THE ECHO
One story. Gone deep.
Security doesn't fail in silos — it fails in cascades.
Your Identity program isn't an Identity problem.
Most security programs can't hear that sentence. The way they're built tells them the opposite. You buy identity tools from identity vendors. You staff an IAM team. You run an access review every quarter and call it governance. Identity has a budget line, a KPI, a dashboard. A silo. Clean boundaries. Defined ownership.
Then it fails, and nine other things fail with it.
Three breaches rolled through the feed lately — a hospital diverted ambulances over a video game vendor, thirty million crypto wallets exposed via an embedded SDK, a WordPress plugin backdoored through its own update channel. Same shape each time. Cascades between companies. Everyone's writing about supply chain. Fine.
That's not the cascade I'd worry about…
The cascade that takes your program down isn't in the vendor chain. It's inside yours. Map a security program as a graph of dependencies and the picture is this: a single weak area doesn't stay weak. It reaches through the graph and pulls nine others down with it.
Weak Identity cascades into AppSec — your code review can't tie commits to humans. Into Data Privacy — your access logs can't answer who touched the record. Into SecOps — your alerts can't separate real activity from compromised credentials. Into Incident Response — your responders can't tell whose session is whose. Into AI Governance — your model access has no accountable owner. Into Risk & Compliance — your control evidence can't name a person, so audits surface nine findings that are actually one. Into Awareness & Culture — your phishing simulation results don't map to humans. Into Security Architecture — your zero-trust design has no anchor identity. Into Vendor & SaaS Risk — your third-party access reviews are educated guessing.
Nine domains. One root cause. Each with its own budget, KPI, dashboard.
That's what "complex, not complicated" looks like in a security program.
Most programs can't see this shape because they're organized to hide it. Budget runs per domain. Tools are evaluated per silo. Audits grade per framework. You look at your program through twelve windows and see twelve problems. The graph shows them as one root with nine echoes.
The data is showing up right on cue. CrowdStrike's 2026 Global Threat Report dropped a number worth sitting with: eighty-two percent of detections last year were malware-free. The fastest eCrime breakout observed was twenty-seven seconds. Attackers stopped needing to break in. They log in.
Your perimeter controls were designed to catch people without credentials. The attacker has a key. A cascade isn't a product problem — you can't stack another tool on the upstream silo to fix it. You solve it by mapping the graph and governing the dependencies.
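Mapping the graph is the concrete part of that advice, so here is an added example (not from the newsletter or its author) that models a program as a dependency graph in Python. The nine Identity dependencies are the ones listed above; the two second-order edges (SecOps → Incident Response, Security Architecture → Vendor & SaaS Risk) are assumed to show that cascades chain across more than one hop. The last function does the reverse of the cascade: given a set of audit findings, it collapses them to the fewest upstream weaknesses that explain them, which is the "nine findings that are actually one" reading.

```python
"""Model a security program as a graph of dependencies between domains.

Added example, not from the newsletter. The nine Identity dependencies are
the ones named in the essay; the two second-order edges are assumed to show
that cascades chain across more than one hop.
"""
from collections import deque

# upstream domain -> domains whose controls depend on it (constructed)
DEPENDENCIES = {
    "Identity": [
        "AppSec", "Data Privacy", "SecOps", "Incident Response",
        "AI Governance", "Risk & Compliance", "Awareness & Culture",
        "Security Architecture", "Vendor & SaaS Risk",
    ],
    "SecOps": ["Incident Response"],                   # assumed edge
    "Security Architecture": ["Vendor & SaaS Risk"],   # assumed edge
}


def all_domains(graph):
    """Every node mentioned as an upstream or as a dependent."""
    nodes = set(graph)
    for deps in graph.values():
        nodes.update(deps)
    return nodes


def cascade(graph, weak):
    """Domains pulled down, directly or transitively, when `weak` fails (BFS)."""
    seen = set()
    queue = deque([weak])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen and dep != weak:
                seen.add(dep)
                queue.append(dep)
    return seen


def blast_radius(graph):
    """Rank domains by how many others a weakness there would take down."""
    return sorted(
        ((len(cascade(graph, d)), d) for d in all_domains(graph)),
        reverse=True,
    )


def root_causes(graph, findings):
    """Collapse audit findings to the fewest upstream weaknesses that explain them.

    Greedy set cover. Ties prefer the node with the smallest cascade, so a lone
    finding is not blamed on a root that would have produced many more.
    Returns (roots, findings_with_no_upstream_explanation).
    """
    uncovered = set(findings)
    explained_by = {d: cascade(graph, d) | {d} for d in all_domains(graph)}
    roots = []
    while uncovered:
        best = max(
            explained_by,
            key=lambda d: (len(explained_by[d] & uncovered), -len(explained_by[d])),
        )
        gained = explained_by[best] & uncovered
        if not gained:
            break  # remaining findings have no upstream node in the graph
        roots.append(best)
        uncovered -= gained
    return roots, uncovered


if __name__ == "__main__":
    nine = DEPENDENCIES["Identity"]
    print("Identity cascade:", sorted(cascade(DEPENDENCIES, "Identity")))
    print("Largest blast radius:", blast_radius(DEPENDENCIES)[0])
    roots, _ = root_causes(DEPENDENCIES, nine)
    print(f"{len(nine)} findings collapse to {len(roots)} root cause: {roots}")
```

Run it and the nine domain-level findings collapse to a single root, Identity, while a lone Incident Response finding stays attributed to Incident Response rather than being over-explained by a root that would have surfaced eight more. `blast_radius` is the governance view: the domains at the top of that list are the ones whose dependencies deserve an owner before the next audit cycle.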
Your Identity program isn't an Identity problem. Your policy gap isn't a compliance problem. Your audit finding isn't an audit problem.
They're the same problem, one hop apart.
SIGNAL CHECK
What else matters this week.
April Patch Tuesday: Two Zero-Days, One Ugly Pairing
Microsoft shipped more than 160 fixes this month, including two zero-days. CVE-2026-32201 is a SharePoint spoofing flaw already being exploited in the wild — CISA added it to the KEV catalog with an April 28 federal deadline. The second, CVE-2026-33825 (nicknamed BlueHammer), is a privilege escalation in Windows Defender itself. A working proof-of-concept was public before the patch shipped.
When the zero-day is in your EDR, your detection coverage isn't what you think it is. And a SharePoint spoofing bug plus a local privilege escalation is the starter kit for a full compromise — spoof the login, escalate, pivot. Patch both Monday. via BleepingComputer, Krebs on Security
Marimo Notebook: Disclosed to Exploited in Under Ten Hours
CVE-2026-39987, a pre-auth RCE in Marimo (open-source Python notebooks), went from disclosure to active exploitation in nine hours and forty-one minutes. CVSS 9.3. Unauthenticated WebSocket endpoint, full PTY shell, game over. Marimo is popular with data science teams — the kind of tool that ends up on internal networks and gets forgotten.
The number to track isn't the CVSS. It's the time-to-exploit. The median has collapsed from years to a single workday. If your patch cycle is measured in sprints, you're already behind. via Sysdig, The Hacker News
THE NOISE
Not every signal needs action.
"Just Buy Another IAM Product."
82% malware-free is going to launch the next quarter of vendor pitches around the same sentence: our platform solves identity risk. No, it doesn't. Identity risk isn't a product gap — it's a graph of dependencies you haven't mapped. Another IAM SKU doesn't fix a cascade; it adds a node to it. Companies that buy tools to solve cascades end up with a tool inventory and the same exposure. The ones that map the dependencies first end up with fewer tools and less exposure. Same budget, different category of thinking.
ONE QUESTION
No answer. Just the question.
When your weakest security domain takes nine others down with it, could anyone in your organization name the nine — before the incident report does?
If This Is the Shape You've Been Trying to Name…
The Signal Score is how you start seeing it in your own program.
Fifteen minutes. Eight categories most likely to cascade in a mid-market program. No call, no scoping meeting. At the end you get:
An A–F grade on each of eight categories: Identity & Access, Devices & Patching, Email & Phishing Defense, Backup & Recovery, Network Security, Data Protection, Vendor & SaaS Risk, Incident Readiness
A dollar estimate of expected annual loss at your current grade
A plain-English read of where your weakest area is pulling the others down — the cascade shape, mapped to your program
Free. If the grade wants a conversation, there's a thirty-minute review on the back end — no pitch, just where your cascade points are and where to start.
→ Take it here: echocyber.io/assessment
Michael Faas is a fractional CTO/CISO helping growth-stage companies navigate complexity without building bloated security programs. More at echocyber.io.

