Research · April 2026

What 351 Australian business scans revealed

Cyber Node ran the Cyber Exposure Snapshot across 351 Australian SMB domains between March and April 2026. 78% were rated HIGH or CRITICAL. 99% had at least one high-severity exposure. 1,787 actionable findings in total. No credentials. No intrusive testing. Just the drive-by view an attacker already has.

  • 78% rated HIGH or CRITICAL overall risk (274 of 351)
  • 99% had at least one high-severity exposure (300 of 303)
  • carried five or more distinct findings in a single scan
  • had at least one finding — only 4 of 351 came back clean

351 domains scanned
1,787 actionable findings surfaced
548 high-severity exposures
~6 average findings per scan

The findings

Six themes account for the bulk of the 1,787 findings

None are exotic. All are fixable — usually by your existing IT provider, in days, once they know the issue exists. These are the categories that recurred across almost every scan in the dataset.

  1. Email impersonation wide open

     Missing or weak SPF, DKIM and DMARC. Anyone on the internet can send mail that looks like it came from the domain. Invoice fraud begins here — the single most common cyber loss for Australian SMBs.

  2. Staff credentials in breach corpora

     Corporate logins and, in many cases, their passwords already searchable in public breach databases. Business email compromise often starts with a password a staff member reused in 2021.

  3. Login portals and admin panels exposed

     VPN portals, CMS admin pages, network appliances, camera systems, development environments left accessible to the public internet. Usually advertising the exact software version, which is a free roadmap for an attacker.

  4. End-of-life software on the perimeter

     Known, published CVEs sitting unpatched on internet-facing systems. Not zero days. Not nation-state material. Ordinary patch gaps that a commodity scanner finds in minutes.

  5. Hosting and control panels reachable globally

     cPanel, WHM, Plesk, DirectAdmin, registrar control panels, DNS management consoles — a single compromise here hands over the website, the email and the DNS in one move.

  6. Forgotten subdomains and staging environments

     The digital side gate nobody remembers installing. Dangling DNS, abandoned staging sites, old marketing microsites pointing to cloud resources that no longer exist. Ready to be claimed by any attacker who notices.
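Finding 01 hinges on what "missing or weak" means for SPF and DMARC. As an added example (not Cyber Node's code or the Snapshot scanner's), the Python below grades a domain's record pair the way a defender would triage it, using constructed record strings instead of live DNS lookups; the HIGH/MEDIUM/LOW labels are an assumed grading, not the report's.

```python
"""Grade a domain's SPF + DMARC records as they relate to finding 01.

Added example, not code from Cyber Node or its scanner. Records passed in
are constructed strings; a live check would fetch TXT for <domain> and
_dmarc.<domain>. The HIGH/MEDIUM/LOW labels are an assumed grading.
"""


def spf_strength(spf):
    """Classify by the 'all' mechanism, which decides unlisted senders."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return "missing"
    alls = [t for t in spf.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return "neutral"            # no 'all' term: implicit ?all
    qual = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"+": "open",            # +all: anyone passes SPF
            "?": "neutral",         # ?all: no verdict, DMARC cannot rely on it
            "~": "softfail",        # ~all: fine only with an enforcing DMARC
            "-": "hardfail"}[qual]  # -all: unlisted senders fail


def dmarc_policy(dmarc):
    """Return the receiver instruction: missing/none/partial/quarantine/reject."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return "missing"
    tags = {}
    for kv in dmarc.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        return "none" if p == "none" else "missing"
    # pct below 100 means only a sample of failing mail is acted on
    return p if int(tags.get("pct", "100")) == 100 else "partial"


def assess(spf, dmarc):
    """Map the record pair to an impersonation-exposure grade."""
    s, d = spf_strength(spf), dmarc_policy(dmarc)
    if s == "open" or d in ("missing", "none"):
        return "HIGH"     # spoofed mail is SPF-authorised or never rejected
    if d == "partial" or s in ("missing", "neutral"):
        return "MEDIUM"   # enforcement exists but is sampled or rests on DKIM alone
    return "LOW"
```

A record with `p=none` is monitoring only, which is why it grades the same as no DMARC at all here; `~all` alone is not a fix either unless DMARC enforces.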

Role boundary

Why this isn't your IT provider's job

Your IT provider keeps things working — uptime, backups, email flowing. Cyber Node looks at what could break the business, from the outside, the way an attacker does. Different trade, different mindset.

The Snapshot gives your MSP a prioritised, attacker's-eye to-do list. It makes their job easier, not harder. Most fixes are configuration changes, not capital projects.

What it costs the business if ignored

The exposures above translate into real losses, every week

  • Invoice fraud and payment redirection

    The single most common cyber loss for Australian SMBs. Starts with a spoofed email that SPF/DMARC should have blocked.

  • Business email compromise via reused passwords

    Once a staff credential is in a breach corpus, every system that accepts that reused password is one login away from compromise.

  • Reputational damage from phishing sent under your domain

    Your customers receive convincing phishing with your branding. You find out when they call to complain.

  • Cyber insurance friction

    Australian cyber insurers increasingly check external posture before paying claims. Exposed admin panels and missing DMARC are reasons to decline cover.

What to do this week

The exposure window closes the moment you look

  1. Run your own Snapshot

     Two minutes, non-intrusive, passive. Nothing touches your infrastructure. No credentials required.

  2. Hand the report to your IT provider

     A prioritised, attacker's-eye to-do list. Most fixes are configuration changes your MSP can close in days.

  3. Re-run quarterly

     Exposure isn't static. Staff change, domains move, subdomains get forgotten. The drive-by view changes.

Passive external scan. Read-only. No credentials, no agents, nothing installed on your infrastructure. Australian-hosted. GST included.

Cost of doing nothing

What a single exposed service can cost

Event                                                   Typical cost
Ransomware recovery (SMB, 50–200 staff)                 $250k – $1.2m
Business email compromise (single fraudulent transfer)  $50k – $500k
OAIC notifiable data breach response                    $100k+
CES scan                                                A$399

Figures drawn from publicly reported Australian incidents and OAIC Notifiable Data Breaches reports.

Not sure what you need?

Start with a scan. Move to a manual test if you need depth.