The first week of July handed IT teams a worst-case scenario. The interesting part is that the survey data said this was coming.
On Wednesday, CISA added a high-severity SharePoint flaw to its Known Exploited Vulnerabilities catalog. By Thursday, threat actors were actively probing a critical (CVSS 9.8) bug in the official Gitea Docker image, 13 days after disclosure, letting any unauthenticated visitor impersonate any user, including admin. The same day, Progress warned of live exploitation of a pre-auth remote code execution bug in Kemp LoadMaster, a load balancer used heavily in mid-market networks. Adobe patched seven CVSS 10.0 vulnerabilities in ColdFusion and Campaign Classic. The Linux kernel dropped a fix for a use-after-free privilege escalation dubbed “Bad Epoll” that an ordinary logged-in user can ride straight to root, including from inside Chrome’s sandbox.
If you read security news, that paragraph sounds normal. That is the problem.
The Week Was Not Unusual
That string of disclosures is not a coincidence and not a fluke. The week of June 29 to July 6, 2026 was ordinary. Run the same exercise next month and you will get a similar wall of CVEs, similar exploitation, similar “patch now” advisories. The cadence is the story.
Bitdefender published its 2026 Cybersecurity Assessment on July 1, surveying 1,200 IT and security professionals across six countries. The headline finding is the one the industry has been quietly avoiding: awareness of cyber risk is at an all-time high, and operational resilience is at an all-time low. The two curves have decoupled, and they are still moving apart.
The numbers tell the same story in different rooms. 51.8% of respondents told Bitdefender they have full visibility into how AI is being used inside their company. 47.4% admitted they have only partial or no visibility into “Shadow AI,” the personal ChatGPT tabs, the unauthorized Copilot installs, the unvetted browser extensions that summarize meetings. When you split that answer by role, the gap is sharper. Nearly 58% of managers believe they have complete AI visibility. Among frontline practitioners, that number drops to 45.9%. The strategic decisions are being made on a picture half the building does not recognize.
SMBs Feel This Harder Than Anyone
The large enterprise has more attack surface, but it also has people whose entire job is to read the CISA KEV catalog on Monday morning and have a remediation plan by lunch. The 80-person logistics company does not. The 200-person law firm does not. The 40-person SaaS startup does not. They have one or two people doing IT, often with no dedicated security hire, and they are reading the same Gitea writeup that a Fortune 500 CISO is reading, except without a team to back them up.
The Bitdefender report is blunt about this part too. “Security teams understand the importance of reducing the attack surface,” it reads, “yet they often lack the skills, resources, or strategy to do so.” That sentence does not get quoted in marketing decks. Awareness without capacity is a tax you pay every quarter and collect no return on.

The Quantum Shock Coming For Your Baseline
On the same day the Bitdefender report came out, Microsoft’s Mark Russinovich published a blog post that nobody at a small business had time to read. He announced that Microsoft is pulling its post-quantum cryptography roadmap forward to 2029, two years earlier than the previous schedule. His reasoning: cryptographically relevant quantum computers could arrive sooner than previously expected. For a CISO at a global bank, this is a multi-year migration program. For an IT generalist at a 150-person manufacturer, it is one more line item on a list that is already too long.
The fix is not exotic, though. Microsoft’s own plan rests on three moves small IT teams can start with: adopt TLS 1.3 everywhere you terminate HTTPS, audit where cryptography is hard-coded into your applications and break those couplings, and design for “crypto agility,” meaning your systems can swap algorithms without being rebuilt from scratch. None of this is a 2029 problem. The migration window is what makes it one.
What Actually Moves the Needle This Week
The honest version of a hardening plan for a small team is small. It is not “buy a SIEM.” It is five things, do them this month.
-
Subscribe to the CISA KEV catalog as an email or RSS feed. Anything that lands on that list gets a 14-day patch or mitigation deadline from the U.S. government. Treat it as a binding SLA. If you cannot patch in 14 days, document why and what compensating control you have in place.
-
Build a real list of internet-exposed assets. Not a theoretical list. The actual set of hosts, services, and ports exposed to the public internet as of this week. Run an unauthenticated scan from outside your network. The gap between what you think is exposed and what is exposed is where the Gitea bugs live.
-
Replace “is MFA enabled” with “is MFA enforced on the highest-privilege accounts, with phishing-resistant factors.” Hardware keys (FIDO2) and platform-bound passkeys are not exotic anymore. They are cheap. They are the single highest-ROI control most small businesses are still not using.
-
Pick one “if this breaks at 2 a.m.” scenario and write the runbook. A Gitea admin compromise, a SharePoint exploit, a VPN appliance RCE, pick the one most likely to hit you, write three pages of what you do, and rehearse it with the team. A 200-person company with a good runbook beats a 2,000-person company with a stale one.
-
Schedule a 90-minute review of your top five SaaS vendors by data exposure. SOC 2 report, SBOM availability, breach notification clause. The questions alone will reveal the ones that should not be in your stack.
The Honest Take
The gap between awareness and resilience is not going to close on its own. The CVE flood is not going to slow down. AI is not going to reduce the attack surface. The post-quantum transition is going to land on the same overstretched IT generalist who is already triaging a Gitea CVE and patching a SharePoint server. The companies that handle the next two years well are the ones that stop pretending awareness is the same as readiness. The job of hardening is unglamorous, mostly invisible, and the actual work of 2026. The week of July 6 made that impossible to miss.
