TL;DR

May 2026 brought 120+ Microsoft patches and a CVSS 9.9 RCE in Microsoft Dynamics 365. Supply chain attacks are now the fastest-growing threat vector for SaaS companies. lil.business's compliance scoping maps these threats directly to your ISO 27001 and SOC 2 controls, running real vulnerability assessments with OpenVAS and penetration testing before your auditor ever walks in the door. Visit lil.business/book for a free scoping call.

The Compliance Landscape Has Changed

Two things happened in May 2026 that should make any business pursuing ISO 27001 or SOC 2 sit up straight. Microsoft patched CVE-2026-42898, a critical remote code execution vulnerability in Dynamics 365 with a CVSS score of 9.9. Cisco published 48 firewall CVEs, including two scoring a perfect 10. And CISA added new entries to its Known Exploited Vulnerabilities catalog — the list of flaws attackers are actively using right now.

Meanwhile, supply chain compromise became the fastest-growing threat vector for SaaS companies in 2026. An AI model you're running, an open-source library your dev team pulled last week, a vendor's API integration — any of these is now a viable attack path.

Here is the thing most compliance consultants will not tell you up front: if you are running vulnerability scans that come back clean because they missed the actual threats, you are building compliance on sand. Auditors check that you have a process. Attackers check that your process works. lil.business makes sure both are true.

Critical CVEs and What They Mean for Your Compliance Scope

CVE-2026-42898 — Microsoft Dynamics 365 RCE (CVSS 9.9)

This is a code injection flaw in on-premises Dynamics 365. If your organization uses Dynamics 365 and it touches customer data, this CVE falls squarely inside your ISO 27001 Annex A.12.6 (technical vulnerability management) and SOC 2 CC7.1 (detection and monitoring).

What lil.business does: Our vulnerability assessment runs OpenVAS against your entire subnet, not just the assets you remember to list. Greenbone Community Edition with up-to-date NVT feeds catches this CVE on the first scan. We map every finding directly to your compliance controls so you walk into audit with evidence already tagged.

Cisco Firewall CVEs (Two CVSS 10s)

Forty-eight Cisco firewall CVEs dropped in March 2026. Two of them are perfect 10s. If your edge device is unpatched, the rest of your compliance posture is window dressing.

What lil.business does: Penetration testing from an external vantage point — we test your perimeter the way an attacker would. Firewall rules, NAT configurations, exposed management interfaces. Every finding gets a severity rating tied to your compliance framework. SOC 2 auditors want to see that you detect and respond. Our threat intelligence monitoring gives you the detection piece with real-time CVE alerts mapped to your actual asset inventory — not a generic feed.

Supply Chain Attacks — The Blind Spot in Most Compliance Programs

Secureframe's 2026 threat report calls supply chain compromise the defining shift of the year. It is not just Fortune 100 vendors anymore. It is the SaaS tools your startup depends on. It is the open-source packages in your build pipeline. It is the AI model you fine-tuned last quarter.

ISO 27001 Annex A.15 (supplier relationships) and SOC 2 CC9.2 (vendor risk management) cover this. But most SMBs treat these controls as a checkbox — a questionnaire sent to vendors once a year.

What lil.business does: We scope your supply chain exposure as part of compliance readiness. For each vendor that touches your data or your infrastructure, we identify the blast radius. If a vendor gets compromised, what does the attacker gain access to? This is not a questionnaire. This is a threat model. We document it in language your auditor accepts and your CISO actually finds useful.

AI-Driven Threats — The New Control Surface

AI is not just making phishing more convincing. It is changing how attacks are carried out at the infrastructure level. Who can access your models, what data they touch, how abuse would be detected — these are questions your SOC 2 auditor will ask in 2026.

What lil.business does: Managed AI security means we assess your AI deployments the same way we assess production systems. Access controls, data flows, monitoring coverage. If you are running models that process customer data, that is a control surface. We make sure it is in your scope from day one — not discovered during audit remediation.

How lil.business Fast-Tracks Your Compliance Journey

Most compliance engagements follow the same slow path: consultant scopes for two weeks, gap analysis takes another week, and then you get a spreadsheet of things to fix. lil.business collapses the first two phases.

Our compliance scoping engagement covers ISO 27001, SOC 2, and Essential Eight simultaneously. The Australian Cyber Security Centre (ACSC) Essential Eight maturity model aligns naturally with ISO 27001 Annex A controls and SOC 2 Trust Services Criteria. Scoping once against all three frameworks saves time and prevents duplicate work.

The engagement runs:

  1. Vulnerability assessment — OpenVAS/Greenbone against your full subnet, authenticated where possible, with CVE-to-control mapping
  2. External penetration testing — perimeter assessment targeting the same CVEs attackers are exploiting today
  3. Threat intelligence integration — real-time monitoring feeds mapped to your asset inventory, not a generic CVE dump
  4. Control mapping — every finding tagged to ISO 27001 Annex A, SOC 2 TSC, and Essential Eight maturity levels
  5. Gap report — delivered as evidence-ready documentation, not a spreadsheet you have to translate for your auditor
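As an added illustration of steps 1, 3 and 4 above (example code written here, not lil.business tooling), the Python below reads a constructed scanner export, flags CVEs present in a constructed stand-in for the CISA KEV catalog, tags each finding with the ISO 27001, SOC 2 and Essential Eight controls the page names, and ranks actively exploited flaws ahead of higher raw CVSS scores. The CSV layout, category names and placeholder CVE IDs are assumptions; only CVE-2026-42898 and its 9.9 score come from the page.

```python
import csv
import io

# Control tags per finding category. Control IDs are the ones the page cites
# (ISO 27001 A.12.6 / A.15, SOC 2 CC7.1 / CC9.2); category names are ours.
CONTROL_MAP = {
    "application-patch": ["ISO 27001 A.12.6", "SOC 2 CC7.1", "E8 Patch Applications"],
    "os-patch": ["ISO 27001 A.12.6", "SOC 2 CC7.1", "E8 Patch Operating Systems"],
    "third-party": ["ISO 27001 A.15", "SOC 2 CC9.2"],
}

# Constructed stand-in for the CISA KEV catalog: placeholder IDs, not real entries.
KEV_CATALOG = {"CVE-0000-0002", "CVE-0000-0003"}

# Constructed scanner export (column layout assumed, not OpenVAS's real report
# format); only CVE-2026-42898 and its 9.9 score come from the page.
SCAN_CSV = """host,cve,cvss,category,summary
10.0.5.12,CVE-2026-42898,9.9,application-patch,Dynamics 365 on-prem code injection
10.0.5.40,CVE-0000-0002,7.8,os-patch,placeholder kernel privilege escalation
10.0.9.1,CVE-0000-0003,6.5,application-patch,placeholder admin console auth bypass
10.0.7.3,CVE-0000-0004,5.3,third-party,placeholder vendor agent data exposure
"""

def parse_findings(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cvss"] = float(row["cvss"])
    return rows

def enrich(findings, kev=KEV_CATALOG):
    """Tag each finding with controls and a tier, then rank for remediation."""
    for f in findings:
        f["in_kev"] = f["cve"] in kev
        f["controls"] = CONTROL_MAP.get(f["category"], ["UNMAPPED"])
        # A flaw in the KEV catalog outranks a higher raw CVSS score.
        if f["in_kev"]:
            f["tier"] = "P1-exploited"
        elif f["cvss"] >= 9.0:
            f["tier"] = "P1-critical"
        else:
            f["tier"] = "P2"
    return sorted(findings, key=lambda f: (not f["in_kev"], -f["cvss"]))

def by_control(findings):
    """Group CVE IDs under each control so evidence can be filed per control."""
    grouped = {}
    for f in findings:
        for control in f["controls"]:
            grouped.setdefault(control, []).append(f["cve"])
    return grouped
```

Any finding that lands under "UNMAPPED" is a scoping gap to resolve before the audit, not a finding to file.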

FAQ

Q: I am a small business. Do I really need ISO 27001 or SOC 2? A: If you handle customer data and want enterprise clients, yes. Australian government RFPs increasingly require ISO 27001 certification or equivalent. SOC 2 is becoming table stakes for any SaaS company selling into the US market. lil.business scopes realistically for SMBs — we know you do not have a 10-person security team, and we build compliance programs that match your actual size.

Q: How long does a scoping engagement take? A: Two to three days of active assessment, not two weeks of back-and-forth. We scan, we test, we map findings to controls, we deliver a gap report ready for your auditor.

Q: What is the difference between vulnerability scanning and penetration testing? A: Scanning tells you what is open. Penetration testing tells you what is exploitable. Compliance frameworks want both. lil.business runs both in the same engagement, cross-referenced against the CVEs attackers are actively exploiting right now.

Q: Does Essential Eight cover the same ground as ISO 27001? A: Essential Eight is more prescriptive and narrower. It covers application control, patching, administrative privileges, and hardening. ISO 27001 is broader — it covers your entire information security management system. The two map together well, and scoping both at once saves you from paying for separate engagements.

Conclusion

The May 2026 threat landscape is not hypothetical. A CVSS 9.9 RCE in Microsoft Dynamics 365 is a real thing that needs a real patch. Two Cisco CVSS 10s are sitting on edge devices right now. Supply chain attacks are the fastest-growing vector, and your AI deployments are a control surface your auditor will ask about.

Compliance is not a paperwork exercise anymore. It is evidence that your security controls work against the threats that actually exist. lil.business scopes your compliance journey with today's threat landscape in mind — vulnerability assessment, penetration testing, threat intelligence, and control mapping — so you walk into audit with the proof already in hand.

Visit lil.business/book for a free cybersecurity scoping call. No sales pitch. We look at your environment, map your threats, and tell you what it takes to get audit-ready.

References

  1. CrowdStrike — May 2026 Patch Tuesday: Updates and Analysis
  2. Zero Day Initiative — The May 2026 Security Update Review
  3. CISA — Known Exploited Vulnerabilities Catalog
  4. Greenbone — March 2026 Threat Report: Critical CVEs
  5. Secureframe — Emerging Cyber Threats in 2026: What SaaS Companies Need to Do
  6. ACSC — Essential Eight Maturity Model
