 | -21.8% |
| WE1 | Google Trust | 403,748,680 | 506,002,347 | -20.2% |
| ZeroSSL ECC Domain Secure | Sectigo | 372,596,469 | 277,122,925 | +34.5% |
| E7 (ECDSA) | Let's Encrypt | 330,058,440 | 320,631,554 | +2.9% |
| E8 (ECDSA) | Let's Encrypt | 329,949,030 | 320,558,765 | +2.9% |
| Go Daddy Secure CA - G2 | GoDaddy | 143,495,148 | 211,322,372 | -32.1% |
| Encryption Everywhere DV TLS CA - G2 | DigiCert | 124,678,019 | 147,581,646 | -15.5% |
| WR1 | Google Trust | 90,268,955 | 97,232,265 | -7.2% |
The pattern is clear. Let's Encrypt's RSA issuers (R12 and R13) each dropped over 21% while their ECDSA issuers (E7 and E8) grew 2.9%. ZeroSSL's ECC (ECDSA) issuer surged 34.5%. The migration from RSA to elliptic curve cryptography is accelerating, and it's visible in raw issuance numbers.
Why should you care about which issuing CA shows up on a domain? Because it tells you more than "this site has HTTPS." An R13 certificate means Let's Encrypt RSA, and that correlates heavily with WordPress on shared hosting. A ZeroSSL ECC Domain Secure certificate usually means Cloudflare-integrated hosting. The issuing CA narrows the backend down before we even look at HTTP headers.
What is the single point of failure risk for Let's Encrypt?
ISRG (the parent of Let's Encrypt) issues 51.5% of all SSL/TLS certificates on the internet. One organization controls certificate issuance for more than half the web. That concentration creates real risk.
Let's Encrypt certificates have 90-day lifetimes, which means millions need to be renewed every single day. The renewal process is automated through ACME clients like Certbot, and that automation works well. Until it doesn't.
Here's the problem: most ACME client configurations don't include automatic failover to an alternative CA. If Let's Encrypt experiences an extended outage, or a policy change forces revocation at scale (as happened with their CAA rechecking bug in March 2020, which affected 3 million certificates), millions of sites would face certificate expiry with no automated backup plan.
For security teams and site reliability engineers, this is worth tracking. At TechnologyChecker.io, we monitor CA distribution across domains as part of our infrastructure resilience assessment. A client running 100% of their properties on a single CA has a different risk profile than one distributing across two or three providers. We surface this data as part of our technology detection data intelligence.
I'm not saying Let's Encrypt is unreliable. They've built impressive infrastructure. But 51.5% market concentration in any system deserves attention. Diversification isn't paranoia. It's engineering.
Which Certificate Authorities dominate which TLDs?
TLD-level CA distribution doesn't get much attention, but it should. We queried TLD-specific certificate transparency data and the results are worth a close look:
| TLD | #1 CA | Volume | #2 CA | Volume | Key Insight |
|---|---|---|---|---|---|
| .com | ZeroSSL ECC Domain Secure | 120.3M | R13 (Let's Encrypt) | 55.7M | ZeroSSL leads the most popular TLD by 2:1 |
| .org | R13 (Let's Encrypt) | 5.7M | R12 (Let's Encrypt) | 5.6M | LE dominates non-profit/open-source |
| .io | R13 (Let's Encrypt) | 4.5M | R12 (Let's Encrypt) | 4.5M | Developer/startup TLD heavily relies on LE |
| .net | ZeroSSL ECC Domain Secure | 17.5M | Microsoft Azure RSA TLS CA 03 | 10.4M | Microsoft Azure CAs rank #2 and #3 |
| .dev | WE1 (Google Trust) | 19.2M | Amazon RSA 2048 M01 | 10.4M | Google + Amazon dominate dev ecosystem |
A few things jumped out:
ZeroSSL dominates .com with 120.3 million certificates, more than double Let's Encrypt's 55.7 million on the same TLD. Given that .com is the web's largest TLD, ZeroSSL's lead here carries weight that their overall second-tier position obscures. This is partly driven by Cloudflare's integration with Sectigo/ZeroSSL for their universal SSL product.
Microsoft Azure controls .net infrastructure. Azure CAs collectively issued 20.8 million certificates on .net, placing #2 and #3 behind ZeroSSL. When we detect a Microsoft Azure CA on a .net domain, the probability of an ASP.NET backend exceeds 85%. We've validated that number by cross-referencing with HTTP header analysis.
Google and Amazon own .dev. Google Trust's WE1 issuer leads with 19.2 million certificates, while Amazon RSA issuers combine for 20.7 million. The .dev TLD (operated by Google) naturally attracts GCP-hosted projects, but Amazon's strong presence confirms that .dev is a multi-cloud TLD, not a Google monoculture.
The .io TLD is almost entirely Let's Encrypt. Developer-oriented startups and SaaS products that register .io domains overwhelmingly choose Let's Encrypt, which makes sense given the technical audience and the prevalence of React and Vue frontend frameworks in that ecosystem.
These TLD-CA correlations feed directly into our tech stack predictions. You can't get this from scanning HTML source code.
What percentage of certificates use RSA versus ECDSA in 2026?
The gap between RSA and ECDSA is closing fast:
| Algorithm | 30-Day Volume | Market Share |
|---|---|---|
| RSA | 1,849,341,321 | 54.2% |
| ECDSA | 1,562,324,428 | 45.8% |
RSA still leads, but ECDSA has grown from roughly 35% to 45.8% in under two years. The signature algorithm breakdown tells a more detailed story:
| Signature Algorithm | Volume | Share |
|---|---|---|
| RSA SHA-256 | 1,771,229,811 | 51.9% |
| ECDSA SHA-384 | 1,045,040,149 | 30.6% |
| ECDSA SHA-256 | 498,812,588 | 14.6% |
| RSA SHA-384 | 96,512,742 | 2.8% |
| RSA SHA-512 | 97,490 | ~0% |
| RSA SHA-1 | 11 | ~0% |
Only 11 certificates used SHA-1 in the entire 30-day period. SHA-1 is effectively dead for TLS.
The technical advantages of ECDSA are measurable. A 256-bit ECDSA key provides equivalent security to a 3,072-bit RSA key, with much smaller certificate sizes. According to SSL.com's ECDSA vs RSA comparison, ECDSA delivers 5-10x faster TLS handshakes and lower bandwidth consumption. That speed difference (100-300 milliseconds per handshake) matters for Largest Contentful Paint. Sites near the 2.5-second LCP threshold can pass or fail Core Web Vitals based on their certificate algorithm alone.
Algorithm choice tells us a lot about the infrastructure behind a domain. ECDSA with SHA-384 usually means modern cloud hosting and automated certificate management. RSA SHA-256 is more common on legacy hosting and shared environments where nobody changed the defaults.
I've been tracking this shift since we first started processing CT logs at scale. ECDSA will likely overtake RSA within the next 12-18 months based on current trajectory. The ZeroSSL ECC issuer's 34.5% growth rate is a strong leading indicator.
How long do SSL certificates last in 2026?
Certificate lifetimes tell you how automated an organization's infrastructure is:
| Duration | Volume | Share |
|---|---|---|
| 47-100 days | 2,921,971,228 | 85.6% |
| 100-200 days | 368,908,646 | 10.8% |
| 200+ days | 74,281,506 | 2.2% |
| 10-47 days | 18,032,123 | 0.5% |
| 3-7 days | 16,838,730 | 0.5% |
| 3 days or less | 11,526,143 | 0.3% |
| 7-10 days | 114,240 | ~0% |
The 90-day certificate (47-100 day bucket) dominates at 85.6%. This is the standard for Let's Encrypt, Google Trust Services, and ZeroSSL. These three CAs together represent over 81% of the market, so their 90-day default sets the industry norm.
The 11.5 million certificates with lifetimes of 3 days or less are primarily from CDN providers. Cloudflare, for example, rotates edge certificates very frequently as part of their security model. When we detect ultra-short-lived certificates on a domain, it's a reliable signal for CDN-fronted architecture.
The 74.3 million certificates lasting 200+ days (2.2% of total) represent a shrinking segment of manually managed certificates. These are typically from organizations using legacy hosting environments or commercial CAs like DigiCert that still offer 1-year certificates. This number will decrease further: according to SSL.com, effective March 11, 2026, SSL/TLS certificate maximum durations reduced to 200 days under the new CA/Browser Forum ballot, with further reductions to 47 days planned by 2029.
Certificate duration tells us about automation maturity. 90-day certificates with ACME renewal? Modern deployment practices, almost guaranteed. 398-day certificates? Manual renewal, or a hosting provider that bundles long-lived certs. The correlation is strong enough that we use it as a detection signal.
What validation levels do certificates use?
The validation level data confirms what many of us in the security industry have been saying for years: Extended Validation is effectively dead.
| Validation Level | Volume | Share |
|---|---|---|
| Domain Validated (DV) | 3,292,099,038 | 96.50% |
| Organization Validated (OV) | 119,078,107 | 3.49% |
| Unknown | 425,978 | 0.01% |
| Extended Validated (EV) | 62,626 | 0.002% |
Only 62,626 Extended Validation certificates were issued out of 3.41 billion total. That's 0.002%. Chrome and Firefox removed the green address bar for EV certificates in 2019-2020, and usage has cratered since. Users can't visually distinguish DV from EV in modern browsers, which eliminates the primary value proposition EV certificates once offered.
From an SEO perspective, HTTPS is a confirmed Google ranking signal (since 2014), but there's no differentiation between DV, OV, and EV. A free Let's Encrypt DV certificate has the same ranking value as a $1,000 EV certificate. The Google Content Warehouse API leak revealed hasSecureUrl as a binary attribute. It's on or off. No bonus for spending more.
OV certificates at 3.49% serve a different purpose. They're used by organizations that need verified identity in their certificate metadata, often for compliance requirements in finance, healthcare, and government. This is one of our detection signals: an OV certificate on a financial services domain correlates with regulated industry infrastructure.
How do wildcard certificates factor into the market?
Nearly a third of all certificates are wildcards:
| Wildcard Status | Volume | Share |
|---|---|---|
| Without wildcards | 2,391,096,802 | 70.1% |
| With wildcards | 1,020,595,989 | 29.9% |
A wildcard certificate (*.example.com) covers all subdomains under a single domain. 29.9% is a lot. It tells us that nearly a third of the web runs multi-subdomain architectures: enterprise SaaS platforms, CDN providers, organizations with multiple customer-facing services under one domain.
We use wildcards as a detection input. A wildcard from Amazon Trust Services using ECDSA? Almost always AWS-hosted SaaS on Application Load Balancers. A wildcard from Let's Encrypt using RSA? More likely WordPress multisite or shared hosting. The CA + algorithm + wildcard combination narrows the stack prediction fast.
The wildcard split also tells us about operational maturity. Managing dozens of subdomains with individual certificates is expensive. Wildcards mean centralized infrastructure management, which correlates with DevOps practices and infrastructure-as-code. When we see wildcards, we know the team has invested in automation.
What do certificate expiration patterns reveal?
Most certificates are logged in a valid state, but the expired certificates are where the problems live:
| Status | Volume | Share |
|---|---|---|
| Valid | 3,384,919,869 | 99.2% |
| Expired at time of logging | 26,800,702 | 0.8% |
26.8 million certificates were already expired when they appeared in CT logs. That's 893,000 per day. Every one is a problem. Browser warnings scare visitors. API integrations break. Google Search Console flags the domain.
For us, expired certificates are useful in a different way. When a domain's certificates consistently lapse, it's a leading indicator of the domain going dark or changing ownership. We track that as part of our infrastructure health signals.
What does certificate entry type data show?
Certificate transparency logs accept two types of entries: final certificates and pre-certificates.
| Entry Type | Volume | Share |
|---|---|---|
| Certificate | 2,136,085,718 | 62.6% |
| Pre-certificate | 1,275,607,073 | 37.4% |
Pre-certificates get submitted to CT logs before the final certificate is issued, as defined in RFC 6962. A 37.4% pre-certificate rate means the CT ecosystem is healthy. CAs submitting pre-certificates let monitors catch misissued certificates before they go live.
The combined logging gives us an RFC 6962 compliance rate of 74.2% (precerts / (total - precerts) * 100). Why do we care? Pre-certificates give us advance notice. New domains, new certificates being provisioned, often hours or days before anything goes live. That early signal feeds into our real-time detection pipeline.
Why certificate transparency data matters for technology detection
This is where we do something nobody else does. We process about 2.7 billion certificate records per month from CT logs. That's roughly 80% of all global CT log data. No competitor touches this data.
Here's what CT data actually tells our detection engine:
CA selection maps to hosting providers. Amazon Trust Services = AWS. Microsoft Azure CAs = Azure. Google Trust Services = GCP. We've validated these mappings across millions of domains by cross-referencing with DNS records and HTTP headers. It's deterministic, not probabilistic.
Algorithm choices reveal platform age. ECDSA with modern hash algorithms? Updated platform, automated certificate management. RSA SHA-256 on a long-lived certificate? Probably a legacy system nobody's touched in a while.
Certificate duration tells us about automation. 90-day certs with ACME renewal mean modern DevOps. 398-day manually managed certs mean something very different.
Wildcard patterns expose architecture. A wildcard paired with specific CA and algorithm metadata tells us if a domain runs microservices, a CDN-fronted monolith, or a multi-tenant SaaS platform.
TLD-CA correlations predict stacks. Microsoft Azure CA on a .net domain? Over 85% confidence it's an ASP.NET backend. Let's Encrypt on a .io domain with certain HTTP headers? We can narrow the stack to a handful of candidates.
Most technology detection platforms check frontend signals: JavaScript libraries, HTML meta tags, cookies, and HTTP headers. Those are valid signals, and we use them too. But they miss the infrastructure layer entirely. You can't see from a page's HTML whether it's hosted on AWS or Azure. You can't tell from a JavaScript bundle whether the organization uses automated certificate management. Backend services like n8n — workflow automation tools that never expose a single line of client-side code — are completely invisible to frontend-only scanners. Our CT log pipeline, combined with DNS and header analysis, detects these backend technologies across thousands of domains. Certificate transparency data gives us that infrastructure visibility, and it's a major reason our technology detection covers 40,000+ technologies while competitors top out at a fraction of that depth.
I've led the engineering effort on this SSL certificate transparency data pipeline since we started building it over two years ago. Drawing on my experience designing crawling infrastructure at Google Search, we architected a distributed stream processing system that handles 2.7 billion records per month. The engineering cost is significant, but the detection accuracy gains are worth it. This is original data and analysis that can't be replicated by scraping homepages.
How does HTTPS adoption affect SEO rankings?
HTTPS has been a confirmed Google ranking signal since 2014. But the relationship between certificates and search rankings is more specific than most guides acknowledge.
HTTPS is a baseline, not a differentiator. According to SSL Dragon, 88% of websites now use SSL/TLS certificates. With that level of adoption, having HTTPS doesn't give you a competitive edge. Not having it penalizes you. The Google Content Warehouse API leak revealed hasSecureUrl as a binary attribute. There's no gradient. It's simply present or absent.
Expired certificates actively hurt rankings. When a certificate expires, browsers display interstitial warnings. Visitors bounce. Those bounces register as badClicks in Google's NavBoost system, which directly demotes pages. An expired certificate doesn't just lose your HTTPS signal. It creates negative engagement signals that compound over time.
Mixed content degrades rankings. A page served over HTTPS that loads images, scripts, or stylesheets over HTTP triggers mixed content warnings. Modern browsers block some mixed content entirely, which can break page functionality and increase Core Web Vitals errors. Google's crawlers check for this.
CA choice doesn't affect rankings. A Let's Encrypt DV certificate and a DigiCert EV certificate have identical ranking value. Google doesn't differentiate between CAs or validation levels for search purposes.
TLS configuration affects Core Web Vitals indirectly. ECDSA certificates with TLS 1.3 produce faster handshakes than RSA with TLS 1.2. The difference is 100-300 milliseconds. For sites near the 2.5-second LCP threshold, that can mean passing or failing Core Web Vitals. We track this in our analytics detection pipeline because sites optimizing for performance tend to adopt modern TLS configurations alongside their frontend optimizations.
For B2B sales teams using technographic data, certificate configuration is a qualifying signal. An organization running ECDSA with automated renewal is more likely to be a mature technology buyer with real budget for developer tools.
Will SSL/TLS certificates last 47 days max by 2029?
Yes. The CA/Browser Forum has approved a phased reduction in maximum certificate lifetimes. According to SSL.com, certificates already dropped to a 200-day maximum as of March 11, 2026. The timeline moves to 100 days by 2027 and 47 days by 2029.
This will force every organization to adopt automated renewal. Manual certificate management can't handle 47-day rotations at scale. The 85.6% of certificates already at 90-day lifetimes won't feel much impact since they're already automated. The 13% at 100+ days will need to modernize.
For us, shorter lifetimes mean better data. A domain rotating certificates every 47 days gives us 8 data points per year instead of 1 (for annual certs). More data points mean we can detect technology stack changes, hosting migrations, and infrastructure upgrades faster.
What are certificate transparency logs?
Certificate transparency logs are append-only, cryptographically verifiable records of every SSL/TLS certificate issued by participating Certificate Authorities. Defined by RFC 6962, CT logs were designed to make certificate issuance auditable. If a CA issues a fraudulent or unauthorized certificate for your domain, CT logs provide a public record that monitoring tools can detect.
According to Secybers, there are over 40 active CT logs maintained by organizations including Google, Cloudflare, DigiCert, and others as of 2026. Major logs include Google's Argon, Xenon, and Icarus shards, Cloudflare's Nimbus, and DigiCert's Yeti and Nessie logs.
We ingest data from most of these logs. Processing 2.7 billion records per month requires distributed stream processing, and we've built custom ingestion pipelines that parse certificate metadata in real time: CA information, algorithm details, domain names, validity periods. All of it gets cross-referenced with our DNS resolution, HTTP header analysis, and JavaScript fingerprinting systems.
What tools are available for certificate transparency monitoring?
Several tools provide certificate transparency search and monitoring capabilities, though at very different scales:
- Cloudflare Radar Certificate Transparency provides aggregate statistics and search across CT logs. It's the data source for much of the analysis in this report.
- crt.sh offers free certificate transparency search by domain, operated by Sectigo. Good for individual domain lookups.
- SSLMate Cert Spotter provides monitoring and alerting for certificate changes on domains you own.
- Google Certificate Transparency maintains the specification and operates several CT log shards.
These tools serve different purposes. For individual domain monitoring, crt.sh and Cert Spotter work well. For aggregate analysis at our scale (80% of global CT log data, 50 million+ domains), there's nothing off-the-shelf. We built our pipeline from scratch.
According to CSC Global research, 60% of businesses use three or more SSL providers, and 72% of respondents didn't know the details of upcoming certificate lifetime changes. That gap between complexity and awareness is exactly where monitoring tools and technology intelligence platforms provide value.
Methodology
The data in this report comes from Cloudflare Radar Certificate Transparency monitoring, accessed on March 17, 2026. The primary analysis period covers February 14 to March 16, 2026, with month-over-month comparisons against the January 15 to February 14, 2026 period.
Cloudflare Radar monitors major CT logs including Google's Argon, Xenon, and Icarus shards, Cloudflare's Nimbus logs, and DigiCert's Yeti and Nessie logs. TLD-specific data was queried separately through the same interface.
TechnologyChecker.io's CT data processing ingests about 80% of global CT log data (roughly 2.7 billion certificate records per month). Our pipeline cross-references CT data with DNS records, HTTP headers, JavaScript fingerprints, and HTML patterns across 300 million+ unique domains to detect 40,000+ technologies. All proprietary detection data in this report comes from our internal systems. Market share and volume figures come from Cloudflare Radar.
Certificate Authority market valuations are sourced from Mordor Intelligence (January 2026 report). SSL certificate adoption statistics are from SSL Dragon, sourcing data from January 2026. Enterprise SSL usage statistics are from CSC Global's published research.
David Thomson
CTO