What 30 Days of Real Scans Revealed: 730 Submissions, 9 Threats, 3 Surprises (June 2026)

Published: 6 June 2026 | 9 min read | By ScanTotal Security Team
Last reviewed: 6 June 2026 by Kumari Rajapaksha — Founder, ScanTotal

This is the first time ScanTotal has published a transparency report. The numbers below are the unedited 30-day data from our scanners for the window ending 6 June 2026 — total scan volume, threat detections, daily trends, and the geographic distribution of who actually submitted scans. The data lives in our public dashboard at /threat-stats/; this post interprets what it actually means.

The dashboard view shows the headline figures clearly enough. What it doesn’t show is the texture — the three findings that make the data more interesting than the totals alone, including one that genuinely surprised us. This post walks through those.

The headline numbers

Total scans: 730 (past 30 days)
Threats caught: 9 (URL only, no test sigs)
Detection rate: 1.2% (% of scans flagged)

730 scans across 31 days is an average of ~24 scans per day. The actual daily range was 6 to 47 — meaning some days got 4× the traffic of others, with no obvious weekday/weekend pattern. URL submissions dominated (441 scans, 60% of volume); file submissions came second (289 scans, 40%). The other tools — email, SMS, QR, threat-intel search — logged smaller volumes in this period.

Nine threats from 730 scans is a detection rate of 1.2%. We’ll come back to what that number actually means — it’s neither a weakness nor a brag — in the methodology note below.

Daily scan volume & threats

[Chart: Daily scan volume and threats caught, 7 May to 6 June 2026. A line chart showing scans per day (blue) and threats caught per day (orange dashed) over 31 days. The scan volume varies between roughly 6 and 47 per day with no clear pattern. The threat line is at zero on 27 of 31 days, with spikes on 4 specific days.]
Daily scan volume vs threats caught, 7 May – 6 June 2026. Note that the orange threat line is at zero for 27 of 31 days — the 9 confirmed threats clustered into just 4 specific days.

Finding 1 — The file scanner caught zero threats

Across 289 file scans in the window, our file scanner reported zero confirmed threats. Across 441 URL scans in the same window, the URL scanner caught nine. Same audience, same site, same 30 days — one tool finds the threats, the other doesn’t.

The reflex interpretation is "the file scanner is broken" or "the database needs more signatures". Neither matches what we see in the dataset. The likely explanation is upstream — the kind of submission each tool receives is fundamentally different.

People upload files they suspect are clean. Someone receives a PDF from a known contact and isn’t sure whether to open it. They upload it “just to check”. The base rate of actual malware in that population is genuinely low, because the user’s intuition has already filtered out most obviously dangerous files.

People paste URLs they suspect are dangerous. Someone gets a phishing SMS at 9pm. They paste the link into our scanner specifically because the surrounding context (urgency, unknown sender, claim of unpaid bill) has already triggered suspicion. The base rate of actual threats in this population is higher, because the user has self-selected for "something feels wrong about this".

The two tools are seeing two genuinely different sample distributions. The URL detection rate (2.0%) reflects "things people are already suspicious of, half-confirmed by us". The file detection rate (0%) reflects "things people thought were probably fine, confirmed by us as actually fine". Both numbers are correct; they’re measuring different upstream selections.

This matters for what we ship next. If we wanted to drive up file-scan detection, we’d have to change the user behaviour that brings files to us — e.g. promoting the file scanner specifically for "I just downloaded this and I’m not sure if it’s real" use cases rather than "double-check my legitimate download". That’s a positioning decision, not a detection-engine improvement.

The lesson generalises: low detection rate can indicate a detection problem, but more often it indicates an upstream-selection problem. The fix lives in marketing, not signatures.
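A quick way to check how much the 0-of-289 and 9-of-441 counts can actually support, as an added example (not ScanTotal's code): 95% Wilson intervals for each rate, plus the hypergeometric probability that all nine detections would land in URL scans if both tools saw the same underlying threat rate. Only the counts come from the report; the function names are illustrative.

```python
import math

# (confirmed threats, scans) per tool, taken from the report's figures
COUNTS = {"url": (9, 441), "file": (0, 289), "all": (9, 730)}


def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for a proportion; stays sensible when hits == 0."""
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def prob_zero_file_hits(total_hits, url_n, file_n):
    """Chance that every hit falls among the URL scans if hits were spread
    over all scans without regard to tool (hypergeometric, one-sided)."""
    return math.comb(url_n, total_hits) / math.comb(url_n + file_n, total_hits)


def summarise():
    """Return {tool: (rate, low, high)} for each tool in COUNTS."""
    out = {}
    for tool, (hits, n) in COUNTS.items():
        low, high = wilson_interval(hits, n)
        out[tool] = (hits / n, low, high)
    return out


if __name__ == "__main__":
    for tool, (rate, low, high) in summarise().items():
        print(f"{tool:>4}: {rate:.2%}  (95% CI {low:.2%} to {high:.2%})")
    p = prob_zero_file_hits(9, 441, 289)
    print(f"P(all 9 hits in URL scans | same rate) = {p:.4f}")
```

With these counts the file-scan interval tops out near 1.3%, and the same-rate scenario has roughly a 1% chance, which is consistent with the two tools receiving different submission populations.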

Finding 2 — Threats arrived in 4 days, not 30

If you read "9 threats in 30 days", the intuition is roughly "one threat every 3-4 days". The actual distribution is nothing like that. Twenty-seven of the 31 days in our window saw zero threats. The other four days carried all nine. Two days were tightly clustered in late May, two more in early June.

This isn’t random scatter; it’s a real pattern. Threats arrive in waves, not as a steady drip. The most likely explanation: active phishing campaigns hit during specific windows — an attacker sends a million SMS in a few hours and the resulting traffic shows up at scanners within that same wave. The clean days aren’t the scanner missing things; they’re actually quiet days for the threat population our users encounter.

For users reading "low detection rate this month" anywhere in the security industry, the right framing isn’t "the scanner isn’t catching things". It’s “the population of submissions this month happened to be cleaner”. A scanner that reports 0 threats on a Tuesday and 4 threats on a Wednesday is most likely correct on both days, reflecting real differences in the threat campaigns active in each window.

This also means the right time horizon for evaluating a scanner’s catch rate is months, not days. Sampling a single quiet day proves nothing about the engine; sampling a single noisy day overstates it.
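To put a number on "not random scatter", this added example (not from ScanTotal's code base) computes exactly how likely it is that nine detections touch four or fewer distinct days out of 31, assuming each detection independently falls on a uniformly random day. That uniform-arrival model and the function names are assumptions; per-day scan volume is not in the report and is ignored.

```python
from fractions import Fraction

THREATS, DAYS, OBSERVED_DAYS = 9, 31, 4  # figures from the report


def distinct_day_distribution(threats, days):
    """Exact P(k distinct days hit) for k = 0..days, via a small DP.

    State k = number of distinct days hit so far. Each new detection either
    lands on an already-hit day (k/days) or opens a new one ((days-k)/days).
    """
    dist = [Fraction(0)] * (days + 1)
    dist[0] = Fraction(1)
    for _ in range(threats):
        nxt = [Fraction(0)] * (days + 1)
        for k, p in enumerate(dist):
            if p == 0:
                continue
            nxt[k] += p * Fraction(k, days)
            if k < days:
                nxt[k + 1] += p * Fraction(days - k, days)
        dist = nxt
    return dist


def prob_at_most(threats, days, max_days):
    """P(detections occupy max_days or fewer distinct days) under the model."""
    return float(sum(distinct_day_distribution(threats, days)[: max_days + 1]))


def expected_distinct_days(threats, days):
    """Mean number of distinct days hit under the same model."""
    dist = distinct_day_distribution(threats, days)
    return float(sum(k * p for k, p in enumerate(dist)))


if __name__ == "__main__":
    print(f"expected distinct days: {expected_distinct_days(THREATS, DAYS):.2f}")
    print(f"P(<= {OBSERVED_DAYS} days): {prob_at_most(THREATS, DAYS, OBSERVED_DAYS):.6f}")
```

Under that model the expected spread is about 7.9 distinct days, and four or fewer occurs with probability of roughly 0.02%, so the observed clustering is hard to attribute to chance.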

Finding 3 — The global spread was wider than the content strategy implies

ScanTotal’s content strategy in 2026 has tilted heavily toward Australian-Indian-diaspora scam coverage. Most of the blog posts target India-specific scams (UPI, EPFO, IRCTC, electricity, fake recruiters); the rest focus on Australia (Centrelink, Linkt, myGov). The implicit assumption is that’s where users are.

The actual scan-submission data shows a more globally distributed audience than the content would predict.

[Chart: Scan submissions by country, top 15. A horizontal bar chart of the top 15 countries by scan-submission volume during the 30-day window. United States leads at 129 scans (27.8%); Australia is second at 50 (10.8%); Germany, France, the UK, India, Switzerland, the Netherlands, Brazil, Poland, Colombia, Singapore, the UAE and Spain follow. The spread is genuinely global rather than Australian-Indian-diaspora dominated.]

United States: 129 (27.8%)
Australia: 50 (10.8%)
Germany: 38 (8.2%)
France: 31 (6.7%)
United Kingdom: 26 (5.6%)
India: 25 (5.4%)
Switzerland: 24 (5.2%)
Netherlands: 21 (4.5%)
Brazil: 20 (4.3%)
Poland: 19 (4.1%)
Colombia: 19 (4.1%)
Singapore: 17 (3.7%)
UAE: 17 (3.7%)
Spain: 11 (2.4%)

Plus 60+ more countries below the top 15, each at <1% of volume. Top 5 = 59% of volume. Top 15 = 80%. Geo data via Cloudflare edge IP. No per-user IP storage.
Top 15 countries by scan submissions, 7 May – 6 June 2026. The US leads (27.8%); Australia, Germany, France, and the UK round out a Western-skewed top 5 that accounts for 59% of volume.

Three observations:

The US lead is the biggest non-surprise. The US dominates web traffic for almost every English-language site; we’re not exceptional. 27.8% is in the expected range for a free English-language consumer security tool.

The continental European representation was unexpected. Germany, France, the UK, Switzerland, the Netherlands, Poland, and Spain combined for 22.7% of scans — nearly equal to the US share alone. We have published almost no Europe-specific content. The presence of these users is driven by organic discovery of our general scam-protection content, plus the AI Scam Library entries published in late May which seem to have travelled across European tech-aware audiences fast.

The non-traditional markets are real. Colombia at 4.1%, Singapore at 3.7%, UAE at 3.7%, Brazil at 4.3% — these are not regions our content explicitly targets. They’re showing up because the underlying scams (UPI fraud is universal, AI voice-clone scams are universal, BEC emails are universal) cross borders even when the content was written for one geography.

The implication for our roadmap: at least some of our planned India-focused content might pull cross-traffic from other emerging markets too, particularly Colombia and the broader Latin-America audience. Worth tracking in the next 30-day window whether that pattern persists.

What this changes for what we ship next

Reading the three findings together, two things change:

The file-scanner positioning needs rethinking. Promoting the file scanner as “double-check your downloads” produces submissions where the base rate of malware is genuinely near zero. Promoting it as “you got a file from someone you don’t fully trust — check it before opening” would change the upstream sample. We don’t plan to ship a positioning change immediately, but it’s on the list.

We should track the European audience more deliberately. The 23% European share is too large to leave un-served. Whether that means English-language Europe-specific content (the GDPR-era phishing patterns, EU-specific scam categories like fake DHL Germany / La Poste France notices) or simply ensuring our existing content’s schema and translations work for European search engines — either way, this audience exists and we haven’t deliberately served it yet.

We’ll publish another report at the next 30-day window (~6 July 2026) and a 90-day rollup at the start of September. If patterns hold, the European observation moves from "interesting" to "act on it".

What the 1.2% detection rate actually means

For context on the 1.2% number: a consumer scanner serving a self-selected suspicious-input population should sit in the 1-3% confirmed-threat range. Higher than 5% generally means the engine is producing false positives; lower than 0.5% generally means it’s under-detecting or the upstream sample is genuinely cleaner than expected. Our 1.2% sits squarely in the expected band.

For comparison, when major-platform browser blocklist services report on their detection rates, they typically sit somewhere between 0.5% and 2% across all queried URLs — remembering that their query set includes everything users navigate to, including their own logged-in sessions, where the base rate is much lower. Our 1.2% reflects a more suspicious-skewed input distribution because our users come to us specifically to check something, not as part of their normal browsing.

Methodology & transparency notes

Data source. All numbers are read directly from ScanTotal’s Cloudflare D1 database. The public dashboard at /threat-stats/ exposes the same aggregations refreshed hourly. No external analytics platform receives any of this data.

Privacy. The database does not contain URLs, file contents, file hashes, IP addresses, or any other personally identifying information. What it stores per scan: scan type (URL/file/SMS/etc.), threat-found boolean, threat-name string when applicable, Cloudflare-edge country code, and a timestamp. It holds no data of any kind that could identify an individual user.

Test signatures excluded. Industry test signatures (EICAR for files; AMTSO for URLs) are filtered out of both the dashboard and this report. Including them would inflate the "threats caught" figure with deliberate testing activity rather than real threats.

Window. The 30-day rolling window for this report ends at 6 June 2026 — specifically the 31 days from 7 May through 6 June 2026 inclusive. The dashboard always shows the most recent 30 rolling days; this post is a snapshot.

Licence. The aggregated data in this report is published under CC0 1.0 — reuse with or without attribution.

We expect to publish reports like this monthly, with a longer 90-day analysis at the end of every quarter. If you spot something in the data we should have noticed, or have questions about methodology, the contact form reaches Kumari directly.
