Cyber Resilience Challenge: Coke vs Pepsi

Last updated by UpGuard on January 15, 2020


Few corporate rivalries are as legendary as these two enterprise contenders; admittedly, there have been more than a fair share of comparisons pitting the pair against each other over the last century. So we're offering a twist to the traditional cola challenge: how do Pepsi and Coke stack up in terms of cyber resilience? Read more to find out. 

Like many dominant brands, Pepsi and Coke each comprise a myriad of popular offerings that span the globe. For example, Coca-Cola also owns Sprite, Fanta, DASANI, and Minute Maid; similarly, PepsiCo owns Mountain Dew, Gatorade, Aquafina, and Lipton, to name a few. Keep in mind that each has its own website with varying levels of cyber resilience—for this comparison, we'll focus solely on the flagship brands, Coke and Pepsi.

As they undergo digital transformation to provide more diverse, competitively-priced products and services, Coke and Pepsi—as well as other global enterprises—have also assumed varying amounts of digital risk. What do their CSR scores reveal about their cyber resilience postures and security fitness?


Coca-Cola's most recent security incident in 2014 involved a data breach of 74,000 employee records—employee social security numbers, driver's license numbers, financial data, and other information were exposed after a disgruntled employee stole dozens of laptops. 


Coke's low CSR score of 428 is a result of a myriad of flaws present in its website perimeter security, namely lack of sitewide SSL, lack of HTTP strict transport security, server information leakage, and disabled DMARC/DNSSEC.


Pepsi made cybersecurity news headlines back in 2008 when a missing storage device resulted in the exposure of employee data. Since then, however, the company has managed to steer clear of major cybersecurity incidents.


Like Coke, Pepsi's low 475 CSTAR score reflects several critical security gaps in its website security posture, including lack of sitewide SSL, disabled HTTP strict transport security, and missing DMARC/DNSSEC/SPF.

Side-by-Side CSR Scoring:
Coke vs. Pepsi

When it comes to enterprise cyber resilience, the world's two largest beverage vendors suffer from similar website perimeter security issues such as lack of DMARC/DNSSEC and missing HTTP strict transport security. A lack of sitewide SSL on both companies' websites could lead to a man-in-the-middle (MiTM) attack.
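The perimeter checks named above can be run against your own site's responses and DNS records. The following is an added example, not UpGuard's scoring logic or code from the original post: the function name, finding labels, and both sample domains are assumptions, the inputs are constructed, and DNSSEC is left out because it requires DS/DNSKEY lookups rather than header or TXT inspection.

```python
import re

def audit_perimeter(domain, http_location, headers, txt_records):
    """Return findings for one site from already-collected observations.

    http_location: Location header returned by the plain-HTTP site ("" if none).
    headers: response headers from the HTTPS site.
    txt_records: DNS name -> list of TXT strings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Sitewide SSL: plain HTTP should redirect straight to HTTPS.
    if not http_location.lower().startswith("https://"):
        findings.append("no-https-redirect")

    # HSTS: header present with a non-zero max-age.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("hsts-missing")

    # Server information leakage: version numbers in banner headers.
    for name in ("server", "x-powered-by"):
        if re.search(r"/\d", h.get(name, "")):
            findings.append("version-leak:" + name)

    # SPF is a TXT record at the domain itself.
    if not any(r.lower().startswith("v=spf1") for r in txt_records.get(domain, [])):
        findings.append("spf-missing")

    # DMARC is a TXT record at _dmarc.<domain>; p=none only monitors.
    dmarc = [r for r in txt_records.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("dmarc-not-enforced")
    return findings

# Constructed observations for two placeholder domains (not real scan data).
WEAK = audit_perimeter(
    "weak.example", "",
    {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
    {"weak.example": ["google-site-verification=abc"]})
HARDENED = audit_perimeter(
    "ok.example", "https://ok.example/",
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Server": "nginx"},
    {"ok.example": ["v=spf1 include:_spf.ok.example -all"],
     "_dmarc.ok.example": ["v=DMARC1; p=reject; rua=mailto:d@ok.example"]})
```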




Curious about how well your favorite brands perform when it comes to critical measures of cyber resilience and security fitness? Try out our free CSR Chrome Extension or sign up for an in-depth customized demo of UpGuard's cyber resilience platform today.
