THE ECHO

One story. Gone deep.

The Compromise Isn't the Event. It's the Precondition.

Guardz dropped a number this week that should have stopped every founder's morning. Most won't hear about it. The ones who do will misread what it says.

The Guardz 2026 State of SMB Threat report landed with one line that does more work than the rest of the report combined.

Nine in ten SMBs have at least one compromised user account active right now.

Not "at risk of being compromised." Not "exposed to phishing." Actively compromised. Credentials in the wild. An open door somebody else already knows about.

Ransomware detections are up 190% year over year in the same dataset. Read those two facts in sequence and the picture sharpens. The pool of pre-positioned access is growing, and attackers are converting that access into something destructive faster than defenders can see it happening.

Wendy Nather built a phrase a decade ago that still names the problem better than anything coming out of the vendor circuit. The security poverty line. Below it sit the businesses that can't afford the people, the tooling, or the time to do security the way the frameworks assume. Most SMBs live below that line and always have. What changed is that the attackers stopped treating that population as low-value. Initial access brokers price an SMB foothold the way the rest of the economy prices anything: by what someone will pay for it. Ransomware-as-a-service crews pay well.

So the math: more access for sale, more buyers, more conversions. Most SMBs find out they were compromised when something downstream forces the conversation. A wire that didn't land where it was supposed to. A customer asking about an email they never sent. A ransom note on a Monday morning.

The compromise isn't the event. It's the precondition.

Mandiant's M-Trends data has put numbers on the visibility gap for years. Median dwell time, the days between intrusion and detection, has improved over the decade but still runs weeks for most organizations and months for those without a dedicated detection function. SMBs are disproportionately in that second group. The attacker is in the building before the alarm gets installed.

That's not a tooling failure. Most SMBs already own EDR, MFA, a SIEM trial they never finished configuring, an email gateway, sometimes two. The tools generate signal. The gap is that nobody is paid to watch what the signal says, follow the threads it raises, and decide whether what they're seeing matters.

So the question the Guardz number forces isn't "do you have security tools?" You do. The question is closer to: who in your business would know if a credential belonging to someone on your team was being used by someone who isn't them, and how long would it take them to find out?

For most growth-stage businesses, the honest answer is "we'd find out when something breaks." That's the gap between owning visibility and exercising it. Tools generate visibility. People exercise it. The cost of the second one is what most SMBs have not yet decided to pay.

Nine in ten SMBs are already past the point where prevention is the relevant conversation. The relevant conversation is detection: who is responsible for it, how fast they can confirm it, and what they are authorized to do when they confirm it.

If you can answer those three things in one sentence each, you have a security program. If you can't, what you have is a tool stack and a hope.

The hope is the part the attackers are pricing.

SIGNAL CHECK

What else matters this week.

Adobe PDF Zero-Day Exploited for Four Months Before Patch (CVE-2026-34621)

Adobe shipped a patch last week for a critical Acrobat Reader vulnerability that attackers had been exploiting for roughly four months. The detection lag is the story, not the CVE. Four months of in-the-wild exploitation against a file format every business opens daily, and the visibility loop didn't close until the vendor disclosed.

That's the Echo's frame in miniature. The compromise was in motion long before the patch made it public. If you process PDFs from outside parties, deploy this update this week, not in your next maintenance window. via no.security

Windows Domain Controllers Hitting Restart Loops After April Patch Tuesday

Some Windows Server environments are seeing Domain Controller restart loops after deploying April's cumulative updates, with the failure mode varying by server version and AD configuration. If you run on-prem AD and haven't patched yet, read the relevant KB before you deploy and stage on a non-critical DC first.

This is the inverse problem to the one above. There, the visibility gap was not seeing what attackers were doing. Here, it's not seeing what your own change puts at risk. The companies that get hurt by Patch Tuesday aren't the ones who patch slowly. They're the ones who patch without knowing what they're walking into. via no.security

Claude Code Agent Ran terraform destroy on a Live Production Database

An AI coding agent deleted 2.5 years of production data on a live system. One command, no confirmation gate, no guardrails between the agent's intent and the infrastructure's response. Then it was gone.

The reflexive read is "AI is dangerous." The actual story is governance. Somebody gave an autonomous agent the permissions to issue destructive infrastructure commands without a human in the loop, and nobody owned the decision to do that. That isn't an AI failure. It's the same visibility gap the Echo is about, on a different surface. Nobody was watching the agent the way nobody is watching the credentials. via no.security

THE NOISE

Not every signal needs action.

"We Run Phishing Simulations."

Phishing simulations have a place. They build awareness, they generate training data, they give the security function something to report at the QBR. Useful. Not what the Guardz number is asking about.

Simulations are about access that hasn't happened yet. The Guardz data is about access that already has. One is prevention against future attempts. The other is detection against present compromise. Two different programs, two different tool sets, two different operating cadences, two different humans accountable for outcomes.

When 9 in 10 SMBs already have a compromised account active, the simulation program isn't the thing standing between you and the bad outcome. The detection program is. The risk in this category isn't running simulations. The risk is letting the simulation report serve as the answer to the question the Guardz number actually asked.

ONE QUESTION

No answer. Just the question.

If 9 in 10 businesses like yours have an active compromised account right now, and you believe yours is the lucky 1 in 10, what would it look like if you were wrong?

If This Is the Shape You've Been Trying to Name

The Signal Score grades your program across the eight categories most likely to cascade. Identity & Access. Devices & Patching. Email & Phishing Defense. Backup & Recovery. Network Security. Data Protection. Vendor & SaaS Risk. Incident Readiness. Fifteen minutes. A through F grades, an expected annual loss estimate, and a plain-English read of where your weakest area is pulling the others down.

It's the assessment built for the gap this week's Pulse is about: businesses already compromised who don't yet know it, and the leaders who'd benefit from a clear picture of where the visibility holes are. Free. If the grade wants a conversation, there's a thirty-minute review with no pitch attached, just where your cascade points are.

Prefer audio? Jane reads every Pulse edition on the Signal vs. Noise podcast. Five minutes, same signal, no scrolling. Find it wherever you listen.

Michael Faas is a fractional CTO/CISO who translates technical complexity into business decisions. echocyber.io
