Zscaler: 10% of sites are malicious, another 10% suspicious

Zscaler: 10% of sites are malicious, another 10% suspicious

Summary: Zscaler says the larger majority of websites are safe, but approximately 1 in every 5 of them can be classified as either malicious or suspicious. You can run the same tool on your own website.


How many websites on the Internet are malicious? How many of them aren't? While we'll never get exact numbers, one estimate says that almost 1 in 10 are malicious, while approximately 1 in 10 of them are suspicious.

So, where did those numbers come from? Zscaler developed a tool called Zulu, which runs the following tests on any URL you choose: External elements, Content checks, URL checks, and Host checks. It then gives a final security rating out of a score from 0 to 100. Between 0 and 49 is rated as Benign, between 50 and 74 is marked Suspicious, and between 75 and 100 is classified as Malicious.

Zscaler ran 27,000 website URLs through its tool to give you an idea of the security for the broader Web. 81 percent of sites were found to be Benign, 9.5 percent were found to be Suspicious, and another 9.5 percent were considered to be Malicious.

These numbers will of course vary based on the sample of websites chosen. I would say 27,000 is a decent size to test given there is no way to run the test on every single URL out there. I would assume Zscaler will keep us posted as more of users test their sites as well as others they stumble on.

I ran the tool on zdnet.com. The cool thing is that after Zulu runs once, you can share the results with anyone without having to run the tool again: report. As you can see in the screenshot above, ZDNet scored 13/100, giving it a Benign classification. On the flipside, sites change, so I would assume reports such as this one will expire.

Run Zulu on your website and let me know how it fares. It's not exactly the most accurate tool, but it gives you a good idea as to what you may want to fix.

See also:

Topics: Software Development, Banking, Browser, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Pretty Useless due to false positives

    It will mark almost any site on shared hosting (GoDaddy, HostGator, etc) as suspicious. I also flags self-hosted WordPress sites as suspicious. If you host local jquery scripts, it will mark the site as malicious.
    • Wordpress

      Wordpress might be coming up as suspicious due to the big problems it had a couple of months ago. A lot of authors use wordpress for their blogs, and 3 that I follow had issues with malicious downloads showing up on their sites, and had to shut down for several days until the problem was resolved. I know one author dumped off her site entirely, and restored to a new site with her backups because they couldn't get it cleaned quickly enough.
  • I picked a site I knew was trouble

    I was on a site this weekend that tried to serve up the fake Antivirus Malware, so I ran that site through and it came up as suspicious. So, if anything, that particular evaluation erred on the low end. Let's just say that it's a site that is becoming popular, where it shows funny autocorrects... hint hint.

    Another site where I've gotten an infection in the past misses being suspicious by 1 point.