THE ECHO
One story. Gone deep.
Loss Exceedance for the SMB Leader
Last Sunday I left you with two numbers. A 7.8 that was already being exploited, and a 9.8 that was probably nobody's target.
I said the gap between them was the measurement gap. I said this week was about how to close it.
You close it by measuring the thing your scanner never measures. Not how bad it would be. How likely it is, and how much it would actually cost you.
That sounds like more work than you have. It is less work than you think, and the inputs are already free. A real vulnerability first, then the discipline that closes the gap.
On May 14, Microsoft disclosed a flaw in on-premises Exchange Server. CVE-2026-42897. A cross-site scripting and spoofing bug in Outlook Web Access: a crafted email, opened in the browser, can run attacker JavaScript in the victim's session. Session tokens, mailbox access, message tampering. Exchange Online is not affected. If you run your own Exchange, you are.
Now watch what severity does with it.
The federal vulnerability database, NVD, scored it 6.1. Medium. Microsoft scored the same flaw 8.1. High. Same vulnerability, same week, two of the organizations most qualified to rate it, and they are nearly two points apart on a ten-point scale.
That should bother you. We have not even gotten to probability yet, and the industry cannot agree on severity. The one number everyone treats as objective is a judgment call wearing a decimal point.
The day after disclosure, CISA added this flaw to its list of vulnerabilities being actively attacked in the wild. Federal agencies have until May 29 to mitigate. Microsoft confirmed exploitation. This is a true zero-day, being used right now, by someone, against real mailboxes.
And the model that predicts exploitation gives it a thirty-day probability of 6.3 percent.
That looks broken. It is not. That 6.3 percent sits in the 91st percentile of all known vulnerabilities. Most CVEs score a fraction of a percent. In the universe of everything that could be exploited, this one is in the top tenth. Six percent is not "low." Six percent is "high, measured honestly, against a population where almost nothing gets exploited at all."
That number comes from EPSS. The Exploit Prediction Scoring System. It is built by FIRST.org, the same group behind CVSS, and it answers the question CVSS was never built to answer: not how bad, but how likely. It is free. It refreshes daily. There is a public API. Almost nobody at your scale is using it.
EPSS did not tell you to ignore this flaw. KEV says patch it, and you should. The point is that severity alone could never have told you this story. It told you "Medium," or it told you "High," depending on who you asked. The probability lens told you something severity structurally cannot: where this sits against everything else competing for your team's Tuesday.
That is two axes, not one. How bad if it happens. How likely it is to happen. You have been making decisions on one of them and calling it risk management.
There is a third axis, and it is the one that turns this from a security exercise into a business decision: how much would it actually cost you. An Exchange OWA flaw is a different number for a law firm than for a print shop. The vulnerability does not change. Your exposure does.
So the real question was never "how severe is it." The real question is how likely, and how much.
This is not a new idea. It is just new to security. Insurance has priced "how likely, and how much" for three hundred years. Aviation, drug trials, climate models, every field that takes uncertainty seriously stopped sorting threats by how scary they sound and started measuring probability and consequence. Douglas Hubbard wrote the book on bringing that discipline to cybersecurity, and his core provocation is the part most leaders need to hear: you have more data than you think, you need less than you think, and the job is to reduce uncertainty, not eliminate it.
You do not need a perfect model. You need a better question than "what is the highest number on the screen."
The grown-up version of that question produces a curve instead of a list. Not "here are our twelve criticals, sorted." Instead: what is the chance we lose more than fifty thousand dollars this year. More than two hundred. More than the number that ends the company. That curve is called a loss exceedance curve, and you do not have to build one to benefit from it. You only have to start asking the question it answers. The moment you do, your prioritization stops being a sorted dashboard and starts being a decision.
Severity is contested. We just watched two of the best in the world disagree by two points. Probability is free, public, and refreshed daily, and you are not consuming it. And the cost to your specific business is the one number nobody on a generic scanner can see, because it is yours.
Most teams measure none of the three. They sort by the one number their scanner hands them and call it a program.
You can close this gap. The teams I work with do it in a sprint, not a transformation. They keep CVSS for what it measures. They add probability, which is free. They put a dollar figure on what their worst few systems actually protect. Then they make a smaller list, in a different order, and they can defend every line of it to a board.
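The sprint just described, and the loss exceedance question from earlier, worked through as an added Python example (not the newsletter's own tooling): EPSS probability times dollar exposure reorders the list, and a small Monte Carlo answers "what is the chance we lose more than fifty thousand dollars this year." Only the Exchange row uses figures from this page; its dollar exposure, the three placeholder findings, and the twelve-period annualization of the 30-day EPSS score are constructed assumptions.

```python
import random

# Constructed sample findings, not data from the newsletter. Only the Exchange row
# carries figures the page gives (NVD 6.1, Microsoft 8.1, EPSS 0.063); its exposure
# and the three PLACEHOLDER rows are invented. EPSS normally comes from FIRST's
# public API; the values are embedded here so the example runs offline.
FINDINGS = [
    {"id": "CVE-2026-42897 (Exchange OWA)", "cvss_nvd": 6.1, "cvss_vendor": 8.1,
     "epss_30d": 0.063, "exposure_usd": 250_000},
    {"id": "PLACEHOLDER-A (9.8, nobody's target)", "cvss_nvd": 9.8, "cvss_vendor": 9.8,
     "epss_30d": 0.004, "exposure_usd": 40_000},
    {"id": "PLACEHOLDER-B (7.8, being exploited)", "cvss_nvd": 7.8, "cvss_vendor": 7.8,
     "epss_30d": 0.40, "exposure_usd": 120_000},
    {"id": "PLACEHOLDER-C (low severity, crown jewel)", "cvss_nvd": 5.3, "cvss_vendor": 5.3,
     "epss_30d": 0.0008, "exposure_usd": 900_000},
]

def annualize(p_30d: float, periods: int = 12) -> float:
    """EPSS is a 30-day probability; treating twelve periods as independent draws
    gives a one-year probability (a modelling assumption, not an EPSS rule)."""
    return 1.0 - (1.0 - p_30d) ** periods

def expected_annual_loss(f: dict) -> float:
    """Axis two times axis three: how likely, times how much."""
    return annualize(f["epss_30d"]) * f["exposure_usd"]

def by_severity(findings: list) -> list:
    """The scanner's list: vendor CVSS, highest first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss_vendor"])]

def by_expected_loss(findings: list) -> list:
    """The smaller list in a different order: expected annual loss, highest first."""
    return [f["id"] for f in sorted(findings, key=expected_annual_loss, reverse=True)]

def loss_exceedance(findings: list, thresholds: list, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo loss exceedance: P(total annual loss > T) per threshold T. Each
    finding is breached independently with its annualized probability and then
    costs its full exposure (a deliberately simple loss model)."""
    rng = random.Random(seed)
    events = [(annualize(f["epss_30d"]), f["exposure_usd"]) for f in findings]
    losses = [sum(cost for p, cost in events if rng.random() < p) for _ in range(trials)]
    return {t: sum(1 for x in losses if x > t) / trials for t in thresholds}

if __name__ == "__main__":
    print("severity order:     ", by_severity(FINDINGS))
    print("expected-loss order:", by_expected_loss(FINDINGS))
    for t, p in loss_exceedance(FINDINGS, [50_000, 200_000, 1_000_000]).items():
        print(f"P(loss > ${t:,}) = {p:.1%}")
```

With these inputs the 9.8 that tops the severity list falls to the bottom of the expected-loss list, and the 6.1/8.1 Exchange flaw rises to the top, which is the reordering the sprint produces.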
Severity told you a story this week, and two experts told it two different ways. Probability told a truer one for free. The only number that was ever really yours is the one you have not measured yet.
SIGNAL CHECK
What else matters this week.
CVE-2026-42897: The Exchange Zero-Day Where Even Severity Couldn't Agree
The flaw anchoring this week's Echo. An OWA cross-site scripting and spoofing bug in on-premises Exchange Server (2016, 2019, and Subscription Edition). A crafted email, opened in the browser, runs attacker code in the victim's session: stolen tokens, mailbox access, tampered mail. Exchange Online is not affected. NVD rates it 6.1 Medium; Microsoft rates it 8.1 High. CISA added it to the Known Exploited Vulnerabilities catalog on May 15 with a federal deadline of May 29, and Microsoft has confirmed active exploitation. There is no permanent fix yet. Microsoft shipped automatic mitigation through the Exchange Emergency Mitigation Service, on by default. One sharp catch: that mitigation does not apply if OWA is reached through Internet Explorer or Edge in IE Mode, so the oldest browser in your environment is the one that slips the net. If you run your own Exchange, confirm EEMS is active and check how your users reach OWA. via The Hacker News, CISA KEV, and Microsoft MSRC
CISA's May 20 KEV Batch: Five Bugs Old Enough to Drive
On May 20, CISA added seven vulnerabilities to its actively-exploited list. Two were Microsoft Defender flaws from this year. The other five were disclosed between 2008 and 2010: a Windows buffer overflow, a DirectX overwrite, an Adobe Acrobat heap overflow, and two Internet Explorer use-after-frees. A sixteen-year-old browser bug and a days-old Defender bug, on the same alert, with the same federal deadline. The lesson is not "patch your old software." The lesson is that the date on a vulnerability tells you nothing about whether it is being used against someone today, and neither does its severity. The only signal that means "this is happening now" is evidence that it is happening now. That signal is free, and it is published. Severity ranks the theoretical. Exploitation data names the actual. via CISA
THE NOISE
Not every signal needs action.
"Our Scanner Gives Everything a Risk Score"
Open almost any vulnerability scanner and you will find a column that says risk. It is usually CVSS, sometimes with a coat of paint, occasionally renamed something proprietary so it sounds smarter.
It is not a risk score. FIRST.org, which publishes CVSS, says so in its own documentation. CVSS measures severity if exploited under ideal conditions. It contains no probability. It contains nothing about what your systems are worth. A tool that multiplies severity by a confidence color and prints "risk" has not measured risk. It has dressed up one variable to look like three.
You do not need to rip the scanner out. You need to stop reading one number as if it were the answer to a question that takes three. The label on the column is marketing. The math behind it is still just severity.
ONE QUESTION
No answer. Just the question.
What is the dollar figure you would lose if your single most important system were breached this year, and if you cannot say it within ten percent, what exactly is your team prioritizing against?
If This Is the Shape You've Been Trying to Name
The Signal Score grades your program across eight categories most likely to cascade. Identity & Access. Devices & Patching. Email & Phishing Defense. Backup & Recovery. Network Security. Data Protection. Vendor & SaaS Risk. Incident Readiness. Fifteen minutes. A through F grades, an expected annual loss estimate, and a plain-English read of where your weakest area is pulling the others down.
Free. If the grade wants a conversation, there's a thirty-minute review. No pitch. Just where your cascade points are.
If "highest severity first" is how your team decides what to fix, we're putting together something for you. Details on June 7.
Next Sunday: what calibrated risk actually looks like when you stop guessing and start measuring. A walkthrough, not a lecture.
Prefer audio? Jane reads every Pulse edition on the Signal vs. Noise podcast. Five minutes, same signal, no scrolling. Find it wherever you listen.
Michael Faas is a fractional CTO/CISO who translates technical complexity into business decisions. echocyber.io