THE ECHO
One story. Gone deep.
The CVSS Trap
On May 1, CISA, the federal cybersecurity agency, added a Linux kernel flaw called Copy Fail to its Known Exploited Vulnerabilities (KEV) catalog, the public list of flaws confirmed to be under active attack in the wild. Federal agencies got two weeks to patch.
On CVSS, the 0-to-10 severity scale every scanner uses, the flaw rated 7.8. High (7.0 to 8.9), not Critical (9.0 and up). In most dashboards, that puts it below the fold.
It is a local privilege escalation: an attacker who already has a foothold on a Linux host becomes root with a few hundred bytes of Python. Most triage methods quietly assume that foothold away. In cloud and container environments, where every container shares the host's kernel and a bug in that kernel is reachable from any one of them, "local" is a thinner line than the org chart admits, and that assumption is a gift to the attacker.
While your scanner sorted the dashboard by score and pushed your team toward the 9.8s, a 7.8 sat on a federal deadline because attackers were already running it.
This is the CVSS trap. And almost every founder-led company I see has stepped in it.
CVSS measures how severe a vulnerability is in the abstract: how easy the attack is for an attacker already positioned to attempt it, and how bad the outcome is if it works. That is the definition. Not how likely it is to get exploited. Not how likely it is to get exploited against you. Just severity, assuming the attack works.
You took that number and used it as a risk score.
Nobody told you to. The scanner vendor didn't tell you to. The framework didn't tell you to. The score got sorted highest-to-lowest because that is what tables do, and the rest happened on its own. You patched the 9.8s first because they were at the top.
Research has shown for years that most vulnerabilities scored High or Critical are never exploited in the wild; only a small percentage of published CVEs ever are. Attackers do not pick targets by browsing a CVE list and sorting by score. They pick by what is reachable, what is reliable, and what scales. A reliable 7.8 with a public proof-of-concept and a working kernel exploit is worth more to them than a theoretical 9.8 that needs three conditions they cannot guarantee.
Your scanner does not know the difference. Your scanner knows the score.
Severity is not probability. CVSS is not a risk score.
This is the moment most security leaders push back, because the alternative sounds like more work and the current model at least lets you ship a report to the board. I get it. The dashboard is sorted, the cadence is documented, the auditor is satisfied, and the company believes it has a vulnerability management program.
What you actually have is a list, sorted by severity, executed top-down, with no input about what is being exploited against anyone, much less you.
That is not security. That is bookkeeping.
The companies that get this right do not throw CVSS away. They stop using it as the only signal. They cross-reference severity against exploitation data that already exists, costs nothing, and almost nobody at SMB scale is consuming: CISA's KEV catalog is the obvious one, and whether working exploit code is public is the next. They look at what is being exploited right now, not what could be exploited under ideal conditions. They make a smaller list, in a different order, and they ship.
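What that re-ordering looks like in practice, as an added example (not code from this newsletter or from any scanner vendor): scanner findings are sorted by exploitation evidence first and CVSS second. The KEV excerpt is constructed in the shape of CISA's public KEV JSON feed (its real field names are cveID and dueDate); the Copy Fail dates follow the page (added May 1, due May 15) and the year is assumed from the CVE ID. The exploit-availability set is a constructed stand-in for whatever feed you use, and the CVE-0000-* identifiers are placeholders, not real CVEs.

```python
"""Added example: re-order scanner findings by exploitation evidence, then CVSS.

All inputs are constructed for the demo. KEV_JSON mimics the field names of
CISA's KEV feed; PUBLIC_EXPLOITS stands in for an exploit-availability feed;
CVE-0000-* are placeholder IDs, not real vulnerabilities.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. The year is
# assumed from the CVE ID; the page only gives May 1 / May 15.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-31431", "vulnerabilityName": "Copy Fail (Linux kernel)",
   "dateAdded": "2026-05-01", "dueDate": "2026-05-15"}
]}
"""

# Constructed stand-in for an exploit-availability feed: CVEs with public PoC code.
PUBLIC_EXPLOITS = {"CVE-2026-31431", "CVE-0000-0002"}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    asset: str
    internet_reachable: bool  # the vulnerable component is exposed beyond the host


# Constructed scanner export. CVE-0000-* are placeholders, not real identifiers.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "build-runner-03", False),  # Critical, no PoC, not in KEV
    Finding("CVE-2026-31431", 7.8, "k8s-node-07", False),     # Copy Fail: KEV-listed local LPE
    Finding("CVE-0000-0002", 9.2, "edge-nginx-01", True),     # placeholder for an exposed bug with a public PoC
    Finding("CVE-0000-0003", 5.3, "intranet-wiki", False),    # Medium, nothing else known
]


def load_kev(text: str) -> dict[str, date]:
    """Map cveID -> dueDate from a KEV-format JSON document."""
    data = json.loads(text)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in data["vulnerabilities"]}


def tier(f: Finding, kev: dict[str, date], exploits: set[str]) -> int:
    """0 = actively exploited (KEV); 1 = public exploit and internet-reachable;
    2 = public exploit but local only; 3 = severity is the only signal."""
    if f.cve in kev:
        return 0
    if f.cve in exploits:
        return 1 if f.internet_reachable else 2
    return 3


def prioritize(findings, kev, exploits):
    """Sort by tier, then KEV due date (soonest first), then CVSS (highest first)."""
    no_deadline = date.max
    return sorted(
        findings,
        key=lambda f: (tier(f, kev, exploits), kev.get(f.cve, no_deadline), -f.cvss),
    )


def cvss_only(findings):
    """What the dashboard does today: highest score first."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print("CVSS-sorted:", [f.cve for f in cvss_only(FINDINGS)])
    for f in prioritize(FINDINGS, kev, PUBLIC_EXPLOITS):
        due = kev.get(f.cve)
        line = f"tier {tier(f, kev, PUBLIC_EXPLOITS)}  {f.cve}  CVSS {f.cvss}  {f.asset}"
        print(line + (f"  KEV due {due}" if due else ""))
```

The CVSS-only sort puts the 9.8 placeholder at the top and Copy Fail third. The evidence-first sort puts Copy Fail first because it carries a federal deadline, the reachable bug with a public PoC second, and only then falls back to the score. The tiers are a starting point, not a standard: the point is that the first sort key is something other than the number the scanner shipped.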
Why this matters more than it used to: the speed of exploitation has collapsed. Public proof-of-concept code now lands within days of disclosure, sometimes hours. Copy Fail had working exploit code in Python, Go, and Rust on public repositories before the KEV listing. Patching by CVSS-sorted dashboard puts you in a race against an attacker who already knew which 7.8 to grab.
The trap is not that CVSS is wrong. CVSS is fine at what it measures. The trap is treating the only number on your screen as the answer to a question it was not built to answer.
You can fix this. Most teams I work with rebuild their prioritization model in a week. They have to admit first that the number they have been sorting by is not the number they thought it was.
The 7.8 already cost you. The 9.8 you raced on last week was probably nobody's target.
That gap is the measurement gap. And next Sunday's Pulse is about how to close it.
SIGNAL CHECK
What else matters this week.
CVE-2026-31431 "Copy Fail": Linux Kernel Privilege Escalation Active in the Wild
The vulnerability anchoring this week's Echo. CVSS 7.8, added to CISA's KEV catalog on May 1, federal patching deadline May 15. Public exploit code in three languages within days of disclosure. Affects virtually every Linux distribution shipped since 2017: Ubuntu, RHEL, Amazon Linux, SUSE, Debian, Fedora. If you run Linux anywhere, this is not below the fold. Patch to the kernel update your distribution shipped this month, and reboot: a new kernel package does nothing until the host is actually running it. via Microsoft Security Blog and CISA
18-Year-Old NGINX Heap Overflow: CVSS 9.2, One-Third of the Internet Exposed
A heap overflow in NGINX's rewrite module, dormant since 2008, surfaced this week. Unauthenticated remote code execution. Public proof-of-concept on GitHub. The bug survived 18 years of public code review and audits before an AI-assisted disclosure tool found it. Tools you trust because they have been around a long time are not exempt. Patch to NGINX 1.31.0 or 1.30.1. Unlike Copy Fail, this one is internet-reachable. The exploitation curve will move fast. via no.security
Microsoft MDASH: AI Agents Find 16 Windows CVEs in One Patch Cycle
Microsoft's internal AI system, MDASH, found 16 new Windows CVEs for May Patch Tuesday, including four Critical RCEs. The system hit 96-100% recall against five years of historical MSRC cases. Not a research demo. AI-assisted vulnerability discovery is in production at the largest software vendor on earth. Oracle compressed its patch cycle from quarterly to monthly for the same reason. If your prioritization is still calibrated for a slower disclosure environment, the environment has already moved without you. via Microsoft Security Response Center and no.security
THE NOISE
Not every signal needs action.
"We Patch the Critical Ones First"
This is the answer almost every SMB founder gives when asked how their security team prioritizes. It sounds responsible. It maps to the dashboard. The auditor accepts it.
It also describes a process that no longer matches the environment it was designed for. "Critical" in CVSS is a severity band, not a likelihood. A cadence that races on Criticals and walks on Highs is optimized for a threat model attackers stopped using years ago.
The reflex to defend the current process is strong because it works often enough that the gap stays invisible until it isn't. Copy Fail is what the gap looks like when it stops being invisible. Patching by severity alone is not a strategy. It is a habit your scanner trained you to confuse for one.
ONE QUESTION
No answer. Just the question.
If two vulnerabilities landed on your scanner today, one scored 9.8 with no public exploit code, one scored 7.8 with working code in three languages, which one would your team patch first, and is that the answer you would defend to your board?
If This Is the Shape You've Been Trying to Name
The Signal Score grades your program across eight categories most likely to cascade. Identity & Access. Devices & Patching. Email & Phishing Defense. Backup & Recovery. Network Security. Data Protection. Vendor & SaaS Risk. Incident Readiness. Fifteen minutes. A through F grades, an expected annual loss estimate, and a plain-English read of where your weakest area is pulling the others down.
Free. If the grade wants a conversation, there's a thirty-minute review. No pitch, just where your cascade points are.
Prefer audio? Jane reads every Pulse edition on the Signal vs. Noise podcast. Five minutes, same signal, no scrolling. Find it wherever you listen.
Michael Faas is a fractional CTO/CISO who translates technical complexity into business decisions. echocyber.io

