You're Not a Target. You're Infrastructure. Here's What We Built When We Realized That.
---
## The Question That Stops Every Conversation
Every small business owner I have ever sat down with eventually asks some version of this.
"I am nobody. From a nobody place. I run a nobody small business with a few employees. I do not have anything of value. I am the noise. What do I have that anyone really wants? I see data brokers selling search-by-name-and-state for a dollar. Databases all over the place. This is not for me. I literally do not have anything anyone could possibly care about."
Some version of that sentence. Every conversation. Every customer.
The reason this question stops every conversation is that the customer is mostly right. They are not a Fortune 500 company. They do not have proprietary research. They are not handling classified material. They are not in the top wealth bracket. Their personal information is being sold for a dollar on data broker sites right now. They have seen the headlines about the big breaches and correctly identified that they are not in that category.
When I respond with "but you are valuable," the customer hears me trying to sell them something. They tune out. The "you are more valuable than you think" pitch fails because the customer knows in their bones that they are not.
So I am going to stop making that pitch. I am going to make a different one. One that actually answers the question instead of arguing against it.
---
## Who Is SmiteByte, And Why Should Anyone Listen To Us
Before going further, the honest framing.
I am not Vectra. I am not Darktrace. I am not Corelight. I do not have a sales team, a marketing department, a Gartner Magic Quadrant placement, or a Fortune 500 customer logo wall. SmiteByte is a small operation building network security tools for businesses that look like ours — small, regional, operating on thin margins, with no in-house security staff and no realistic path to affording the products the big vendors sell.
I run SmiteByte out of Imperial County, California. Cattle country. Agricultural country. The kind of place where if your operation goes down for a week, the bank has questions. Operational margins are thin and mistakes are costly. That is the environment that shaped how I think about security. Not as a checkbox compliance exercise. Not as a feature list. As a question of whether a business survives the week when something goes wrong.
What I have is roughly thirty-five years of IT and operations work, including running networks for small businesses that could not afford enterprise tools, including being a pen-tester who sat across from owners and explained why their NVR was visible to the entire internet, and including being the guy who got the call at 2 AM when a server stopped responding. I built SmiteByte because I kept watching small businesses get sold security products that either did not fit them or cost more than the business made in a year.
The pitch I am going to make in this post is not "we are the best." The pitch is "we built something specifically for businesses that the big vendors do not actually serve, and here is what it does, and here is why we think it matters." You can decide whether it is for you.
---
## What The Customer Is Actually Saying
When a small business owner says "I am nobody, who would target me," they are saying several things at once. Each of them has a kernel of truth.
A genuine observation about scale. They look at the headlines — Colonial Pipeline, Change Healthcare, MGM, the latest major breach — and they correctly recognize they are not in that category. They are not wrong.
A psychological defense. Believing you are a target is exhausting and frightening. Believing you are invisible is calming. The brain prefers calm.
A fairness claim. "I work hard. I pay my taxes. I treat my employees well. Why would anyone come after me?" The implicit framing is that victimhood requires deserving — and they do not deserve it, therefore it will not happen.
An economic argument. "Defending myself costs money. The likelihood of an incident is low. Insurance might cover it if something happens. Doing nothing is rational." This one is actually a serious argument and deserves a serious answer, not a dismissal.
Learned helplessness. They have seen larger companies with bigger budgets get breached. If Target and Equifax cannot protect themselves, what hope does a 12-employee operation have? Doing nothing feels like the only honest response.
Every one of these has a kernel of truth in it. That is why "you are more valuable than you think" lands flat as a counterargument — because the customer knows they are not, in fact, a high-value individual target. They are right about that.
The pitch cannot be "you are valuable." It has to be a different pitch entirely.
---
## The Real Answer — You Are Not The Target. You Are The Vehicle.
Here is the reframe that I think actually works, because it stops trying to convince the customer of something they do not believe and starts telling them something that is actually true.
The modern attack economy is mostly not interested in individual small businesses as targets. It is interested in small businesses as infrastructure.
That is a different sentence than "you are a target." Let me unpack what it means in practice, because this is the framing customers have not heard before and that I think can actually land.
### Your Network Is A Stepping Stone To Someone Bigger
A nation-state operator or sophisticated criminal group does not need to compromise the Fortune 500 company directly. They need to compromise a small vendor that emails invoices to the Fortune 500 company — because that small vendor's email gets through enterprise spam filters automatically and the contracts and invoices look completely legitimate.
Your business is a vendor to somebody. That somebody has value, even if you do not.
This is the SolarWinds attack model applied at small business scale. SolarWinds itself had nothing the attacker wanted. SolarWinds' customers — US federal agencies, Fortune 100 companies — had everything the attacker wanted. The supply chain was the attack vector.
A cattle operation in Imperial County does not have anything an attacker wants directly. But that cattle operation sells to a packing plant that supplies a national grocery chain. The packing plant's procurement systems trust emails from the cattle operation. Compromising the cattle operation creates a route into the packing plant's systems. The attacker does not care about the cattle operation. They care about the packing plant.
This is also how every operation involving agricultural water rights, land sales, or commodity hedging works. Small operators are connected to bigger operators by trust relationships that an attacker can exploit. You do not have to be valuable to be useful.
### Your Devices Are Someone's Botnet Capacity
Every internet-connected device on a small business network — the security cameras, the VoIP phones, the router, the network printer, the IoT sensor on the irrigation pump — is potential capacity for someone else's operation.
The Kimwolf botnet's roughly 2 million infected Android devices include thousands of small business deployments. The IPIDEA proxy network's 9 to 11 million daily proxies include endpoints in every conceivable small business.
The customer does not lose anything they value when their devices get conscripted. Their cameras still record. Their phones still ring. Their irrigation still works. But somebody else is using their devices to do things — scan other networks, route credential-stuffing traffic, deliver DDoS attacks against targets the customer has never heard of.
When the FBI eventually traces an attack back to its origin, the IP address might trace to your small business. Not because you did anything. Because your router was somebody else's relay.
This is not theoretical. The 911 S5 case documented bomb threats made through compromised home networks. The homeowners had no idea. They were the unwitting infrastructure for someone else's operation. The same model operates at the small business scale right now.
### Your Credentials Are The Entry Point To A Larger Fraud Operation
Your bookkeeper has access to your bank account. The bookkeeper's email password got compromised in a LinkedIn breach in 2022 and they never changed it. The credential is now in the criminal database, and at some point an automated tool will try it against your bank.
You do not have millions in the bank. But you have enough that a successful wire fraud — initiated by an attacker who has the bookkeeper's email credentials and can intercept email-based payment confirmations — could destroy the business. The attacker does not need to specifically target you. They just need an automated workflow that tries leaked credentials against business banking endpoints. Your account is one of tens of thousands they try.
The FBI's IC3 reports on Business Email Compromise document this exact pattern. The average BEC loss for a small business in 2024 was over $125,000 per incident. Not a Fortune 500 problem. A small-business problem. You do not have to be valuable to the attacker. You just have to be reachable by an automated process.
### Your Obscurity Is An Attacker Advantage, Not A Defense
This one is counterintuitive and worth thinking through carefully.
When a major hospital gets breached, the FBI, CISA, the state Attorney General, the insurance carrier, journalists, and a dozen security vendors all show up. The attacker has hours, maybe days, before law enforcement is in the building. The risk of getting caught is real because the victim has resources to fight back.
When a small business in Imperial County gets breached, nobody shows up. The owner calls their IT guy. The IT guy does not know what to do. They restore from a backup if they have one. They might or might not report it to anyone. They might or might not call their insurance company, assuming they have cyber coverage, which most do not. The attacker faces essentially zero accountability risk because the victim does not have the resources to mount an investigation.
Small businesses are not safer because they are obscure. They are easier targets because they are obscure. The attacker's risk-adjusted return per attack is often higher against small businesses than against large ones, because the loss per incident is smaller but the probability of getting caught is much lower.
This is why ransomware groups have steadily shifted toward small-business targeting over the past three years. The math works better.
### Your Data Is Somebody Else's Data
You say you do not have anything of value. But you hold your employees' personal information — Social Security numbers, addresses, banking info for payroll. You hold your customers' personal information — names, addresses, payment information, in some cases health data. You hold your vendors' contact information, which the attacker uses for the next round of attacks. You hold your financial records, used for tax fraud, business loan fraud, identity theft. You hold your email archive, used for blackmail in some cases but more commonly used to build context for the next attack.
You are not valuable. The data you hold on other people is valuable, in small dollar amounts per record, multiplied across millions of records aggregated from millions of small businesses. This is the data broker economy operating from the criminal side.
That $1 record you mentioned seeing on a data broker site? That record exists because somebody, somewhere, got breached and the data leaked into the commercial market. You might be one of those somewheres without knowing it.
---
## The Sentence That Cuts Through
If I had to compress the answer to "I have nothing anyone wants" into one sentence the customer would actually hear, it would be this.
You are right — you are not a target. You are infrastructure. And in 2026, infrastructure is what gets attacked, because targets are too well-defended.
That sentence agrees with the customer's premise instead of arguing with it. It reframes the threat — they are not the destination, they are the route. It acknowledges the change in the attack economy — major targets have hardened, so the attack surface has shifted to the soft middle. It does not try to scare them. It is just honest about what is actually happening.
---
## A Real-World Example, Two Hours Old
I got a threat-intelligence email from AlienVault while I was finishing this article. The headline was about a new piece of malware called TencShell that Cato Networks intercepted in April 2026 — a customized Go-based implant suspected to be linked to a China-based threat actor, used against the Indian branch of an unnamed global manufacturer.
The detail that stopped me was one sentence buried in the report. "The activity appeared in traffic associated with a third-party user connected to the customer environment."
The attacker did not come through the front door of the global manufacturer. The attacker came through somebody the manufacturer trusted enough to give network access. A vendor, a contractor, a partner, an integrator — somebody smaller, somebody less defended, somebody who almost certainly did not know they were the vector and may still not know.
The manufacturer is who the attacker wanted. The third party is how the attacker got there.
That is this entire article in one sentence, written by a different company, about a different incident, on a different continent, two hours before I clicked send.
The third party in that report does not get named. The third party does not get a writeup. The third party probably did not get a phone call from Cato — Cato was contracted to the manufacturer, not to them. The manufacturer gets the incident report, gets the remediation, gets to write a board memo about resilience. The third party finds out later, or never, depending on how the manufacturer handles their vendor relationships afterward.
That is what "you are infrastructure" actually looks like in practice. You do not get a seat at the table when the attack against you gets documented. You get referred to as "third-party user" in somebody else's incident writeup.
That happened this month. To a real third-party business. Somewhere.
---
So if that is the new framing, the next question is — how does this actually work? How does an attacker who has never heard of you decide you are worth conscripting into their operation? How fast can it happen? And what does the existing security stack do about it?
The answers to those questions are why I built Nora.
---
## The Internet Has Already Been Scanned. Yours Included.
Here is how this used to work, as a pen-tester.
A new customer engagement starts. You get the public IP block. You sit down at the laptop and you fire up nmap. First you scan from outside — what does the internet see when it looks at this customer's perimeter? Open ports, service banners, version strings, anything that is leaking out. Then you scan from inside — what does this network actually look like when you are behind the firewall? Internal hosts, exposed services, lateral movement paths, what is broadcasting that should not be.
You take that data and you start closing things down. Block the port that does not need to be open. Turn off the IoT device that is screaming on UDP 1900. Patch the vulnerable service version. Document the perimeter. Hand the customer a hardened network.
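The outside-in scan and the "start closing things down" step above, as an added example that is not SmiteByte's or Nora's code: it reads the XML that `nmap -oX` writes and turns it into a prioritized hardening list. The sample XML is constructed, and the never-expose and allowed port tables are an assumed policy for a small-business perimeter, not a standard.

```python
"""Triage an external nmap scan of a small-business perimeter into a
hardening checklist: what should never face the internet, what leaks a
version banner, and what is expected to be public.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -oX` might report for one public address.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="554"><state state="open"/>
        <service name="rtsp" product="Hikvision IP Camera rtspd"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="1900"><state state="open"/>
        <service name="upnp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed policy: services that have no business being reachable from the
# internet on a small-business edge. Extend for the customer's environment.
NEVER_EXPOSE = {
    ("tcp", 23): "telnet: cleartext admin login; disable or firewall it",
    ("tcp", 554): "rtsp: camera/NVR stream exposed; move behind the VPN",
    ("tcp", 3389): "rdp: direct RDP exposure; use a VPN or gateway with MFA",
    ("udp", 1900): "ssdp/upnp: device discovery leaking; block UDP 1900",
}
# Assumed policy: services this customer intentionally publishes.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 25)}


def parse_open_ports(xml_text):
    """Return [(host, proto, port, service, banner)] for open ports only."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not exposures
            svc = port.find("service")
            name, banner = "?", ""
            if svc is not None:
                name = svc.get("name", "?")
                # Product + version is what a scanner database would index.
                banner = " ".join(filter(None, [svc.get("product"),
                                                svc.get("version")]))
            found.append((addr, port.get("protocol"),
                          int(port.get("portid")), name, banner))
    return found


def triage(xml_text):
    """Classify each open port as 'close', 'review', or 'expected'."""
    findings = []
    for addr, proto, port, name, banner in parse_open_ports(xml_text):
        key = (proto, port)
        if key in NEVER_EXPOSE:
            action, why = "close", NEVER_EXPOSE[key]
        elif key in ALLOWED:
            action, why = "expected", "public service; keep it patched"
        else:
            action, why = "review", "unexpected service; confirm it is needed"
        if banner:
            why += f" (banner leaks version: {banner})"
        findings.append({"host": addr, "proto": proto, "port": port,
                         "service": name, "action": action, "why": why})
    # Most urgent first so the report reads like a to-do list.
    order = {"close": 0, "review": 1, "expected": 2}
    return sorted(findings, key=lambda f: (order[f["action"]], f["port"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_XML):
        print(f"{f['action']:8} {f['host']} {f['proto']}/{f['port']:<5} "
              f"{f['service']:12} {f['why']}")
```

Swap the sample for the real `-oX` output of the outside scan and the list is the first page of the customer hand-off.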
I have been doing this for years. Standard pen-tester workflow. Nothing exotic about it.
Here is what I did not fully grasp until recently. Every single customer I have ever worked with had already been scanned. Not once. Not by accident. Systematically. For over a decade. By organizations running infrastructure I cannot compete with.
When I run nmap against a customer's public IP block, I am not the first person to look. I am just the first person they hired to look. The actual first scan of their perimeter happened years ago, was run by software dozens of times more sophisticated than nmap, used clusters of IPs that rotated faster than any reputation system could track them, and the results were stored in commercial databases that anyone with a credit card and an internet connection can query.
The customer's perimeter is already in someone's database. Probably several someones' databases. The only question is whether they have also been catalogued by the someones who plan to use the data for harm versus the someones who plan to use it for research, attribution, or sales.
That realization is what made Nora necessary.
---
## The Scale — What Mass Scanning Actually Means In 2026
GreyNoise published a report in April 2026 titled "The Invisible Army: Residential Proxy Abuse in Internet-Scale Attack Traffic." Their methodology was to deploy passive sensors across 80+ countries, observe all unsolicited internet traffic hitting those sensors for 90 days, and classify what they saw. The dataset excludes known benign scanners like Shodan and Censys and excludes spoofable protocols. The numbers below describe the malicious or suspicious end of the spectrum.
Four billion sessions. That is 4,020,000,000 distinct connection attempts hitting their sensor network in 90 days.
5.72 million unique source IPs. Each one a distinct attacker, scanner, or compromised device.
39% of those source IPs originate from residential internet connections — home internet service, small business broadband, mobile data connections. Not data centers. Not hosting providers. Houses and apartments.
78% of residential IPs are invisible to reputation feeds. They rotate faster than any commercial threat intelligence service can catalog them. By the time an IP shows up on a blocklist, that IP has been retired and 50 new ones are in use.
89.7% of residential attacker IPs are active for under a month. Only 8.7% remain visible for 2 months. Only 1.6% persist for 3 months. The entire attack infrastructure rotates faster than most organizations rotate their employees.
GreyNoise's CEO summarized it bluntly. Nearly 4 in 10 IPs hitting their sensors are residential IPs, indicating the scale at which home internet gear has been compromised. Attackers have weaponized the infrastructure we trust most, and every organization that relies on IP reputation as a primary defensive layer is exposed right now.
For a small business, that means when something scans your network, there is a meaningful chance it came from a compromised home Wi-Fi router in a country you have never been to, owned by someone who has no idea their internet connection is being used to probe your VPN appliance.
---
## Who Is Actually Doing This — The Three Layers Of The Scanning Economy
When we talk about mass internet scanning, we are talking about three different industries with three different sets of incentives.
### Layer 1 — Legitimate Research And Commercial Intelligence
Shodan is the granddaddy of internet-wide scanning. Founded in 2009. Continuously scans the entire IPv4 internet, fingerprints every service it finds, and sells access to the resulting database. Pricing is published — $59 per month for the freelancer tier, $899 per month for corporate access. The enterprise data license is custom-priced for organizations and provides bulk access to the entire database plus the ability to use Shodan's infrastructure to scan networks on demand.
Anyone with a credit card can query Shodan and ask things like "show me every Hikvision security camera in Riverside County, California" or "show me every Modbus industrial controller exposed to the internet in Germany." The results come back in seconds.
Censys is the academic-pedigree competitor. Started as a research project at the University of Michigan in 2015, spun out as a commercial company in 2017. Built on the open-source ZMap scanner, which can scan the entire IPv4 internet in under an hour from a single fast machine. Four tiers — Free, Starter, Search, and Enterprise. Enterprise pricing requires contacting sales. Opaque, custom-quoted, typically used by Fortune 500 security teams and government agencies.
Google buys Censys data. Their threat intelligence team ingests it and combines it with internal signals. The CEO of Censys confirmed this publicly. The same scan data your business shows up in is being used by Google's threat hunters. Whether that makes you feel better or worse probably depends on your assumptions about Google.
GreyNoise is the third major player but focuses on a different question — instead of "what is exposed on the internet," they ask "who is scanning the internet right now, and what are they scanning for?" They publish free spot lookups for individual IPs. Bulk API access for automated classification is in the $15,000-$50,000 per year range, depending on volume.
These three companies — Shodan, Censys, GreyNoise — operate the legitimate, commercially-disclosed end of the mass scanning economy. They scan, they catalog, they sell. They have published pricing, ethics policies, terms of service, and law-enforcement cooperation protocols. They are the visible part of the iceberg.
### Layer 2 — Criminal Residential Proxy Networks
The same architecture — scan everything, sell the access — exists in a much larger criminal version.
911 S5 was the largest example for many years. The U.S. Treasury sanctioned its operators in May 2024 and the FBI dismantled the infrastructure. At its peak, 911 S5 controlled 19 million compromised IP addresses in 190 countries. Confirmed victim losses ran into the billions of dollars.
The 911 S5 business model was to distribute free VPN applications — MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, ShineVPN — that secretly installed proxy backdoors on the user's device. The user thought they were getting a free VPN. They were actually being enrolled as an exit node in a global criminal infrastructure. Their home internet connection then got sold as "residential proxy access" to other criminals, who used it for fraud, identity theft, credential stuffing, and reconnaissance scanning. The FBI documented bomb threats made through 911 S5's network, attributed by IP to the unwitting homeowners whose laptops were the unknowing relays.
After 911 S5 went down in 2024, the market reorganized within weeks. By 2026, the dominant successor was IPIDEA, with 9 to 11 million daily active proxies. In one week of January 2026, over 550 distinct threat groups used IPIDEA's network. Nation-state actors from China, Russia, Iran, and North Korea were among them.
Google's Threat Intelligence Group disrupted IPIDEA in late January 2026. The disruption reduced IPIDEA's available proxy pool by about 40%. Within weeks, the market absorbed the lost capacity through other providers. The total demand for criminal residential proxy infrastructure did not decrease. It just routed around the damage.
The IPIDEA investigation also revealed something important about the criminal market structure. What looked like dozens of independent proxy services were actually different brand names for the same underlying network. Google's researchers identified 360 Proxy, 922 Proxy, ABC Proxy, Cherry Proxy, Door VPN, Galleon VPN, IP2World, Luna Proxy, PIA S5 Proxy, PY Proxy, Radish VPN, and Tab Proxy as IPIDEA-affiliated or operated brands. The customer thinks they are shopping a competitive marketplace. They are actually shopping the same wholesaler under different storefront names.
Another notable example is Kimwolf, an Android botnet that grew to over 2 million infected devices in 2026, primarily Android TV set-top boxes deployed in residential networks. Kimwolf's operators sell residential proxy bandwidth at $0.20 per gigabyte — making criminal residential proxy access cheaper than most legitimate commercial proxy services. They also use the same compromised devices for DDoS attacks of around 30 Tbps in volume. Synthient researchers estimated up to 12 million unique IPs per week associated with the Kimwolf infrastructure.
The economic structure is the inverse of legitimate scanning services. Shodan charges its customers more for more access. Criminal proxy services charge their customers less because their underlying labor — the infected home devices doing the actual relay work — is unpaid and unwilling.
### Layer 3 — Commercial Scan Operators And Specialized Scanners
Between the legitimate research companies and the criminal proxy networks sits a middle layer. Commercial scanner operations that focus on specific niches.
Recyber and Stretchoid are the two operators that triggered the original Nora investigation, which I will get to in a moment. Both are commercial scanner services operating from European hosting infrastructure. They run automated probes against millions of internet-connected devices, catalog the results, and sell access to clients who want to know "show me every exposed NVR on the internet that responds on TCP 35000."
Spur.us, IPinfo.io, Bright Data, and dozens of others operate similar models — perpetual scanning combined with database sales, often with specialized angles like compliance auditing, attack surface management, proxy detection, IP geolocation enrichment.
The legitimate operators in this layer maintain abuse contact addresses, comply with takedown requests, and publish methodology documents. They argue their services improve overall internet security by giving defenders the same visibility attackers have. That argument is true. It is also true that attackers can buy the same data, often for less than what enterprise customers pay.
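What catching these probes looks like on the defender's side, as an added example that is not SmiteByte's or Nora's code: since the sources rotate faster than reputation feeds update, it classifies each source by behaviour (how many distinct ports and hosts it touched) rather than by whether it is on a list. The log lines are constructed in netfilter LOG format, the two thresholds are assumptions, and the one-entry reputation feed is constructed to show a sweep that a feed would miss.

```python
"""Spot perimeter scanning in firewall DROP logs by behaviour, so that a
fresh, never-listed source is still caught.
"""
import re
from collections import defaultdict

# Constructed netfilter-style DROP lines from a small-business edge firewall.
SAMPLE_LOG = """\
Apr 12 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40123 DPT=35000
Apr 12 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40124 DPT=8000
Apr 12 03:14:08 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40125 DPT=554
Apr 12 03:14:08 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40126 DPT=23
Apr 12 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40127 DPT=80
Apr 12 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40128 DPT=443
Apr 12 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=51000 DPT=35000
Apr 12 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=40 PROTO=TCP SPT=51001 DPT=35000
Apr 12 03:15:03 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.12 LEN=40 PROTO=TCP SPT=51002 DPT=35000
Apr 12 03:16:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 LEN=120 PROTO=UDP SPT=1900 DPT=1900
"""

# Constructed stand-in for a commercial reputation feed. The port sweeper
# above is deliberately absent from it, as a freshly rotated source would be.
REPUTATION_FEED = {"192.0.2.44"}

KV = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict."""
    return dict(KV.findall(line))


def classify(lines, port_sweep_min=5, host_sweep_min=3):
    """Group dropped packets by source and label each source's behaviour.

    port-sweep:    one source, many distinct destination ports (inventory scan)
    service-sweep: one source, one port, many of our hosts (looking for one
                   exposed service, e.g. every NVR answering on TCP 35000)
    single-probe:  too little activity to call; keep for correlation
    """
    by_src = defaultdict(lambda: {"ports": set(), "hosts": set(), "hits": 0})
    for line in lines:
        kv = parse(line)
        if "SRC" not in kv or "DPT" not in kv:
            continue  # not a packet-filter line (or a non-TCP/UDP packet)
        rec = by_src[kv["SRC"]]
        rec["hits"] += 1
        rec["ports"].add((kv.get("PROTO", "?"), int(kv["DPT"])))
        rec["hosts"].add(kv["DST"])

    result = {}
    for src, rec in by_src.items():
        if len(rec["ports"]) >= port_sweep_min:
            kind = "port-sweep"
        elif len(rec["ports"]) == 1 and len(rec["hosts"]) >= host_sweep_min:
            kind = "service-sweep"
        else:
            kind = "single-probe"
        result[src] = {
            "kind": kind,
            "hits": rec["hits"],
            "ports": sorted(rec["ports"]),
            "hosts": sorted(rec["hosts"]),
            "on_feed": src in REPUTATION_FEED,
        }
    return result


def alerts(result):
    """Sources worth a ticket: sweeps, whether or not a feed knows them."""
    return sorted(src for src, r in result.items() if r["kind"] != "single-probe")


if __name__ == "__main__":
    for src, r in classify(SAMPLE_LOG.splitlines()).items():
        feed = "listed" if r["on_feed"] else "NOT on feed"
        print(f"{src:16} {r['kind']:14} hits={r['hits']:<3} "
              f"ports={len(r['ports'])} hosts={len(r['hosts'])} {feed}")
```

The port sweeper is the interesting line of output: it is not on the feed and still gets a ticket, which is the whole argument for behavioural detection at the edge.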
---
## The Hardware Question — Are These Supercomputers?
When people imagine an organization scanning the entire internet, the mental picture tends toward something exotic — racks of specialized hardware in a temperature-controlled data center, custom silicon, an army of engineers operating it.
The reality is closer to a single 1U server with a 10 gigabit Ethernet card, sitting in a normal hosting facility, running open-source software a graduate student wrote.
ZMap, the open-source scanner that powers a substantial portion of internet-wide research and a substantial portion of Censys's underlying infrastructure, can scan the entire IPv4 internet in under 45 minutes from a single commodity machine over a 1 Gbps connection. The same tool, running over a 10 Gbps connection with optimized kernel bypass drivers, completes a full IPv4 scan in 4 minutes 29 seconds.
Masscan, a competing open-source scanner written by Robert Graham, can sustain 1.6 million packets per second on a stock Linux machine, or 25 million packets per second on a system with an Intel 10 Gigabit Ethernet card and PF_RING kernel-bypass drivers. The hardware Graham documented in his original benchmark publication was a SuperMicro server worth about $340, an Intel quad-core CPU worth about $240, and an Intel 10GbE network card worth about $490. Roughly $1,100 in commodity hardware can scan the entire IPv4 internet in under 5 minutes.
That price was from 2013. The same capability today costs less. You can scan the internet from a $200 per month dedicated server rental at any major hosting provider.
This is the foundation of the modern mass scanning economy. Not specialized hardware. Not supercomputers. Not exotic infrastructure. Commodity equipment running well-engineered open-source software, operated by anyone with basic networking knowledge and a hosting bill they can pay.
The criminal residential proxy networks take a different approach. Instead of paying for hosting, they harvest free scanning capacity from millions of compromised home devices. Each individual device contributes only a small amount of capacity, but with millions of devices, the aggregate scanning throughput exceeds what any commercial operation can purchase. Kimwolf alone has 12 million unique IPs per week available for scanning duties. No commercial operation can match that scale on a hosting budget. The criminal operations have effectively externalized their hardware costs onto the rest of the world's broadband customers.
So the honest answer to "what kind of hardware do these people use" is — the legitimate commercial operations use commodity servers in normal hosting facilities. The criminal operations use your neighbor's compromised router. Neither requires anything that looks like a supercomputer.
This is the more disturbing answer than the supercomputer mental model, because it means the capability is broadly accessible. A small criminal organization with an engineering hire can operate at the same scale as Shodan. A single skilled individual with patience and a hosting account can build a working internet-scale scanner over a weekend. The mass scanning economy is not gatekept by money or by exotic technology. It is gatekept by knowing what to do, and that gate is leaking badly.
---
## The Bread Recipe — How Scan Data Becomes A Target Dossier
Mass scan data by itself is not a complete attack tool. It tells you what is exposed on the internet. It does not tell you who owns the exposed thing, how much they are worth, what industry they are in, who their employees are, who their customers are, what their cyber insurance posture looks like, whether they have been breached before, who their IT provider is, or any of the other context that turns "an exposed Lorex NVR" into "a high-value target worth attacking."
But all of those other data layers exist as separate, commercially-available products. And the operationally significant move is combining them.
Going to the grocery store and buying eggs alone does not make bread. But eggs plus milk plus flour plus a recipe and an oven produces bread. Mass internet scan data is the flour. There are many other ingredients on sale.
Let me walk through the actual data layers a sophisticated targeting operation can purchase or obtain. All of these exist as commercial or semi-commercial products in 2026.
Internet scan data. Every internet-connected device, what ports it has open, what services it runs, what versions of those services, what their banner strings say. Sources include Shodan, Censys, BinaryEdge, Spyse, Netlas, and a dozen others. Cost ranges from $59 per month to query manually, up to hundreds of thousands per year for bulk data licenses.
Reverse-IP hostname data. Every domain name and subdomain pointing at each IP, including stale DNS records that reveal organizational structure. Sources include SecurityTrails, DNSDB, VirusTotal, and Microsoft Defender External Attack Surface Management. Cost is $50-$500 per month at the lower tiers, much higher at enterprise.
Whois and registration data. Who registered each domain, when, with what contact email, what billing address. Sources include DomainTools, WhoisXML API, and public whois servers. Free at low volume, $99-$1,500 per month for commercial API access.
Corporate registration data. Business entity registrations, officers, directors, registered agents, filing history, annual report data. Sources include OpenCorporates, Dun & Bradstreet, and state Secretary of State databases. Often free for individual lookups, $1,000-$50,000 per year for bulk access.
Employee and workforce data. Who works where, what their job titles are, what email addresses they use, what their LinkedIn says, their professional history. Sources include LinkedIn Sales Navigator, ZoomInfo, Apollo.io, Lusha, RocketReach. Cost is $99 per month at the freelancer tier, $25,000-$200,000+ per year for enterprise sales-intelligence platforms.
Data breach compilations. Every email address, password, and personal record that has ever been leaked in any major data breach, indexed and searchable by person, organization, and domain. Sources include HaveIBeenPwned (free), DeHashed ($5 per month), LeakCheck, IntelX, and various darker markets. Free for spot-checks, $5-$500 per month for commercial bulk access.
Threat intelligence feeds. Which IP ranges and domains are known to be malicious, which are known to be benign scanners, which are known to be used by specific threat actor groups. Sources include GreyNoise, AlienVault OTX, Recorded Future, ThreatConnect, Mandiant. Free at the basic tier, $50,000-$500,000+ per year for enterprise CTI platforms.
Geographic and demographic data. Who lives where, who works where, what the local economy looks like, which businesses operate in which counties and zip codes. Sources include U.S. Census Bureau, state and county business registries, and commercial data brokers like Acxiom and Experian. Free at the public source level, expensive at the enriched commercial level.
Financial indicators. Revenue estimates, employee counts, growth signals, recent funding rounds, news about layoffs or acquisitions. Sources include Crunchbase, PitchBook, ZoomInfo Intent, news aggregation services, SEC EDGAR. Cost is $50 per month to $100,000+ per year.
Cyber insurance and loss history. Which companies carry cyber insurance, with which carriers, at what coverage levels, and which have filed claims. Sources include specialty insurance underwriters and brokers. Not directly purchasable by outsiders but inferable from public bankruptcy filings, SEC disclosures, and breach notification records.
Specialized compromise data. Which specific organizations have already been breached, what data was taken, what credentials are active for sale on criminal marketplaces. Sources include initial access brokers operating on Russian-language and Chinese-language forums. Cost is $500 to $30,000+ per organization, depending on access type and target value.
Vulnerability intelligence. Which specific CVEs are actively being exploited, against which product versions, by which threat groups, with what success rates. Sources include VulnCheck, GreyNoise Trends, Shadowserver, and the CISA KEV catalog. Free at the CISA level, $25,000-$200,000+ per year for commercial KEV-enriched feeds.
The 12 ingredients above are all separately commercially available. A determined operator with a budget under $250,000 per year can subscribe to enough of these data sources to build a comprehensive targeting infrastructure for any region, industry, or organization type they are interested in.
A determined operator with no budget can substitute free public sources, scraping, criminal marketplace purchases, and open-source intelligence for most of the same data layers. The output quality is lower, but the scope is the same.
---
## What This Looks Like In Practice — Imperial County In One Afternoon
Let me make this concrete with a local example. Suppose someone wants to build a target dossier of small businesses in Imperial County, California — agricultural operations, irrigation districts, cattle feeding operations, local government, healthcare facilities, schools. What would the workflow actually look like?
Step 1 — geographic enumeration. Query the California Secretary of State business registry, which is free and public, for active business entities with registered agents in Imperial County. Cross-reference with the IRS EIN database for nonprofits, the FDIC for local banks, the state Department of Public Health for medical facilities, the California Department of Education for school districts. Output: a list of every formally-registered organization in the county.
Step 2 — domain enumeration. For each organization, find their primary domain name. Use SecurityTrails or DomainTools to enumerate all subdomains and historical DNS records. Use Hunter.io or similar email-format-guessing tools to identify likely email address formats for each domain. Output: a mapping of organization to internet-facing footprint.
Step 3 — internet-facing infrastructure enumeration. For each domain and each known IP range belonging to each organization, query Shodan and Censys for everything exposed on the internet. Service banners, software versions, certificate details, open ports. Output: a complete external attack surface inventory for every organization in the county.
Step 4 — personnel enumeration. For each organization, query LinkedIn Sales Navigator and ZoomInfo for employee lists. Pull job titles, tenure, professional history. Cross-reference with HaveIBeenPwned and DeHashed to find which employees have had their credentials exposed in past breaches. Output: a personnel roster with breach exposure status for each employee.
Step 5 — credential check. For exposed employee emails, query the commercial leaked-credential databases for plaintext or hashed passwords associated with those email addresses. Output: a list of usable credentials, ranked by recency and confidence.
Step 6 — vulnerability matching. For each organization's externally-exposed services from Step 3, match the service versions against the active CVE exploitation database from GreyNoise Trends or CISA KEV. Output: a prioritized list of organizations with known-exploitable exposures, ranked by exploitation likelihood.
Step 7 — financial enrichment. For each organization, pull revenue estimates and employee counts from ZoomInfo or D&B to assess economic significance. For ransomware-relevant targeting, this determines ransom-demand sizing. For supply-chain targeting, this identifies which organizations would have downstream impact. Output: a financial-weighted target list.
Step 8 — dossier compilation. Combine all of the above into a single per-organization record. Legal entity name, primary contact, internet footprint, exposed services with versions, vulnerable services with active exploitation campaigns, employees with credential exposure, estimated revenue, geographic context. Output: a comprehensive target dossier for every organization in Imperial County, produced in a matter of hours by a single skilled operator, costing somewhere between $0 and $50,000 in data subscriptions depending on how much budget the operator brought.
That is the recipe. That is what happens before you even know someone is looking at you. By the time an attacker decides which of your services to probe, they already have a tier list of every business in your county sorted by exploitation probability and ransom-demand potential.
---
## The Snowden-Era Thesis — Whoever Connects The Most Datasets Has The Most Visibility
The broader thesis from the Snowden era and the surveillance-studies literature that followed says that in a world of abundant data, power flows to whoever can fuse the most datasets together. This is not romantic. It is the operational reality of every signals intelligence agency on Earth and a growing number of commercial actors.
Individual datasets are usually mundane. A list of all IPs in Imperial County, by itself, does not enable anything. A list of all employees at a single company, by itself, does not enable anything dangerous. A list of all breached credentials, by itself, is just history.
Combined datasets become powerful exponentially with each addition. Two datasets joined produce relationships neither contained alone. Three datasets produce relationships visible across all three. By the time you have eight or twelve datasets fused on common identifiers — domain names, IP addresses, email addresses, corporate entities — you can answer questions no individual dataset could answer. The classic example: which Imperial County agricultural operations have exposed industrial control systems running pre-2015 firmware versions, owned by companies whose IT directors have had credentials exposed in past breaches, where the company's revenue is over $5 million annually.
The data-fusion capability is not equally distributed. Most defenders see only their own logs. Their visibility ends at their network boundary. Attackers and intelligence operators can see across many networks simultaneously. This is the asymmetry that makes targeted attacks easier than they should be. The defender is operating with a flashlight. The attacker is operating with a satellite view.
The asymmetry compounds. Once an attacker compromises one organization in a supply chain, they can see into the next organization through legitimate communication channels. Their visibility expands with each successful operation. The defender's visibility stays bounded by their own network.
Commercial data brokers are the great equalizer in the wrong direction. Twenty years ago, this kind of data fusion was a capability that required a signals intelligence agency. Today, most of the same datasets are commercially available to anyone with a credit card. The capability gap between a nation-state intelligence operation and a sophisticated criminal organization has narrowed dramatically because the underlying data is now a commercial commodity.
Edward Snowden's central insight was not that the NSA was doing something unprecedented. It was that the apparatus for comprehensive surveillance had become technically and economically feasible. What he documented in 2013 has, in the intervening decade-plus, been replicated in the commercial sector to a degree that would have seemed implausible at the time. The data brokers, the OSINT vendors, the threat intelligence companies, and the residential proxy networks have collectively built civilian-sector equivalents of much of what the NSA was doing.
In 2026, whoever can connect the most datasets has the most visibility, and that capability is increasingly available to whoever wants to pay for it.
---
## So What Does The Defender Actually Do
This is where most security articles either give up or start selling fear. I am going to try not to do either.
The implications for any organization that might be a target are concrete.
Assume the dossier already exists. Anyone who wanted to build a target profile of your organization could probably do it today, in a matter of hours, for under $1,000 in data subscriptions and ad-hoc purchases. They might not have done it yet, but the capability is real. Your defensive posture should account for this rather than assume obscurity provides protection.
The defender's information advantage is local and behavioral. The attacker has comprehensive but stale data from public sources. The defender has incomplete but real-time data from local sensors. The strategic move for defense is to lean into what only you can see — your own network's actual behavior, in detail, right now — and let the attacker's superior external visibility be partially compensated for by your superior internal visibility.
Reduce the attack surface aggressively to keep the dossier stale. If an attacker's dossier on your organization was compiled six months ago and you have closed the exposed ports, retired the vulnerable services, and rotated the leaked credentials, their dossier is now substantially out of date. It still has value — your corporate structure, your employee roster, your business relationships — but the technical attack vectors it identified may no longer work. The dossier ages. Aggressive defensive work makes it age faster.
Monitor your own data exposure proactively. Many of the data sources attackers use are the same data sources defenders can use, but defenders rarely think to do this. Querying HaveIBeenPwned for your own employees' emails, checking Shodan for your own external footprint, monitoring DNS data for newly-registered lookalike domains — these are operationally useful exercises that most small businesses never perform.
Accept the asymmetry without paralysis. The data fusion advantage is not going to be neutralized. The commercial market will continue to make targeting data cheaper and more comprehensive. The defensive response is operational discipline applied consistently over time, not the achievement of any final secure state. You cannot be invisible. You can be boring enough that the attacker's dossier ranks you below higher-value targets.
The strategic move that actually compounds, the one piece of defensive territory the attacker cannot take from you, is this — they cannot know what is actively probing your network right now, this morning, in the last 14 days, with what behavioral patterns, from which coordinated source clusters, with what apparent intent. Only you can know that, and only if you have a detection capability looking for it.
That is the territory Nora claims.
---
## Nora — What Happened On January 16
A customer EDR report flagged scanner activity targeting their Lorex NVR — the security camera recording system sitting on their network — on TCP port 35000. The web interface was being probed.
Pulling up the Zeek connection logs revealed something more interesting than a single scan. Dozens of source IPs from two narrow IP ranges hitting the NVR within a single afternoon.
One cluster came from the 87.236.176.x range — multiple IPs ending in .111, .137, .138, .139, .141. Another cluster came from 185.247.137.x — .116, .117, .118, .121, .134, .135, .136, .138, .139, .143.
A whois lookup identified the operators. The 87.236.176.0/24 range belonged to Stretchoid, a commercial internet scanner. The 185.247.137.0/24 range belonged to Recyber, another commercial scanner.
Each individual IP, viewed alone, looked unremarkable. A few connections to one port. Easily dismissed as background noise. But viewed together, the pattern was unmistakable. Organized commercial scanner networks systematically cataloging exposed devices across the internet, hitting this customer's NVR among millions of others.
This was not a targeted attack. It was a different kind of threat. Industrial-scale reconnaissance of every internet-connected device on Earth, run by companies that sell the resulting database. The customer's NVR existed in someone's commercial inventory of "exposed security cameras worldwide."
Three uncomfortable truths emerged from that morning's investigation.
Individual-IP analysis misses coordinated networks. Traditional security tools score IPs one at a time. Each Stretchoid or Recyber IP, scored individually, looked like background noise. The actual signal was visible only when grouping by source /24 and target. No tool in the SmiteByte stack at that time correlated source IPs across a network range.
Reputation databases lag the threat. Commercial scanner networks rotate IP addresses faster than reputation services can catalog them. By the time an IP shows up in GreyNoise's database as a known scanner, that IP has moved on and 50 new IPs from the same operator are scanning fresh. The 2026 GreyNoise threat report had documented this. 39% of unique IPs targeting enterprise edges come from residential or rotating IP space, and 78% rotate before reputation systems can catalog them.
The customer did not know any of this was happening. The morning EDR report mentioned a Suricata alert. It did not show the broader pattern of two distinct commercial scanner networks systematically probing their security infrastructure. The report had the data — Zeek had logged every connection in detail — but no layer of the existing stack was reading it for this pattern.
If existing reputation tools cannot keep up with rotating IP space, and individual-IP analysis misses coordinated networks, then behavioral correlation on locally-observed traffic is the only path forward. The data is already on disk. Zeek's default conn.log records roughly twenty fields per connection (more once enrichment scripts are loaded): connection state, the TCP history string, bytes and packets in each direction, duration, and so on. Most security operators glance at source IP, destination port and protocol and ignore the rest.
The question became — what could we build that reads what Zeek already produces, applies pattern recognition that does not depend on external reputation, and surfaces signals like the January 16 cluster automatically every morning?
That question led to Nora.
---
## The MacGyver Principle — Why SmiteByte Can Build Enterprise-Grade Detection On A Small-Business Budget
Enterprise security tools like Vectra, Darktrace, Corelight, and ExtraHop cost tens to hundreds of thousands of dollars per year per deployment. They market sophisticated AI/ML behavioral analytics, threat intelligence integration, expert-tuned detection rules. What they actually do, when you read their documentation carefully, is read network traffic and apply pattern recognition.
Here is the secret. The open-source tools they are built on top of are the same tools available to anyone. Zeek, formerly Bro, is free. Suricata is free. The Critical Path Security Zeek Intelligence Feeds are free. The OTX API is free. Every line of Zeek's connection log carries roughly twenty fields of forensic detail, and that is only one of the logs Zeek writes.
So why does enterprise-grade security cost enterprise-grade money? Most operators use the same 10 features over and over. Like Microsoft Word — there are roughly 2,000 capabilities in Word, but 98% of users only ever use formatting, paragraphs, and spell-check. The other 1,990 features are unused because nobody read the documentation.
Network security tools are the same. The capabilities are there. The data is there. Most operators just do not read what is actually being captured.
SmiteByte's edge is not access to expensive intelligence feeds we do not have. It is reading the documentation of the tools we already use, finding the 1,990 features nobody uses, and assembling them into something purpose-built for small business operations.
That is the MacGyver Principle. When you do not have the exact part, you make it. When you cannot afford the enterprise tool, you build it from what you already have. Sometimes better than what they sold.
Nora is the most direct expression of this principle in the SmiteByte stack. Every signal Nora detects comes from data Zeek was already capturing. No external API calls. No reputation database. No vendor dependency. Just careful reading of what was already on disk.
---
## How Nora Works — The Eight Operational Patterns
Nora is a Python script that runs at 03:45 daily on each BlackBox. It reads the previous 14 days of Zeek connection logs, applies a five-layer filter chain to remove noise, aggregates traffic by source IP with day-tracking, and classifies each source against eight behavioral patterns.
The aggregation structure per source IP includes connection count, days active, average connections per active day, unique destination IPs, unique destination ports, unique source ports, connection state distribution (SF, REJ, RSTO, S0, and others), byte payload statistics for originator and responder, TCP history strings (the letter codes that show the actual handshake sequence), and first-seen and last-seen timestamps.
That structure is the foundation. Every pattern operates on these aggregated stats. Nothing else.
### Pattern 1 — Port Sweep (Horizontal Scan)
A single source IP hitting many ports very fast, mostly SYN-only. The classic nmap-style scan signature. Trigger threshold is 10 or more ports, 300 seconds or less duration, and 80% or more of the connections SYN-only (a bare SYN with no SYN-ACK or ACK in the history, Zeek conn_state S0). Concern level is low to medium, because this is common and often automated background activity.
### Pattern 2 — Service Probe
A source IP completing TCP handshakes on a few specific ports, sending some payload, getting no application response. The probe got past TCP, the application refused. This is the signature that originally showed up against the customer's NVR. Trigger threshold is 1 to 5 ports, 70% or more completed handshakes, originator bytes greater than 0, responder bytes equal to 0. Concern level is medium to high.
### Pattern 3 — Slow Scan (Low-and-Slow)
The same source IP, focused on a small target set, returning over multiple days at very low volumes. Deliberately avoiding rate-based detection. Sophisticated attacker behavior. Trigger threshold is 3 or more days active in the 14-day window, 5 or fewer connections per active day, 3 or fewer destination IPs. Concern level is high.
### Pattern 4 — Vertical Port Sweep
A source IP enumerating a wide port range in sequence. Classic nmap top-1000 scan. Trigger threshold is 50 or more unique ports, sequential port clusters, 1 hour or less duration. Concern level is medium.
### Pattern 6 — Returning Visitor (Persistence Check)
A source IP that came back across multiple days. Opportunistic scanners rarely return. Persistent attackers and slow-scan operations do. Trigger threshold is 2 or more days active in the 14-day window. Concern level is medium to high.
### Pattern 7 — Background Noise
Low-volume probes on common service ports. The acknowledged baseline of internet hum. Trigger threshold is 3 or fewer connections, all on common ports (22, 80, 443, 3389, 445, and similar), single-day activity. Concern level is low. This is the proof-of-life signal: it confirms Nora is reading traffic correctly, because every internet-facing network sees this constantly.
### Pattern 8 — Coordinated Network / Residential Proxy
This is the 2026 differentiator. Multiple distinct source IPs from the same /24 (or wider range) targeting the same destination IP. The pattern that caught the Recyber and Stretchoid clusters in the original January 16 incident. Trigger threshold is 2 or more source IPs in the same /24 hitting the same destination IP within the lookback window. Concern level is high. Confidence tiers run HIGH when payload variance is 20% or less (indicating likely coordination), MEDIUM at 20-100% (uncertain), LOW above 100% (probably just shared hosting coincidence).
This is the pattern that exists because the existing security stack did not surface what was already in the logs. Every other tool on the market scores IPs individually. Nora groups them and asks whether the group is acting as a coordinated unit.
### Pattern 10 — Anomalous / Uncategorized
Source IPs exhibiting structurally weird signatures that do not fit any named pattern. Service-port-as-source-port (the "crafted packet" signal) is the primary trigger. Concern level is unknown — flagged for human review. This pattern catches the unknown. The thing tomorrow's pattern will be named after.
### Patterns Deferred — Not Built
Pattern 5 (Targeted Application Probe) and Pattern 9 (Active CVE Campaign Alignment) were designed but deliberately not built. Both would require maintaining a list of CVE-aligned ports as new vulnerabilities emerge — unbounded operational toil for marginal value. GreyNoise's free web UI handles spot-checks for individual IPs against active campaigns more cheaply than maintaining our own list. Do not build automation that requires more maintenance than the problem demands.
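As an added illustration, not Nora's source (SmiteByte has not published it), here is a Python sketch of the classifiers above operating on per-source aggregates of the kind the "How Nora Works" section describes, plus the /24 grouping that would have caught the January 16 Stretchoid and Recyber clusters. Thresholds are the ones the post states. Anything the post leaves unspecified is an assumption and is marked as one in the code: which conn_state values count as a completed handshake, the "sequential clusters" test for Pattern 4, "service port" meaning a port below 1024 for Pattern 10, and "payload variance" computed as the coefficient of variation of each member's mean originator bytes. The sample aggregates are constructed and use documentation address ranges.

```python
import ipaddress
from statistics import mean, pstdev

COMMON_PORTS = {21, 22, 23, 25, 80, 443, 445, 3389, 8080}
# Assumption: these Zeek conn_state values mean the three-way handshake completed.
COMPLETED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

def state_ratio(s, states):
    """Share of this source's connections whose conn_state is in `states`."""
    return sum(s["states"].get(k, 0) for k in states) / s["conns"]

def is_port_sweep(s):        # Pattern 1: many ports, fast, SYN-only (conn_state S0)
    return len(s["dst_ports"]) >= 10 and s["duration"] <= 300 and state_ratio(s, {"S0"}) >= 0.8

def is_service_probe(s):     # Pattern 2: handshake completes, payload sent, nothing comes back
    return (1 <= len(s["dst_ports"]) <= 5 and state_ratio(s, COMPLETED_STATES) >= 0.7
            and sum(s["orig_bytes"]) > 0 and sum(s["resp_bytes"]) == 0)

def is_slow_scan(s):         # Pattern 3: few connections per day, several days, tiny target set
    return len(s["days"]) >= 3 and s["conns"] / len(s["days"]) <= 5 and len(s["dst_ips"]) <= 3

def longest_sequential_run(ports):
    """Longest run of consecutive port numbers, e.g. {80, 81, 82, 90} -> 3."""
    ordered = sorted(ports)
    best = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def is_vertical_sweep(s):    # Pattern 4: wide port range in sequence within an hour
    # Assumption: "sequential port clusters" means a run of at least 10 consecutive ports.
    return (len(s["dst_ports"]) >= 50 and s["duration"] <= 3600
            and longest_sequential_run(s["dst_ports"]) >= 10)

def is_returning_visitor(s): # Pattern 6: came back on another day
    return len(s["days"]) >= 2

def is_background_noise(s):  # Pattern 7: a few touches on common ports, one day only
    return s["conns"] <= 3 and s["dst_ports"] <= COMMON_PORTS and len(s["days"]) == 1

def is_anomalous(s):         # Pattern 10: service port used as the *source* port (crafted packet)
    return any(p < 1024 for p in s["src_ports"])   # assumption: service port = well-known port

PATTERNS = [("port_sweep", is_port_sweep), ("service_probe", is_service_probe),
            ("slow_scan", is_slow_scan), ("vertical_sweep", is_vertical_sweep),
            ("returning_visitor", is_returning_visitor), ("background_noise", is_background_noise),
            ("anomalous", is_anomalous)]

def classify(s):
    """Every pattern a source matches; one source can legitimately match several."""
    return [name for name, fn in PATTERNS if fn(s)]

def find_clusters(stats):
    """Pattern 8: two or more sources in one /24 hitting the same destination IP."""
    groups = {}
    for ip, s in stats.items():
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        for dst in s["dst_ips"]:
            groups.setdefault((net, dst), []).append(ip)
    clusters = []
    for (net, dst), members in groups.items():
        if len(members) < 2:
            continue
        # Assumption: "payload variance" = coefficient of variation (pstdev / mean, as a
        # percentage) of each member's mean originator bytes. Identical probes give 0%.
        means = [mean(stats[m]["orig_bytes"]) for m in members]
        mu = mean(means)
        variance_pct = pstdev(means) / mu * 100 if mu else 0.0
        tier = "HIGH" if variance_pct <= 20 else "MEDIUM" if variance_pct <= 100 else "LOW"
        clusters.append({"network": net, "target": dst, "confidence": tier,
                         "payload_variance_pct": round(variance_pct, 1),
                         "members": {m: classify(stats[m]) for m in members}})
    return clusters

def make_agg(conns, days, dst_ips, dst_ports, src_ports, states, orig, resp, duration):
    """One per-source aggregate in the shape the post describes (constructed input)."""
    return {"conns": conns, "days": set(days), "dst_ips": set(dst_ips), "dst_ports": set(dst_ports),
            "src_ports": set(src_ports), "states": dict(states), "orig_bytes": list(orig),
            "resp_bytes": list(resp), "duration": duration}

# Constructed 14-day aggregates; addresses are documentation ranges, not real sources.
SAMPLE = {
    # 12 SYN-only hits on 12 ports inside 40 s: horizontal sweep
    "203.0.113.10": make_agg(12, ["d01"], ["192.0.2.20"], range(8000, 8012), range(40000, 40012),
                             {"S0": 12}, [0] * 12, [0] * 12, 40),
    # three neighbours in one /24 completing the handshake on TCP 35000 with an identical
    # 84-byte probe and getting no application response: the January 16 shape
    "185.247.137.116": make_agg(3, ["d01"], ["192.0.2.20"], [35000], [51001, 51002, 51003], {"SF": 3}, [84] * 3, [0] * 3, 5),
    "185.247.137.117": make_agg(3, ["d01"], ["192.0.2.20"], [35000], [52001, 52002, 52003], {"SF": 3}, [84] * 3, [0] * 3, 6),
    "185.247.137.118": make_agg(3, ["d01"], ["192.0.2.20"], [35000], [53001, 53002, 53003], {"SF": 3}, [84] * 3, [0] * 3, 4),
    # eight connections spread over four days against one host: low-and-slow
    "198.51.100.7": make_agg(8, ["d01", "d03", "d05", "d08"], ["192.0.2.20"], [22, 443],
                             range(50000, 50008), {"S0": 8}, [0] * 8, [0] * 8, 7 * 86400),
    # two touches on common ports in a single day: background hum
    "203.0.113.200": make_agg(2, ["d02"], ["192.0.2.21"], [22, 443], [44444, 44445], {"S0": 2}, [0, 0], [0, 0], 3),
    # TCP probe arriving with source port 53: crafted packet
    "198.51.100.50": make_agg(1, ["d04"], ["192.0.2.21"], [8443], [53], {"S0": 1}, [0], [0], 0),
}
```

Two notes a practitioner would want. A source can match several patterns (a low-and-slow operator is also a Returning Visitor), so the report should print all of its tags rather than the first one found. And grouping by /24 will occasionally pull unrelated tenants of one hosting provider into a "cluster"; the payload-variance tier is what separates that coincidence from a coordinated operator, which is why the code keeps the percentage alongside the tier instead of discarding it.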
---
## The Filter Chain — Why Most "Suspicious" Traffic Gets Dismissed Before Classification
Before any pattern logic runs, every Zeek connection log record passes through five filter layers.
Comment and header lines starting with # are skipped — these are Zeek metadata, not real connection records.
Source IPv4 filtering drops internal RFC1918 traffic, loopback, multicast, broadcast, link-local. Nothing internal needs scanner classification.
Destination filtering drops broadcast and multicast destinations.
Trusted-services filtering drops connections involving the customer's known business relationships — mail server, DNS resolvers, VoIP carriers, software-update endpoints — in either direction.
ICMP and destination-port-zero traffic gets dropped. It is out of scope for behavioral detection of TCP/UDP recon.
The trusted-services filter is critical. On the production deployments, this list includes the customer's mail server (every BlackBox sends reports out through the lab mail relay), Quad9 DNS resolvers, the 8x8 VoIP carrier IP ranges (researched from official 8x8 documentation), Google DNS, Level 3 DNS, Apple's 17.0.0.0/8 range (iCloud, push notifications, software updates), Microsoft Azure ranges (Windows Update, Office 365), and Akamai CDN ranges (software delivery).
Without trusted-services filtering, Nora would generate noise from every legitimate business service the customer uses. The filter is per-deployment — common entries plus customer-specific additions.
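The five filters and the per-source aggregation, as an added Python example that is not Nora's code: it parses a constructed conn.log excerpt by its #fields header (so the real production header works unchanged), returns the drop reason for each record in the order the filters are listed above, and aggregates what survives into the structure the "How Nora Works" section describes. The customer LAN (192.0.2.0/24), a trusted list holding only the two Quad9 resolvers, and treating IPv6 sources as out of scope are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed conn.log excerpt, not customer traffic. The #fields header is trimmed to the
# columns this example reads; the parser keys on the header. Zeek writes "-" for an unset field.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tstring\tstring
1768540000.1\tC1\t203.0.113.10\t51234\t192.0.2.20\t35000\ttcp\t84\t0\tSF\tShADaFf
1768540001.2\tC2\t203.0.113.10\t51235\t192.0.2.20\t35000\ttcp\t0\t0\tREJ\tSr
1768540002.3\tC3\t192.168.1.5\t40000\t192.0.2.20\t443\ttcp\t500\t1400\tSF\tShADadFf
1768540003.4\tC4\t203.0.113.10\t51236\t192.0.2.255\t137\tudp\t50\t0\tS0\tD
1768540004.5\tC5\t9.9.9.9\t53\t192.0.2.20\t53211\tudp\t60\t120\tSF\tDd
1768540005.6\tC6\t203.0.113.10\t8\t192.0.2.20\t0\ticmp\t64\t0\tOTH\t-
1768626400.7\tC7\t198.51.100.7\t22\t192.0.2.20\t2222\ttcp\t0\t0\tS0\tS
1768626401.8\tC8\t203.0.113.10\t51240\t192.0.2.20\t35000\ttcp\t-\t-\tS0\tS
"""

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: the customer's LAN
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("9.9.9.9/32", "149.112.112.112/32")]  # Quad9, from the post's list
DROP_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",     # RFC1918
    "127.0.0.0/8", "224.0.0.0/4", "169.254.0.0/16",      # loopback, multicast, link-local
    "255.255.255.255/32")]                                # limited broadcast

def in_any(ip, nets):
    return any(ip in n for n in nets)

def drop_reason(rec):
    """Filters 2-5 in the order the post lists them; None means the record survives."""
    src, dst = ipaddress.ip_address(rec["id.orig_h"]), ipaddress.ip_address(rec["id.resp_h"])
    if src.version != 4 or in_any(src, DROP_SOURCE_NETS):   # assumption: IPv6 sources out of scope
        return "source"
    if dst.is_multicast or str(dst) == "255.255.255.255" or any(dst == n.broadcast_address for n in LOCAL_NETS):
        return "destination"
    if in_any(src, TRUSTED_NETS) or in_any(dst, TRUSTED_NETS):   # either direction
        return "trusted"
    if rec["proto"] == "icmp" or rec["id.resp_p"] == 0:
        return "icmp_or_port0"
    return None

def parse_conn_log(text):
    """Yield one typed dict per connection; '#' lines (filter 1) are Zeek metadata and skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("connection record before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.orig_p"], rec["id.resp_p"] = int(rec["id.orig_p"]), int(rec["id.resp_p"])
        for k in ("orig_bytes", "resp_bytes"):
            rec[k] = 0 if rec[k] == "-" else int(rec[k])
        yield rec

def aggregate(records):
    """Per-source structure the post describes: counts, day tracking, port/state/byte stats."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["id.orig_h"], {
            "conns": 0, "days": set(), "dst_ips": set(), "dst_ports": set(), "src_ports": set(),
            "states": Counter(), "history": Counter(), "orig_bytes": [], "resp_bytes": [],
            "first_seen": r["ts"], "last_seen": r["ts"]})
        s["conns"] += 1
        s["days"].add(datetime.fromtimestamp(r["ts"], tz=timezone.utc).date().isoformat())
        s["dst_ips"].add(r["id.resp_h"])
        s["dst_ports"].add(r["id.resp_p"])
        s["src_ports"].add(r["id.orig_p"])
        s["states"][r["conn_state"]] += 1
        s["history"][r["history"]] += 1
        s["orig_bytes"].append(r["orig_bytes"])
        s["resp_bytes"].append(r["resp_bytes"])
        s["first_seen"], s["last_seen"] = min(s["first_seen"], r["ts"]), max(s["last_seen"], r["ts"])
    for s in stats.values():                   # derived fields the pattern tests use
        s["avg_per_day"] = s["conns"] / len(s["days"])
        s["duration"] = s["last_seen"] - s["first_seen"]
    return stats

def run(text):
    """Filter chain, then aggregation; returns (stats, drop count per filter)."""
    kept, dropped = [], Counter()
    for rec in parse_conn_log(text):
        why = drop_reason(rec)
        if why:
            dropped[why] += 1
        else:
            kept.append(rec)
    return aggregate(kept), dropped
```

The drop counters are the tuning signal. On a new deployment, print them from the 03:45 run for a week: if a legitimate service the customer uses keeps surfacing as a Returning Visitor, it belongs in the trusted list; if "trusted" is absorbing almost everything, the list has grown too wide to be meaningful.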
---
## How Nora Integrates With The Rest Of The Stack
Nora is one of several detection personas in the SmiteByte stack. Each persona is named because each behaves like a person doing a job.
Sara is Suricata signature-based detection. The rule-matcher.
Zara is Zeek protocol logging and connection analysis. The observer.
Vera is OpenVAS vulnerability scanning. The auditor.
Alice is device discovery and inventory. ALICE stands for Agentless Local Intelligence Capture Engine (the Beacon Network Scanner). The recorder.
Aria is statistical behavioral C2 beacon detection on outbound traffic. The listener.
Nora is statistical inbound reconnaissance detection. The watcher.
Aria watches outbound — the heartbeat leaving your network that might indicate command-and-control traffic from compromised devices. Nora watches inbound — the knocking on your door from attackers trying to find a way in. Together they create a paired detection model. One for "is something already inside reaching out." One for "is something outside trying to get in."
The integration point is the daily report generator that runs at 06:00 PDT. Each persona writes its findings to a flat file. The report script reads those flat files, applies whois enrichment so source IPs show their organizational owner, formats them into the morning report, and emails it to the customer.
The architectural discipline is critical here. Heavy computation never happens at report time. Nora runs at 03:45 and writes its results to disk. By 06:00 when the EDR report builds, Nora's work is done. The report just reads the file and renders. Adding Nora's full detection capability cost approximately 0.4 seconds of report runtime overhead.
This pattern — pre-compute, write flat file, fast consumer — is how SmiteByte stacks more capability without bloating the morning report pipeline.
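The handoff between the 03:45 run and the 06:00 report, as an added example rather than SmiteByte's script. Nora's side publishes its findings by writing to a temporary file in the same directory and renaming it into place, so the report can never read a half-written file if the two jobs overlap; the report's side refuses to render a file older than a freshness limit rather than quietly presenting yesterday's findings as this morning's. The path and the six-hour limit are assumptions, and the cluster record in the demo is constructed.

```python
import json
import os
import tempfile
import time

RESULTS_PATH = "/var/lib/smitebyte/nora/latest.json"   # assumption: hypothetical location
MAX_AGE_SECONDS = 6 * 3600   # assumption: a 03:45 result read at 06:00 is ~2.25 h old; 6 h leaves margin

def write_results(findings, path=RESULTS_PATH, now=None):
    """Pre-compute side. Write to a temp file in the target directory, fsync, then rename.
    os.replace is atomic on POSIX, so a reader sees the old file or the complete new one,
    never a truncated one."""
    payload = {"generated_at": now if now is not None else time.time(), "findings": findings}
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".nora-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(payload, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise

def read_results(path=RESULTS_PATH, now=None, max_age=MAX_AGE_SECONDS):
    """Consumer side: a cheap read that is loud about a missing or stale file."""
    now = now if now is not None else time.time()
    try:
        with open(path) as f:
            payload = json.load(f)
    except FileNotFoundError:
        return {"status": "missing", "age_seconds": None, "findings": []}
    age = now - payload["generated_at"]
    return {"status": "stale" if age > max_age else "ok", "age_seconds": age,
            "findings": payload["findings"]}

def render_section(result):
    """Nora's section of the morning report, built from the read result."""
    if result["status"] != "ok":
        return f"Nora results {result['status']}; inbound reconnaissance section not generated, check the 03:45 run."
    if not result["findings"]:
        return "No inbound external reconnaissance activity observed."
    lines = [f"{len(result['findings'])} coordinated source cluster(s):"]
    for c in result["findings"]:
        lines.append(f"  {c['confidence']:<6} {c['network']} -> {c['target']}")
    return "\n".join(lines)

def demo_roundtrip():
    """Exercise the handoff in a scratch directory; returns the statuses a report could see."""
    path = os.path.join(tempfile.mkdtemp(), "latest.json")
    t0 = 1_768_540_000.0                          # constructed timestamp
    missing = read_results(path, now=t0)["status"]
    write_results([{"network": "185.247.137.0/24", "target": "192.0.2.20", "confidence": "HIGH"}],
                  path=path, now=t0)
    fresh = read_results(path, now=t0 + 2 * 3600)
    stale = read_results(path, now=t0 + 9 * 3600)["status"]
    return missing, fresh["status"], stale, render_section(fresh)
```

The staleness check is the part most pipelines skip. If the 03:45 job dies on a malformed log file, a consumer that only reads the flat file will cheerfully print the previous run's findings, and a customer will read "no inbound reconnaissance observed" on a morning when nothing was actually analysed.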
---
## What The Customer Actually Sees
If Nora finds nothing — the expected state on a clean lab deployment — the report section reads "No inbound external reconnaissance activity observed."
If Nora finds clustered scanner activity — the expected state on production deployments facing the internet — the report shows a cluster summary with confidence tier (HIGH, MEDIUM, or LOW), source /24 with whois enrichment ("Recyber Networks," "Stretchoid," and whoever else is running coordinated reconnaissance tomorrow), the common target inside the customer's network, member IPs with their individual pattern matches, and the payload variance percentage that supports the confidence metric.
Then in the per-IP sections below, each member IP appears again under its individual pattern classification — Service Probe, Slow Scan, Returning Visitor — with a "Member of cluster: X" tag pointing back to the cluster summary. The operator sees the high-level finding AND can drill into individual IP behavior in the same report.
In plain language, every morning, the report tells you: these external IP ranges are systematically probing your network, here is what they are targeting, here is who they appear to be.
---
## What Would This Cost From The Enterprise Vendors
To understand what Nora is worth in the marketplace, look at what commercial vendors charge for comparable inbound reconnaissance detection capabilities.
Vectra AI Network Detection and Response handles reconnaissance detection — port scans, internal recon, account scanning — with AI-driven behavioral analytics. Typical pricing is $30,000-$150,000+ per year depending on network size, often requiring multi-year contracts. Target market is mid-market and enterprise.
Darktrace Enterprise Immune System uses self-learning AI for network anomaly detection, including reconnaissance and lateral movement detection. Typical pricing is $30,000-$100,000+ per year, sometimes much higher. Target market is enterprise.
Corelight Open NDR Platform is built directly on Zeek — the same underlying tool SmiteByte uses — and adds proprietary detection content and dashboard. Typical pricing is $25,000-$80,000+ per year for sensor plus cloud platform. Target market is enterprise security operations centers.
ExtraHop Reveal(x) handles network detection and response, inbound recon detection, lateral movement, ransomware behavior. Typical pricing is $50,000-$200,000+ per year. Target market is enterprise.
GreyNoise Enterprise, just for the threat intelligence component (not detection), provides IP classification and scanner identification through a reputation API with quotas sized to the contract. Typical pricing is $15,000-$50,000+ per year depending on lookup volume. And that is just the data feed. It does not include any detection engine.
Stripping out the dashboards, the cloud platforms, the sales and support overhead, the actual detection engine portion of these tools — what they fundamentally do at the algorithm level — would price somewhere in the $15,000-$40,000 per year per network range.
That is the market value of "automated inbound reconnaissance detection with coordinated network identification, persistent threat detection, and behavioral classification" as a standalone capability.
For a small business of 25-100 employees, that pricing is impossible. Their entire IT security budget might be $15,000 per year total. For everything. Not just network detection.
Nora delivers this capability at the operational cost of running Python on existing hardware. No subscription. No per-IP lookup fees. No annual contract renegotiation. Just the script reading the data the BlackBox was already collecting.
A SmiteByte BlackBox deployment includes Nora as part of the morning EDR report at no additional cost beyond the standard service. The customer gets a detection capability that would cost an enterprise customer between $15,000 and $40,000 per year as a standalone product.
This is the MacGyver Principle made commercial. We cannot compete with Vectra or Darktrace on marketing, on sales staff, on enterprise feature checkboxes. We can compete on delivering the actual detection value at a price small businesses can afford, by reading documentation, using open-source tools deliberately, and building purpose-fit software instead of one-size-fits-all.
---
## Why Anyone Should Actually Care About This
Three concrete reasons a small business customer should care that Nora runs on their BlackBox.
Awareness changes behavior. When a small business owner sees in their morning report that their security camera is being probed by 10 IPs from a commercial scanner network, they have actionable information. They can update firmware, change default passwords, restrict remote access, or simply confirm the device should not be internet-exposed at all. Without the report, none of that happens because nobody knew it was a problem.
Pattern continuity reveals real threats. A single scanner hitting your NVR once is unremarkable. The same scanner network systematically probing your NVR every week for two months is a different story. That is sustained reconnaissance, and it often precedes an exploitation attempt. Nora's 14-day lookback catches the pattern continuity that single-day analysis misses.
Documentation creates accountability. If something does eventually go wrong, you have a forensic record. You can show your insurance company, your auditors, or your incident response team: "We were monitoring this. Here is what we saw. Here is when we saw it." That documentation has value far beyond the prevention layer.
---
## The Honest Floor
I want to do one more thing before closing this out, because honesty matters more than the sale.
Some small businesses really will not get attacked, and some that do get attacked will recover without security investment. Statistics are not destiny. There are 33 million small businesses in the U.S. Most of them, in any given year, will not be breached. Some will be breached and the damage will be modest. Some will be breached and never recover.
When the customer says "I do not think this will happen to me," they might be right. I cannot promise them otherwise. The honest answer is not "you are definitely going to get attacked." The honest answer is something like this.
You might be fine without any of this. Most small businesses are. The reason I think the BlackBox is worth what you would pay for it is not because I can guarantee you will be attacked. It is because if you ARE attacked, you will know about it in time to do something, and most small businesses that go under after a breach do not go under from the breach itself. They go under because they did not catch it in time.
That sentence respects the customer's autonomy. It does not pretend I have a crystal ball. It tells the customer what the product actually does — provides early visibility — and lets them decide whether early visibility is worth what they would pay for it.
The customers who say no to that pitch are making an informed decision. Some of them will be fine. Some of them will be the cautionary tale next quarter. I cannot save the ones who do not want to be saved. What I can do is make sure the offer is made honestly.
---
## What I Would Hand A Customer On A Single Page
If I had to put the answer to "I have nothing anyone wants" on a single page you could hand a customer, it would be something like this.
You are right. You are not a target.
The Fortune 500 is a target. The hospital chain is a target. The Pentagon is a target. You are not those things, and you know it.
But the modern attack economy is not about targets anymore. The Fortune 500 is hard. The hospital chain has a Security Operations Center. The Pentagon has the NSA on retainer. So the attack economy went looking for soft spots, and what it found was every small business connected to those hard targets.
You are not the destination. You are the route.
The criminal who wants the packing plant's records will compromise the small vendor who emails invoices to the packing plant. The criminal who wants the regional bank's wires will compromise the small business whose bookkeeper banks there. The criminal who wants ransom money will compromise twenty small businesses for $50,000 each rather than one Fortune 500 company for $1 million — because the small businesses do not have a Security Operations Center, do not have an incident response team, do not have a cyber insurance carrier already on the phone within an hour of detection.
Your obscurity is not a defense. It is an attacker advantage. When a hospital gets breached, the FBI shows up the same day. When you get breached, nobody shows up. That is not safety. That is lower accountability for the attacker.
You will not get attacked because you are valuable. You will get attacked because you are reachable. Reachable by an automated process. Reachable by a credential someone leaked seven years ago. Reachable by a phishing email that costs the attacker nothing to send to ten thousand small businesses at once, looking for the one or two who click.
The BlackBox does not promise to make you a target worth protecting. It promises to make sure that when something does come knocking — and statistically, eventually, something will — you will know about it on the morning of, not three weeks later when the symptoms become obvious.
That is the actual offer. Early visibility, not invincibility. You decide if it is worth what you would pay for it.
---
## The Architectural Commitment Behind Everything SmiteByte Builds
Small businesses currently have two options for network security.
Option A — buy enterprise tools they cannot afford and do not have the staff to operate. Vectra, Darktrace, Corelight, ExtraHop. All real products. All built for organizations with security teams of 5 to 50 people.
Option B — have no real visibility into network reconnaissance and lateral movement attempts. This is the current default state for the vast majority of small businesses.
SmiteByte's premise is that there is a third option. Purpose-built detection capability at small-business pricing, delivered as a managed service, using the same open-source foundations enterprise vendors charge enterprise prices for.
Nora is the proof-of-concept for that third option in the reconnaissance detection layer. The architecture replicates for other detection categories — outbound C2 beaconing (Aria), lateral movement, credential abuse, data exfiltration, anomalous protocol behavior. Each one a problem that enterprise vendors charge $30,000-$200,000 per year to solve. Each one solvable with careful reading of what open-source tools already produce.
That is the larger commercial bet behind every detection layer SmiteByte builds. The data is on disk. The tools are open source. The capability gap between enterprise security and small-business security exists primarily because nobody has bothered to build for small businesses specifically.
SmiteByte is building for small businesses specifically. Nora is the latest installment.
---
## Closing — The Story In Three Sentences
You are right that you are not a target. But in 2026, the attack economy is not looking for targets, it is looking for infrastructure, and small businesses are the infrastructure between attackers and the bigger systems they actually want to reach.
A customer's security camera was being scanned by commercial scanner networks that systematically catalog exposed devices across the internet. Existing tools in the SmiteByte stack were not surfacing that pattern, so we built Nora — a behavioral classifier that reads Zeek's existing connection logs, applies pattern recognition across eight distinct attack signatures including coordinated network detection, and surfaces findings in the customer's morning EDR report at the operational cost of running Python.
What would cost a small business $15,000-$40,000 per year from an enterprise vendor now ships free with every SmiteByte BlackBox.
That is Nora. That is the MacGyver Principle. That is what is possible when you read the documentation of what you already have.
-Paul @ SmiteByte