Signal vs. Noise - The Pulse cover art

Signal vs. Noise - The Pulse

Signal vs. Noise - The Pulse

By: Michael Faas
Listen for free

Security doesn't fail in silos. It fails in cascades. The Pulse is a five-minute weekly cybersecurity briefing for people making Monday decisions with Friday information. Hosted by Jane. Editorial by Mike Faas, fractional CTO/CISO at Echo Cyber. Each episode takes one signal out of the week's noise and traces how it actually cascades — the connections the dashboard hides. Complicated systems can be optimized. Complex systems have to be governed. Companion to the Signal vs. Noise newsletter at signal.echocyber.io. Plus Mike's Field Notes — long form. Five minutes. One cascade. Every week.Michael Faas
Episodes
  • Pulse 17: Loss Exceedance for the SMB Leader

    Pulse 17: Loss Exceedance for the SMB Leader
    May 24 2026

    Microsoft disclosed an Exchange Server zero-day on May 14. A crafted email runs attacker code in your browser session, and it's being exploited right now.

    Two of the most qualified bodies in the world scored its severity. One said Medium. One said High. Nearly two points apart on a ten-point scale.

    The model that predicts exploitation gives it a 6.3% chance over 30 days. That's the 91st percentile of all known vulnerabilities.

    Severity told two stories this week. Probability told a truer one for free.

    How likely, and how much. Those are the questions severity was never built to answer.

    Second episode of a six-week series on measurement. Last week was the gap. This week is the discipline that closes it.

    Full edition: signal.echocyber.io

    Take the Signal Score: echocyber.io/assessment
    Show More Show Less
    7 mins
  • Pulse 16: Severity is NOT Probability

    Pulse 16: Severity is NOT Probability
    May 18 2026

    CISA added a Linux kernel flaw to its Known Exploited Vulnerabilities list on May 1. CVSS 7.8. Federal agencies got two weeks to patch. Working exploit code in three languages.

    The 9.8s your scanner pushed to the top of the dashboard last week were probably nobody's target.

    This is the CVSS trap. Severity is not probability. CVSS is not a risk score. And almost every founder-led company has stepped in it.

    First episode of a six-week series on the gap between what you measure and what gets exploited.

    Full edition: signal.echocyber.io

    Take the Signal Score: echocyber.io/assessment
    Show More Show Less
    6 mins
  • Pulse 15: Your AI Has a Trust Model. You Didn't Write It.

    Pulse 15: Your AI Has a Trust Model. You Didn't Write It.
    May 11 2026

    Your AI has a trust model. You didn't write it.

    Episode 15 is the audio cut of Pulse #15. Pillar Security disclosed a CVSS 10 in Google's Gemini CLI last month, an exploit chain that started with one public GitHub issue and ended with arbitrary code on the main branch of a Google repo. The same pattern showed up in eight other Google-maintained repos. Host Jane walks through why this isn't a coding flaw, why prompt injection understates what happened, and the question every security review of an AI tool should be asking but isn't: what is this agent authorized to trust, and did anyone define that before we deployed it?

    Featuring Bruce Schneier on trust as a design decision, and why the patch closed the vulnerability but not the governance gap.

    → Signal Score: echocyber.io/assessment

    → Newsletter: signal.echocyber.io

    Editorial: Mike Faas, fractional CTO/CISO at Echo Cyber. Voice by ElevenLabs.
    Show More Show Less
    5 mins
adbl_web_anon_alc_button_suppression_c
No reviews yet