THE ECHO
One story. Gone deep.
What Calibrated Risk Looks Like
Last Sunday I named the tools. This Sunday I want to show you the work.
Picture a sixty-person regional accounting and wealth-management shop (an illustration, not a client, but the numbers behave exactly like the real ones). Their crown jewels are client financial records, the kind of data that, if it leaked, would end the firm's reputation before it ended its quarter.
Their scanner finishes a run and reports 312 vulnerabilities. 47 of them flagged Critical. CVSS 9.0 and up. Forty-seven fires, all marked the same shade of red.
Here is the first thing that dashboard never tells you. This team can realistically close about 10 fixes a month. So forty-seven "criticals" is nearly a five-month queue, and while they grind through it, everything the scanner ranked below critical sits and rots. They will spend the better part of half a year fixing what a tool told them to fix, in the order the tool told them to fix it, and they will never once ask whether the tool was right.
So let's ask. Three questions, three lenses.
First lens: how bad would it be? That's severity, the CVSS number, and it's the one the scanner already answered. It's the reason all 47 are red. But notice what just happened: severity is the only one of the three a generic scanner can even see. It knows how bad a flaw could theoretically be, in the abstract, on any network anywhere. It knows nothing about how likely it is or what it would cost you. Stopping at the one lens the tool can measure is exactly the trap.
Second lens: how likely is each one actually to be exploited? Run the 47 through EPSS, the exploitation-probability model from last week. Of the 47, only 6 land in the band of EPSS scores you would call likely (EPSS publishes no official tiers; where you draw that line is your call, and you should be able to say why). The rest? Many of those 9.8s carry a sub-one-percent chance of seeing any exploitation activity in the next thirty days, which is the window EPSS actually predicts. Theoretically catastrophic. Practically inert. The scanner can't tell the difference, because severity was never built to.
Third lens: what would it actually cost this firm? Of those 6, only 3 touch the systems that hold or reach the crown-jewel client data. The other three are real, and they get fixed, but they are not what keeps a managing partner up at night.
47 down to 3.
Now read the part that matters more than the shrinkage. The list didn't just get shorter. It got reordered, and that only shows up if you run the second and third lens over all 312 findings, not just the 47 the scanner painted red. One of the final three was something the scanner rated Medium: a remote-access authentication bypass on the firm's VPN, the kind of flaw that lets someone skip the login and walk straight into the network. The scanner buried it under thirty-some "criticals" because its raw severity number was middling. Weight it by real-world exploitation and by what it reaches, and it climbs past nearly every 9.8 on the page and into the top three.
The tool didn't just hand them too long a list. It handed them the wrong order. The thing most likely to actually hurt them was sitting in the middle of the pile, outranked by flaws that will never be touched. That is the difference between a sorted dashboard and a decision.
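The three lenses above, run as code. This is an added example of mine, not the newsletter's tooling or anything the firm runs: the eight findings are constructed, their IDs are placeholders rather than real CVEs, and the EPSS cut-off, the treatment of KEV entries and the asset-tier weights are assumptions you would replace with your own.

```python
"""Three-lens triage: severity (CVSS), likelihood (EPSS), business cost.

Added example, not the newsletter's own tooling.  The findings are constructed
and their IDs are placeholders, not real CVEs.  The EPSS cut-off, the KEV
treatment and the asset-tier weights are assumptions; replace them with the
values that fit your environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    cvss: float      # lens 1, severity: how bad it could be, on any network
    epss: float      # lens 2, likelihood: P(exploitation activity, next 30 days)
    kev: bool        # on CISA's Known Exploited Vulnerabilities list
    asset_tier: str  # lens 3, cost: "crown_jewel", "adjacent" or "isolated"


# Assumed relative cost of a compromise per asset class (crown jewels = 1.0).
TIER_WEIGHT = {"crown_jewel": 1.0, "adjacent": 0.3, "isolated": 0.05}
EPSS_LIKELY = 0.10  # assumed cut-off for "likely to be exploited"
KEV_FLOOR = 0.90    # assumption: confirmed in-the-wild use counts as near-certain

# Constructed scan output for the illustrative firm (not real findings).
FINDINGS = [
    Finding("F-01", "Deserialization RCE in internal reporting app", 9.8, 0.004, False, "isolated"),
    Finding("F-02", "Pre-auth RCE in client file-transfer appliance", 9.8, 0.930, True, "crown_jewel"),
    Finding("F-03", "SQL injection in client portal", 9.8, 0.420, False, "crown_jewel"),
    Finding("F-04", "RCE in dev-only log viewer", 9.8, 0.150, False, "adjacent"),
    Finding("F-05", "Kernel privilege escalation on build server", 9.1, 0.006, False, "isolated"),
    Finding("F-06", "Auth bypass on VPN gateway via forged session cookie", 6.5, 0.880, True, "crown_jewel"),
    Finding("F-07", "Reflected XSS on marketing site", 6.1, 0.020, False, "isolated"),
    Finding("F-08", "Weak TLS ciphers on mail relay", 5.3, 0.001, False, "adjacent"),
]


def likelihood(f: Finding) -> float:
    """EPSS, floored at KEV_FLOOR when exploitation is already confirmed."""
    return max(f.epss, KEV_FLOOR) if f.kev else f.epss


def risk_score(f: Finding) -> float:
    """Lens 2 times lens 3: how likely, times what it would cost us."""
    return likelihood(f) * TIER_WEIGHT[f.asset_tier]


def scanner_order(findings):
    """What the dashboard shows: severity only (stable sort keeps ties in scan order)."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def calibrated_order(findings):
    """The reordered list: likelihood x cost, run over every finding, not just the red ones."""
    return sorted(findings, key=risk_score, reverse=True)


def funnel(findings, critical_at=9.0):
    """The 47 -> 6 -> 3 funnel applied to the criticals alone: (critical, likely, costly)."""
    critical = [f for f in findings if f.cvss >= critical_at]
    likely = [f for f in critical if f.kev or f.epss >= EPSS_LIKELY]
    costly = [f for f in likely if f.asset_tier == "crown_jewel"]
    return len(critical), len(likely), len(costly)


def monthly_plan(findings, capacity):
    """Split the calibrated list into what gets fixed this month and what is deferred, on purpose."""
    ordered = calibrated_order(findings)
    return {"fix": ordered[:capacity], "defer": ordered[capacity:]}


if __name__ == "__main__":
    print("Scanner order (severity only):")
    for f in scanner_order(FINDINGS):
        print(f"  {f.fid}  CVSS {f.cvss:<4}  {f.title}")
    print("Calibrated order (likelihood x cost):")
    for f in calibrated_order(FINDINGS):
        print(f"  {f.fid}  score {risk_score(f):.3f}  {f.title}")
    print("Funnel on the criticals alone (critical, likely, costly):", funnel(FINDINGS))
    plan = monthly_plan(FINDINGS, capacity=3)
    print("Deferred this month, by choice:", [f.fid for f in plan["defer"]])
```

On this constructed set the scanner puts the VPN bypass (F-06, CVSS 6.5) sixth, under five criticals; the calibrated order puts it second, behind only a confirmed-exploited RCE on the appliance that holds client documents, and the 9.8 that tops the scanner's list finishes last. The funnel function deliberately looks only at the criticals, to reproduce the shape of the 47-to-3 shrinkage; the reordering comes from calibrated_order, which has to see the whole scan.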
And here is the payoff, the reason any of this is worth a partner's attention. Once you've put a calibrated probability and a dollar range on each of the loss scenarios those three flaws enable, you can turn the whole mess into one sentence a board understands. Not "we have 47 criticals." Instead: there's roughly a 1-in-7 chance we lose more than $250,000 this year, and about a 1-in-50 chance we lose more than $2 million. That second number is the client-trust, breach-notification scenario. The one that ends the firm. No CVSS score ever said that out loud. This sentence does, in dollars, in plain English, with no math on the slide.
That's the whole method. Douglas Hubbard has spent a career proving you can measure things people swear are unmeasurable, and this is what it looks like when you do. Not a bigger model. A better question.
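The board sentence is the output of a loss-exceedance calculation, and this added example (mine, not the newsletter's model; none of its numbers are the firm's) shows the mechanics: each loss scenario gets a calibrated annual probability and a 90% confidence interval for the loss if it happens, the loss is drawn from a lognormal fitted to that interval (the usual Hubbard-style move, and an assumption here), and a few thousand simulated years give the probability of exceeding any dollar threshold. The scenarios, probabilities and ranges are constructed; independence between scenarios is also assumed.

```python
"""Loss exceedance from calibrated estimates, Monte Carlo style.

Added example, not the newsletter's model or numbers.  Each scenario carries a
calibrated annual probability and a 90% confidence interval for the loss if it
happens; the loss is modelled as lognormal fitted to that interval (an
assumption, and the usual one for dollar losses).  Scenarios are constructed
for the illustrative firm and independent of each other (also an assumption).
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.6449  # standard-normal z for the 5th/95th percentiles


@dataclass(frozen=True)
class Scenario:
    name: str
    p_annual: float  # calibrated P(event happens this year)
    lo: float        # 90% CI lower bound on loss if it happens, USD
    hi: float        # 90% CI upper bound


# Constructed estimates; replace with your own calibrated ones.
SCENARIOS = [
    Scenario("Client-record theft via the VPN bypass", 0.03, 500_000, 5_000_000),
    Scenario("Ransomware via file-transfer appliance", 0.08, 100_000, 1_500_000),
    Scenario("Wire fraud from a compromised mailbox", 0.15, 20_000, 400_000),
    Scenario("Lost laptop, small disclosure", 0.25, 5_000, 60_000),
]


def lognormal_params(lo: float, hi: float):
    """Return (mu, sigma) of ln(loss) such that [lo, hi] is the 90% interval."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def interval_coverage(lo: float, hi: float, trials=20_000, seed=1) -> float:
    """Calibration check: share of sampled losses that land inside [lo, hi]; should be ~0.90."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(lo, hi)
    inside = sum(lo <= rng.lognormvariate(mu, sigma) <= hi for _ in range(trials))
    return inside / trials


def simulate(scenarios, trials=20_000, seed=7):
    """Total loss for each simulated year: each scenario fires with its own probability."""
    rng = random.Random(seed)
    params = [(s.p_annual, *lognormal_params(s.lo, s.hi)) for s in scenarios]
    years = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        years.append(total)
    return years


def p_exceed(losses, threshold: float) -> float:
    """Probability that a year's total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def odds_form(p: float) -> str:
    """0.142 -> '1-in-7': the shape a board can hear."""
    return f"1-in-{round(1 / p)}" if p > 0 else "not observed"


def board_sentence(losses, thresholds=(250_000, 2_000_000)) -> str:
    parts = [f"a {odds_form(p_exceed(losses, t))} chance we lose more than ${t:,.0f}"
             for t in thresholds]
    return "This year there is roughly " + " and ".join(parts) + "."


if __name__ == "__main__":
    losses = simulate(SCENARIOS)
    for t in (100_000, 250_000, 1_000_000, 2_000_000):
        print(f"P(loss > ${t:>9,}) = {p_exceed(losses, t):.3f}  ({odds_form(p_exceed(losses, t))})")
    print(board_sentence(losses))
```

interval_coverage is the honesty check on the fit: if you say 90% and the sampled losses land inside the interval about 90% of the time, the lognormal is doing what you asked. Whether your 90% intervals deserve the name is the harder question, and that is the calibration training Hubbard's work is about, not something a simulation can supply.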
Notice what calibration did not do. It did not give that team more work. It gave them a shorter, truer, defensible list. Three things to fix this month instead of a five-month death march. The old list was the scanner's, sorted by the one variable a tool could measure without ever seeing their business. The new list is theirs, and they can say out loud why number three matters more than the thirty things above it.
You can sort by the number a machine handed you, or you can make a decision you'd put your name on. Only one of those is risk management.
SIGNAL CHECK
What else matters this week.
CVE-2026-0257: A "Medium" Score on a VPN Bypass People Are Already Using
Watch the Echo's lesson happen in real time. On May 13, Palo Alto disclosed a flaw in PAN-OS and Prisma Access GlobalProtect: a remote, unauthenticated attacker can forge "authentication override" session cookies and stand up unauthorized VPN connections. Active exploitation hit on May 17, a second wave on May 21, and CISA added it to the Known Exploited Vulnerabilities catalog on May 29. Its CVSSv4 score is Medium. Rapid7 is telling people to treat it as critical-priority anyway: an internet-facing VPN authentication bypass, confirmed exploitation, public proof-of-concept code. Severity said "medium." Exploitation said "drop everything." If your team sorts by severity alone, this is the one that walks right past them while they patch a 9.8 nobody is touching. If you run GlobalProtect, the first check is whether your portals and gateways are configured to accept authentication-override cookies at all, because a forged cookie only matters where one is honored; the second is the patch. The score and the threat disagreed this week, and the threat was right. via The Hacker News and Rapid7
Verizon's 2026 DBIR: The Thing Breaking In Is the Thing You Didn't Patch
For years the headline cause of breaches was stolen credentials. That just flipped. In Verizon's 2026 Data Breach Investigations Report, exploitation of vulnerabilities accounted for 31% of breaches, while abuse of stolen or user credentials dropped to 13%. Vulnerability exploitation is now the top initial-access vector, full stop. The same report puts the median time to fully remediate a vulnerability at 43 days, and finds only 26% of the critical vulnerabilities in CISA's Known Exploited list were fully remediated in 2025, down from 38% the year before. The thing breaking into companies is exploited vulnerabilities, and teams are closing barely a quarter of the ones we already know are used in the wild. That is not a tooling gap. It is a prioritization gap, and it is exactly the one the Echo walks through closing. The thing breaking in is the thing you ranked thirty-seventh. via Help Net Security
THE NOISE
Not every signal needs action.
"2026 Is the Year of AI-Assisted Attacks"
Every January the industry picks a horseman. This year it's AI-assisted attacks, and you've already seen the headlines: vendor X's tool "discovered N previously unknown vulnerabilities," attackers are "weaponizing" large language models, the robots are coming for your network.
Here's what to do about it. Nothing different.
An AI that helps an attacker find a flaw faster still needs a flaw to find, and it still needs that flaw to be reachable and worth reaching. The defense did not change. The math did not change. If attackers really do weaponize a given flaw faster, that shows up where it should, in its exploitation probability, and the method already weights by exactly that. Faster discovery of vulnerabilities you've already deprioritized correctly is not a new threat, it's the same threat with better marketing. Meanwhile the actual 2026 data says the boring thing is winning: unpatched vulnerabilities, sorted badly.
Another scary headline competing for the attention you've just learned to ration by probability and consequence. Let it compete. You have a method now.
ONE QUESTION
No answer. Just the question.
Your team can fix ten things this month, and the scanner just handed you forty-seven "criticals." Which thirty-seven are you choosing not to fix this month, and be honest: did you choose them, or did the tool choose for you?
If "Highest Severity First" Is Still How You Decide
The Signal Score grades your program across the eight categories most likely to cascade: Identity & Access, Devices & Patching, Email & Phishing Defense, Backup & Recovery, Network Security, Data Protection, Vendor & SaaS Risk, Incident Readiness. Fifteen minutes. A through F grades, an expected annual loss estimate, and a plain-English read of where your weakest area is dragging the others down.
Free. If the grade wants a conversation, there's a thirty-minute review. No pitch. Just where your cascade points are.
If "highest severity first" is still how your team decides what to fix, the thing this whole series has been pointing at, the way to stop inheriting the scanner's list and start owning yours, arrives next Sunday. Details June 7.
Prefer audio? Jane reads every Pulse edition on the Signal vs. Noise podcast. Five minutes, same signal, no scrolling. Find it wherever you listen.
Michael Faas is a fractional CTO/CISO who translates technical complexity into business decisions. echocyber.io
