We Scanned 200 SMB Domains. Here's What We Found.
Published by the ComplianceLayer team | March 2026
Last quarter, we ran ComplianceLayer against 200 small and medium business domains — companies with 10 to 500 employees across industries including professional services, healthcare-adjacent (no PHI), retail, and technology. No one paid us to do this. We wanted to know: how is the average SMB actually doing on the fundamentals of external security?
The results were worse than we expected. And we expected bad.
Here's what we found.
Methodology
We used our own tool — ComplianceLayer — to run a full external security scan on each domain. Each scan checks four categories: SSL/TLS configuration, DNS/email authentication (SPF, DMARC, DKIM), HTTP security headers, and open port exposure. Domains were sourced from a mix of public business directories and submitted by MSP partners who gave permission to aggregate anonymized findings. No internal systems were tested. All scans were passive external assessments.
Domains were graded A through F per category.
SSL/TLS: Better Than Expected, But Fragile
The SSL picture was the most encouraging of the four categories — but the details tell a more complicated story.
71% of domains earned an A or B grade on SSL. The widespread adoption of Let's Encrypt and auto-renewing certificate providers has pushed basic SSL hygiene into the mainstream. Most domains had valid certificates.
But dig one layer deeper:
- 23% were running TLS 1.0 or TLS 1.1 alongside modern TLS 1.3. Both older protocol versions have known vulnerabilities and were officially deprecated by the IETF in 2021. Supporting them for "compatibility" is a real risk.
- 11% had certificates expiring within 30 days. These aren't companies that forgot to renew — they're companies where nobody is watching. For an MSP, that's a 2 AM emergency call waiting to happen.
- 6% had expired certificates entirely. Fully expired. In production.
- 4% were using SHA-1 signed certificates — an algorithm considered broken for over a decade.
The headline SSL number looks fine. The tail is ugly.
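As an added example (not ComplianceLayer's scanner code), here is how the three tail findings above reduce to a small triage function once the certificate and protocol data are in hand. It assumes the certificate dict has the shape `ssl.SSLSocket.getpeercert()` returns, and that the protocol versions the server accepted and the certificate's signature algorithm were gathered by a separate probe.

```python
"""Triage the TLS findings the scan reports (legacy protocol versions, certificate
expiry within 30 days, SHA-1 signatures) from data already in hand.

Added example, not ComplianceLayer's code. 'cert' has the shape that
ssl.SSLSocket.getpeercert() returns; the list of protocol versions the server
accepted and the certificate's signature algorithm are assumed to come from a
separate probe (ssl.SSLSocket.version() reports names like 'TLSv1.1').
"""
import ssl
import time

DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}   # deprecated by RFC 8996 (2021)
EXPIRY_WARNING_DAYS = 30                       # the window the post flags


def days_until_expiry(cert, now_epoch=None):
    """Days left on the certificate; negative once it has expired.

    cert['notAfter'] uses the 'Mar 30 12:00:00 2026 GMT' form getpeercert() returns.
    """
    if now_epoch is None:
        now_epoch = time.time()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now_epoch) / 86400


def tls_findings(cert, supported_versions, signature_algorithm, now_epoch=None):
    """Return the findings a grader would raise for one host (empty list = clean)."""
    findings = []
    legacy = sorted(DEPRECATED_PROTOCOLS & set(supported_versions))
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    days = days_until_expiry(cert, now_epoch)
    if days < 0:
        findings.append("certificate expired")
    elif days < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {int(days)} days")
    if "sha1" in signature_algorithm.lower():
        findings.append("certificate signed with SHA-1")
    return findings
```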
DNS & Email Security: The Worst Category by Far
If there's one finding we'd highlight in a conference talk, it's this: SMB email authentication is a disaster.
Email spoofing — where an attacker sends email pretending to be from your domain — is one of the most effective phishing vectors in existence. Three DNS records prevent it: SPF, DMARC, and DKIM. All three are free to configure. All three have been industry best practice for years.
Here's where 200 SMB domains stood:
- SPF present: 64% ✓ — Better than average, but still 36% missing.
- DMARC present: 31% ✓ — Over two-thirds of SMBs have no DMARC record.
- DKIM present: 44% ✓ — Less than half have DKIM signing configured.
- All three configured correctly: 18% ✓ — Only 1 in 5 SMBs has complete email authentication.
To be clear about what it means for the 69% with no DMARC record: anyone on the internet can send email that appears to come from their domain, and receiving mail servers have no policy-based mechanism to reject or quarantine it. That's the setup for CEO fraud, vendor impersonation, and credential phishing.
The fix is a DNS record. It takes 10 minutes. But without active monitoring, most SMBs will never notice it's missing.
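An added example, not ComplianceLayer's code, that evaluates the three records described above from their raw TXT strings, including the distinction between a DMARC record that only monitors (p=none) and one that enforces. The record strings are constructed inputs; in practice they come from TXT lookups of the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.

```python
"""Evaluate SPF, DMARC and DKIM TXT records offline. Added example, not ComplianceLayer's
code; in practice the strings come from TXT lookups of <domain>, _dmarc.<domain> and <selector>._domainkey.<domain>."""

def parse_tags(record):
    # 'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # split once: DKIM's base64 p= may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(root_txt_records):
    """Findings for the domain's root TXT records; an empty list means SPF looks sane."""
    spf = [r for r in root_txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF missing"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record (receivers treat this as a permanent error)"]
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF: '+all' authorises every sender"]
    if last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        return ["SPF: no terminating 'all' mechanism, so unknown senders get a neutral result"]
    return []

def check_dmarc(dmarc_txt):
    """Findings for the _dmarc TXT record; separates monitoring (p=none) from enforcement."""
    if not dmarc_txt:
        return ["DMARC missing: receivers have no policy to quarantine or reject spoofed mail"]
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["DMARC: malformed record (needs v=DMARC1 and a p= tag)"]
    findings = []
    if tags["p"] == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports will never arrive")
    return findings

def check_dkim(selector_txt):
    # Findings for a <selector>._domainkey TXT record
    if not selector_txt:
        return ["DKIM missing: outgoing mail is not signed"]
    if not parse_tags(selector_txt).get("p"):
        return ["DKIM: empty p= means the key was revoked"]
    return []

def email_auth_findings(root_txt_records, dmarc_txt, dkim_selector_txt):
    """All findings for one domain; an empty list is the 'all three configured' case."""
    return check_spf(root_txt_records) + check_dmarc(dmarc_txt) + check_dkim(dkim_selector_txt)
```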
HTTP Security Headers: Low-Hanging Fruit, Widely Missed
HTTP security headers are configurations added to web server responses that instruct browsers to enforce security policies. Most don't require application changes — just a web server configuration tweak. Yet the adoption rate among SMBs is remarkably low.
Results across our 200-domain sample:
| Header | Present | Missing |
|---|---|---|
| HSTS (HTTP Strict Transport Security) | 47% | 53% |
| X-Frame-Options | 38% | 62% |
| X-Content-Type-Options | 41% | 59% |
| Content-Security-Policy (CSP) | 19% | 81% |
| Referrer-Policy | 29% | 71% |
| Permissions-Policy | 11% | 89% |
Only 8% of domains had all six headers configured correctly.
Content-Security-Policy is the most complex to implement — it requires understanding what scripts your site loads — and its 19% adoption reflects that complexity. But HSTS, X-Frame-Options, and X-Content-Type-Options are one-line nginx or Apache config changes. There's no good reason for 53–62% of SMBs to be missing them.
The absence of X-Frame-Options leaves sites vulnerable to clickjacking. Missing X-Content-Type-Options can enable MIME-type sniffing attacks. These aren't theoretical — they show up in penetration test reports as exploitable issues.
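An added example, not ComplianceLayer's code, that grades a response's headers against the six in the table. `fetch_headers()` is an assumed urllib helper for live checks, and the one-year HSTS max-age threshold is common guidance rather than a number from this post; the sample headers in the test are constructed.

```python
"""Grade the six HTTP security headers from the table above. Added example, not
ComplianceLayer's code: check_headers() works on a plain mapping so it runs
offline; fetch_headers() is a small urllib wrapper for a live site. The one-year
HSTS max-age threshold is an assumption from common guidance, not from the post."""
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a useful HSTS policy

def fetch_headers(url, timeout=10):
    """HEAD the URL and return its response headers as a plain dict."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers)

def check_headers(headers):
    """Return (grade, findings); header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first visits and http:// links are not upgraded")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year: browsers forget the policy quickly")

    csp = h.get("content-security-policy", "")
    # A CSP frame-ancestors directive supersedes X-Frame-Options in modern browsers.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN: page can be framed (clickjacking)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing: browsers may MIME-sniff responses")
    if not csp:
        findings.append("Content-Security-Policy missing")
    if not h.get("referrer-policy"):
        findings.append("Referrer-Policy missing: full URLs can leak to third parties")
    if not h.get("permissions-policy"):
        findings.append("Permissions-Policy missing: browser features are not restricted")

    # 0 findings = A, 1 = B, 2 = C, 3 = D, 4 or more = F (the post's A-F scale)
    return "ABCDF"[min(len(findings), 4)], findings
```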
Open Ports: A Few Alarming Findings
Open port analysis checks which network services are reachable from the public internet. Some open ports are expected (80/HTTP, 443/HTTPS). Others are not.
Unexpected open ports found across the dataset:
- RDP (port 3389) exposed to internet: 14% of domains
- SMB (port 445) exposed to internet: 7% of domains
- Telnet (port 23) open: 3% of domains
- FTP (port 21) open: 9% of domains
- SSH on default port 22: 31% (elevated risk if using password auth)
RDP exposed to the internet is a well-documented ransomware entry point. The 14% figure is consistent with external research — RDP brute force has been the leading initial access vector in ransomware incidents for several consecutive years according to multiple incident response firm reports.
SMB (the file-sharing protocol) exposed to the internet raises WannaCry-era memories. It should not be reachable from the public internet in any small-business deployment.
The good news: 62% of domains earned an A or B on port exposure, meaning most SMBs have at least the basics of network perimeter hygiene. The remaining 38% have at least one significant finding.
The Overall Picture
Scoring each domain across all four categories:
- A overall: 4%
- B overall: 23%
- C overall: 38%
- D overall: 27%
- F overall: 8%
More than one-third of SMBs scored D or F on overall external security posture. The most common failure pattern was: decent SSL, missing email authentication, no security headers, one or two problematic open ports.
This isn't a technology problem. It's a visibility problem. MSPs managing these companies often don't have an automated way to track this across their client base. The clients themselves have no idea. Nobody is watching the dashboard that doesn't exist.
What We Recommend
Based on these findings, here's the priority order for any SMB or MSP addressing the gap:
- Fix DMARC immediately. It's free, it takes 10 minutes, and the blast radius of not having it is enormous. Start with `p=none` if you need to monitor before enforcing.
- Audit open ports. RDP should never be internet-facing. Use a VPN or jump host.
- Add HSTS and X-Content-Type-Options. Two header lines in your web server config.
- Check SSL expiry. Set up monitoring or use a cert provider with auto-renewal.
- Add CSP. More complex, but important for any site loading third-party scripts.
Try It Yourself
If you're an MSP or sysadmin who wants to know where your clients or your own domains stand, ComplianceLayer's free tier lets you run 10 domain scans per month with no credit card required. You'll get an A-F grade per category and a specific remediation checklist for every failing check.
We didn't write this to sell subscriptions (though we're happy if you upgrade). We wrote it because someone needs to show the actual numbers — and the numbers say most SMBs are one missed DMARC record away from a convincing phishing campaign.
Data collected Q1 2026. N=200 SMB domains. External passive scanning only. No internal systems accessed.