Business
Business Security · Overview Scope · Domain Audit Shadow · Mailbox Forensics Monitoring · Continuous Coverage Fix Session · Implementation
Individual
Personal Protection · Overview Scope · Personal Credential Scan
Solutions
Dark Web Monitoring Domain Impersonation Protection Credential Breach Detection Compliance Monitoring
Intelligence
Threat Intelligence Global Breach Map Breach Feed
Company
Partners How It Works About Press & Media
Sign In
Threat Intelligence·Public Circulation·LT-Q3-2026-US
Threat Intelligence Report · Q3-2026

State of American Small Business Cybersecurity, Q3 2026

LeakTrace's Threat Intelligence Team has visibility across the American small business landscape through our ongoing monitoring pipeline, combining public corporate records, licensed breach databases, external attack surface scanning, and open-source intelligence tooling. Our monitoring spans sectors including healthcare, legal, financial services, professional services, and regional small business categories.

Our observations show critical exposure across the American small business landscape. The average external threat surface risk score for businesses in our monitoring pipeline is 95.1 out of 100, near the maximum severity. 96.8% of businesses classify as Critical or High risk based on combined infrastructure, DNS security, and public exposure factors.

This report summarizes the external attack surface dimension across the American small business landscape, along with sector and geographic breakdowns and recommended mitigation actions applicable across sectors.

Report ID
LT-Q3-2026-US-001
Published
2026-07-08
Region
Us
Distribution
Public
1.0 · Findings

Findings at a glance

Observations from LeakTrace's ongoing monitoring of the Us small business landscape across sectors including healthcare, legal, financial services, dental, and professional services. Percentages reflect the share of businesses in our monitoring pipeline exhibiting each condition.

Average external threat surface risk score
Composite score across DNS security, TLS configuration, exposed administrative interfaces, subdomain sprawl, and vulnerable framework detection. Scored 0-100 where higher indicates greater exposure surface.
95.1/100
Critical or High severity classification
Businesses whose external attack surface qualifies as Critical or High severity based on combined infrastructure, DNS security, and public exposure factors.
96.8%
Owner credentials appear in known breach databases
Businesses whose owner or executive email address surfaces in at least one credential dump.
66.7%
Password-class exposure
Credential material present in breach records. Enables credential stuffing and account takeover.
0.0%
Personally identifiable information exposure
Names, phone numbers, addresses, DOB, or equivalent identifiers surfaced in breach records.
66.7%
Financial data exposure
Credit card, bank account, or transaction data surfaced in breach records.
0.0%
2.0 · Infrastructure

External attack surface exposure

Distribution of external attack surface severity across the American small business landscape, derived from ongoing infrastructure scanning covering DNS security position, TLS/SSL configuration, exposed administrative interfaces, subdomain sprawl, and framework vulnerability detection. Severity bands are harmonized with credential exposure classifications.

Severity band Share
Critical
93.7%
High
3.2%
Moderate
3.2%
Low
0.0%
3.0 · Credentials

Credential exposure distribution

Distribution of credential exposure severity across the Us small business landscape. Bands defined by breach count and data-class weight: passwords + financial data outweigh PII, which outweighs usernames only.

Severity band Share
Severe
0.0%
Moderate
66.7%
Minor
0.0%
None identified
33.3%
4.0 · Attack Vectors

Prevalent attack vectors

Prevalence of specific exposure classes observed across the American small business monitoring pipeline. Each row reflects the share of scanned businesses where the described condition was detected at non-informational severity. Ranked by prevalence.

Vector Prevalence
Infrastructure misconfigurations
DNS, TLS/SSL, DMARC, SPF, or DKIM configurations flagged as high-risk during external scanning.
100.0%
JavaScript secret exposure
API keys, tokens, or credentials embedded in front-end JavaScript bundles reachable from the homepage.
73.0%
Registered typosquat domains
Look-alike domain variants already registered by third parties, brand impersonation and BEC infrastructure.
60.3%
WordPress user enumeration
WordPress installations leaking usernames through unauthenticated REST endpoints, enables targeted credential-stuffing.
41.3%
Exposed configuration endpoints
Publicly-accessible admin panels, config files, or unprotected API endpoints identified via non-invasive probing.
25.4%
Sensitive open ports (Shodan)
Internet-facing ports exposing services with known CVEs or authentication concerns, per Shodan telemetry.
20.6%
Vulnerable JavaScript libraries
Front-end libraries with known CVEs loaded on production pages, direct client-side attack surface.
15.9%
Cloud storage exposure
Publicly-listable S3/GCS/Azure buckets associated with the domain, data exfiltration risk.
15.9%
5.0 · Sectors

Sector breakdown

Exposure profile across sectors in our monitoring pipeline. Infrastructure score is on a 0-100 scale where higher indicates greater exposure surface. Credential exposure rate reflects the share of businesses per sector with owner or executive credentials appearing in known breach databases.

Sector Infra score Critical / High Credentials
Healthcare 96.0 /100 95.2% 100.0%
Legal 94.3 /100 100.0% None%
Dental 96.2 /100 100.0% None%
Other 95.2 /100 95.7% 0.0%
Law 91.2 /100 94.1% 100.0%
6.0 · Geography

Geographic distribution

Exposure profile by state across the American small business landscape. Regional variance reflects both differences in business composition and differences in ongoing infrastructure maintenance across regions.

State Infra score Critical / High Credentials
Texas 94.0 /100 95.5% 0.0%
Illinois 90.7 /100 92.9% 100.0%
Washington 100.0 /100 100.0% 100.0%
New York 99.1 /100 100.0% None%
Pennsylvania 98.1 /100 100.0% None%
California 100.0 /100 100.0% None%
7.0 · Methodology

Sources and methodology

Findings aggregate LeakTrace's ongoing observations across the Us small business landscape. Sources include licensed commercial breach databases, external attack surface scanning, and publicly-indexed corporate records. Individual business records are not published.

VISIBILITY LeakTrace maintains an ongoing threat intelligence pipeline monitoring American small businesses across sectors including healthcare, legal, financial services, and professional services. Our monitoring combines public data sources with proprietary discovery workflows and expands continuously as new prospects enter the pipeline. COVERAGE DIMENSIONS Infrastructure, external attack surface scanning covering DNS security posture, TLS/SSL configuration, exposed administrative interfaces, subdomain sprawl, and vulnerable framework detection. Credential exposure, matching owner and executive email addresses against consolidated breach databases and data-class exposure classification. Public web exposure, open-source intelligence aggregation covering code repository leaks, paste site mentions, and publicly-indexed disclosure activity. SOURCES Licensed commercial breach corpora Supplementary breach corpus (BreachDirectory) Open-source intelligence aggregation of publicly-indexed web content Publicly-available corporate registry data and business directories External attack surface scanning across DNS, TLS, subdomain, and framework layers METHODOLOGY For each business in our monitoring pipeline, we run parallel exposure scans across the coverage dimensions above. Infrastructure risk scores are computed on a 0-100 scale where higher indicates greater exposure surface. Severity bands are harmonized across dimensions. LIMITATIONS Public data only, no dark web or non-licensed sources Infrastructure scanning is non-invasive, passive external observation only Severity indicates exposure surface, not active threat targeting
8.0 · Recommendations

Recommended mitigations

Prioritized by time-to-mitigate and expected reduction in threat surface. Applicable across the sectors summarized in this report.

For American small businesses in this monitoring population: 1. IMMEDIATE, External attack surface remediation With an average external threat surface risk score of 95.1/100 and 96.8% of businesses classified as Critical or High risk, external attack surface reduction is the highest-leverage single investment. Priorities: enable DMARC enforcement, remediate SSL/TLS misconfigurations, retire exposed administrative interfaces, and audit subdomain sprawl. 2. IMMEDIATE, Force password rotation for owner/executive accounts Owner and executive credentials appearing in known breach databases enable credential stuffing attacks as a realistic near-term threat. Rotating passwords + enabling MFA closes this vector immediately. 3. NEAR-TERM (30 days), Deploy business email compromise (BEC) monitoring Owner email addresses in breach databases enable BEC / whaling attacks where attackers pose as the executive. Monitoring for spoofed sender activity + implementing DMARC enforcement mitigates this. 4. NEAR-TERM (30 days), Employee awareness training Given the elevated infrastructure risk profile observed across the American small business landscape, staff awareness training is the highest-leverage human-factor investment. Focus on recognizing phishing, verifying wire requests, and reporting suspicious contact. 5. QUARTERLY, Repeat the exposure scan Breach databases update continuously and infrastructure changes affect risk scores. Quarterly re-scanning is standard threat intelligence hygiene. 6. STRATEGIC, Cyber insurance review With the elevated infrastructure exposure profile observed across the American small business landscape, cyber insurance policies should be reviewed for adequate coverage. Current premiums assume active mitigation programs; documented mitigation reduces premiums.
About LeakTrace Threat Intelligence. LeakTrace operates an exposure intelligence platform monitoring Canadian and U.S. small business cybersecurity risk. Ongoing observations are aggregated into quarterly public research reports and per-principal confidential assessments. Press and research correspondence: [email protected] · Press & media resources.

Report reference: LT-Q3-2026-US-001 · Published 2026-07-08 · Prepared by the LeakTrace Threat Intelligence Team, Toronto.