Companies that use Cloudflare Turnstile

What this captures, and what it doesn't

We believe in being transparent about how we collect our data and what its limitations are, unlike most other data providers who operate as black boxes.

This methodology captures companies that have embedded the Turnstile script on a publicly reachable page. It is the most reliable signal that Turnstile is actually wired into a site's frontend, as opposed to merely being on a procurement list somewhere.

It does not capture a few important scenarios:

• Companies that have installed the Turnstile script but never actually trigger it. The widget is invisible until something on the page causes the challenge to render, so a script that sits dormant looks the same to us as one being actively used. We assume that if a company has gone to the trouble of embedding it, they intend to use it.
• Companies that only use Turnstile on pages behind a login or other authentication wall. Our crawl runs against publicly reachable URLs, so anything gated by a sign-in flow, an internal admin tool, or a customer dashboard is invisible to us.

We also do not track companies that use Cloudflare WAF features more broadly. WAF protects traffic at the network layer rather than through an embedded frontend script, so it requires a completely different detection approach and lives in its own dataset.

How we figured this out

We start with a list of the most popular domains belonging to roughly 3 million companies, ranked by headcount as reported on their LinkedIn company profiles. For each domain, we crawl the homepage and inspect the scripts loaded by the page.

1. Script source detection. Turnstile is delivered as a JavaScript file served from challenges.cloudflare.com. We check whether any <script> tag on the page loads a resource from that host. A hit tells us the page is pulling something from Cloudflare's challenge infrastructure, which is the first necessary signal.

2. Turnstile-specific verification. The challenges.cloudflare.com host serves more than just Turnstile, so a match on the hostname alone is not enough. We then verify that the script being loaded is specifically the Turnstile client (typically turnstile/v0/api.js or a closely related path) rather than a script tied to a different Cloudflare challenge product. Only domains that pass both checks make it into the dataset.