What Attackers See When They Scan a Business They Decide Not to Attack



Thought Leadership · Attack Surface
May 2026  ·  8 min read

Attackers don't choose their targets the way you might imagine — a person researching your business, deciding you're worth their time. Most SMB targeting is fully automated. A scanner runs. It finds gaps or it doesn't. What it doesn't find is what keeps you off the list.


Somewhere right now, an automated tool is scanning your domain. It's not a person — it's a script running across thousands of businesses simultaneously, looking for the same handful of gaps it always looks for. Open RDP port. Missing DMARC enforcement. Credentials in a breach database. Admin panel exposed to the public internet. Known unpatched CVE on an internet-facing service.

If it finds any of those, your domain goes into a queue. If it doesn't, it moves on. The decision takes milliseconds and involves no human judgment whatsoever.

This is the most important and least understood fact about how SMBs get attacked in 2026: targeting is automated, not curated. Attackers aren't choosing you because they know who you are. They're choosing you because your scan results looked like an easy entry. The businesses that don't get attacked aren't necessarily running enterprise security programs. They're the ones whose scan results gave the automated tool nothing to work with.

Minutes: how long automated tools take to scan thousands of businesses, looking for open ports, exposed credentials and weak authentication (empist.com / NinjaOne, 2026)
43%: share of all cyberattacks in 2026 that target SMBs, even though SMBs represent only 30% of the business landscape (alphacis.com, 2026)
78%: share of SMBs that fear a major incident could put them out of business, yet most have never seen their own scan results (ConnectWise / NinjaOne, 2026)
The assumption that costs SMBs the most: "We're too small to be a target." Attacks against small and mid-sized businesses are growing three times faster than attacks against large enterprises. The attackers know you think that — and they're acting on it. Size doesn't protect you. Clean scan results do.

What the automated scan actually looks for

Here is what a standard automated reconnaissance scan checks when it hits your domain. These are the specific signals that appear in documented SMB breach investigations, the items cyber insurers verify before issuing policies, and the checks in the 30-minute audit earlier in this series. The scan takes minutes. The gaps take minutes to find.

Automated Reconnaissance — yourcompany.com
$ scanning domain credentials against breach databases...
⚠ 3 email addresses found in breach corpus — passwords in active circulation
$ checking DMARC enforcement policy...
⚠ p=none — domain spoofing possible, emails not rejected
$ checking open ports (RDP:3389, SMB:445, Telnet:23)...
⚠ port 3389 open — RDP exposed to public internet
$ checking for exposed admin panels...
~ admin login page indexed publicly — no VPN requirement detected
$ checking known CVEs on internet-facing services...
⚠ 2 unpatched critical CVEs detected — active exploits in wild
$ checking MFA enforcement signals...
~ MFA detected on primary domain — legacy protocols not assessed
RESULT: TARGET ADDED TO QUEUE — 4 high-value entry points identified
→ moving to next target...

That scan ran against thousands of businesses in the time it took you to read this far. Most of them failed it. The ones that didn't fail it didn't get added to the queue. Now here's what the same scan looks like on a business that passes it.

Automated Reconnaissance — cleanbusiness.com
$ scanning domain credentials against breach databases...
✓ no domain credentials found in breach corpus
$ checking DMARC enforcement policy...
✓ p=reject — domain spoofing blocked at receiver
$ checking open ports (RDP:3389, SMB:445, Telnet:23)...
✓ no high-risk ports exposed to public internet
$ checking for exposed admin panels...
✓ no publicly accessible admin interfaces detected
$ checking known CVEs on internet-facing services...
✓ no unpatched critical CVEs on public-facing services
$ checking MFA enforcement signals...
✓ MFA enforced — no legacy protocol bypass detected
RESULT: NO VIABLE ENTRY POINTS — target skipped
→ moving to next target...

That second scan result is the finish line. Not zero vulnerabilities forever. Not enterprise-grade security infrastructure. Just clean results on the six checks that automated reconnaissance runs first — the ones that determine whether your domain goes into the queue or gets skipped. Most SMBs have never seen either of these scan results on their own domain.

The six checks — what clean looks like on each one

1. Credential exposure

✓ Clean
What clean looks like: No email addresses at your domain appear in known breach databases. HIBP domain monitoring is set up with no alerts in the last 90 days. Any previously exposed credentials have been changed.

How to get there: haveibeenpwned.com domain search → set up free notifications → change exposed passwords → deploy a password manager so reuse can't recur.

2. Email authentication

✓ Clean
What clean looks like: DMARC is set to p=reject. SPF and DKIM are both configured and passing. mxtoolbox.com shows all green. No attacker can send email that appears to come from your domain.

How to get there: Check current policy at mxtoolbox.com/DMARC.aspx → work with your DNS provider to set p=reject → verify with mxtoolbox.
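An added example, not part of this post or of Veriti Spottr's product, that evaluates the DMARC half of this check offline: it takes the TXT strings you would read from _dmarc.yourcompany.com and reports why a record fails, including the cases a bare p= check misses (a weaker sp= subdomain policy, pct below 100, or two records that cancel each other out). The sample records are constructed.

```python
"""Grade a domain's DMARC record the way the 'email authentication' check does.

Added example; the record strings below are constructed, not real lookups.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcResult:
    policy: str            # p= value, or "missing" / "invalid"
    subdomain_policy: str  # sp= value (defaults to p= when absent)
    pct: int               # share of failing mail the policy is applied to
    clean: bool            # True only when spoofed mail is rejected everywhere
    findings: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict; keys are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt_records) -> DmarcResult:
    """txt_records: every TXT string published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcResult("missing", "missing", 0, False, ["no DMARC record published"])
    if len(dmarc) > 1:
        # RFC 7489 6.6.3: more than one record means policy discovery fails,
        # so receivers apply no policy at all, the same outcome as p=none.
        return DmarcResult("invalid", "invalid", 0, False, ["multiple DMARC records; receivers apply none"])
    tags = parse_tags(dmarc[0])
    p = tags.get("p", "missing").lower()
    sp = tags.get("sp", p).lower()          # subdomains inherit p= unless sp= is set
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    findings = []
    if p != "reject":
        findings.append(f"p={p}: spoofed mail from the domain is not rejected")
    if sp != "reject":
        findings.append(f"sp={sp}: spoofed mail from subdomains is not rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return DmarcResult(p, sp, pct, not findings, findings)


# Constructed records mirroring the two scan transcripts in the post
WEAK = ["v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"]
CLEAN = ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@cleanbusiness.com"]
```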

3. Perimeter ports

✓ Clean
What clean looks like: No RDP, SMB, or Telnet exposed to the public internet. Remote access goes through VPN. Admin panels are not publicly accessible. Shodan shows no high-risk open ports.

How to get there: Search your domain at shodan.io → identify open high-risk ports → route remote access through VPN → close or restrict public-facing ports.

4. Patching discipline

✓ Clean
What clean looks like: No known Critical CVEs on internet-facing systems. Critical patches applied within 48–72 hours of release. Automatic updates enabled on all internet-facing services.

How to get there: Enable automatic updates on internet-facing systems → prioritize Critical CVEs within 48 hours → minimize the number of services with public internet presence.

5. MFA coverage

✓ Clean
What clean looks like: MFA enforced on every system — not just available, enforced. Legacy protocols disabled. Number matching enabled on push notifications. Admin accounts included without exception.

How to get there: Audit every system for MFA enforcement → enable number matching in your identity provider → block legacy authentication protocols → include all admin accounts.

6. Access hygiene

✓ Clean
What clean looks like: No active accounts belonging to former employees. No stale vendor accounts with lingering access. Admin privileges limited to accounts that require them. Quarterly access review completed within last 90 days.

How to get there: Pull active user list → compare against current roster → disable unnecessary accounts → check email forwarding rules in your admin console.
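An added example, not the post's or Veriti Spottr's code, that runs checks 5 and 6 over an identity-provider user export in one pass: the export field names, the HR roster and the 90-day stale threshold are assumptions, and the four accounts are constructed to show one clean account beside the failure types the two checks describe.

```python
"""Audit a directory export for MFA coverage (check 5) and access hygiene (check 6).

Added example with assumed field names; every account below is constructed.
"""
from datetime import date

STALE_DAYS = 90                      # the quarterly review window in the post
TODAY = date(2026, 5, 15)            # fixed so the example is reproducible
INTERNAL_DOMAIN = "yourcompany.com"

# Constructed export: one dict per account, as a directory CSV might be loaded
ACCOUNTS = [
    {"user": "alice@yourcompany.com", "enabled": True, "admin": True, "mfa_enforced": True,
     "legacy_auth": False, "last_login": date(2026, 5, 14), "forward_to": None},
    {"user": "bob@yourcompany.com", "enabled": True, "admin": False, "mfa_enforced": False,
     "legacy_auth": True, "last_login": date(2026, 5, 10), "forward_to": None},
    {"user": "carol@yourcompany.com", "enabled": True, "admin": True, "mfa_enforced": True,
     "legacy_auth": False, "last_login": date(2026, 1, 3), "forward_to": "carol@example.net"},
    {"user": "svc-vendor@yourcompany.com", "enabled": True, "admin": True, "mfa_enforced": False,
     "legacy_auth": False, "last_login": date(2025, 11, 20), "forward_to": None},
]
ROSTER = {"alice@yourcompany.com", "bob@yourcompany.com"}   # current staff per HR


def audit(accounts, roster, today=TODAY):
    """Return {user: [findings]} for every enabled account that fails check 5 or 6."""
    report = {}
    for a in accounts:
        if not a["enabled"]:
            continue                     # already disabled: nothing for a scanner to use
        f = []
        if not a["mfa_enforced"]:
            f.append("MFA not enforced")
        if a["legacy_auth"]:
            f.append("legacy authentication allowed: MFA bypass path")
        if a["user"] not in roster:
            f.append("not on current roster: former employee or stale vendor account")
        if (today - a["last_login"]).days > STALE_DAYS:
            f.append(f"no login in more than {STALE_DAYS} days")
        if a["admin"] and (a["user"] not in roster or not a["mfa_enforced"]):
            f.append("admin privilege on an account that should not hold it")
        fwd = a["forward_to"]
        if fwd and not fwd.lower().endswith("@" + INTERNAL_DOMAIN):
            f.append(f"mail forwarded outside the domain to {fwd}")
        if f:
            report[a["user"]] = f
    return report


def passes_checks(accounts, roster, today=TODAY):
    """Clean means no findings at all, not merely fewer than last quarter."""
    return not audit(accounts, roster, today)
```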

What your CyberScore actually measures

This is the positive version of every post in this series. The password policy post, the MFA bypass post, the credentials for sale post, the 60-minute attacker timeline — all of them described what happens when one of these six checks fails. This post describes what it looks like when they all pass.

6/6: what a clean scan result looks like

No credentials in breach databases. DMARC at p=reject. No high-risk open ports. No unpatched critical CVEs. MFA fully enforced with number matching. No stale accounts or excess access. The automated scanner finds nothing to work with. Your domain gets skipped. The attacker moves on to the next target — which is almost certainly one of the 43% of SMBs that failed one of these checks today.

Platforms like Veriti Spottr are built to give SMBs a continuous view of exactly this scan — an outside-in assessment of your attack surface that surfaces the same signals an automated reconnaissance tool would find, before the attacker's scanner gets there. The CyberScore isn't a grade on how sophisticated your security is. It's a measure of how clean your scan results are — the six things that determine whether the automated queue picks you up or passes you by. That's the finish line. Veriti Spottr tells you how close you are to it, and what to fix first to get there.

The question that changes how you think about security

Most SMB owners think about cybersecurity as a question of spending. How much do we invest? What tools do we buy? How does our budget compare to the threat?

The automated scanner doesn't care about your budget. It cares about your scan results. A business spending $500/month on a password manager, DMARC enforcement, MFA with number matching, and continuous credential monitoring can pass all six checks. A business spending $5,000/month on endpoint detection and response but leaving RDP open and DMARC at p=none will fail two of them before the scan gets to anything sophisticated.

The question isn't "how much are we spending on security?" It's "what does our scan result look like right now, today, to the automated tool that just ran against our domain?"

If you don't know the answer — and most SMB owners don't — you don't know whether the next automated scan adds you to the queue or moves on.

See your scan results before the attacker does. Veriti Spottr's beta is free.

Veriti Spottr Team  ·  AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
