Editorial visualization of small website attacks as a constant background hum against a black field
Cybersecurity • 5 min read

The Attack Baseline Every Small Website Already Faces

A newly exposed cloud server gets its first probe in about 52 seconds. Small website attacks are automated and constant, not a big-company problem. Secure-by-construction absorbs the baseline.

Small website attacks are not a big-company problem waiting to find you. Over one 30-day window at the edge, one small business we support saw 192,155 total requests, and 3,134 of those were attacks flagged and handled automatically. A newly exposed cloud server gets its first probe in about 52 seconds. That is the baseline, and every site sits on it from the moment it goes live.

Editorial visualization of small website attacks as a constant background hum against a black field
Automated probing is the constant background condition of the modern web, not a rare event.

I find the psychology here fascinating, because "we are too small to be a target" feels true and is almost never accurate. It confuses a low public profile with low exposure. Attackers are not reading your homepage and deciding whether you are worth their time.

Why small website attacks are arithmetic, not attention

Most automated attacks are not personal. They are enumeration. Scanners walk the whole IPv4 address space, read public certificate transparency logs, and pull DNS records to build a list of everything that exists, then poke each entry with the same handful of known exploits.

You do not get chosen. You get counted. A Sophos honeypot study measured an average of 13 attack attempts per minute per honeypot, from servers that were advertising nothing and known to no one.

The traffic mix tells the same story. In 2024, bots made up 51% of all web traffic, with bad bots at 37%, according to the Imperva 2025 Bad Bot Report. More than a third of what hits an average site is automated and not there to help you. That is why the analytics you watch are only a floor, a point worth understanding on its own in what the server sees that your dashboard does not.

What the baseline actually looks like from the edge

Here is one anonymized example, offered as illustration rather than a trophy. For a single small local-services business over 30 days, the edge layer recorded 192,155 total requests. Of those, 3,134 were attacks, flagged and handled before they reached anything that mattered.

At the time of the assessment, the site passed 213 of 220 hardening checks, roughly 97%, with zero known critical vulnerabilities. Those checks were benchmarked against the technical controls in recognized frameworks including CIS, PCI-DSS, SOC 2, ISO 27001, NIST 800-53, CMMC, and HIPAA. Benchmarking a system against a framework's controls is not the same as a formal audit or certification against that standard, and it is not a claim of compliance with any of them.

Abstract edge layer filtering small website attacks from legitimate requests in hot pink light
At the edge, roughly one in sixty requests to this small site was an attack, quietly filtered.

None of that required a heroic response. It is what happens when patched dependencies, least privilege, no default credentials, TLS, and rate limiting are in place before launch. The attacks arrive on schedule; the engineering decides whether they land.

Is the risk really the same for a tiny business?

The exposure is the same. The consequences are often worse, because smaller organizations absorb the hit with fewer reserves. Verizon's 2025 Data Breach Investigations Report found ransomware or extortion present in 88% of breaches at small and midsize businesses, versus 39% at large organizations.

The cost is concrete. Hiscox put the median cost of a cyberattack to a US small business at $8,300, against a median of four attacks per year. For contrast at the other end of the scale, IBM measured the global average data breach at $4.88 million in 2024, up 10% year over year.

Preparation is uneven. As reported by Embroker citing UpCity, about half of small businesses have no cybersecurity plan, only around 14% have a formal incident response plan, and 59% of those without one believe they are "too small to be a target." That belief is the measurement illusion, restated as a strategy.

Secure by construction beats security bolted on

The reassuring part is that surviving the baseline is not exotic. Security is a byproduct of good engineering, not a separate product you buy afterward. The same choices that make a site fast, correct, and maintainable are the ones that make it hard to exploit.

There is a plainer reason we build this way. We help good people do good things, and a small business owner who serves their neighbors should not lose a weekend, or their customers' trust, to an automated script that never knew their name.

Patched dependencies close the exact holes the scanners test for. Least privilege limits what a single compromised component can reach. No default credentials removes the first thing every bot tries. TLS keeps data honest in transit, and rate limiting blunts brute force. We build this way by default, an approach I describe more fully in designing security into the architecture first and in why compliance is a side effect of how you build.

Structural lattice representing secure by construction engineering that withstands small website attacks
Secure by construction: the ordinary engineering choices that quietly absorb the baseline.

Practical footholds help too. The five things every business should do first cover most of the easy wins, and a short set of HTTP security headers raises the floor with minimal effort. Because the math favors it: prevention costs far less than recovery, and it is worth knowing what recovery actually involves before you need to.

The frameworks, briefly

The benchmarks above are not interchangeable. Each answers a different question about how a system is built and run. A quick reference:

  • CIS Controls: a prioritized set of safeguards, a practical starting checklist for any organization.
  • PCI-DSS: the standard for anyone who handles payment card data.
  • SOC 2: an independent report on how a service provider manages customer data across security, availability, and privacy.
  • ISO 27001: the international standard for an information security management system.
  • NIST 800-53: a comprehensive catalog of security and privacy controls, widely used across US federal systems.
  • CMMC: the Department of Defense maturity model for contractors handling controlled information.
  • HIPAA: the US rules protecting health information.

You rarely need all of them. You do benefit from building as though someone might one day ask. That is the quiet advantage of teams like JDR Security Solutions, who run cloud health checks against exactly these standards, and it reflects how we approach engineering across the Kief Studio ecosystem.

Related reading

Frequently Asked Questions

Are small website attacks really automated rather than targeted?

Overwhelmingly, yes. Most probing comes from scanners that enumerate the entire internet and test every host for the same known weaknesses. You are counted in a list, not singled out, which is why even a brand new site with no visitors starts seeing traffic within minutes.

If my site is small and unknown, am I actually at risk?

Low profile does not mean low exposure. The same attacks reach every public site, and smaller organizations often feel the consequences more sharply. Verizon found ransomware or extortion in 88% of breaches at small and midsize businesses.

What is the single most effective thing to do?

Keep dependencies patched. Most automated attacks target known vulnerabilities that already have fixes available, so staying current closes the doors the scanners are checking. Pair that with removing default credentials and enabling TLS.

What does "secure by construction" mean in practice?

It means the engineering choices that make a site good also make it resilient: patched dependencies, least privilege, no default credentials, TLS, and rate limiting, all in place before launch. Security becomes a property of how the system is built rather than a layer added later.

How do you know a site is handling the baseline well?

Measure at the edge, where every request is visible, and benchmark against recognized frameworks. In the anonymized example here, that meant passing 213 of 220 hardening checks at the time of assessment, with zero known critical vulnerabilities, while attacks were flagged and handled continuously.

Cybersecurity Jun 6, 2026 6 min

Build Compliance In. Stop Bolting It On.

Non-compliance costs $14.82 million on average versus $5.47 million to maintain compliance, a 2.71x gap. Compliance engineering means building systems where evidence generates itself, not assembling it from memory before each audit.

Cybersecurity Jun 3, 2026 6 min

Your Lockfile Is a Threat Surface

Sonatype counted 1.23 million malicious packages. Your lockfile security posture determines whether those packages reach production or stop at the gate. The dependency layer is the attack surface now.

Work With Us

Need help building this into your operations?

Kief Studio builds, protects, automates, and supports full-stack systems for businesses up to $50M ARR.

Newsletter

New writing, straight to your inbox.

Strategy, psychology, AI adoption, and the patterns that actually compound. No spam, easy to leave.

Subscribe