Logo
Log in
Subscribe
Logo
Oliver Buchannon
Michael Faas
New post

Jun 28, 2026

•

1 min read

New post

One week's breath. The archive is the assignment.

Michael Faas
Michael Faas
It was never about vulnerabilities.

Jun 21, 2026

•

5 min read

It was never about vulnerabilities.

Six weeks I spent on vulnerability triage. Here is the confession at the end of it: triage was the easiest place to show you the discipline, not the only place it lives. The same move scales to vendor risk, AI procurement, the budget, the next hire. This was never about vulnerabilities. It is about how you decide under uncertainty in a system too complex to score.

Michael Faas
Michael Faas
When NOT to measure.

Jun 14, 2026

•

5 min read

When NOT to measure.

For five weeks I taught you to measure. Here is the part that makes it discipline instead of a tic: knowing the decisions that do not earn a model. One week after I opened a paid measurement pilot, here is me telling you when measuring is the wrong move.

Michael Faas
Michael Faas
Stop Inheriting the Scanner's List

Jun 7, 2026

•

5 min read

Stop Inheriting the Scanner's List

For three weeks I showed you how to shrink forty-seven "criticals" to three and say the risk in dollars. Here's the part I left out: doing it yourself is the hard part. So I'm opening three pilot slots to do it with you.

Michael Faas
Michael Faas
47 criticals...you can fix 3.

May 31, 2026

•

5 min read

47 criticals...you can fix 3.

A scanner handed one firm forty-seven "criticals" and a five-month queue. Watch probability and cost shrink it to three, reorder it, and turn it into a number a board can hear.

Michael Faas
Michael Faas
You're sorting by the wrong number.

May 24, 2026

•

6 min read

You're sorting by the wrong number.

One Exchange flaw. Two severity scores that don't agree. A six-percent probability that's actually in the ninety-first percentile. The number on your screen was never the question.

Michael Faas
Michael Faas
Severity is not probability.

May 17, 2026

•

4 min read

Severity is not probability.

You patched a 9.8 last week. A 7.8 was the one getting popped. CISA's KEV list keeps publishing the gap. Most security teams keep ignoring it.

Michael Faas
Michael Faas
Your AI has a trust model. You didn't write it.

May 10, 2026

•

4 min read

Your AI has a trust model. You didn't write it.

Pillar Security found a CVSS 10 in Google's Gemini CLI last month. Not a coding error. A trust error. Your AI tools all have it. Most organizations haven't designed the answer.

Michael Faas
Michael Faas
9 in 10 SMBs have a compromised user right now.

May 3, 2026

•

4 min read

9 in 10 SMBs have a compromised user right now.

The question isn't whether. It's whether anyone is watching.

Michael Faas
Michael Faas
You Bought a Product. It's Running a Process You Never Designed.

Apr 26, 2026

•

4 min read

You Bought a Product. It's Running a Process You Never Designed.

AI coding agents aren't the tool you bought. They're the process you have to govern — and that's a leadership gap, not a tooling gap.

Michael Faas
Michael Faas
Security doesn't fail in silos — it fails in cascades.

Apr 19, 2026

•

3 min read

Security doesn't fail in silos — it fails in cascades.

The cascades everyone's writing about are between companies. The ones that take you down are inside yours. One weak domain. Nine downstream failures. Most security teams can't see the shape.

Michael Faas
Michael Faas
The Soft Underbelly Doesn't Care About Your Clearance Level

Apr 12, 2026

•

6 min read

The Soft Underbelly Doesn't Care About Your Clearance Level

The head of the FBI got phished. Your executives are next.

Michael Faas
Michael Faas
Your AI Supply Chain Is Already Compromised

Apr 5, 2026

•

6 min read

Your AI Supply Chain Is Already Compromised

They didn't hack the AI. They hacked the security tools first.

Michael Faas
Michael Faas
The Assumptions Nobody Wrote Down

Mar 30, 2026

•

9 min read

The Assumptions Nobody Wrote Down

Three failures. Three industries. One structural flaw: the assumptions nobody documented, questioned, or tested.

Michael Faas
Michael Faas
Your Security Program Has a 28-Day Blind Spot

Mar 22, 2026

•

7 min read

Your Security Program Has a 28-Day Blind Spot

Offense gets instant feedback. Defense gets quarterly reviews. AI just made that gap unsurvivable.

Michael Faas
Michael Faas
Your Patching Window Just Collapsed

Mar 15, 2026

•

6 min read

Your Patching Window Just Collapsed

Exploitation just overtook credentials as the #1 breach vector. First time ever.

Michael Faas
Michael Faas
No Malware. No Exploit. Just a Prompt

Mar 8, 2026

•

5 min read

No Malware. No Exploit. Just a Prompt

The AI Kill Chain doesn't need binaries. It needs your agent's trust.

Michael Faas
Michael Faas
29 Minutes. That's All They Need.

Mar 1, 2026

•

5 min read

29 Minutes. That's All They Need.

Your board thinks "incident response" means hours. Attackers think it means minutes. Someone needs to translate that gap.

Michael Faas
Michael Faas
Google Just Bought Your Cloud Security Team

Feb 23, 2026

•

5 min read

Google Just Bought Your Cloud Security Team

$32B. Largest cyber acquisition ever. Your vendor's new boss is a hyperscaler with its own agenda.

Michael Faas
Michael Faas
They Phished His Kid's Soccer Team to Hack a Defense Contractor

Feb 16, 2026

•

5 min read

They Phished His Kid's Soccer Team to Hack a Defense Contractor

When attackers know your family better than your security team does

Michael Faas
Michael Faas
Your Firewall Vendor Got Hacked. So Did 80 Banks.

Feb 8, 2026

•

4 min read

Your Firewall Vendor Got Hacked. So Did 80 Banks.

When your vendor's vendor gets breached, the cascade finds you.

Michael Faas
Michael Faas
Your AI Agent Has the Keys. Who's Watching the Door?

Jan 31, 2026

•

5 min read

Your AI Agent Has the Keys. Who's Watching the Door?

Signal vs. Noise — Pulse #01

Michael Faas
Michael Faas

Signal vs. Noise

Cutting through the chaos of cybersecurity and technology — so you can lead with clarity.

© 2026 Signal vs. Noise.
beehiivPowered by beehiiv