State of American Small Business Cybersecurity, Q3 2026
LeakTrace's Threat Intelligence Team has visibility across the American small business landscape through our ongoing monitoring pipeline, combining public corporate records, licensed breach databases, external attack surface scanning, and open-source intelligence tooling. Our monitoring spans sectors including healthcare, legal, financial services, professional services, and regional small business categories.
Our observations show critical exposure across the American small business landscape. The average external threat surface risk score for businesses in our monitoring pipeline is 95.1 out of 100, near the maximum severity. 96.8% of businesses classify as Critical or High risk based on combined infrastructure, DNS security, and public exposure factors.
This report summarizes the external attack surface dimension across the American small business landscape, along with sector and geographic breakdowns and recommended mitigation actions applicable across sectors.
Findings at a glance
Observations from LeakTrace's ongoing monitoring of the Us small business landscape across sectors including healthcare, legal, financial services, dental, and professional services. Percentages reflect the share of businesses in our monitoring pipeline exhibiting each condition.
External attack surface exposure
Distribution of external attack surface severity across the American small business landscape, derived from ongoing infrastructure scanning covering DNS security position, TLS/SSL configuration, exposed administrative interfaces, subdomain sprawl, and framework vulnerability detection. Severity bands are harmonized with credential exposure classifications.
| Severity band | Share | |
|---|---|---|
| Critical | 93.7% | |
| High | 3.2% | |
| Moderate | 3.2% | |
| Low | 0.0% |
Credential exposure distribution
Distribution of credential exposure severity across the Us small business landscape. Bands defined by breach count and data-class weight: passwords + financial data outweigh PII, which outweighs usernames only.
| Severity band | Share | |
|---|---|---|
| Severe | 0.0% | |
| Moderate | 66.7% | |
| Minor | 0.0% | |
| None identified | 33.3% |
Prevalent attack vectors
Prevalence of specific exposure classes observed across the American small business monitoring pipeline. Each row reflects the share of scanned businesses where the described condition was detected at non-informational severity. Ranked by prevalence.
| Vector | Prevalence | |
|---|---|---|
| Infrastructure misconfigurations DNS, TLS/SSL, DMARC, SPF, or DKIM configurations flagged as high-risk during external scanning. | 100.0% | |
| JavaScript secret exposure API keys, tokens, or credentials embedded in front-end JavaScript bundles reachable from the homepage. | 73.0% | |
| Registered typosquat domains Look-alike domain variants already registered by third parties, brand impersonation and BEC infrastructure. | 60.3% | |
| WordPress user enumeration WordPress installations leaking usernames through unauthenticated REST endpoints, enables targeted credential-stuffing. | 41.3% | |
| Exposed configuration endpoints Publicly-accessible admin panels, config files, or unprotected API endpoints identified via non-invasive probing. | 25.4% | |
| Sensitive open ports (Shodan) Internet-facing ports exposing services with known CVEs or authentication concerns, per Shodan telemetry. | 20.6% | |
| Vulnerable JavaScript libraries Front-end libraries with known CVEs loaded on production pages, direct client-side attack surface. | 15.9% | |
| Cloud storage exposure Publicly-listable S3/GCS/Azure buckets associated with the domain, data exfiltration risk. | 15.9% |
Sector breakdown
Exposure profile across sectors in our monitoring pipeline. Infrastructure score is on a 0-100 scale where higher indicates greater exposure surface. Credential exposure rate reflects the share of businesses per sector with owner or executive credentials appearing in known breach databases.
| Sector | Infra score | Critical / High | Credentials |
|---|---|---|---|
| Healthcare | 96.0 /100 | 95.2% | 100.0% |
| Legal | 94.3 /100 | 100.0% | None% |
| Dental | 96.2 /100 | 100.0% | None% |
| Other | 95.2 /100 | 95.7% | 0.0% |
| Law | 91.2 /100 | 94.1% | 100.0% |
Geographic distribution
Exposure profile by state across the American small business landscape. Regional variance reflects both differences in business composition and differences in ongoing infrastructure maintenance across regions.
| State | Infra score | Critical / High | Credentials |
|---|---|---|---|
| Texas | 94.0 /100 | 95.5% | 0.0% |
| Illinois | 90.7 /100 | 92.9% | 100.0% |
| Washington | 100.0 /100 | 100.0% | 100.0% |
| New York | 99.1 /100 | 100.0% | None% |
| Pennsylvania | 98.1 /100 | 100.0% | None% |
| California | 100.0 /100 | 100.0% | None% |
Sources and methodology
Findings aggregate LeakTrace's ongoing observations across the Us small business landscape. Sources include licensed commercial breach databases, external attack surface scanning, and publicly-indexed corporate records. Individual business records are not published.
Recommended mitigations
Prioritized by time-to-mitigate and expected reduction in threat surface. Applicable across the sectors summarized in this report.
Report reference: LT-Q3-2026-US-001 · Published 2026-07-08 · Prepared by the LeakTrace Threat Intelligence Team, Toronto.