THE ECHO

One story. Gone deep.

Stop Inheriting the Scanner's List

For three weeks I have been walking you toward a single move.

Pulse #16: severity is not probability. Pulse #17: the number on your screen was never the question. Last Sunday, the whole thing in one demo. A scanner handed a sixty-person firm 312 vulnerabilities, 47 of them flagged Critical at CVSS 9.0 and up, and a team that could close about 10 fixes a month. Five months of grinding through reds in the order a tool chose.

Then we ran the list through two lenses the scanner cannot see. Exploitation probability: only 6 of the 47 sat in the high-EPSS tier. Cost to that firm: only 3 of those touched the crown-jewel client data. 47 down to 3. And it did not just get shorter, it got reordered. A flaw the scanner rated Medium, a remote-access authentication bypass on the firm's VPN, climbed past nearly every 9.8 on the page because it was both likely and expensive. Then we said it in one sentence a board can hear: roughly a 1-in-7 chance we lose more than $250,000 this year, and about a 1-in-50 chance we lose more than $2 million.
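The two lenses and the loss-exceedance sentence above, worked through on constructed data as an added example (this is illustration code written for this edition, not the workbook from the engagement). It assumes placeholder CVE identifiers, a 0.10 EPSS cut-off for the "high-EPSS tier", and point-estimate losses that are exploited independently in the Monte Carlo; real calibration uses ranges and the firm's own numbers.

```python
import random
from dataclasses import dataclass

EPSS_HIGH = 0.10  # assumption: cut-off for the "high-EPSS tier" (EPSS is a 30-day exploitation probability)

@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifiers, not real advisories
    title: str
    cvss: float         # scanner severity (CVSS base score)
    epss: float         # exploitation probability from EPSS, 0.0 to 1.0
    in_kev: bool        # listed in CISA's Known Exploited Vulnerabilities catalog
    crown_jewel: bool   # asset holds the firm's client data
    loss_if_hit: float  # calibrated loss estimate in dollars if exploited

# Constructed sample scanner output: a few of the 9.8s plus the one Medium that matters.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "RCE in isolated build server", 9.8, 0.01, False, False, 30_000),
    Finding("CVE-PLACEHOLDER-2", "RCE in lab wiki, no client data", 9.8, 0.30, True, False, 20_000),
    Finding("CVE-PLACEHOLDER-3", "SQLi in client-matter database", 9.1, 0.15, False, True, 400_000),
    Finding("CVE-PLACEHOLDER-4", "Auth bypass on client VPN gateway", 6.5, 0.45, True, True, 900_000),
    Finding("CVE-PLACEHOLDER-5", "DoS in office printer firmware", 7.5, 0.02, False, False, 5_000),
]

def severity_order(findings):
    """What the scanner hands you: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def shortlist(findings):
    """Both lenses: likely to be exploited now (high-EPSS tier, or on KEV) AND touches a crown jewel."""
    return [f for f in findings if (f.in_kev or f.epss >= EPSS_HIGH) and f.crown_jewel]

def expected_loss(f: Finding) -> float:
    """Probability times calibrated cost: the number that lets a Medium outrank a 9.8."""
    return f.epss * f.loss_if_hit

def risk_order(findings):
    """The reordered list: expected loss first, CVSS only as a tie-breaker."""
    return sorted(findings, key=lambda f: (expected_loss(f), f.cvss), reverse=True)

def exceedance_probability(findings, threshold, trials=20_000, seed=1):
    """Monte Carlo loss exceedance: P(total loss this period > threshold). Assumes each finding
    is exploited independently with probability epss and costs exactly loss_if_hit when it is."""
    rng = random.Random(seed)
    over = 0
    for _ in range(trials):
        loss = sum(f.loss_if_hit for f in findings if rng.random() < f.epss)
        over += loss > threshold
    return over / trials
```

With these inputs the VPN bypass, a 6.5, lands at the top of `risk_order` while the scanner's own ordering puts it last, and `exceedance_probability(FINDINGS, 250_000)` is the "chance we lose more than $250,000" figure a board can hear.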

That is the method. Here is the part I left out.

Doing that yourself is the hard part.

You can read every Pulse I write, nod at every paragraph, and still be staring at the same scanner dump on Monday morning. The gap between understanding the method and running it on your own systems is the gap that has kept this discipline locked inside enterprises with seven-figure risk teams. Pulling your real asset inventory. Mapping it to live exploitation data. Sitting a managing partner down and turning "it would be bad" into a defensible dollar range. That is real work, and most SMBs have nobody whose job it is to do it.

So I am going to do it with you.

I am opening three pilot slots for a fixed-scope engagement I have been building all quarter. We take one decision your team is currently making by severity alone, vulnerability triage, and we rebuild it on probability and calibrated cost. You walk away with a calibrated workbook, an honest audit of how you prioritize today, a methodology doc, and training for the person on your team who owns it after I leave, because a model with no owner is dead in ninety days.

The catch, in plain sight, not in a footnote: this is a founding cohort. $5,000 flat, a one-time rate, well under what this becomes once it is proven. In exchange, I publish what we learn, anonymized as needed, as the case study that makes the next cohort possible. You get the method at founding pricing. I get the proof. That is the whole trade.

Three slots, because I am one person and would rather do three of these right than ten of them badly. Work starts late June, after this campaign closes. The slots fill now. The calendar fills later.

This is not a new tool. You have enough tools. It is the discipline that makes every tool decision sharper, run once, with you, until your team can run it without me.

The whole campaign was about one move: stop inheriting the scanner's list and start owning yours. Now it is a thing you can buy.

SIGNAL CHECK

What else matters this week.

CVE-2022-0492: A Four-Year-Old Linux Bug That CISA Just Flagged as Live

Watch the campaign's whole thesis happen in one CVE. On June 2, CISA added a Linux kernel privilege-escalation flaw to its Known Exploited Vulnerabilities catalog. The catch: it is CVE-2022-0492, disclosed and patched in 2022. A cgroups-v1 weakness that lets a local attacker break container isolation and gain root on the host. Its severity score is a 7.8, a "High," not even a top-shelf Critical, patched in modern kernels for four years. But the systems that never got patched, legacy servers and unattended container hosts, are being attacked right now, which is why it landed on the live-exploitation list this week with a federal deadline of June 5. The date on a vulnerability tells you nothing about whether it is being used today. Neither does its severity. The only signal that means "this is happening now" is evidence that it is happening now, and that signal is free and published. A 2022 "High" outranked your 2026 "Criticals" this week, because the attackers, not the scanner, decide what matters. via SecurityWeek and CISA KEV

The SMB Report Where 40% Say a Six-Figure Hit Ends Them

For the first time, cybersecurity has overtaken economic pressure as the top concern for small and mid-sized businesses. VikingCloud's 2026 SMB Threat Landscape Report found that 3 in 4 SMBs say cyber incidents are the most likely thing to hurt their business this year, ranking ahead of inflation and rising costs, recession, and hiring. But the number that matters for everything I have written this month is this one: 40% say an attack of $100,000 or less could put them out of business. Sit with that. The thing that ends most of these companies is not a $10 million catastrophe. It is a six-figure event, a number you can estimate, against assets you can name. So the loss-exceedance question is not an enterprise luxury. For a firm where $100,000 is an extinction event, knowing your odds of crossing that line this year is the most important number nobody is calculating. The companies most likely to be ended by a breach are the ones least likely to have measured the odds. via VikingCloud

THE NOISE

Not every signal needs action.

"AI Will Automate Your Risk Quantification"

A new industry report this month asked security and risk leaders where AI offers the biggest opportunity, and the top answer was automated risk quantification. The pitch writes itself: point a model at your environment, and out comes your risk, scored, ranked, dollarized, no humans required.

Here is what to do about it. Notice what is being skipped.

The hard part of risk quantification was never the arithmetic. A spreadsheet has done the math for decades. The hard part is the judgment: which assets actually matter to this business, what a breach of each would actually cost, which uncertainties you can responsibly estimate and which you cannot. That is calibration, and calibration is a conversation with the people who run the company, not a job you hand to a model that has never met them. An AI that automates the math while skipping the judgment has not quantified your risk. It has produced a confident number with nobody's name on it.

The discipline I have spent a month describing is not waiting on a model. It is available right now, it is mostly free, and the only thing it requires is the willingness to ask a better question than your scanner can answer. Let the robots compete for that headline. You have a method.

ONE QUESTION

No answer. Just the question.

If a $100,000 breach would end your company, and you cannot say within ten percent what your odds are of crossing that line this year, then what exactly is your security program optimizing against, and who decided that was good enough?

The Pilot: Signal Measure

If "highest severity first" is how your team decides what to fix, this is the thing the whole month has been pointing at.

Signal Measure is a fixed-scope engagement. We take one decision, vulnerability triage, and rebuild it the way the demo showed: severity, plus exploitation probability, plus what a hit would actually cost you. You walk away with a calibrated workbook, an audit of how you prioritize today, a methodology doc, a loss-exceedance read your board can hear, and training for the owner who runs it after I leave.

Three pilot slots. $5,000 flat, a founding-cohort rate. In exchange, I publish what we learn, anonymized as needed, as the case study. You get the method at founding pricing. I get the proof. Work starts late June, after this campaign closes. The slots fill before the calendar does.

Not sure you qualify, or want to see where you stand first? The Signal Score is free, fifteen minutes, and tells you whether severity-only prioritization is quietly dragging your program down. echocyber.io/assessment

Prefer audio? Jane reads every Pulse edition on the Signal vs. Noise podcast. Five minutes, same signal, no scrolling. Find it wherever you listen.

Michael Faas is a fractional CTO/CISO who translates technical complexity into business decisions. echocyber.io
